DataMotion, an email encryption and health information service provider (HISP), offers the results of its third annual survey on corporate email and file transfer habits, revealing significant security risks. While companies in all industries increasingly have put security and compliance policies in place – nearly 90 percent of all respondents affirming that in 2014 (compared to 81 percent in 2013) – the growth is largely from healthcare entities.
More than 97 percent from the industry report their organizations as having policies in place, compared to 90.4 percent in 2013. However, challenges remain for healthcare when it comes to implementing these, ranging from low employee comprehension to policy violations. Additionally, a lack of encryption, risks in mobile device usage and low awareness of Direct Secure Messaging (Direct) pose serious issues for the highly regulated industry.
DataMotion polled more than 780 IT and business decision-makers across the U.S. and Canada. In particular, the survey focused on individuals who routinely work with sensitive data and compliance regulations in a variety of industries including healthcare, financial services, education and government.
More than 300 respondents were from healthcare. Key insights/comparisons on the industry include:
Healthcare Security and Compliance Policy: Gains Undermined by Implementation Failure
36 percent of healthcare respondents said within their entity, security and compliance policies are at most only moderately enforced.
81 percent of all respondents said employees/co-workers either occasionally or routinely violate these policies. While healthcare fared better, nearly 73 percent admitted the same.
Key to making policies work is ensuring employee comprehension. When asked if they thought employees fully understood these types of policies, more than a third in healthcare said no, just a slight improvement over those from other industries.
When asked about common reasons why policies are violated, 52.7 percent from healthcare said it was because employees were not aware of the policy or that they were in violation. Another 29.1 percent said employees didn’t understand policies. Most troubling, 18.2 percent said policies were intentionally violated by employees to get their job done.
These healthcare findings raise a “red flag,” since demonstrating implementation of policies is key to passing an HHS/OCR HIPAA audit.
Representing more than 5,000 app companies and information technology firms, ACT | The App Association is widely recognized as the foremost authority on the intersection of government and the app economy. In addition to drafting best practices, guidelines, and FAQs to help inform app companies about new legal obligations, ACT | The App Association hosts conferences, bootcamps and workshops to provide developers the resources they need to ensure compliance.
As the only organization focused on the needs of small business entrepreneurs from around the world, ACT | The App Association advocates for an environment that inspires and rewards innovation while providing resources to help its members leverage their intellectual assets to raise capital, create jobs, and continue innovating.
Here, Morgan Reed, executive director of the organization, discusses its goals, the app economy, how ACT | The App Association works across mobile health, innovations in the space and what’s likely to come in the year ahead.
What are the biggest barriers to entry for new health IT companies?
We have a “cascading” problem in the mobile health space right now. Regulatory guidance hasn’t kept pace with the rate of innovation, which has led to care providers being worried they will be exposed to liability, or will be providing services that aren’t covered by health plans.
It’s this fear and uncertainty that keeps hospital systems, independent practices, and individuals from adopting new technology, leaving care providers and patients to suffer as we wait for all the pieces to catch up.
What is ACT | The App Association doing to address issues facing mobile health companies?
ACT | The App Association is spearheading an effort to bring updates to outdated health privacy laws with a group we recently launched called the Connected Health Initiative. This coalition of leading mobile health companies and key stakeholders urges Congress, the Food and Drug Administration (FDA), and Department of Health and Human Services (HHS) to adopt policies that encourage mobile health innovation.
How is ACT | The App Association working with Congress and the Department of Health and Human Services to bring clarity to the outdated regulatory environment facing mobile health companies?
Most recently, ACT | The App Association and a number of our member companies, all of which are part of the newly formed Connected Health Initiative, called on Congress to bring much needed updates to the Health Insurance Portability and Accountability Act (HIPAA). We outlined changes needed from the Department of Health and Human Services (HHS) to ensure HIPAA fits better in today’s mobile world.
Make existing regulation more accessible for tech companies. Information on HIPAA is still mired in a Washington, D.C. mindset that revolves around reading the Federal Register, or hiring expert consultants to ‘explain’ what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.
Additionally, there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers – not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.
Proposed solution: HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.
In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or that will have a presence of some kind at the show – key executives in attendance or presenting, for example.
Even as HIMSS Media has said that its employees will be making more of an effort this year to cover the trade show floor and its vendors and events, hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.
Founded in 2009, etherFAX offers a solution that extends existing fax server solutions to the cloud. By eliminating the need for costly network fax systems, such as fax boards and recurring telephony fees, etherFAX leverages the Internet to manage all business-critical fax communications for healthcare organizations.
etherFAX was established in 2009 and leverages talent with 30-plus years of experience designing and developing fax technology solutions. By eliminating the need for costly components such as fax boards, media gateways, and telephony infrastructure, etherFAX’s namesake technology, network and datacenter solutions leverage the Internet to manage business-critical fax communications.
As a hybrid fax solution, etherFAX eliminates the complexities and costs of provisioning SIP, T.38, PRI, T1, and other analog connections. By simply connecting on-premise fax server resources to etherFAX, all fax communications are securely delivered via the cloud. Say goodbye to expensive fax hardware, complex fault-tolerant designs, and costly disaster recovery solutions. etherFAX is the fax board in the cloud, capable of processing billions of faxes.
etherFAX serves the healthcare market by securely transmitting electronic health records (EHRs), electronic medical records (EMRs), health information exchange data (HIEs) and unstructured patient data. etherFAX enables healthcare organizations and medical groups, insurance companies and billing operators to securely transport data and ensure compliance with government mandated regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Fully integrating with existing fax servers and applications such as EMR solutions and healthcare management systems, etherFAX leverages the Internet to manage all healthcare-critical fax communications without capacity constraints.
Services and Products Offered
HIMSS 15 Focus:
o etherFAX – Extending existing fax server solutions to the cloud, etherFAX eliminates the need for costly network fax systems, such as fax boards and recurring telephony fees. etherFAX leverages the Internet to manage all your business-critical fax communications.
o etherFAX SEN – Gives healthcare and enterprise organizations the capability to create their own private fax network to ensure secure data and document transmissions. Offering a simple and unique approach to document delivery, etherFAX SEN offers speed, performance and reliability without compromising security.
o etherFAX A2E – The etherFAX A2E device, manufactured by MultiTech, provides a plug-and-play device that enables organizations to extend their existing fax machines to the cloud.
o etherFAX DR – Provides immediate failover for all business-critical fax communications, ensuring uptime when existing telephony equipment fails, such as fax boards, PRI lines, servers and applications.
o etherFAX Toolkit – Integrating fax capabilities within applications has never been easier with the etherFAX API. The solution provides the capability to fax-enable custom developed applications in addition to enterprise resource planning (ERP), document management systems, etc.
o etherFAX Colocation Services – etherFAX provides highly-secure, protected, and climate-controlled colocation services that are capable of supporting the most complex business-critical IT environments.
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As patient medical records transition to a digital sharing model, the potential cost of data breaches is now substantially higher than in less regulated industries, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records.
With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate, but when correlated against other activity, could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of 5 percent or 10 percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
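The correlation the paragraph describes, a steady climb in outbound traffic from a workstation combined with a destination IP it has never talked to, can be turned into a simple detection. The script below is an added example, not code from the original post or from Nuance; the per-day log records, host names and IP addresses are constructed, and the 5 percent growth threshold follows the figure quoted above. It flags the combined signal as a likely breach, flags either signal alone for review, and marks which findings should be shared with the compliance side.

```python
"""Correlate steady outbound-traffic growth with a new destination IP.

Constructed sample input: one record per workstation per day with the
total bytes sent and the destination IPs seen that day. The first days
form the baseline (known destinations, typical volume); later days are
the observation window that is checked against it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean

BASELINE_DAYS = 5          # days used to learn normal volume and destinations
GROWTH_THRESHOLD = 0.05    # final-day volume must exceed baseline mean by 5%
MIN_RISING_DAYS = 3        # and the last N day-to-day steps must not decrease


@dataclass(frozen=True)
class DailyRecord:
    host: str
    day: int               # 0-based day index
    bytes_out: int
    dest_ips: frozenset


@dataclass
class Finding:
    host: str
    verdict: str           # likely_breach | traffic_growth_review |
                           # new_destination_review | normal
    growth: float          # final-day bytes relative to baseline mean (0.2 = +20%)
    new_ips: list = field(default_factory=list)
    notify_compliance: bool = False


def _days(host, byte_values, ips_by_day, default_ip="10.0.5.20"):
    """Build constructed records; default_ip stands in for the EHR server."""
    return [DailyRecord(host, d, b, frozenset(ips_by_day.get(d, {default_ip})))
            for d, b in enumerate(byte_values)]


# Constructed sample (hypothetical hosts and TEST-NET addresses):
#   WS-CLIN-01: ~5-7%/day climb AND a new external IP on days 8-9
#   WS-CLIN-02: a one-off spike only, same destination throughout
#   WS-CLIN-03: flat volume, but one day with an unfamiliar destination
SAMPLE_LOGS = (
    _days("WS-CLIN-01",
          [1_000_000] * 5 + [1_030_000, 1_060_000, 1_100_000, 1_150_000, 1_200_000],
          {8: {"10.0.5.20", "203.0.113.77"}, 9: {"10.0.5.20", "203.0.113.77"}})
    + _days("WS-CLIN-02",
            [1_000_000] * 5 + [1_000_000, 5_000_000, 1_000_000, 1_000_000, 1_000_000], {})
    + _days("WS-CLIN-03", [1_000_000] * 10, {7: {"10.0.5.20", "198.51.100.9"}})
)


def steady_increase(series, baseline_mean, threshold=GROWTH_THRESHOLD,
                    min_rising_days=MIN_RISING_DAYS):
    """True when the tail of the series never drops and ends above threshold.

    A single spike that falls back to normal is not 'steady' and is ignored.
    """
    if len(series) < min_rising_days + 1:
        return False
    tail = series[-(min_rising_days + 1):]
    monotonic = all(later >= earlier for earlier, later in zip(tail, tail[1:]))
    return monotonic and tail[-1] >= baseline_mean * (1 + threshold)


def analyze(records, baseline_days=BASELINE_DAYS):
    """Return {host: Finding} after comparing each host's window to its baseline."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec.host].append(rec)

    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r.day)
        base, obs = recs[:baseline_days], recs[baseline_days:]
        if not base or not obs:
            continue                                   # not enough history yet
        known_ips = set().union(*(r.dest_ips for r in base))
        base_mean = mean(r.bytes_out for r in base)
        new_ips = sorted(set().union(*(r.dest_ips for r in obs)) - known_ips)
        rising = steady_increase([r.bytes_out for r in obs], base_mean)
        growth = round((obs[-1].bytes_out - base_mean) / base_mean, 3)

        if rising and new_ips:
            verdict = "likely_breach"        # the correlated signal from the text
        elif rising:
            verdict = "traffic_growth_review"
        elif new_ips:
            verdict = "new_destination_review"
        else:
            verdict = "normal"
        findings[host] = Finding(host, verdict, growth, new_ips,
                                 notify_compliance=(verdict != "normal"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS).values():
        print(f)
```

The `notify_compliance` flag is the hand-off point the paragraph asks for: anything other than a normal verdict is surfaced to the privacy and compliance team rather than closed silently by IT security.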
Chris Strammiello, vice president of marketing and product strategy, Nuance.
Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).
Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.
Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
As hospitals are rapidly approaching an FY 2015 deadline for meaningful use, they must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.
Acting under provisions of HITECH, the Department of Health and Human Services Office of Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss protection (DLP) technology and procedures, and establish security incident reporting.
Dr. Jose Barreau is the chairman and CEO, Doc Halo.
Health IT advancements have become a very important part of the doctor-to-doctor and doctor-to-staff communication channel, and secure text messaging is a very important tool that allows physicians to streamline vital tasks. In busy environments like hospitals, the need for efficient and real-time communication touch points between doctors and staff promotes better patient care, increases productivity and reduces expenses. Over time, innovations like secure text messaging have made healthcare workflow much faster and safer.
Why secure texting is an important element for improving doctor communication channels
A streamlined mobile health platform makes it easy for doctors to use many different communication tools, such as secure texting. Secure texting features can allow senders to create separate threads when conversing with another doctor about multiple patients, providing a platform that reduces medication errors and maintains HIPAA compliance at the same time. As an overall strategy, physician-to-physician messages, notes between doctors and nurses, managers or other staff, checking on and scheduling appointments, and video/photo consultations with specialists work alongside secure messaging to create an optimal mobile health system.
What’s more, doctors can accomplish more tasks during their time on the floor because they don’t have to lose time searching for phone numbers. Scrambling to find an office or hospital’s number following a traditional page adds complexity and reduces valuable response time.
Secure messaging can also improve referrals between doctors by leveraging the organization’s internal database and giving the physician the ability to easily send that person a message seeking to refer a patient in real time. Names can be organized by specialty and then aligned in an organizational directory so physicians can access the individuals they need without hassle.
Guest post by Roman Foeckl, CEO and founder, CoSoSys.
Since HIPAA was enacted in 1996, IT security specialists in the healthcare industry have often been confused by the complex regulations the U.S. government has put in place to carry out the law. Even for experts who were already used to untangling complicated IT security practices, HIPAA regulations have remained a bit of a mystery. What may not be appreciated is that the great work being done by these patient and hardworking industry professionals is setting a new standard for enterprise security that the rest of us can follow.
When we began working on a HIPAA component of our data loss prevention solution, we began to view it as an opportunity rather than an encumbrance. Here are four reasons why:
Addressing the Previously Unaddressed: Thanks to HIPAA, the healthcare industry is now more aware of the need for a strong data security program. For example, who would have thought that protecting healthcare information should include IPs or postal addresses? Finding the ways to protect this type of data has now become much more critical, and an area of potential risk and huge legal and regulatory costs is now contained. This level of detail and control is something the rest of the industry can learn a great deal from.
Paving the Way: Regulations like HIPAA are essential to protect one of the most private aspects of our lives — information about our health and well-being. This is an opportunity for organizations to position themselves as industry leaders in information security that view patient privacy protection as absolutely equal with patient health. This level of care will reflect very highly on the institution as a whole.
Adding Value: This is an opportunity for all healthcare information security professionals to rise up and demonstrate that the most critical data of patients can, and will, be protected. HIPAA came about because many felt that healthcare organizations were being lax and not protecting our most critical and personal data. An organization can be perceived as cutting edge in an area that is understood by the public at large. By having a best practice obligation to provide patients with an industry leading protection you are reinforcing your commitment to patient advocacy and care.
Guest post by Komal Papneja, IT research and marketing expert, Calance.
It’s time for healthcare organizations to conduct a routine checkup on their data management and storage capabilities. Wondering why? To put this into perspective, Kaiser Permanente, the nation’s largest health plan, based in California, alone manages 26 to 44 petabytes of data from its electronic health records only. And if you are wondering how much that is, it would take around 223,000 DVDs (4.7 GB each) just to hold 1 petabyte of data, according to a Deloitte study. Now couple this issue of data explosion with the HIPAA/HITECH compliance regulations and you see the healthcare industry struggling to keep pace with the emerging technologies. Gone are the days when you could manage data with pen and paper…or even in onsite data centers.
Data explosion has become a generic problem for US healthcare organizations, says Gaurav Garg, vice president – healthcare solutions at Calance Corporation. While working with a large US healthcare provider, team Calance observed that its data was growing at a rate of 50TB per month and that its onsite data centers would soon run out of capacity. Healthcare organizations in general need a secure, future-proof, and compliant solution that can help eliminate data explosion while remaining cost-effective. This is where a hybrid cloud solution comes in.
Why hybrid? Because a hybrid cloud model allows for tighter security than a traditional public cloud while offering more flexibility than a private cloud. Here is a detailed overview of how a hybrid cloud solution can help the healthcare industry overcome its biggest IT challenge: data explosion.
Get Storage Space Scaled for You
Critical patient data, confidential communications, and medical records, everything is stored digitally. There is always a need for more storage space. And hybrid cloud gives you that storage space without having to spend IT dollars on in-house data center expansion or to pay for under-utilized capacity. This enables maximum elasticity and efficiency. You only pay for the space you use! But that’s true of every cloud model, whether private, public, or hybrid. What makes hybrid more suitable for the healthcare industry then? Keep reading as we unfold a few reasons.
Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. Here is a boiled down version of the current language which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Healthcare is one of the last industries to be disrupted by technology. Although unprecedented levels of biomedical knowledge, surgical procedures, and condition management have been amassed, we are not using them to their potential to create the tools to improve healthcare experiences. A balance of privacy and policy regulations with technology is the key to creating a secure yet efficient healthcare system.
The State of Healthcare
A staggering portion of healthcare costs are wasted. According to the Institute of Medicine (IOM), $765 billion or 30 percent of the 2009 total U.S. healthcare spending was wasted. Key areas that were tracked include unnecessary services, services inefficiently delivered, prices that are too high, excess administrative costs, missed prevention opportunities and medical fraud.
Overused services, defensive medicine and higher-cost services total $210 billion in excess cost;
Medical errors, care fragmentation and preventable complications total $130 billion in excess cost;
Duplicative costs to administer insurance and insurances’ administrative inefficiencies drive $190 billion in excess cost;
Product prices beyond competitive levels total $105 billion in excess cost;
Missed prevention opportunities like primary, secondary and tertiary prevention total $55 billion in excess cost;
Fraudulent claims total $75 billion in excess cost.
Additionally, there will not be enough physicians in the next few years to meet the growing demand. The Association of American Medical Colleges (AAMC) projects a shortage of 62,000 physicians by 2015. This shortage is expected to increase to 91,000 by 2020. This physician deficit is due to an aging Baby Boomer population, the insuring of millions of new patients through the Affordable Care Act, and the retirement of a large number of doctors in the coming decade.
Technology can curb inefficient health management, increase knowledge sharing, and improve access to a shrinking physician pool. However, proper precautions must be taken to safeguard patient information privacy while empowering healthcare providers to provide more efficient care.
Healthcare technology is largely regulated by the Health Insurance Portability and Accountability Act (HIPAA). It was created in 1996 to protect the privacy of electronic patient data, known as protected health information (PHI) and to restrict access to PHI. Predating the iPhone by 10 years, the HIPAA rules were strengthened in 2013 to increase rigor on de-identifying PHI, to broaden HIPAA’s reach to include all entities that touch PHI directly and indirectly, and to notify affected parties if a PHI breach has occurred.