Archive | News

Mac McMillan Quoted in ModernHealthcare.com Blog

Hoping for ‘progress’ on health data breaches

January 8, 2013 by Joseph Conn

It should be an outrageous number—80,000 breaches—but crazy as it seems, that huge number might be a sign of progress.

I interviewed a group of health IT security specialists last week for a story we published about breaches and encryption.

One of them was Michael “Mac” McMillan, CEO of CynergisTek, an Austin, Texas-based security consultancy. We were talking about an e-mail I had just received from HHS’ Office for Civil Rights reporting there had been about 60,500 healthcare information breaches involving fewer than 500 individuals between September 2009, when the federal breach reporting requirement began, and December 2011.

Providers and other HIPAA covered entities are required to report these lesser breaches to the Office for Civil Rights only once a year, so we were speculating about how many there will be once all of the 2012 reports have been sent.

“We’re probably going to be talking about 90,000, unless you think 2012 was a good year, for some reason,” McMillan said. “If I were to pick a conservative number, I’d pick around 80,000.”

Incredibly, even if McMillan’s “conservative” forecast holds, 2012 will have been a better-than-average year—an average of 1,625 breaches a month in 2012 vs. 2,151 a month in the preceding 28 months.

And that outcome will be somewhat surprising because provider spending on health IT security has remained both inadequate and flat for the past five years, according to Lisa Gallagher, senior director of privacy and security at HIMSS, based on the latest HIMSS security survey.

If it turns out that there were fewer smaller breaches in 2012, coercion may have been the catalyst.

In 2011, HHS’ Office of Inspector General put the spurs to the Office for Civil Rights, accusing it of lax enforcement of the HIPAA security rule.

From 2011 onward, the office has reached settlements in or prosecuted seven of its 11 monetary penalty cases and collected $11.5 million (77%) of its nearly $14.9 million in settlement amounts and court-ordered penalties for HIPAA violations.

In addition, the CMS added specific references to HIPAA-required security risk analysis to the federal EHR incentive payment programs’ meaningful-use requirements. The feds insist that, to get paid, providers at least consider protecting patients’ data via encryption, even though by law the feds can’t mandate it.

There have been 525 breaches involving 500 or more records exposing more than 21.4 million patients’ records. Summaries of these are posted publicly on the “wall of shame” kept by the Office for Civil Rights.

Forty-two percent of the larger breaches involved laptops, backup disks and other portable devices. Had the data on those gizmos been encrypted, those organizations wouldn’t be on the list, and the millions of patients whose records went missing never would have been put in jeopardy.

“There is no excuse” for not using encryption, cryptographer Phil Zimmermann told me. “Any hospital or anybody who has medical records, they have to use encryption, and if they’re not, they’re being negligent.”

Zimmermann developed one of the most popular encryption software programs on the planet—Pretty Good Privacy—or PGP.

I can’t argue with him. Can you?

http://www.modernhealthcare.com/article/20130108/BLOGS02/301089998/blog-hoping-for-progress-on-health-data-breaches

Securing Images in the Cloud

By: Neil Buckley, VP Technical Solutions, CynergisTek Inc.

November 30, 2012

Take a moment to reflect on the decades of digital imaging development that have produced “public embarrassment 2.0” in the public sector. Digital imaging has showcased people with all the colors of the emotional rainbow and unparalleled stupidity, but it has also been an amazing medium for improving lives the world over. Now, take a moment to consider the images of our family, friends and indiscretions that live on a global stage, and then imagine what it would be like if the images your doctor views were to reside on that same global stage.

As you do so, ask yourself how securely Facebook, YouTube, Pinterest, Photobucket, Flickr or Shutterfly are designed to protect from public view the images your doctor uses to diagnose your condition. Also imagine that you have been in an accident and the Emergency Department doctor needs to see your images before he performs surgery. Can Amazon, Rackspace or Google provide the infrastructure to support the confidentiality, integrity and availability required of business-critical image storage?

Of course, you might be thinking at this point, it’s just a picture, right? So, let’s examine that for a moment. The digital image rendered by the camera on your phone can range in size from very small to very large. The larger the photo, the steeper the cost to process and transfer the image. Anyone with a teenager and a shared data plan knows the value of teaching them to send small pictures. Businesses everywhere are running into this challenge, and where there are challenges, there are opportunities. Those opportunities are gaining traction in lowering the TCO of image lifecycle management.

Imaging has been in place at hospitals for decades. Traditionally this technology was a bulky piece of specialty imaging equipment that supported input to the process of a clinical diagnosis. This technology was supported by the development of the Digital Imaging and Communications in Medicine (DICOM) standard in the mid-‘80s, which served as a universal standard for image sharing in the clinical setting. When coupled with the HL7 messaging standard, this process became a catalyst for change in the clinical decision-making process. It became possible to support image review remotely. Like most things designed in the ‘80s and reengineered in the ‘90s, it was a specification meant to solve a problem and facilitate a better transaction. Confidentiality, integrity and availability were afterthoughts on this solution. Later revisions of the standard bolted security onto the solution without the same universal success as the earliest specifications.

Today, in 2012, our imaging technology has come a long way, but the images are no more secure or private than they were when we started decades ago. Clinicians want the most detailed imagery they can get when making a diagnosis. If we think about sending these large images, we quickly see the magnitude and complexity of the healthcare clinician’s use; these images are only dwarfed by the CGI industry.

As healthcare providers look to reduce their expenses, they will look to outsource image storage and delivery to cloud service providers. That outsourcing process can put patient data at risk. The obligation to keep the data safe, secure and private remains in effect regardless of the competing demands to lower costs and improve care; security and privacy cannot be sacrificed.

There is no such animal as free IT; all services, infrastructure and business processes come with costs. They also come with risk. Businesses and consumers utilizing digital imagery need to be aware of these risks. Those risks might seem obvious, but let’s examine the most common and relevant ones for the purposes of this article.

Unauthorized access and disclosure of personal information. This is typically at the top of the list for healthcare IT initiatives, though not for clinical initiatives. Migrating private services to a public cloud infrastructure will place the data on those cloud infrastructures at greater risk than data supported, administered and delivered internally. In addition, organizations will need to open their infrastructure to those cloud services to ensure that the clinical workflow is not impacted adversely by the transition to the new service offering.

Ensuring the integrity of the data and service. Healthcare typically equates integrity and privacy with encryption. Traditionally, encryption has come in two distinct flavors, data encryption and transport encryption. For reasons I would attribute to poorly written legislation and regulatory guidance, data encryption has become device encryption, and the impact is still being felt on the internal infrastructures of most healthcare organizations across the country.

Managing an encryption model that adequately protects the data while meeting the demands of the clinical workflow will be challenging for most information security programs. In practice, the security provided by the cloud providers will be accepted and remain untested against the demands of the clinical data, and the images will be at risk.
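The distinction drawn in the two paragraphs above, between transport encryption (which protects bytes only while they are in flight) and data encryption (which protects the object wherever it rests), is what stops an outsourced image store from becoming a single point of exposure. The Go program below is an added example, not code from the original article or from CynergisTek. It seals a stand-in for a DICOM file with AES-256-GCM under a key that stays with the covered entity, binds the study identifier as additional authenticated data so a blob cannot be silently re-filed under another patient, and shows that modification in the store, relabelling, a wrong key or a short key all fail closed. The key, study identifiers and image bytes are constructed for the example; `SealImage`, `OpenImage`, `Tampered` and `Relabeled` are names chosen here, not any product’s API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ImageEnvelope is the object actually handed to the cloud store. Only
// ciphertext and a nonce leave the covered entity; the key never does.
type ImageEnvelope struct {
	StudyID    string // left in the clear so the store can index it
	Nonce      []byte // 12-byte GCM nonce, unique per sealed object
	Ciphertext []byte // encrypted image followed by the 16-byte auth tag
}

// newGCM wraps a 32-byte AES-256 key in AES-GCM (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealImage encrypts an image under a key held by the covered entity. The
// study identifier is authenticated but not encrypted: re-labelling the
// stored blob invalidates the tag even though the ciphertext is untouched.
func SealImage(key []byte, studyID string, image []byte) (*ImageEnvelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, image, []byte(studyID))
	return &ImageEnvelope{StudyID: studyID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenImage decrypts and verifies. A flipped bit, a truncated object, a
// mismatched study ID or the wrong key all return an error and no plaintext.
func OpenImage(key []byte, env *ImageEnvelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.StudyID))
	if err != nil {
		return nil, fmt.Errorf("image rejected: %w", err)
	}
	return pt, nil
}

// Tampered returns a copy of env with one ciphertext bit flipped, standing in
// for corruption or malicious modification inside the cloud store.
func Tampered(env *ImageEnvelope) *ImageEnvelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[len(ct)/2] ^= 0x01
	return &ImageEnvelope{StudyID: env.StudyID, Nonce: env.Nonce, Ciphertext: ct}
}

// Relabeled returns a copy of env filed under a different study identifier.
func Relabeled(env *ImageEnvelope, otherStudy string) *ImageEnvelope {
	return &ImageEnvelope{StudyID: otherStudy, Nonce: env.Nonce, Ciphertext: env.Ciphertext}
}

func main() {
	// Constructed sample: a fixed 32-byte key (a real deployment draws it from
	// the entity's key manager) and a stand-in for a DICOM file's bytes.
	key := bytes.Repeat([]byte{0x42}, 32)
	image := []byte("DICM constructed pixel data, not a real study")

	env, err := SealImage(key, "STUDY-0001", image)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored object: %d bytes; plaintext visible to the store: %v\n",
		len(env.Ciphertext), bytes.Contains(env.Ciphertext, []byte("pixel")))

	if pt, err := OpenImage(key, env); err == nil && bytes.Equal(pt, image) {
		fmt.Println("authorized read: image recovered intact")
	}
	_, err = OpenImage(key, Tampered(env))
	fmt.Println("modified in store:", err)
	_, err = OpenImage(key, Relabeled(env, "STUDY-0002"))
	fmt.Println("filed under another study:", err)
}
```

Transport encryption (TLS to the provider) is still needed, but it ends at the provider’s edge; with this arrangement a provider-side exposure yields only ciphertext, and the integrity question in the paragraph above is answered by the authentication tag rather than by trust in the provider.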

Availability of clinical data is a risk to the business for a whole host of reasons, but for the purposes of this discussion we’ll focus on patient safety. Cloud services utilize the Internet and shared infrastructure to keep the costs of their services lower than what your practice could theoretically reproduce them for internally, though I think it is too soon to tell whether the ROI on the cloud services industry has been properly calculated. The risk to organizations is that the Internet, or Amazon EC2, is down (and it has happened). That translates into potential patient safety issues: if you can’t process the image, it will be tough to render a clinical decision.

Of course I’ve used an example that will undoubtedly raise some eyebrows as to why folks would even consider this service as a cloud candidate. Consider for a moment: healthcare clinical data is regulated and must be retained for a period of no less than 7 years.

Now ask yourself if this is core business to healthcare? It’s not, taking care of sick people is. To accomplish the improvements demanded by the people, healthcare will need to be able to take advantage of these cost savings.

Well, damn the torpedoes, we’re going to do it, we’re out of options, our budgets have been flat since 2008, patient census is down, referrals are down, and we need to reduce costs so we can ensure the continuity of the mission to take care of sick people!

Take heed. Prepare the battlefield you’ll be fighting on. Shape it as much as you can to ensure victory (if that’s even possible). Ensure that you understand the risks and exposures of the cloud architecture options in painstakingly technical detail. Ensure that you understand the use of images to support the business of healthcare. Ensure that you have the support of the clinical community. Most IT practitioners in healthcare spend very little time in the point-of-care areas, and this can be disastrous when migrating an internal workflow to an external workflow. Embrace the SLA, be the SLA, and please use a seasoned contract professional to ensure that the provider is contractually obligated to deliver on your needs and requirements.

So, what should you do first?

Businesses should invest in the proper training and support staff to assist you in transitioning from an internal infrastructure to a cloud-based infrastructure. This means that you’ll need to accept that you’ll need to cultivate, hire or partner with the right talent. Given my experience on the inside of a large healthcare IT shop for a decade, I would advocate for hiring or partnering to deliver the right solution to your community.

Get educated and keep your eye on the next-generation horizon: cloud service products that support an SLA model embracing confidentiality, integrity and availability as part of the base feature set, not a bolt-on, not an afterthought in response to pending legislation. When CIA is part of the base specification and implemented smartly, as history has taught us, our lives just become easier.

Consumers should just be cautious and smarter about the images they post. There is no privacy or security in the cloud or on the Internet. If you wouldn’t shout it in a quiet public setting like yoga, church or a high-end restaurant or perform it in the middle of the park on the busiest day of the year, don’t post it. It’s that simple.

Health Breach Tally Tops 500; But Do the Stats Reflect Real Progress?

By Marianne Kolbasuk McGee, Managing Editor, HealthcareInfoSecurity

Major U.S. healthcare data breaches have surpassed a significant milestone: More than 500 breaches have been confirmed since September 2009, when the U.S. Department of Health and Human Services began keeping tabs.

Those incidents, each affecting 500 or more individuals, have impacted a combined total of 21.2 million individuals.

Hitting the 500-breach milestone is a signal that “healthcare continues to lag in its commitment to resources for privacy and security programs,” says Mac McMillan, CEO of CynergisTek, a data security and privacy consulting firm. Until organizations pay more attention to breach prevention, “we’re going to continue to see these kinds of results,” he says.

HIPAA compliance audits conducted on behalf of HHS “have identified a critical gap in organizations’ ability to monitor what users are doing in their enterprises,” McMillan adds.

But McMillan is somewhat encouraged that fewer huge breaches have been reported so far in 2012, compared with 2011. Only one incident has affected more than 500,000 individuals in 2012; last year, there were five such incidents.

“While we still lag in several critical areas, organizations are doing better,” he acknowledges.

Increased awareness of breaches is leading to the reporting of more incidents, the consultant contends. “I think the numbers today are far more accurate than those reported in past years,” says McMillan, who is also chair of the Healthcare Information and Management Systems Society’s Privacy & Security Steering Committee.

To continue to reduce the number of serious breaches, McMillan says healthcare organizations need to invest more in security technology, training and improving how they monitor their business associates.

The Latest Numbers

In the past month, only four incidents affecting about 14,000 individuals were added to the HHS’ “wall of shame” tally of breaches, bringing the total to 502 incidents since September 2009, when the HITECH Act-mandated HIPAA breach notification rule took effect.

The HHS Office for Civil Rights adds – and sometimes deletes – breaches as it conducts investigations and confirms the details. OCR recently consolidated two entries involving Howard University, which are now listed as one incident affecting 66,000, an OCR spokeswoman confirms.

Since 2009, 54 percent of the data breaches reported have involved lost or stolen unencrypted electronic devices or media. That includes three of the four breaches added to the list over the last month. Breaches involving business associates account for more than 20 percent of all incidents.

So far, OCR has posted about 91 incidents occurring in 2012 affecting about 2.06 million individuals. Only four of those incidents have affected 100,000 or more individuals.

By comparison, the OCR list includes about 148 incidents in 2011 affecting 10.8 million. That includes five huge incidents accounting for 86 percent of all those affected by breaches last year.

Largest 2012 Breaches

The largest 2012 breaches reported so far include:

  • Utah Department of Health: A March hacking incident that affected 780,000 individuals.
  • Emory Healthcare: A February incident involving 10 missing computer disks that affected 315,000 individuals.
  • South Carolina Department of Health and Human Services: A January incident affecting 228,000 Medicaid recipients. That case involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.
  • Memorial Healthcare System in Hollywood, Fla.: A July breach involving improper access to patient information via a physician web portal by an employee of an affiliated doctor’s office affected 102,000 individuals.

Reason for Optimism?

Although the number of breaches, and the number of individuals affected, appears to be declining so far in 2012, “I wouldn’t put too much weight on that yet,” says Dan Berger, CEO of IT security audit firm Redspin. That’s because the totals still could rise in the weeks ahead.

“Certainly the ‘carrot and stick’ impact of [HITECH Act EHR] meaningful use incentives, which require a HIPAA security risk analysis, and recent [OCR] breach penalties has elevated IT security in importance among providers,” Berger says. “But we’ve yet to see widespread improvements in two critical areas – business associate oversight and employee security awareness training.”

A security risk analysis is only the starting point in any breach prevention effort, Berger stresses. “Many organizations put the emphasis on compliance which, while important, is not synonymous with security. We believe IT security in healthcare is an ongoing process.”

Healthcare organizations must maintain a state of breach prevention readiness through a persistent cycle of testing, remediation and validation, he adds. “The same is true for employees and business associates. It is not enough for an employee to attend HIPAA training once per year or a BA to simply agree to security provisions in a contract. Security requires more engagement.”

The OCR Audit Protocol

October 10, 2012 | Mac McMillan – Privacy and Security

We have talked about the Office for Civil Rights (OCR) audits in past posts and I’ve gotten a lot of questions about the audit protocol that the auditors use and that OCR posted on their website a couple of months ago now. Like many aspects of the OCR Audit Program, the protocol is still a work in progress, which is the first thing you should know and understand. That means it is still subject to change and in fact has changed several times already since it was posted. So if you go to use it make sure you get the latest copy from the OCR website directly.

The second most important thing to know is that the protocol was developed as a tool to guide the audit process and the auditors’ interviews — not as a complete listing of all the questions they could ask about your program to assess your performance.

Third you should know that the auditors are not bound by the protocol, meaning they do not have to ask every question in the protocol when they audit you. What this should tell you is that the audit protocol is a useful tool for assessing your own program ahead of time, but it is not a model for your program or the only thing you should focus on to ensure you are compliant and ready. The best way to do that is still to have implemented a sound program based on a complete security model.

Since I did say it was a useful tool to assist in assessing your readiness, it would also be good to know how to use it. The protocol is based on the three rules covered by the audit program: HIPAA Security, HIPAA Privacy and HITECH Breach Notification. The protocol breaks down the rules into what it refers to as procedures. There are currently 169 procedures outlined in the Protocol, 78 in Privacy, 81 in Security and 10 in Breach Notification. Each procedure is then broken down in a distinct pattern.

Each procedure starts with the specification from the rule and restates the language verbatim. Then it breaks down the specification into a set of key activities. For instance, in Access Control a key activity is terminating access when no longer required. Then for each activity there is a set of questions that the auditor must answer and gather evidence to corroborate his/her findings. To accomplish this, the auditor will interview management as to whether a policy or procedure exists to cover the activity and to explain the routine process followed. The auditor will then ask to see (obtain and review) all related documentation for the activity to include: policies, procedures, forms, checklists, records, audit trails, etc. And last but not least, if the specification is “addressable,” the auditor will ask for documentation any time the entity has chosen not to fully implement the specification and their rationale for doing so. So how do you use the protocol to assess your program?

  1. Download the protocol from the OCR website.
  2. For each Procedure/Key Activity identify the policy, procedures and any other documentation you have related to its implementation.
  3. Interview staff to make sure that what they describe as their routine process is what is documented.
  4. Locate supporting evidence that demonstrates compliance.
  5. Last but not least, identify any gaps and remediate.

CEO of CynergisTek, Mac McMillan Mentioned in “The Unpopular Answer to Data Protection”

October 6, 2012 by Gabriel Perna

I’ve been thinking about data breaches in healthcare a lot lately. For my feature in the October/November issue of Healthcare Informatics, I interviewed various industry thought leaders who had plenty to say on the topic. One constant theme from every interview subject was that this issue is primarily an organizational one. When I interviewed James Rountree, senior consultant for Aspen Advisors, in a recent two-part podcast series, he echoed those feelings.

As Michael ‘Mac’ McMillan, chair of the HIMSS Privacy & Policy Task Force, and co-founder and CEO of CynergisTek Inc., a health information security and regulatory compliance firm located in Austin, Texas, says, the unpopular answer to why we’ve seen an uptick in the amount of data breaches is “carelessness or lack of attention to controls, or lack of attention by the organization.”

What does this mean? It can mean lost portable devices, stolen devices, unencrypted devices and unencrypted data, and the lack of a multi-layered firewall. It can mean uneducated employees, the lack of uniform BYOD policies, or a miscommunication with a third party. It can mean a lot of things, but whatever it is, it ultimately falls back on the organization. I keep thinking of something John Halamka, M.D., CIO at the Boston-based 649-bed Beth Israel Deaconess Medical Center (BIDMC), told me during our interview.

“CIOs may not have a lot of authority, but we have a whole lot of accountability,” he says.

That is an accurate statement if I’ve ever heard one!

Take a recent story I read about in Florida. At the 525-bed general medical and surgical facility, the University of Miami Hospital, two employees accessed patient information from registration “face sheets,” and reportedly sold that information to a third-party. According to the hospital, this happened between Oct. 2010 and July 2012, almost two years uninterrupted.

Interestingly, this mirrors another Florida-based data breach. This one occurred at Florida Hospital Celebration Health, a 112-bed acute care facility. In that case, a 35-year-old hospital employee, his 31-year-old wife, and a 30-year-old co-conspirator accessed more than 760,000 patient records from 2009-11, and reportedly sold them to the agent of a medical center, chiropractic clinics, and an injury hotline.

Let’s say for the sake of argument that these charges are true. How does an organization let this kind of behavior happen over a two-year period? You can make every excuse in the book and hospital leaders may not be directly at fault, but don’t be mistaken, as Halamka says, the unquestioned accountability lies at the top.

Halamka would know. His hospital, an industry-recognized leading medical facility, has had to deal with multiple data breaches. After the most recent one, tired of dealing with accountability, he decided to take a more aggressive stance. Every device that touches the BIDMC network, whether it’s the hospital’s own device, the physician’s personal device, or something else, must be synched by the IT team. This forces password-protection and encryption on every device that touches the network, Halamka says.

Other CIOs would likely agree that shoring up policies is the way to go. I heard similar things from Sue Schade, currently CIO of the University of Michigan Hospitals and Health Centers and formerly CIO of Brigham & Women’s Hospital at the time of a recent breach, and Jim Turnbull, CIO of the four-hospital, integrated University of Utah Health Care system, both of whom dealt with breaches of their own.

With all the digitization of healthcare data set to take place in the coming years, this issue will only become more prominent. What’s the first thing providers need to focus on to avoid making the federal Department of Health and Human Services (HHS)’ growing list of data breach victims? Schade’s three-word answer should suffice: “Policy and training.”

Mac McMillan to Speak at HIMSS 2012 Summit of the Southeast

Healthcare IT Security in the Era of Meaningful Use & Heightened Enforcement

Tuesday, October 16, 2012 at 12:00 p.m. EST 

Nashville Convention Center: 601 Commerce Street, Nashville, TN 37203, (615) 742-2000

Presenter: Mac McMillan, CEO Cynergistek and Chair HIMSS Privacy & Security Task

McMillan will provide session attendees with a foundational understanding of the most significant IT security challenges facing healthcare today, including the security implications of Meaningful Use and other regulatory initiatives. In addition to providing an update on current industry trends, McMillan will also share lessons learned from CynergisTek’s experiences providing consultative services to multiple entities chosen to undergo the pilot phase of the Office for Civil Rights (OCR) HIPAA Audit program.

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.