Tag Archives: compliance

Government Health IT Discusses Mac McMillan’s Thoughts on Omnibus Rule

CynergisTek’s CEO, Mac McMillan was recently interviewed and cited by Government Health IT.

Omnibus HIPAA Rule’s Impact on Data Breach Notification – January 18, 2013, by Tom Sullivan, Editor, and Mary Mosquera

WASHINGTON – “The Omnibus Rule will come out this year,” Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek explained earlier this week, “and when it does OCR will have what it needs to investigate their issues.”

And so the HIPAA Privacy and Security final rule arrived late Thursday, to a large extent tracking what was in the proposed rule, but also bringing some significant changes that will impact the industry, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications.

“The one that will probably get the most attention is the definition of a breach,” Belfort added. “There’s been a lot of controversy over the ‘risk of harm’ standard.”

[Q&A: Belfort on the delicate dance of data breach notification]

Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but HHS indicated it might rethink that, Belfort explained, and in the omnibus rule replaced it with an assessment of whether the improper disclosure compromises PHI (protected health information).

“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort said. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk of harm standard.

Deven McGraw, director of the health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee said this is a very positive development.

[See also: Final HIPAA rule brings changes to fundraising, marketing of PHI]

“It continues to give organizations the right to do an investigation about what happened in the breach, and to make the judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”

The rule also, as McMillan pointed out, arms OCR to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.

Belfort expects the uptick in audits and fines currently under way to continue.

“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”

http://www.govhealthit.com/news/omnibus-hipaa-rules-impact-data-breach-notification

One Cheap and Easy Thing All Companies Can Do to Boost Security

Event logs are the basic text of what happens in your corporate systems. So why do so many companies ignore them?

We love this blog post by Constantine von Hoffman – http://advice.cio.com/security/17256/one-cheap-and-easy-thing-all-companies-can-do-boost-security which we have reposted below.

In fact, we had a vibrant discussion about this very topic internally yesterday.  We might take a bit of exception to the assertion that log review is “cheap and easy.”  I mean, if it were so cheap and easy, wouldn’t most organizations be doing it?

What we find in healthcare is that the logs are so voluminous because there are so many disparate systems and devices in play.  Most organizations report to us that it is simply impossible, based on the way they are resourced, to have any kind of meaningful log review and log management program.  Further, it is hard to translate for the “non-techies” in risk management how this process is vital to enterprise risk management.  So what happens?

Higher performing organizations are collecting and archiving the logs from most of their systems so that they have them “handy” in the event that they need them to support an investigation or incident response.  Maybe a few of those high performers review logs for their high value/high risk systems routinely.  The highest performers have dedicated the resources required – through the internal investment in tools and/or staff or via outsourcing to an MSSP – to implement an operationally-relevant and compliance-aware log management program.

That said, more often than not, we encounter organizations that don’t know what they are collecting, don’t know whether auditing is enabled on their systems or how it is configured, and have no log review or log management program in place.

The operational relevance is obvious, but in healthcare we also have that little regulation better known as the HIPAA Security Rule, which specifically calls out regular review of records of information system activity (audit logs, access reports and security incident tracking reports) as an implementation specification, 45 CFR §164.308(a)(1)(ii)(D), alongside the audit controls standard at §164.312(b). OCR’s audit program refers to this area as “user activity monitoring.” An effective log management program goes a long way toward meeting this compliance requirement.

Based on the recent summary report from the first 20 OCR audits,  what was the single greatest deficiency or area of non-compliance vis-a-vis the HIPAA Security Rule?  You guessed it (and if you are a regular reader, you’ve read it here before)…User Activity Monitoring.

In our discussions with OCR, it is clear that this facet of an organization’s information security program is going to continue to be carefully reviewed and scrutinized.  So, whether via a formal audit, breach or complaint investigation, be prepared to have your log management program under the microscope.

It is our belief, from our 10+ years of experience and service to the healthcare industry, that few organizations are on a trajectory for IT security staffing to effectively implement an organic log management program.  After all, your core business is healthcare and your team should be focused on the enablement of care.  As we have mused in previous posts, maybe this is the time for organizations to make an active choice to engage security experts to support their security functional requirements, particularly those that really lend themselves well to outsourcing, like log monitoring and management.

Of course, at CynergisTek, we have a solution for this and we would be happy to talk with you more about what we are doing and how we have chosen to help our clients address this gap.  But what we really hope this post compels, is a change in the conversation that you are having internally.  Does it really make sense to build an information security empire within your healthcare organization or does it make better sense to be a healthcare center of excellence that practices good security?  That is a strategy and tactical discussion that we would love to support you with if our experience can be of help.

Make it a good day!


————————————————————————————————————————————–

The business equivalent to the personal-security sin of using the word “PASSWORD” as your password: not collecting and reviewing the data from all your system logs. Chances are you’re not doing that. And you should feel guilty about it. But you can take some comfort in knowing you’re not alone.

“Relatively few do it,” says Sherri Davidoff, co-author of the startlingly well-written new book Network Forensics: Tracking Hackers Through Cyberspace. “Mostly it’s companies in the financial sector which are at risk of losing money directly from being attacked.”

The truth is most companies don’t know when they’ve been hacked. That’s not just Davidoff’s opinion. I’ve been told the same thing by folks in the security industry and in law enforcement. One agent from the FBI said he stopped counting the number of times he told IT execs about attacks that they knew nothing about.

Why does this happen? Companies don’t regularly review their event logs to see what’s going on in their own systems.

It astounds me that checking event logs is so uncommon. It’s kind of like checking to make sure you didn’t leave the key in your door lock, folks. You’re probably wagging your head in disbelief, too, because no CIO.com reader could be that clueless…could they?

Just in case you decide to pass this post along to someone who works at one of those other companies, I will explain why event logs matter:

  • They contain lots of info directly relating to your network, like DHCP lease histories and/or network stats.
  • They include records of network activity including remote login histories.
  • Because they have been transmitted over your network they create network activity.

If you want to find anomalies or unauthorized/unexpected users, the information is all there in event logs.
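As an added example, not code from the CIO.com post or from CynergisTek, the following script shows what the “user activity monitoring” review described in the commentary above looks like when run over the kind of remote-login records this list mentions. The log lines are constructed for the example in standard sshd syslog format; the hostname, IP addresses, the allowed-user set, the failure threshold and the business-hours window are all assumptions chosen for illustration, not values from the page. It flags three things a reviewer would want surfaced: a successful login from an address that had just racked up failed attempts, a successful login by an account not on the expected list, and an off-hours login from outside the internal network.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog format). Not real data;
# the host name and addresses are placeholders for the example.
SAMPLE_LOG = """\
Jan 18 02:14:01 ehr-db01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 18 02:14:03 ehr-db01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 18 02:14:06 ehr-db01 sshd[4023]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 18 02:14:09 ehr-db01 sshd[4025]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan 18 02:14:12 ehr-db01 sshd[4027]: Failed password for root from 203.0.113.7 port 51029 ssh2
Jan 18 02:14:15 ehr-db01 sshd[4029]: Accepted password for root from 203.0.113.7 port 51031 ssh2
Jan 18 08:02:11 ehr-db01 sshd[4102]: Accepted publickey for dbadmin from 10.0.5.14 port 40122 ssh2
Jan 18 23:47:30 ehr-db01 sshd[4311]: Accepted password for jsmith from 198.51.100.22 port 60001 ssh2
"""

# Matches the "Accepted"/"Failed" authentication lines sshd writes via syslog.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)"
)


def parse_events(text):
    """Parse sshd auth lines into dicts; lines from other daemons or in
    other formats are skipped rather than treated as errors."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hh"])
            events.append(ev)
    return events


def review_logins(text, allowed_users, fail_threshold=3,
                  internal_prefixes=("10.",), business_hours=(6, 20)):
    """Walk the log in order and return a list of findings.

    allowed_users     accounts expected to log in to this host (assumed list)
    fail_threshold    failed attempts from one source before a later success
                      from that source is flagged (assumed value)
    internal_prefixes address prefixes treated as the internal network (assumed)
    business_hours    [start, end) hour window for routine external access (assumed)
    """
    findings = []
    failures_by_ip = Counter()
    internal_prefixes = tuple(internal_prefixes)
    for ev in parse_events(text):
        if ev["result"] == "Failed":
            failures_by_ip[ev["ip"]] += 1
            continue
        # From here on ev is a successful login.
        base = {"user": ev["user"], "ip": ev["ip"],
                "time": f'{ev["mon"]} {ev["day"]} {ev["hh"]}:{ev["mm"]}'}
        if failures_by_ip[ev["ip"]] >= fail_threshold:
            findings.append(dict(base, type="success_after_failures",
                                 failures=failures_by_ip[ev["ip"]]))
        if ev["user"] not in allowed_users:
            findings.append(dict(base, type="unexpected_user"))
        external = not ev["ip"].startswith(internal_prefixes)
        start, end = business_hours
        if external and not (start <= ev["hour"] < end):
            findings.append(dict(base, type="off_hours_external_login"))
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG, allowed_users={"dbadmin"}):
        print(f'{f["type"]:26} {f["time"]}  user={f["user"]}  from={f["ip"]}')
```

Two design points worth noting. Findings are produced in log order, so the same successful login can raise more than one finding (the root login above raises three), which is the behaviour a reviewer wants: each finding answers a different question. And the script only reads what sshd already records; the hard part in a real environment, as the commentary above says, is getting those records off each system and into one place before anyone can run a review like this.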

What is even more baffling about the fact that these logs so frequently go unreviewed is that companies don’t have to check logs manually. They don’t have to sort through all the different log formats to figure this stuff out. There are a lot of programs that will do all of this. All you have to do is read the report.

“You want to make sure you’re not the lowest fruit on the tree; that you’re not the most vulnerable,” says Davidoff. “Fortunately or unfortunately, that’s not that hard to do.”

PS: I read a lot of computer-related books. In most cases I would rather try to read machine code. That is why I have to point out that Network Forensics is actually well-written. It is a text book that you can read and really learn things from. You probably went to college, so I don’t have to tell you how rare that is.

Alaska DHSS settles HIPAA security case for $1,700,000

The $1.7M fine levied on the Alaska Department of Health and Social Services should pique the interest of compliance officers and risk managers across the healthcare industry.

One stolen USB storage drive.  501 Medicare beneficiaries.  A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan.   Three years of independent monitoring of its compliance.

These are the new stakes associated with data breaches. In looking specifically to the Corrective Action Plan documented for the Alaska DHSS, its obligations include:

1.  Remediation, Update and Dissemination of Policies and Procedures

2. Workforce Training

3. Risk Analysis and Risk Management Process Remediation

4. Designation of an Independent Monitor for a period of 3 Years

Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.

Would a reported breach open a Pandora’s Box in your organization?  Most of you that we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.

The circumstances of this breach provide you the “conversation starter” that you may need to engage or re-engage your leadership around HIPAA/HITECH compliance.  Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.

Contact us if we can be of assistance.


Business Partners: A New Risk to Health Data Security?

by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article here: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx

KPMG Official Describes Early Audit Results, What to Expect If You’re Selected

Reprinted from REPORT ON PATIENT PRIVACY, the industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security.

In his first public comments since his consulting firm officially “exited the field” after wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says covered entities (CEs) are failing to complete basic tasks, such as conducting a risk analysis and giving out a notice of privacy practices.

Michael Ebert, national HIPAA services leader for KPMG, which is performing the audits for OCR, also said a review revealed a pharmacy chain that had failed to provide enough physical space to conduct medical consultations.

“We have walked into entities that are not fully compliant, of course, but what I think is great about this program is it’s really about understanding what the entities are doing and what additional guidance they need, at all levels,” Ebert said.

The unprecedented audit program, undertaken by the Office for Civil Rights as required by the 2009 HITECH Act, is expected to include an additional 95 audits of CEs before it concludes at the end of this year. OCR does not plan to release any findings until that time, and then only details that do not implicate CEs by name. Instead, a report will provide what Ebert termed not “best practices,” but “both better practices and weaknesses the industry has” in meeting the privacy and security rule requirements, which include breach notification mandated under HITECH.

However, OCR has also made clear that egregious findings could prompt an “enforcement investigation,” which sometimes conclude with settlement agreements that identify the errant CE and require a financial payment to close a case (see story, p. 1).

The scope of work under the $9.2 million contract included the creation and the testing of the protocol in 20 audits, which was accomplished by March 1. “Draft reports are out for the first 10,” Ebert said at the recent National HIPAA Summit in Washington, D.C. From those audits “we’ve got some information” but findings are “going to evolve as we get through a greater population,” he said.

During his address, Ebert said the development of the audit program included the “arduous” creation of criteria for HIPAA compliance and then the development of the “protocol” for measuring that, while stressing, “We’re standing up a program that hasn’t existed before.” OCR has pledged to release the audit protocol publicly but had not done so by press time; Ebert’s comments provide the most information about the audits and protocol to date.

OCR based the HIPAA audits on Generally Accepted Government Auditing Standards, known fondly by financial geeks as GAGAS, and which are published in the so-called “Yellow Book.” GAGAS calls for “performance audits,” which can be executed by any governmental agency. Ebert said KPMG employs a former deputy director for the Government Accountability Office “who actually was one of the architects” of performance audits.

“KPMG actually has done now three of the top four largest performance audits that the government has contracted out for to date,” he said. “So we have a tremendous amount of knowledge and experience in this area.”

However, it was still necessary to “create performance criteria” to apply to the OCR audits, “and that’s the toughest thing,” he said. This was accomplished with the “KPMG team sitting in a room with the OCR team,” which included Sue McAndrew, deputy director for health information privacy, and David Holtzman, health information privacy specialist, and “having great discussions about how you measure and quantify compliance with the law.”

The protocol “can go at many different levels. And that’s the interesting aspect, because the protocol will always change. It depends on how far and how deep you go…how specific you want to get in the process,” he said. “The protocol is an evolutionary process, where the criteria are just the criteria. It will always be the measurement base that you are working against.”

Ebert noted that the protocol covers all of the privacy and security requirements, with the exception of the accounting of disclosures “because it’s still in draft.” A final rule for the accounting of disclosures, which includes controversial access reports, will not be included in the “omnibus” final rule that is expected to be released early this summer (RPP 4/12, p. 1).

CEs may find comfort in Ebert’s statement that OCR had “a tremendous amount of concern in not creating too much burden [for auditees] in how things got applied and how we did our work.” He called the audit approach “very balanced.”

Security Compliance Is Difficult to Measure

In addressing privacy, Ebert said, “there were serious questions we had, particularly when you get to areas of uses and disclosures, and minimum necessary.” Minimum necessary is a concept that has bedeviled many a CE and is the topic of guidance that OCR expects to issue when the final regulations are released (RPP 5/12, p. 1).

However, overall, “What we’ve always kind of known…is privacy is, again, very well defined. It’s not tough to understand. It may be tough to implement in some aspects but if you’ve got a good training program, if you’ve got a good awareness program, if you’ve got good governance and policies, the basic instruments” — those are the elements necessary for compliance, he said.

Creating the protocol varied for security versus privacy, he said. In the security rule, the specified standards “are directly definable but there wasn’t a lot of criteria within the law, where with privacy there was,” Ebert said. So the dialogue about the security portions of the protocol “was more balanced of a discussion about industry practices, standards that are out there and application of the standards.”

Ebert said developing performance criteria for the security rule and “to measure that and understand the application of that was a big struggle.”

Without providing specifics regarding noncompliance with the security rule, Ebert said KPMG has “seen a lot of issues at complex entities.”

Regarding who was audited, OCR used another consulting firm, Booz Allen Hamilton, to “identify audit candidates” and “provide background and recommendations” for the audit program, Ebert noted. As RPP reported in December based on a speech by an OCR official, the first 20 auditees were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them. Of the 20, 10 were providers, eight were health plans and two were clearinghouses (RPP 1/12, p. 1).

All Size CEs Were Audited

  • Tier 1 organizations are the largest, with “revenues or assets greater than $1 billion,” and consisted of five entities: two health plans, two provider organizations and one clearinghouse. These had “extensive use of health information technology, complicated HIT-enabled clinical and business work streams.”
  • Tier 2 was composed of six entities: three health plans, two providers and one clearinghouse. These included hospital systems with three-to-10 hospitals or regions, and regional insurance companies. Assets among the entities in this group are valued at between $300 million and $1 billion.
  • Tier 3 had one health plan and two providers, which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims.” With revenues between $50 million and $300 million each, these organizations had “some but not extensive use of HIT [and] mostly paper-based workflows.”
  • Tier 4 consisted of six entities: two health plans and four providers, which were described in OCR presentations as a provider practice with 10-to-15 providers, and a community or rural pharmacy. These would have “little to no use of HIT — almost exclusively paper-based workflows” and “less than $50 million” in revenues.

The audited entities ranged in complexity from “single physician practices to complex acute care medical centers,” Ebert said. “And in the first 20 we’ve hit the complete landscape.”

It would seem, based on Ebert’s comments, that the program has hewed pretty closely to how it was described by the OCR official and as presented on OCR’s website — with a possible exception being audits of at least one single-physician practice, which it did not appear would be part of the program. “As you can imagine, we freaked out single physicians when we showed up,” Ebert quipped.

While the information OCR posted said the audits would include three-to-10-day visits for “onsite fieldwork,” Ebert said these “run up to seven days in the field,” compared to three-to-four days for a single physician.

Auditors will arrive “within 30, 60 or 90 days” after an entity has been notified and has complied with a request to submit specified policies and procedures. This request, Ebert hastened to add, “is not a complex advance request list. It’s not the audit.”

One aspect of the audits that Ebert described as “really cool” might cause CEs to shudder. Apparently, a covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.

“We can go in an acute care academic medical center and just look at a very small component like pharmacy or oncology,” Ebert said. OCR is directing the teams to focus on just those areas that have been given a “unique identifier” within the entity, he said.

The audit itself, he contended, “is pretty simple. It’s validating what you have in place and what you don’t have in place.”

Site Visits Result in ‘Findings’

At the end of site visits, “we have findings. We sit down, and we talk about those findings.” An entity may provide further information to mitigate a finding, or clarify something it thinks the team has “misrepresented,” Ebert said. However, once that discussion period ends, time’s up for trying to prove compliance, Ebert added.

“We’ve had entities contact us 30 days out of the field, ‘Hey, I’ve remediated the whole process, you can take the finding off.’” But KPMG responded with, “Well, no, we were in the field, the finding existed, it’s great that you were that proactive and remediate[d] it, but it’s a finding,” Ebert said.

Before findings are submitted to OCR, KPMG sends draft reports to the entities and permits them to respond; their comments will be included. Once a formal report has gone to OCR, the agency will review the findings to determine whether to exercise its option to “do an enforcement-type of investigation.”

As required, KPMG reviewed the protocol after the audits were completed, and found it worked well and did not need to be changed much, Ebert said. A few tweaks, for example, were done to clarify for KPMG personnel that in HIPAA-land, an audit log is an accounting of access, not a financial term.

‘Do a Risk Assessment!’

In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.”

“I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said.

Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.

“We did a review at a large national pharmacy chain and they didn’t have consultation areas that were private enough in a good 20% of their stores,” he said. “It was just the nature of the design. They had not updated their design in some of their stores. And they are doing that now. That was an interesting finding. They were like ‘Oh, we missed that.’”

He also related a personal anecdote about being a patient in an emergency room and never receiving a notice of privacy practices (NPP), despite asking for it. He later learned the hospital’s information system issues an NPP only upon admittance as an inpatient – a definite no-no. Once a patient is about to receive treatment, an NPP should be provided on the spot. Failing to give out an NPP as required “is not uncommon,” KPMG has found.

“These are the common aspects [of noncompliance] that you start to see and we all get to see it,” Ebert said. Withholding an NPP is among the “little things that fall through the cracks on the privacy side.”

© 2012 by Atlantic Information Services, Inc. All Rights Reserved.



CynergisTek to Showcase HIPAA Audit Readiness Solution Portfolio at 2012 HCCA Compliance Institute

Company Co-Designed Solution Series with Davis Wright Tremaine LLP; Drew Upon Firsthand Experience Providing Consulting and Advisory Services Under HIPAA Audit Pilot Program

Las Vegas, April 26, 2012 – HCCA Booth #205— CynergisTek™, an authority in enterprise security and privacy solutions and services for healthcare organizations, today announced that the company will feature its new joint offering, the HIPAA Audit Readiness Solution Portfolio, at the 16th Annual HCCA Compliance Institute from April 29 through May 2 in Las Vegas. The CynergisTek experts designed the solution series in collaboration with the health information technology (HIT) and HIPAA team of national law firm, Davis Wright Tremaine LLP (DWT).

At the HCCA booth, experts from each organization, including CynergisTek CEO, Mac McMillan, and DWT Partner, Adam Greene, will be on hand discussing the new audit readiness portfolio, which was architected specifically to evaluate and improve an organization’s compliance with HIPAA/HITECH based on OCR’s HIPAA Audit Program. The companies will highlight the portfolio’s customized services designed to accommodate the different audit readiness objectives of every healthcare organization with components covering the full scope of audit preparation, from training and risk assessment to a full mock audit. In addition, McMillan and Greene will host “Ask the Expert” informal breakfast briefings in the exhibit hall on the mornings of April 30th and May 1st.

“The experience CynergisTek gained working with one of the hospitals selected for OCR’s HIPAA Audit Pilot Program provided us an opportunity to glimpse into the upcoming phase of compliance and enforcement that will soon become a reality for all healthcare organizations,” said McMillan. “In developing the solution series with DWT, we wanted to address new complexities that are being added to the already-daunting challenges facing compliance professionals today. In unveiling the HIPAA Audit Readiness Portfolio and engaging in discussions with our colleagues at the HCCA Compliance Institute, we hope to make strides in ensuring all healthcare organizations are equipped to handle OCR’s impending enforcement.”

CynergisTek will also be featuring its additional solutions and services, which are specifically designed to help healthcare organizations improve their security and privacy posture, facilitate compliance, advance operational efficiency and foster trust. CynergisTek’s managed and on-demand solutions address the fundamental elements of information security management, including:

  • Strategy and Governance
  • Compliance and Risk
  • Infrastructure
  • Technical Vulnerability Management
  • Audit
  • Managed Security Solutions

To learn more about the CynergisTek-DWT HIPAA Audit Readiness Solution Portfolio and CynergisTek’s range of enterprise security and privacy solutions and services for healthcare organizations, visit HCCA booth #205.

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

About Davis Wright Tremaine LLP

The national healthcare practice of Davis Wright Tremaine provides clients with comprehensive regulatory and transactional services, along with real estate, labor/employment, benefits, litigation, financing (including tax-exempt financing), bankruptcy and tax work. Most healthcare clients also face intense challenges in electronic health records and information management. The health information technology and HIPAA team of Davis Wright Tremaine is deeply involved in helping clients take advantage of emerging technical opportunities and cope with related obligations, including the ongoing HIPAA audits. Learn more at www.dwt.com or contact Adam Greene directly at adamgreene@dwt.com.

###

Media Contact:

Megan Malarkey

Senior Account Executive

Aria Marketing

(617) 332-9999, x215

mmalarkey@ariamarketing.com