Tag Archives: data breach

Data Breaches, Data Security, and the Data Future: Challenges and Opportunities in Healthcare

Healthcare Informatics is hosting a free informative webinar February 19th, 1:00 PM EST.

Mark Hagland, Editor-in-Chief, will be joined by guests Mac McMillan, CEO of CynergisTek, and Eran Farajun, Executive VP of Asigra Inc. The three will host an open discussion of some of the hot topics in healthcare data security. They will address some of the challenges that healthcare IT leaders face, identify what leads to a data breach, and then advise providers on strategies to improve data security.

The recording of the presentation is available in the Healthcare Informatics Webinar Archive. Click here to watch it now.

Security, HIPAA, Breaches, 2012 and Beyond (Video featuring Mac McMillan)

Mac McMillan, CEO, CynergisTek, Inc., summarizes the key issues for 2012 and beyond, the ability of HIPAA to meet today’s IT needs, and avoidable breaches.

Alaska DHSS settles HIPAA security case for $1,700,000

The $1.7M fine levied on the Alaska Department of Health and Social Services should pique the interest of compliance officers and risk managers across the healthcare industry.

One stolen USB storage drive. 501 Medicare beneficiaries. A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan. Three years of independent monitoring of its compliance.

These are the new stakes associated with data breaches. In looking specifically to the Corrective Action Plan documented for the Alaska DHSS, its obligations include:

1. Remediation, Update and Dissemination of Policies and Procedures

2. Workforce Training

3. Risk Analysis and Risk Management Process Remediation

4. Designation of an Independent Monitor for a period of 3 Years

Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.

Would a reported breach open a Pandora’s Box in your organization? Most of you we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.

The circumstances of this breach provide the “conversation starter” you may need to engage or re-engage your leadership around HIPAA/HITECH compliance. Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.

Contact us if we can be of assistance.


Where is your ePHI hiding? A data discovery/data loss risk assessment will tell you

One of the most recent cases of a data breach comes from what, on the surface, may appear to be an unlikely source: PowerPoint charts derived from ePHI-rich source data, embedded in a professional presentation, posted on the websites of two medical associations, by one of the world’s leading cancer centers, Memorial Sloan-Kettering. See the full story here: http://www.healthcareinfosecurity.com/powerpoint-charts-led-to-breaches-a-4868.

While that may seem like a complicated “it cannot happen to us” scenario, think again. How many of your esteemed clinicians conduct research, present, and publish? Not so many? Let’s try another scenario then. How many of your employees create, access, use, manipulate, analyze, or transmit ePHI to perform their duties? Have you implemented technical controls that prohibit your employees from moving ePHI from what may be fortified assets to less fortified assets, like a USB drive or a workstation hard drive? In our ten years, we have not yet met a client that is not struggling to understand just how distributed ePHI has become in their environment and to gain control over it.

The HIPAA Security Rule is clear: Covered Entities need to have control of their ePHI and safeguard it appropriately. To gain control, one has to know where it is first. For many, the challenge lies within unstructured data on employee workstations, file shares, and portable media: documents, spreadsheets, and databases that employees have created. Such is the story with Memorial Sloan-Kettering. But it could very likely be your organization’s story too.

Manual efforts to locate ePHI across the enterprise are fraught with inefficiency and inaccuracy. As introduced in this follow-up article, http://www.healthcareinfosecurity.com/how-to-avoid-exposing-patient-data-a-4891, Data Loss Prevention (DLP) solutions can not only help organizations effectively discover ePHI across the enterprise but also enforce rules and policies to prevent data loss and data leakage.

For nearly three years, CynergisTek has offered clients a structured and affordable way to discover ePHI across the enterprise and measure data loss/data breach risk by monitoring data-in-motion for a defined period of time. Contact us at http://blog.cynergistek.com/about/contact-us/ for more information or to request a quote for this service.
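To make the data-at-rest discovery problem concrete, here is an added example (not code from the original post or from CynergisTek’s service) of a minimal ePHI sweep over unstructured text files on a file share, the step a DLP discovery scan automates. The file tree, the MRN format and the patterns are constructed assumptions for this example; a real scan would use a broader, validated identifier library.

```python
"""Added example: scan text files for likely ePHI identifiers and report per-file counts.
All input is constructed; the MRN layout (MRN-8 digits) is an assumption for this example."""
import re
import tempfile
from pathlib import Path

# Candidate SSN in ddd-dd-dddd layout; plausibility-checked below to cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed medical record number layout for this example.
MRN_RE = re.compile(r"\bMRN-\d{8}\b")

# Constructed sample file content (no real patients).
SAMPLE = """\
Patient Jane Roe, MRN-00012345, SSN 123-45-6789, admitted 2012-02-01
Second patient MRN-00098765 SSN 078-05-1120
Not SSNs: 000-12-3456 666-12-3456 987-65-4321 123-00-4567 123-45-0000
Order id 12-345-6789 is not in SSN layout
"""

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> dict:
    """Count plausible SSNs and MRNs in one document."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    return {"ssn": len(ssns), "mrn": len(MRN_RE.findall(text))}

def scan_tree(root: Path, suffixes=(".txt", ".csv")) -> dict:
    """Walk a directory and return {relative path: counts} for files with at least one hit.
    Only text-like suffixes are read here; office formats would need a real extractor."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            counts = scan_text(path.read_text(errors="replace"))
            if any(counts.values()):
                findings[path.relative_to(root).as_posix()] = counts
    return findings

def demo() -> dict:
    """Build a constructed share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "shares").mkdir()
        (root / "shares" / "research.csv").write_text(SAMPLE)
        (root / "shares" / "notes.txt").write_text("no identifiers here\n")
        (root / "shares" / "deck.pptx").write_bytes(b"binary")  # skipped: not a text suffix
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```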


OCR Publishes its HIPAA Audit Protocol

The industry has been eager for the release of the OCR’s HIPAA Audit Protocol and our wait is over. Today, without fanfare, OCR posted the protocol to its website here: http://ocrnotifications.hhs.gov/hipaa.html

All told, the protocol enumerates 165 areas of performance evaluation: 77 dedicated to the HIPAA Security Rule and 88 dedicated to the HIPAA Privacy and Breach Notification Rules. The protocol cites the specific section of the HIPAA Rules, the established performance criteria, the key activity and the audit procedures. As we experienced in working with our client, one of the first 20 organizations audited, the audit procedures are largely inquiries as to whether, first, policies and supporting documentation exist, and second, whether processes and practices consistent with those policies can be observed.

That said, for organizations looking for a better understanding of what constitutes acceptable performance, or ranges of acceptable performance as we often see in other types of industry audits, the published protocol may still leave the industry wanting for more explicit guidance.

For example, the single most significant HIPAA Security Rule finding of deficiency across the first 20 audits was in the area of user activity monitoring, as reported by OCR’s Linda Sanches at the OCR/NIST conference on June 6, 2012. In reviewing the audit protocol, here are some excerpts associated with user activity monitoring:

Performance Criteria: §164.308(a)(1)(ii)(D): Security Management Process – Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Key Activity: Develop and Deploy the Information System Activity Review Process

Audit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.

Performance Criteria: §164.312(b) Audit Controls – Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Key Activities: Determine the Activities that Will be Tracked or Audited, Select the Tools that Will be Deployed for Auditing and System Activity Reviews, Develop and Deploy the Information System Activity Review/Audit Policy, Develop Appropriate Standard Operating Procedures

Audit Procedure: 

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review an email, or some form of communication, showing that the audit policy is communicated to the work force. Alternatively, a screenshot of the audit policy located on the entity’s intranet would suffice.

Inquire of management as to whether procedures are in place on the systems and applications to be audited and how they will be audited. Obtain and review management’s procedures in place to determine the systems and applications to be audited and how they will be audited.

While this information is certainly helpful, many of our clients want to know how many patient records they should be auditing, how many user accounts they should be auditing, how frequently audits should be conducted, what constitutes acceptable monitoring practice, etc. The performance criteria in the protocol are just not that specific, despite the industry’s desire for more explicit guidance.
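The protocol leaves the "how" of an information system activity review open, so here is an added example (not from the original post or the OCR protocol) of one such review run over constructed ePHI access-log lines: it flags users who touch an unusual number of distinct patient records, act outside business hours, or perform bulk actions. The log format, thresholds and action names are assumptions for this example.

```python
"""Added example: a small §164.308(a)(1)(ii)(D)-style review of ePHI access records.
Log layout, thresholds and action names are assumptions; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$")

# Constructed sample: one clerk exporting many distinct records at 2 a.m.
SAMPLE_LOG = """\
2012-04-19 09:10:02 user=nurse01 action=VIEW patient=MRN-00000101
2012-04-19 09:12:40 user=nurse01 action=VIEW patient=MRN-00000102
2012-04-19 09:30:11 user=nurse01 action=VIEW patient=MRN-00000101
2012-04-19 10:02:55 user=coder02 action=VIEW patient=MRN-00000150
2012-04-19 02:14:05 user=clerk07 action=EXPORT patient=MRN-00000201
2012-04-19 02:14:06 user=clerk07 action=EXPORT patient=MRN-00000202
2012-04-19 02:14:07 user=clerk07 action=EXPORT patient=MRN-00000203
2012-04-19 02:14:08 user=clerk07 action=EXPORT patient=MRN-00000204
2012-04-19 02:14:09 user=clerk07 action=EXPORT patient=MRN-00000205
"""

def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
            yield event

def review(log: str, max_distinct=4, after_hours=(22, 6), bulk_actions=("EXPORT", "PRINT")) -> dict:
    """Return {user: [reasons]} for users whose activity merits follow-up by the privacy officer."""
    distinct, off_hours, bulk = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in parse(log):
        distinct[e["user"]].add(e["patient"])
        hour = e["ts"].hour
        if hour >= after_hours[0] or hour < after_hours[1]:
            off_hours[e["user"]] += 1
        if e["action"] in bulk_actions:
            bulk[e["user"]] += 1
    flags = {}
    for user, patients in distinct.items():
        reasons = []
        if len(patients) > max_distinct:
            reasons.append(f"{len(patients)} distinct patients (> {max_distinct})")
        if off_hours[user]:
            reasons.append(f"{off_hours[user]} accesses outside business hours")
        if bulk[user]:
            reasons.append(f"{bulk[user]} bulk actions ({'/'.join(bulk_actions)})")
        if reasons:
            flags[user] = reasons
    return flags

if __name__ == "__main__":
    for user, reasons in review(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```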

Another area of deficiency that both OCR and KPMG have commented on publicly is the performance of risk assessment among the first 20 audited organizations.  The protocol offers the following:

Performance Criteria: §164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(a) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Key Activity: Conduct Risk Assessment

Audit Procedure: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Again, so many of our clients want to understand what “periodic basis” really means. Is that annually? What kind of change in the environment necessitates an update to the risk assessment? One thing is clear from the audit procedure: covered entities need to know where ePHI is across the enterprise. This is not something that can be accomplished manually if the ePHI discovery is going to be accurate.

Over the coming days, there are sure to be many articles, editorials, discussions and blog posts about the protocol and how it can best be employed to help organizations improve their privacy and security program performance.  We look forward to your questions and comments.

On the heels of our client’s audit, CynergisTek, in partnership with Davis Wright Tremaine partner, Adam Greene, established a portfolio of OCR audit readiness and investigation response services.  Our team will go about the work of further mapping the content of the protocol to our many lessons already learned to best serve our clients and the industry at large.

10 of the largest data breaches in 2012 … so far

Republished From Healthcare IT News on June 05, 2012 | Michelle McNickle, Web Content Producer

We’re six months into 2012, and numerous headlines have showcased some large health data breaches. Whether it’s outright theft, the actions of a disgruntled employee or overall carelessness, 2012 is already chock-full of noteworthy breaches. And according to recent research, the problem is only growing.

Here are 10 of the largest data breaches in 2012… so far.

1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children’s Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service’s server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.

2. Emory Healthcare. On April 18, Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients. The 10 disks held information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Of the 315,000 patient files, approximately 228,000 included Social Security numbers, with other sensitive information at risk including names, dates of surgery, diagnoses, and procedure codes.

3. South Carolina Department of Health. An employee of the South Carolina Department of Health and Human Services was arrested on April 19 after he compiled data on more than 228,000 people and sent it to a private email account. Approximately 22,600 people had their Medicaid ID numbers taken, which were linked to their Social Security numbers. Others had names, addresses, phone numbers, and birth dates stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.

4. Howard University Hospital. Toward the end of March, Howard University Hospital in Washington, D.C. notified approximately 34,503 patients of a potential disclosure of their PHI that supposedly occurred in late January. A laptop, which was password protected, was stolen from a contractor’s vehicle, yet, according to the hospital, no evidence suggested any patient files were accessed. The records stolen did contain Social Security numbers for many of the patients affected. Today, the hospital requires all laptops issued to Howard University Health Sciences employees to be encrypted.

5. St. Joseph Health System. In February, St. Joseph Health System, in California, alerted approximately 31,800 patients of a possible security breach at three of their organizations throughout the state. According to the system, security settings were “incorrect,” which allowed for the potential breach. Information accessed didn’t include Social Security numbers, addresses, or financial data, yet patients’ names and medical data were vulnerable. The records at risk were mostly for inpatients who received care from February through August of 2011. The data, the organization said, would have been available through Internet search engines from early 2011 to February 2012.

6. Indiana Internal Medicine Consultants. In early February, a stolen laptop resulted in a breach of 20,000 patient records at the Indiana Internal Medicine Consultants. The organization reported the incident about a month later, and the records were recovered. Although little information about the case exists, a lawsuit was filed as a result and an arrest was made.

7. Our Lady of the Lake Regional Medical Center. Between March 16 and March 20, a laptop was stolen from a local physician office at the Our Lady of the Lake Regional Medical Center in Baton Rouge, La. The laptop contained limited health information for more than 17,000 former ICU patients, including patient names, ages, races, and dates of admission and discharge from the ICU. The organization said there is no evidence the information had been misused, or that there was any malicious intent. As of May, the investigation was still underway.

8. Memorial Healthcare System. On January 27, Memorial Healthcare System in South Florida learned of an employee who accessed patient information, as well as a second employee who accessed patient information with the intent to process fraudulent tax returns. The organization notified 9,497 patients that information including names, dates of birth, and Social Security numbers was accessed, yet, according to their statement, no medical records were taken. Letters weren’t sent out to those affected until April 12th, in an effort not to impede investigations conducted by law enforcement. The two employees have since been fired.

9. The Kansas Department of Aging. In January, a laptop computer, flash drive, and paper files were stolen out of a car belonging to an employee of the Kansas Department of Aging. The Social Security numbers of approximately 100 patients were stolen, while 7,000 other seniors, and their information, were put at risk. The stolen data included names, addresses, dates of birth, gender, in-home services program participation information, Medicaid identification numbers, and more. The Social Security numbers stolen were of those patients participating in the Senior Care Act program. The organization contacted those patients via phone and sent mail notifications to all others affected.

10. The University of Arkansas for Medical Sciences. In April, the University of Arkansas for Medical Sciences investigated a breach after a document wasn’t properly redacted. Approximately 7,000 patients were affected after an unidentified physician sent financial information on a patient to someone outside of the UAMS offices in mid-February. The physician didn’t remove all identifiers of the patients, such as names, account numbers and dates of services. Of those affected, most were in the interventional radiology program at UAMS between 2009 and 2011. The man who received the information via email claimed he hadn’t released it to anyone.