Tag Archives: data breach

Business Partners: A New Risk to Health Data Security?

by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article here: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx

Mobile device security in healthcare: It comes down to common sense

The team at mHIMSS asked Mac to create a blog for them around mobile device security.  We hope you enjoy Mac’s inaugural post and will also make it a point to peruse the great online presence that mHIMSS has created at http://www.mhimss.org/ to further your learning about mobile device management in the healthcare industry.

Recently I took part in the Office of the National Coordinator for Health IT’s Mobile Device Roundtable in Washington, D.C., where three panels of experts (federal agency representatives, practicing providers and security practitioners) came together to discuss the use of mobile devices in healthcare, the legal framework that exists now and how to best protect sensitive information being transmitted via mobile devices.

As the discussions went on, one thing became clear – there is currently no coordinated approach to managing the mobile device spectrum. Because of this lack of a coordinated approach, it’s ultimately up to the users to manage mobile devices and, most importantly, ensure their security.

The physicians on the panel noted that they would like to use mobile technology to accomplish the following:

  • Communication between themselves, the providers they work with and service organizations like labs, radiologists, etc.;
  • Communication with patients to provide a rapid medium for communicating results;
  • Education, primarily around giving patients detailed information with respect to their condition; and
  • Real-time test results, x-rays, etc., to show to and discuss with patients.

The ability to text was also noted as an increasingly popular mechanism for physicians communicating from a workflow perspective. Studies have shown that more than 70 percent of physicians now use text as a regular means of communicating in the workplace.

While these are all valid uses of mobile devices for physicians, and they certainly offer the potential to enhance patient care and the patient/provider experience, it’s important to remember the vulnerability of most mobile platforms and their inability to secure sensitive patient information that’s being transmitted. In most of these cases, physicians seem to understand that mobile platforms and texting are not sufficiently secure to communicate electronic protected health information (ePHI), and they are looking to the mobile device manufacturers to deliver that level of protection. Under the HIPAA Security Rule, there are huge ramifications for failing to secure PHI, often resulting in significant monetary fines and reputational damage, and if the device companies are not going to step up, then we as an industry need to find ways to fill that gap.

So what’s the solution? How do we make it possible for physicians to use mobile devices in a way that would bridge communication gaps between colleagues and patients while ensuring the security of sensitive data?

On one level, the answer is pretty simple: use common sense. We use our cell phones and other mobile devices for personal reasons and carry them with us everywhere. So, as common sense would tell us, it wouldn’t be prudent to house sensitive information (such as patient data) on such devices. PHI and other data should not live on the mobile device itself because it puts the device and the physician at risk. To ensure mobile security in healthcare, mobile devices need to allow physicians to review and act on sensitive information, but in most cases that data should always remain on a secure server – when the physician disconnects, the device retains zero sensitive information.

The first step in making this “data-centric,” common-sense approach to mobile device security work is to get people to recognize the difference between needing the sensitive data on their mobile device and simply wanting it on there out of convenience. This is made more difficult and more important as the mobile device industry continues to focus on allowing access to data anywhere, anytime (the idea of “bring your own device,” or BYOD). If we begin to balance convenience around dissemination of data with the actual practical clinical requirements by using technologies that enable connectivity and only store data on the devices that are able to protect it properly, we can greatly reduce the magnitude of the risk. The proposed EHR implementation standard and certification criteria for encryption of devices that connect to EHRs and retain ePHI after termination of their session will certainly heighten this need.

By thinking about where the data needs to be, who needs to have access to it and what kind of access is required and building this “data-centric” security into mobile device strategies, physicians will be able to use their mobile devices in a way that optimizes workflow and quality of care while still ensuring the security of all sensitive data reasonably and responsibly.

4/18/12 Webinar – Continuous Privacy and Security Compliance: Healthcare’s New Performance Target

Register Here:  https://iatric.webex.com/mw0307l/mywebex/default.do?nomenu=true&siteurl=iatric&service=6&rnd=0.941068

One of the lessons learned coming out of The Office for Civil Rights (OCR) HIPAA Audit Program is that we must understand where our ePHI is and what our team members and business partners are doing with it.  Operational practices and controls must safeguard every record, all the time.  Audit controls must be designed and documented to account for ePHI and for the activities around that ePHI that need to be monitored, internally and with our business associates.  Most healthcare organizations have yet to make the leap to this new level of performance.

What will likely emerge in the omnibus rule related to breach notification, HIPAA enforcement and HITECH’s changes to the HIPAA privacy and security rules that may raise the bar even higher?

This 60-minute webcast will provide insight and knowledge that:

1.  Enumerates the lessons learned from the OCR HIPAA Audit Program through the experience of one of the “First 20” audited organizations

2.  Defines healthcare’s continuous compliance challenge for privacy and security and the potential impact of the omnibus rule

3.  Establishes the business case for evaluating technologies that contribute to continuous compliance

Presenters:

Mac McMillan, CEO, CynergisTek and Chair, HIMSS Privacy and Security Policy Task Force

James Lawson, VP, Strategic Integration Development, Iatric Systems, Inc.

“Shredding, Eliminating Risk, Literally” – A Free Webinar Sponsored by Fellowes on April 18th

To achieve Safe Harbor, organizations must render patient information unusable, unreadable, or indecipherable to unauthorized individuals, either by encrypting the data appropriately using an approved technology and algorithm, or by destroying the information using an approved method of destruction.  One approach is to employ shredding as part of an information lifecycle and data destruction program.
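The encryption path of the Safe Harbor test, as an added example that is not part of the webinar announcement or of any CynergisTek or Fellowes material: a Go program that seals one PHI record with AES-256-GCM (AES is a NIST-approved cipher; the choice of GCM, the `nonce || ciphertext || tag` layout and the function names are this example's assumptions) and shows that without the right key, or with a modified blob, the record cannot be read. The record contents and the `aad` metadata string are constructed sample data, not real patient information.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates a fresh random 256-bit key. In practice the key lives in an
// HSM or key-management service, never beside the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one PHI record with AES-256-GCM under key.
// Output layout (an assumption of this example): nonce || ciphertext || tag.
// aad is metadata (record id, table) bound to the ciphertext but not hidden.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per record; GCM is broken by nonce reuse under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. It fails if the key is wrong, the blob
// was modified in any byte, or the aad does not match what was bound at seal time.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000000","name":"Test Patient","dx":"example"}`)
	aad := []byte("record-id=42;table=encounters")

	key, _ := NewKey()
	blob, _ := EncryptRecord(key, record, aad)
	fmt.Printf("stored blob is %d bytes of ciphertext, nonce and tag\n", len(blob))

	back, err := DecryptRecord(key, blob, aad)
	fmt.Println("with the right key:", string(back), err)

	// With the key destroyed or wrong, the blob stays unreadable: this is the
	// cryptographic counterpart of physically destroying the record.
	other, _ := NewKey()
	_, err = DecryptRecord(other, blob, aad)
	fmt.Println("with a different key:", err)
}
```

The property Safe Harbor asks for holds only while the key is kept apart from the data: a lost laptop holding both the blobs and the key is a breach of readable PHI. The flip side is useful at end of life, since destroying every copy of the key renders every blob encrypted under it unreadable without touching the media, which is worth pairing with the physical destruction program the webinar covers.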

The Office for Civil Rights (OCR) has included a thorough review of Breach Notification and proper destruction of patient information in its recently initiated random audit program.

What do you need to know about successfully integrating shredders into your data privacy and security program?

Webinar Program Objectives include:

1.  Increase awareness of the risks associated with healthcare information and breaches.

2.  Outline what HIPAA and HITECH say about protection and destruction of patient information.

3.  Explain the specific requirements for shredders to meet Breach Notification Safe Harbor.

4.  Introduce data classification and information lifecycle management concepts and practices.

Register for the iQast at http://www.inquisit.org/Inquisit/getProgramInfo.aspx?type=iqast&product=IQ-0251

Our thanks to the team at Fellowes for sponsoring this program and for including CynergisTek!

NCHICA AMC Privacy and Security Conference 2012

CynergisTek is pleased to contribute again to the NCHICA AMC Privacy and Security Conference.  This is the DO NOT MISS conference for those serving in privacy and security roles in academic medical centers.

Now in its 8th year, the conference takes as this year’s theme “Changing Risk and Requirements: The New World of Healthcare Privacy and Security.”  It will be held at The Friday Center in Chapel Hill, NC from April 22 – 25, 2012.

CynergisTek CEO, Mac McMillan, joins Adam Greene, Esq., Davis, Wright and Tremaine, and Ross Janssen, JD, CIPP, CIPP/IT, Director of the Privacy and Security Office at the University of Minnesota, for a presentation on “Managing Medical Research, Residents and Security & Privacy Issues” on Tuesday, April 24, 2012 at 2:45 pm.

For more information and to register for the conference, please visit:  http://www.nchica.org/Activities/AMC2012/intro.htm.

Business associates under fire as security risk

Author: Beth Walsh
Featured as a CMIO.net Web Exclusive on March 1, 2012

Business associates (BAs) are a huge area of concern when it comes to healthcare data privacy and security. “If you look at the statistics, there were nearly 400 healthcare data breaches in the last two years and almost half are due to BAs.” But “that half accounts for more than 75 percent of all records involved,” said Mac McMillan, CEO of Austin, Texas-based health IT security firm CynergisTek, and co-chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force.

“While a covered entity has all the information for the patients it cares for, a BA could have data from 100 covered entities or more. You’re talking magnitudes of data.”

This area is a big problem because, while healthcare providers in general have gotten very little attention, BAs have gotten virtually none, McMillan said. That’s partly because providers and BAs aren’t concerned about it yet. Plus, there’s confusion about what constitutes a BA.

“A lot of BAs don’t really consider themselves BAs even though they are,” he said. “Hospitals have companies that perform some third-party service for them and have protected health information (PHI) but they don’t feel that it applies to them because they’re just a hosting service or pass through.”

These companies don’t realize that the way the rule was written, once they take PHI from a covered entity, the provision of access is met. That means that whether they access the data or not, they are a BA. Just because they don’t access the data doesn’t mean they can’t, and that is what makes a company a BA.

McMillan said many covered entities have sent out security questionnaires to their BAs, particularly those who have PHI, and gotten some surprising answers. Some BAs don’t even have the rudiments of a security program. They are almost completely focused on the business service and have not considered the data or HIPAA compliance.

Several factors contribute to the problem: lack of knowledge, lack of concern for enforcement and the general cost of doing business, according to McMillan. For example, if a company has to change its network then it probably has to charge for more services so it becomes harder to keep and get clients. Another aspect of many third-party providers is that they are very small companies just getting started and therefore, are more likely to take risks, he added.

As written, the breach notification rule places responsibility on the covered entity. The BA has to notify just the source of the data, but the covered entity has to make all the required notifications of the breach, which includes notifying patients and the media. “Unless the contract is written smartly, there is nothing in the law that transfers the responsibility for cost,” said McMillan. “It’s really something the covered entity has to pay attention to with their BAs and do a better job of due diligence.”

McMillan said that he is amazed at some hospital experiences in this area. For example, a big hospital in New Jersey had a longstanding BA with access to enormous amounts of data. When the hospital asked the BA some basic security questions, the response was “we don’t have that kind of security on our network, we don’t have those policies and procedures and we can’t afford it.”

This BA was performing a very important function for the covered entity, so it had to decide between continuing to use the BA as is, find another BA or invest in helping the BA become HIPAA compliant. The hospital decided it was in its best interest to help the BA become compliant.

“It was amazing,” said McMillan. “This is a BA doing business with multiple hospitals and nobody had ever looked under the hood. If it’s not in the contract, then they are not responsible for doing it.”

The idea that HIPAA’s applicability to BAs would by itself change their behavior is nonsense, he said. He has told BAs they have the same responsibilities as covered entities, and he said that nine out of 10 say they are not ready.

Three things could force change, asserted McMillan.

“The absolute, biggest, most effective pressure on BAs is the people they do business with,” said McMillan. “Hospitals must say they’re tired of having to deal with breaches and notifications and then do a better job of putting requirements for security in their contracts.” Having the right language in the contracts provides for clear cases of negligence and breach of contract.

There are lawsuits in progress that allege negligence as opposed to harm that also could force change. “Those lawsuits probably will have the biggest impact in the short run,” said McMillan. “You’ll see much bigger costs associated with that than you will with fines from the government.”

Third, government enforcement will play a role as well. However, “there is no way the government has enough resources to enforce HIPAA proactively and in a manner so dramatic that it would change behavior.” The $1.5 million maximum fine is a “game changer” for small companies but that amount won’t faze bigger companies.

“Companies follow rules because they get audited,” noted McMillan. “If they don’t, there are repercussions. In healthcare there is no active auditing of BAs. Unless the covered entity is monitoring or managing them proactively, basically they’re out there doing whatever they want. Nobody’s checking on them.

“Some companies are doing well with these requirements but unfortunately, a lot of folks are trying to manage costs,” he remarked. “Security is a cost.”

McMillan stated the Office for Civil Rights’ new audit program includes asking questions about BAs, such as: Have you done any due diligence with respect to BAs? Do you know if your BAs have a backup plan with respect to the data you’ve given them? Have they provided evidence they are backing up data or are capable of reconstituting it?

“These questions may cause covered entities to start telling BAs to meet their requirements or lose my business,” he said.