Tag Archives: healthcare

Mac McMillan, Accepted to Speak at HIMSS13

Mac McMillan has been accepted to speak at HIMSS13:

Mac McMillan, CEO of CynergisTek, had his proposal accepted on “Business Associate Management under HIPAA: More than just a contract.” He has accepted the opportunity and is awaiting details. This will be the third consecutive year he has been accepted to speak at HIMSS.

What is HIMSS?

The Healthcare Information and Management Systems Society (HIMSS) is a nonprofit organization whose goal is to promote the best use of information technology and management systems in the health care industry.

Founded in 1961, HIMSS provides a forum for collaboration among the various stakeholders in health care IT, using advocacy, education and collaboration to further its mission. Its membership base of more than 44,000 individual and 570 corporate members includes health care providers, students, IT vendors, consultants and other stakeholders in the health IT industry. HIMSS currently focuses its attention on health IT topics such as electronic health record systems, HIPAA security and privacy provisions, software interoperability and technical standards.

HIMSS produces an annual conference that brings together health IT stakeholders for several days of education and networking. The organization also offers a research arm known as HIMSS Analytics and a philanthropic group known as the HIMSS Foundation.

NCHICA 18th Annual Conference and Exhibition

The Revolution in Healthcare: from Chaos to Coordinated Care

September 10, 2012, Grandover Resort, Greensboro, NC.

Presented by:

  • Mac McMillan CEO, CynergisTek
  • Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLC

Agenda:

  • Background
  • Audit Selection
  • The Audit Protocol
  • Initial Audit Results
  • Audit Readiness

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

HIMSS 2012 – Mac McMillan

EHRtv presents HIMSS 2012, a video featuring Mac McMillan, CEO of CynergisTek, as he speaks on multiple issues surrounding healthcare security.

Bloomberg Reports on Healthcare Data Security – Video

Our thanks to Bloomberg for inviting CynergisTek CEO Mac McMillan to contribute to the commentary on its recently published study on healthcare data security for Bloomberg Television’s “InBusiness With Margaret Brennan.” See the video:

http://www.businessweek.com/video/#video=FieWVnMzoUmrcbAVSk56rgcsjIfXbw9v

Sponsored by Bloomberg Government and The Ponemon Institute, the study reveals that healthcare companies today spend about $23M each year to stop about 68% of data breaches, but would need to increase that spend to $155M to stop 95% of breaches. This study, like those previously published by Ponemon and others, validates what we have known for years: healthcare’s spend on IT security falls woefully short of what is required to safeguard patient data and the delivery of care.

As more of our industry’s shortfalls become increasingly public, whether through global reporting like what we see here from Bloomberg, or through the local media when a data breach occurs in Anywhere, USA, how will we respond?

Governance for IT security and data protection must be seeded in the executive suite of every healthcare organization. If your IT security program is cloistered away in the bowels of your data center, and your compliance and audit team’s only tools are paper and pencil to evaluate your data protection performance, it is time for a change. That change starts at the top, and it starts with translating data security risk into a common business framework that your executive team will understand.

Let’s get busy!

Can Healthcare learn from the Zappos Breach? You bet!

Some of you may be becoming numb to the reports of data breaches that seem to hit the headlines almost every week now. Are we developing a mindset that these breaches are just going to happen and that they are just part of business in the digital age? Boy, I sure hope not! Because I care about my personal data, the data of my family members and really everyone’s data. I fear the day that we become accepting of breaches as a business norm.

I read a lot of articles every day from a variety of sources – blogs, industry press, etc. I really appreciated Matthew Schwartz’s article in Information Week covering lessons learned from the Zappos breach this week. It was nice to see an acknowledgement of the preparations and risk management steps that were in place, as well as the opportunities for improvement that exist for Zappos going forward. It was also really nice to see a simple, straightforward presentation and discussion of the points. At CynergisTek, it is a core value to make security “accessible” to our clients, to relate security efforts to the business and to the people that make that business run. For us, we are usually talking about hospitals, clinicians and the critical support staff that, 24 x 7 x 365, make healthcare happen. Anyone can read Matt’s article, learn from it, and take something away from it, as an individual or as an organization.

Some of our healthcare clients might challenge the fact that Zappos or Amazon are a relevant reference point for them, that the business of retail is nothing like the business of healthcare. For me, it always comes back to the ultimate arbiter – the denominator that is THE DATA and our responsibility for it. I would argue that our industry assumes the stewardship for a much more significant amount of sensitive data than retail, so the call to action or the sense of urgency to establish the technical safeguards and processes is even greater.

I don’t want to sound like a broken record, but there are things, even smaller things, that healthcare can do, which is why I really had an affinity for this article. There are absolute takeaways for our industry here, so read it. Benchmark your current safeguards and processes against some of the positive attributes of Zappos’ program and response. Then, make a plan to make ONE aspect of your breach risk mitigation program better.

We say it all the time in healthcare… “An ounce of prevention…” We need to take a healthy slurp of our own Kool-Aid!

Enough of my musings, read Matt’s article here:

http://www.informationweek.com/news/security/attacks/232400457

Healthcare Security Policy: Top 4 Factors that Shape the 2012 Outlook

Prognostications always dominate the headlines as we turn the page to a new year. While we tend to see lots of “Top 10” lists for project priorities or technology purchases, there have been fewer articles on what we might expect to see on the policy front in 2012. An election year always makes for interesting policy discussions and debates, but we believe that this is just one of the top 4 factors that will (or should) influence healthcare security and privacy policy in 2012.

The policy discussion is almost guaranteed to be dominated by four factors.

1.  The impact of the 2012 elections and the lack of desire on the part of both politicians and the Administration to address controversial healthcare issues.

2.  The ever expanding impact of privacy and security legislation and outside influences on healthcare.

3.  The expansion of negative influencers such as breach notification and the rising tide of litigation.

4.  The very real need to embrace better security models to support important clinical technical initiatives such as Health Information Exchange, decision support, mobility, telemedicine, cloud computing, etc.

Healthcare, because of its almost universal applicability and expanding regulatory impact, is likely to become the focal point for the privacy and security policy discussion. As a result, healthcare could find itself shaping this debate in 2012.

Politics and the elections this year could very likely impact the privacy and security discussion for several different reasons. Running for office (or trying to get reelected) is not a trivial process, and this Administration and Congress are both expected to be distracted with the election campaign. On top of this distraction, there is the almost certain trend of “avoidance” that seems to take over incumbents with respect to controversial issues. Healthcare reform, of which privacy and security policy is part, is a lightning rod subject for certain in this election. Therefore, no one should hold their breath waiting for movement in these policy areas. That said, privacy and security issues are not going to go away, nor will the public’s growing displeasure with the industry’s performance to date. Privacy and security tend to be bipartisan issues where common ground can be found. It will be interesting to see if the Senate Judiciary Committee hearings, chaired by Senator Al Franken last fall as a result of the spike in privacy breaches in healthcare, carry any momentum into 2012 or spur more interest in the debate on broader privacy legislation.

Congressional debate on a broader privacy law, one that would impact all industries, has been ongoing since the 1990s. However, 2012 might be the year that helps focus this discussion. Why? Because now, more than ever, it affects more people and more organizations and is receiving much more attention. HITECH will serve as the catalyst for transforming this discussion because of two important and interrelated policy changes. HITECH expands HIPAA accountability to business associates and all downstream subcontractors. This changes the reach of HIPAA from several thousand covered entities to hundreds of thousands of entities. This means that a broader representation of this already enormous industry will try to get involved and shape this debate. Further, businesses that are already under pressure from other regulatory drivers and global business initiatives to embrace the EU privacy model mandates will also likely find their way to the table. These new players could create new and greater external influences on the privacy and security requirements for healthcare.

The public’s growing awareness of breaches in healthcare and the potential traction of recent high-profile class action litigation are almost certain to be factors in 2012. Closely related will be the outcomes from HHS’s random compliance audits launched in December 2011. The number of breaches last year got everyone’s attention. The disastrous month of October, in particular, led to hearings and dominated the media until the end of the year. The question is whether this will further fuel the Congressional debate for broader privacy protections and, ultimately, a Federal statute that applies to all. Regardless of what happens on the legislative front, the legal front will definitely bear watching.

Breaches continue to lead to lawsuits, which is nothing new. What is new, however, is the nature of those lawsuits today. In the past, lawsuits stemming from breaches alleging harm were rejected by the courts unless specific and identifiable damages could be substantiated. Recent lawsuits have alleged negligence and breach of contract, and in the Sutter Health case in California, the plaintiffs are suing for statutory damages, obviating the need to show harm. If successful, the number of lawsuits could grow significantly. Whether this happens or not, organizations that are sued still have to deal with damage to their reputation and defense costs at a minimum.

The cost of compliance has also gone up. In 2011 HHS received tens of thousands of complaints, and nearly 20 new major breach investigations were initiated every month. These investigations have led to Resolution Agreements, Compliance Action Plans and, on rare occasion, fines. Recently HHS added to its oversight of HIPAA by initiating the random compliance audits called for under HITECH. It is still too early to tell how the “First 20” will fare, but HHS does intend to use them to inform the process going forward. Breach notification, lawsuits and HHS enforcement activities are sure to keep a bright light on healthcare and compliance.

Healthcare also has internal drivers that are applying pressure for better privacy and security measures. Increased reliance on electronic medical records, decision support systems, business analytics, and other systems that support care services will demand absolute integrity. Health Information Exchanges will need better authentication and identity solutions and specific governance structures. Mobile devices will continue to proliferate and introduce risk. Smarter approaches that place more emphasis on data management and device standards will be needed as endpoint strategies alone fail or become difficult to manage. New strategies such as telemedicine and cloud computing will need privacy and security solutions. The evolution in technology and the need to address new privacy and security challenges will see no abatement in 2012.

Healthcare will be a dominant topic in 2012, and there is a good chance that privacy and security will factor significantly because the data matters. The data that is being generated by the industry is the holy grail that drives all transformation – clinical and financial. Therefore, the safeguards around that data become more important than ever. And because healthcare is not the only industry where data is tantamount to transformation, the developments in healthcare could have a tremendous impact on privacy and security in general. Political action, regulatory changes, adverse events and operational advancements will shape the privacy and security agenda. Those who ignore privacy and security will do so at the risk of unwanted consequences.