Tag Archives: HITECH

HITECH Stage 2 Rules: An Analysis

Experts Sort Through Privacy, Security Provisions

By Marianne Kolbasuk McGee, August 29, 2012.

Some privacy and security experts who have dug into the 1,446 pages of final rules for Stage 2 of the HITECH electronic health record incentive program say they are mostly pleased with provisions included to protect patient data (see: HITECH Stage 2 Rules Unveiled).

Both rules are hefty – 474 pages for the electronic health record software certification criteria rule and 672 pages for the meaningful use requirements. And each contains key provisions related to data security.

The most notable security provision, experts say, is the software certification rule requirement that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

The requirement is significant, given that 54 percent of the largest health information breaches since 2009 have involved the loss or theft of unencrypted computing devices or storage media, according to the official breach tally from the Department of Health and Human Services’ Office for Civil Rights.

“Requiring encryption by default for end-point devices is a sound security control and will help to ensure the growing numbers of breaches caused by loss or theft of these types of devices will be prevented,” says Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates.

“By making the encryption transparent and automatic to the end-user, it will ultimately improve protection of patient information,” she says. “If you leave it up to each of the millions of physicians, nurses and other healthcare workers to do the encryption themselves, recent history shows that the encryption will simply not be done in millions of endpoints.”

Mac McMillan, CEO of the IT security consulting firm CynergisTek, says the software certification encryption provision is just one small step in the right direction. The provision “helps a little, at least with EHR encryption, but it doesn’t cover other systems that contain PHI [protected health information] once you’re disconnected from the EHR,” he notes. That means healthcare providers still will need to be vigilant in ensuring that PHI is protected in all applications where it resides, he adds.

Risk Assessment

In another encryption provision for Stage 2, the meaningful use rule requires that participants conduct a risk assessment that specifically addresses “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.” But it does not explicitly mandate encryption.

Regulators included this requirement, which shines a spotlight on requirements that already exist within the HIPAA security rule, in hopes of improving the protection of stored information.

McMillan applauds the provision because it helps increase awareness that “you will be responsible for the decisions you make” on whether to encrypt stored PHI beyond the encryption that occurs by default through EHRs.

Similarly, Herold says calling attention to the need to consider encryption of stored data is a good idea.

“I know from seeing many inadequate risk assessment methodologies … that including an explicit requirement to check for encryption is good and will make covered entities and business associates think twice before simply deciding that they don’t want to invest in encryption.”

Bill Spooner, CIO at Sharp HealthCare in San Diego, says encrypting data at rest shouldn’t be too tricky for healthcare providers.

“The challenges will be around gaining support from those who view technologies like encrypted thumb drives as inconvenient, and ensuring that we have closed any potential detours around the requirement,” he says. “The focus on end-user device encryption is quite sensible, as loss of such devices has been the most common cause of breaches to date.”

Patient Data Access

Among the final provisions getting a mixed reaction are the meaningful use requirements for hitting a threshold for patients securely accessing their information, such as through a portal with appropriate protections.

The rule requires that 5 percent of all patients who are discharged from the inpatient or emergency department of a hospital view, download or transmit to a third party their information during the EHR reporting period for Stage 2. For physicians, the requirement is that 5 percent of patients take the same action within four days of an office visit. The proposed version of the rule, issued earlier this year, had set a 10 percent threshold for hospitals and physicians.

In addition to the patient record access requirement, another of the original proposed rule’s “most ambitious and controversial measures” deals with referral transactions, says Adam Greene, a partner at the law firm Davis, Wright Tremaine, who formerly worked at the Office for Civil Rights.

The proposed rule would have required that providers, for 10 percent of transfers and referrals, transmit a summary of care record to a recipient with no organizational affiliation and using a different EHR vendor than the sender, Greene says. The final rule, however, drops the specific percentage threshold and instead requires a provider to only send one referral to a recipient that uses different EHR technology than the sender or conduct a successful test, he notes.

The revised provisions on patients accessing their records and on transferring records for referrals “represent strong, continued commitment to the privacy and security issues of improved patient access and secure electronic health information exchange, but recognize that substantial challenges remain in these areas,” Greene says. “In the preamble, HHS makes clear that it will continue to focus on health information exchange and interoperability as it moves toward Stage 3.”

Meeting the Requirement

But Spooner of Sharp HealthCare says that even the reduced requirement for patient access to information could prove difficult to meet.

“I am not thrilled with the accountability for 5 percent of my patients accessing their data online,” Spooner says. “I wonder when the [regulators] last sat through a busy Saturday evening in an emergency room and thought ‘I can’t wait to get home and look up my information online’.”

Spooner calls including hospital emergency room patients in the data access requirement “worrisome,” adding: “These are occasional visits, many by patients without a regular doctor or insurance coverage. It will be a challenge to bring them back to our portals [to access information],” he says.

McMillan, however, does not believe that healthcare providers will find it difficult to get 5 percent of patients to access their data online. “I don’t subscribe to the ‘patients don’t want access’ [argument],” he says. “When you look at what’s happening online in other industries, people shop, bank,” he says. “My 82-year-old mother goes online for her and my father’s prescriptions.”

Dan Rode, vice president of advocacy and policy at the American Health Information Management Association, contends that some healthcare providers are concerned about the potential for being held responsible for breaches caused by patients once they download their information.

“Providers are concerned that individuals themselves might release their information by accident,” Rode says. “A patient might send their information to Facebook; providers don’t want to be responsible for something like that.”

Data Exchange Standards Lacking

The meaningful use rule includes a signal that more regulations related to health information exchange, which presumably would address privacy and security, could be on the way in Stage 3 if the industry fails to make adequate progress with standards-based information exchange, McMillan, the consultant, points out.

The rule states, “…As we look toward meaningful use Stage 3, we will monitor the ease with which EPs [eligible providers], eligible hospitals, and CAHs [critical access hospitals] engage in electronic exchange, especially across different vendors’ EHRs.” The rule notes that if HHS does not see sufficient progress for standards-based exchange goals being met, “we will … consider other policies to strengthen the interoperability requirements included in meaningful use as well as consider other policies and regulations.”

To exchange data efficiently and securely, “the real issues are interoperability, compatibility, and standards,” McMillan says.

A Nationwide Health Information Governance Rule, now in the works, would set voluntary standards for data exchange.

HITECH Stage 2 Rules Unveiled

EHR Incentive Program Regulations Address Encryption

By Howard Anderson, August 23, 2012.

The two final rules for Stage 2 of the HITECH Act’s electronic health record incentive program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk Aug. 23. Both rules from the Department of Health and Human Services are slated to be officially published in the Federal Register on Sept. 4.

The meaningful use rule spells out the requirements for how hospitals and physicians must use EHRs to qualify for a second round of incentives, beginning in 2014. The software certification rule spells out the requirements for EHR applications that qualify for Stage 2.

The HITECH Act incentive program, part of the economic stimulus package, is providing billions of dollars in incentives to hospitals and physician groups that meet the requirements for meaningfully using EHRs. The incentives are slated to be paid out in several stages.

Meaningful Use

The Stage 2 meaningful use rule, developed by HHS’ Centers for Medicare and Medicaid Services, requires that participants conduct a risk assessment, as was required in Stage 1. However, the Stage 2 rule specifically requires that the analysis address “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

“We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA,” an explanation within the rule states. “We only emphasize the importance of a [physician/other professional] or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The Privacy and Security Tiger Team, an advisory group that recommended the provision, said it was necessary to help call attention to the importance of protecting “data at rest” because so many major health information breaches have involved the loss or theft of unencrypted devices that stored patient information.

The meaningful use rule “continues to reaffirm the importance of doing security assessments and mitigation,” says Farzad Mostashari, M.D., who heads the HHS Office of the National Coordinator for Health IT. “People really rely legally, and in terms of the professional ethos, on an expectation that their providers will keep their information confidential and secure. And as they’re transitioning to electronic health records, they have to make sure they’re following all the administrative and physical safeguards, as well as technical safeguards.”

Software Certification

The Stage 2 software certification rule, developed by Mostashari’s office, requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

“The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops,” the rule states. The rule also states that locally stored “is intended to mean the storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches) and not an individual or isolated user action to save or export a file to their personal electronic storage media. … We have clarified that in this scenario, the EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.”

The rule points out that an EHR technology developer would not have to demonstrate that its EHR technology can encrypt electronic health information locally stored on end-users devices “if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops.”

(Marianne Kolbasuk McGee contributed to this story).

Patients worried about medical records going digital

Many Americans — 85% in a new survey — report having fears about the privacy of their records as more physician practices adopt EHRs.

By PAMELA LEWIS DOLAN, amednews staff. Posted Aug. 20, 2012.

It took some time to get a majority of physicians in the U.S. to agree that it would be beneficial to implement electronic health records in their practices. Now, a survey finds, the most skeptical audience for EHRs is patients.

A survey of more than 2,100 patients by Xerox found that only 26% want their medical records to be digital, down two percentage points from a year ago. Only 40% believe EHRs will result in better, more efficient care. And 85% expressed concern about digital records. Their main worries: privacy and security of their information.

When asked what, specifically, worries them about EHRs, respondents said they were concerned that their information could be stolen by a hacker (63%), the files could be lost, damaged or corrupted (50%), their personal information could be misused (51%), or a power outage or computer problem could prevent doctors from accessing their information (50%). Fifteen percent said they had no worries.

There are many things in medicine that patients tolerate but don’t necessarily like. If most physicians will be electronic soon anyway, some physicians may wonder why it’s important to convince their patients that EHRs are a good thing instead of just letting them learn to live with them.

As the health care system shifts from one that focuses on acute care and treating patients who are sick to one that promotes wellness, “We need the patients as active participants,” said Philip Payne, PhD, chair of the Ohio State University College of Medicine’s Dept. of Biomedical Informatics. The EHR is an important tool to engage patients, he said.

Despite the benefits an EHR might bring, major data breaches are announced on virtually a weekly basis. For example, in the summer of 2012, a computer containing the medical information of 2,500 patients from the Stanford (Calif.) Hospital & Clinics and the School of Medicine was reported stolen. In Connecticut, information on more than 7,461 VNA Healthcare patients and 2,097 Hartford Hospital patients was lost when a computer belonging to a data analysis vendor was stolen. Beth Israel Deaconess Medical Center in Boston announced that the health information of 3,900 patients was put at risk when a physician’s personal laptop was stolen.

How to give assurance

The main message physicians should be spreading to patients who are concerned about breaches is that “people do bad things, whether it’s in paper form or electronic form,” said Mary Griskewicz, senior director of ambulatory health information systems for the Healthcare Information and Management Systems Society.

Michael Hobaugh, MD, PhD, chief of medical staff at La Rabida Children’s Hospital in Chicago, said if patients express concerns about data safety, physicians can tell them that there are many safety features of an EHR that patients never had with paper.

“The biggest assurance that patients have regarding electronic medical records is that anytime anybody looks at something or prints something, there is a record of who did it,” Dr. Hobaugh said. “That was not true of paper charts.”

Christine Bechtel, vice president of the National Partnership for Women and Families, said a survey her organization conducted, similar to the one by Xerox, found respondents rating EHRs higher than paper across the board in various safety and quality measures. She said the survey, released in February, shows that even if patients worry about their own information, many are showing confidence in EHRs in general.

Griskewicz said physicians need to be educated on how and when to engage consumers when it comes to technology adoption. HIMSS launched the HIMSS eConnecting with Consumers Committee this year, whose focus is to provide physicians with tools and education surrounding patient engagement and technology.

Many patient concerns stem from the fact that the value of EHRs has not been made clear to patients, Payne said.

“We really have to figure out how we make the EHR a focal point of collaboration between patients and members of multidisciplinary care teams rather than just a thing that’s in the room that we have to use to document so we can bill,” he said.

What patients think about EHRs

A survey found that patients have concerns when it comes to electronic health records, mainly about risks to their private information.

63%: With EHRs my information could be stolen by a hacker.
51%: My personal information could be misused.
50%: Digital medical records could be lost, damaged or corrupted.
40%: Digital records mean better, more efficient care.
31%: I feel I am adequately informed about when and how my medical records are used.
26%: I want my records to be digital.
26%: EHRs have improved my interactions with my physician office.
24%: My doctor involved me in the conversion from paper to electronic.
21%: I expect EHRs to improve the quality of service I receive.
14%: I think my health care provider is technically savvy enough to use EHRs.

Source: Third annual electronic health records survey, Xerox, July

One Cheap and Easy Thing All Companies Can Do to Boost Security

Event logs are the basic text of what happens in your corporate systems. So why do so many companies ignore them?

We love this blog post by Constantine von Hoffman – http://advice.cio.com/security/17256/one-cheap-and-easy-thing-all-companies-can-do-boost-security which we have reposted below.

In fact, we had a vibrant discussion about this very topic internally yesterday.  We might take a bit of exception to the assertion that log review is “cheap and easy.”  I mean, if it were so cheap and easy, wouldn’t most organizations be doing it?

What we find in healthcare is that the logs are so voluminous because there are so many disparate systems and devices in play.  Most organizations report to us that it is simply impossible, based on the way they are resourced, to have any kind of meaningful log review and log management program.  Further, it is hard to translate for the “non-techies” in risk management how this process is vital to enterprise risk management.  So what happens?

Higher performing organizations are collecting and archiving the logs from most of their systems so that they have them “handy” in the event that they need them to support an investigation or incident response.  Maybe a few of those high performers review logs for their high value/high risk systems routinely.  The highest performers have dedicated the resources required – through the internal investment in tools and/or staff or via outsourcing to an MSSP – to implement an operationally-relevant and compliance-aware log management program.

That said, more often than not, we encounter organizations that don’t know what they are collecting, whether they have auditing capabilities enabled in their systems, and have no log review or log management program in place.

The operational relevance is obvious, but in healthcare, we have that little regulation better known as the HIPAA Security Rule that specifically calls out “user activity monitoring” as an implementation specification. An effective log management program goes a long way to meeting this compliance requirement.

Based on the recent summary report from the first 20 OCR audits,  what was the single greatest deficiency or area of non-compliance vis-a-vis the HIPAA Security Rule?  You guessed it (and if you are a regular reader, you’ve read it here before)…User Activity Monitoring.

In our discussions with OCR, it is clear that this facet of an organization’s information security program is going to continue to be carefully reviewed and scrutinized.  So, whether via a formal audit, breach or complaint investigation, be prepared to have your log management program under the microscope.

It is our belief, from our 10+ years of experience and service to the healthcare industry, that few organizations are on a trajectory for IT security staffing to effectively implement an organic log management program.  After all, your core business is healthcare and your team should be focused on the enablement of care.  As we have mused in previous posts, maybe this is the time for organizations to make an active choice to engage security experts to support their security functional requirements, particularly those that really lend themselves well to outsourcing, like log monitoring and management.

Of course, at CynergisTek, we have a solution for this and we would be happy to talk with you more about what we are doing and how we have chosen to help our clients address this gap.  But what we really hope this post compels, is a change in the conversation that you are having internally.  Does it really make sense to build an information security empire within your healthcare organization or does it make better sense to be a healthcare center of excellence that practices good security?  That is a strategy and tactical discussion that we would love to support you with if our experience can be of help.

Make it a good day!


————————————————————————————————————————————–

The business equivalent to the personal-security sin of using the word “PASSWORD” as your password: Not collecting and reviewing the data from all your system logs. Chances are you’re not doing that. And you should feel guilty about it. But you can take some comfort in knowing you’re not alone.

“Relatively few do it,” says Sherri Davidoff, co-author of the startlingly well-written new book Network Forensics: Tracking Hackers Through Cyberspace. “Mostly it’s companies in the financial sector which are at risk of losing money directly from being attacked.”

The truth is most companies don’t know when they’ve been hacked. That’s not just Davidoff’s opinion. I’ve been told the same thing by folks in the security industry and in law enforcement. One agent from the FBI said he stopped counting the number of times he told IT execs about attacks that they knew nothing about.

Why does this happen? Companies don’t regularly review their event logs to see what’s going on in their own systems.

It astounds me that checking event logs is so uncommon. It’s kind of like checking to make sure you didn’t leave the key in your door lock, folks. You’re probably wagging your head in disbelief, too, because no CIO.com reader could be that clueless…could they?

Just in case you decide to pass this post along to someone who works at one of those other companies, I will explain why event logs matter:

  • They contain lots of info directly relating to your network, like DHCP lease histories and/or network stats.
  • They include records of network activity including remote login histories.
  • Because they have been transmitted over your network they create network activity.

If you want to find anomalies or unauthorized/unexpected users, the information is all there in event logs.
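As an added illustration of the kind of review the post describes (not code from the original post, from CIO.com, or from CynergisTek), the following Python reviews a constructed set of sshd log lines for remote logins by accounts outside an expected list, logins from outside assumed internal address ranges, and bursts of failed attempts from one source. The user list, internal networks, threshold and the log lines themselves are all assumptions made up for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of sshd lines in syslog format (not real log data).
SAMPLE_LOG = """\
Aug 20 08:01:12 ehr-app1 sshd[2101]: Accepted publickey for alice from 10.1.4.22 port 50122 ssh2
Aug 20 08:03:45 ehr-app1 sshd[2144]: Accepted password for bob from 10.1.4.31 port 50190 ssh2
Aug 20 11:15:03 ehr-app1 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Aug 20 11:15:05 ehr-app1 sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Aug 20 11:15:07 ehr-app1 sshd[2312]: Failed password for root from 203.0.113.9 port 41003 ssh2
Aug 20 11:15:09 ehr-app1 sshd[2313]: Failed password for root from 203.0.113.9 port 41004 ssh2
Aug 20 11:15:11 ehr-app1 sshd[2314]: Failed password for root from 203.0.113.9 port 41005 ssh2
Aug 20 23:42:50 ehr-app1 sshd[2501]: Accepted password for svc_backup from 198.51.100.7 port 33020 ssh2
"""

# One regex covers both successful and failed sshd authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed review policy: who is allowed to log in, which networks are "inside",
# and how many failures from one source count as a burst worth looking at.
EXPECTED_USERS = {"alice", "bob", "carol"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FAILED_THRESHOLD = 4


def parse(log_text):
    """Return one dict per recognised sshd auth line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    """True when the source address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review(events):
    """Return (kind, detail, source_ip, timestamp) findings from the remote login history."""
    findings = []
    failures = Counter()
    for e in events:
        if e["result"] == "Accepted":
            if e["user"] not in EXPECTED_USERS:
                findings.append(("unexpected-user", e["user"], e["ip"], e["ts"]))
            if not is_internal(e["ip"]):
                findings.append(("external-login", e["user"], e["ip"], e["ts"]))
        else:
            failures[e["ip"]] += 1
    # Failed attempts are judged per source, after the whole window is read.
    for ip, n in failures.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("failed-burst", str(n), ip, ""))
    return findings


if __name__ == "__main__":
    for kind, detail, ip, ts in review(parse(SAMPLE_LOG)):
        print(f"{kind:16} {detail:12} {ip:15} {ts}")
```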

What is even more baffling about the fact that these logs so frequently go unreviewed is that companies don’t have to check logs manually. They don’t have to sort through all the different log formats to figure this stuff out. There are a lot of programs that will do all of this. All you have to do is read the report.

“You want to make sure you’re not the lowest fruit on the tree; that you’re not the most vulnerable,” says Davidoff. “Fortunately or unfortunately, that’s not that hard to do.”

PS: I read a lot of computer-related books. In most cases I would rather try to read machine code. That is why I have to point out that Network Forensics is actually well-written. It is a text book that you can read and really learn things from. You probably went to college, so I don’t have to tell you how rare that is.

Alaska DHSS settles HIPAA security case for $1,700,000

The $1.7M fine levied on the Alaska Department of Health and Social Services should pique the interest of compliance officers and risk managers across the healthcare industry.

One stolen USB storage drive. 501 Medicare beneficiaries. A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan. Three years of independent monitoring of its compliance.

These are the new stakes associated with data breaches. In looking specifically to the Corrective Action Plan documented for the Alaska DHSS, its obligations include:

1. Remediation, Update and Dissemination of Policies and Procedures

2. Workforce Training

3. Risk Analysis and Risk Management Process Remediation

4. Designation of an Independent Monitor for a period of 3 Years

Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.

Would a reported breach open a Pandora’s Box in your organization?  Most of you that we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.

The circumstances of this breach provide you the “conversation starter” that you may need to engage or re-engage your leadership around HIPAA/HITECH compliance.  Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.

Contact us if we can be of assistance.


Where is your ePHI hiding? A data discovery/data loss risk assessment will tell you

One of the most recent cases of a data breach comes from what, on the surface, may appear to be an unlikely source – PowerPoint charts derived from ePHI-rich source data, embedded in a professional presentation, posted on the websites of two medical associations, by one of the world’s leading cancer centers, Memorial Sloan-Kettering. See the full story here: http://www.healthcareinfosecurity.com/powerpoint-charts-led-to-breaches-a-4868.

While that may seem like a complicated “it cannot happen to us” scenario, think again.  How many of your esteemed clinicians conduct research, present, and publish?  Not so many?  Let’s try another scenario then.  How many of your employees create, access, use, manipulate, analyze, or transmit ePHI to perform their duties? Have you implemented technical controls that prohibit your employees from moving ePHI from what may be fortified assets to less fortified assets, like a USB drive or workstation hard drive?  In our ten years, we have not met a client yet that is not struggling to understand just how distributed ePHI has become in their environment and gain control over it.

The HIPAA Security Rule is clear – Covered Entities need to have control of their ePHI and safeguard it appropriately. To gain control, one has to know where it is first. For many, the challenge lies within unstructured data on employee workstations, file shares, portable media – documents, spreadsheets, databases that employees have created. Such is the story with Memorial Sloan-Kettering. But it could very likely be your organization’s story too.

Manual efforts to locate ePHI across the enterprise are fraught with inefficiency and inaccuracy. As introduced in this follow-up article, http://www.healthcareinfosecurity.com/how-to-avoid-exposing-patient-data-a-4891, Data Loss Prevention (DLP) solutions can not only help organizations effectively discover ePHI across the enterprise but also enforce rules and policies to prevent data loss and data leakage.

For nearly three years, CynergisTek has offered clients a structured and affordable way to discover ePHI across the enterprise and measure data loss/data breach risk by monitoring data-in-motion for a defined period of time. Contact us at http://blog.cynergistek.com/about/contact-us/ for more information or to request a quote for this service.