Healthcare and Technology news

Safe Texting in Healthcare: Do’s and Don’ts

Texting is the most popular feature of a smartphone, and 97% of Americans send texts to their friends and family because texting is an easy, quick and effective way to communicate. However, texting is considered an unsafe method of communication for healthcare purposes. In the healthcare world, many rules govern this form of communication.

 

The privacy and security rules of HIPAA/HITECH cover the communication of electronic protected health information (ePHI), including over social media, email and text messages. In one case, nurses at a nursing facility sent patient information to medical providers by text message. Though there was no evidence that an unauthorized person viewed the messages, CMS drew up a ten-point remediation plan to train staff, appoint a HIPAA security officer and change the nursing facility's HIPAA policies and procedures.

 

CMS took immediate action because texting, unlike a telephone call, creates a record. In a telephone call, it is also easier to know that you are communicating with the right person. Texting sensitive patient information is not risk-free: according to public surveys, at least one third of people who have texted their medical information say that they have sent it to the wrong person by mistake. Further, violations of the HIPAA/HITECH privacy rules can carry fines of up to $50,000. It is advisable to resist the tendency to text patient information to a colleague for a quick patient consultation.

 

HIPAA Compliant Texting

 

Even though texting has many downsides, secure mobile messaging that complies with HIPAA can be used, subject to the following rules:

  • Secure data centers – Offsite or onsite data centers must adhere to high levels of physical security and policies. This is to control and conduct continuous risk evaluation for data exchange through texts.
  • Encryption – ePHI must be encrypted both in transit and at rest.
  • Recipient authentication – Confirmation that text communication containing ePHI goes only to the intended recipient.
  • Audit controls – Each ePHI message must be recorded automatically, and the record (sender, receiver, content, etc.) must be available for any type of audit.

The volume of text messages shows how widely this method of communication is preferred. The number of texts sent by Americans in 2008 was 1 trillion, and the number of texts sent by Americans last year was 1.92, which is almost double. Therefore texting cannot be abandoned fully, but the HIPAA rules mentioned above can make it safer to send and receive patient information through texting.

 

Appointment and Wellness Reminders Using Text Messages

 

It may be a practice in your clinic to send reminder texts to patients for appointments. There is statistical evidence that text reminders reduce the rate of patient no-shows. HIPAA rules do not regulate communications that are not a part of ePHI.

 

Text reminders help patients to follow their medication, healthcare and recommended lifestyle. Researchers point out that text reminders help patients with chronic disease to manage diabetes. They help African Americans, especially those suffering from high blood pressure, to take their medication on time. Reminder texts help people to exercise and maintain their physical activity levels. Beyond these advantages, more research is required to identify best practices in texting patients.

 

Secure texting for the above services is now made available by healthcare vendors through simple apps that allow medical professionals and physicians to use texting within a HIPAA-approved platform. Government agencies usually do not use these apps, so it is important to make sure that these apps are HIPAA compliant. If you wish to use a texting service on a third-party secure texting platform, check for the three guidelines that offer security to PHI: integrity, confidentiality and availability. Nowadays, more than 80% of medical clinics and physicians use EHRs to communicate with patients. Electronic health record systems allow communication with patients through text or email over a secure patient portal that meets the Meaningful Use requirement.

Whichever method of electronic communication is used, train your staff at the medical clinic never to transfer ePHI over a non-secure channel, to save yourself from being penalized.


Obama Gives Data Security Some Needed Momentum


Every year, I see Mac McMillan at HIMSS and wonder if he’ll ever be positive.

Of course I’m joking, but in a way you can’t blame McMillan—a renowned data security expert, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, and CEO of the consulting firm, CynergisTek—for being a “Debbie Downer.” Data security in healthcare has been and is abysmal.

Every year, the Traverse City, Mich.-based Ponemon Institute releases its annual patient privacy and security study and the results are somewhat startling. This past year, 90 percent of respondents say they’ve had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The economic impact of a breach has remained steadily high.

And this is just one study of many, one voice of many, and one indication that healthcare has a big problem with data security. It’s not exactly far-reaching to say we have a long ways to go if these abysmal statistics are to reverse.

Moreover, it could get worse before it gets better. Hackers are now starting to target healthcare data holders. This week, Jason Roos, CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., explained to me why the exposure of the threat is significant in healthcare, compared to other sectors.

One of the big problems is that it seems like a lot of high-level executives in hospitals don’t care about data security until it’s too late. They don’t want to put in protections, do a risk analysis, and pay for extensive training until they have the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) knocking at their door.

It’s not just healthcare that lags in this way. The retail, entertainment, finance, education, and government sectors seem to have this problem too. In our podcast conversation, McMillan called 2014 the year of the incident. You could say that again. Sony, JP Morgan, Community Health, Home Depot all had high profile breaches. Incidents were everywhere in 2014.

I guess that’s why I was excited to read about President Barack Obama’s dedication to data security, which made the news this week. Specific information on his proposal is sparse, with most details expected to be announced during the State of the Union on Tuesday, but let’s just acknowledge that something is better than nothing. As a privacy expert said in this CNET article, “This is a huge shot in the arm to a much-needed advancement for our legislative protections.”

A nationally recognized data security policy tells every higher up, whether they are in healthcare or not, “Respect the threat. Be prepared.”

In New York, Attorney General Eric Schneiderman quietly took it a step farther. He proposed a bill that would expand the definition of private information to include email addresses in combination with a password or security question and answer; require entities that store private data to have reasonable technical and physical safeguards, assess risks regularly, and obtain third-party certifications showing compliance with these requirements; and incentivize companies to provide higher levels of data security and share forensic reports with law enforcement officials. I admire the fact that he wants the strongest data security law in the country.

While these measures are not directed at the healthcare industry specifically, they very well could have a trickle-down effect that gives it the kick start that is so desperately needed. In other words, maybe in a few years, I’ll go to HIMSS and Mac McMillan will be a little less annoyed at the way things are with data security in healthcare.



Hospital employee gets indicted for fraud


A former employee at a major New York health system has been indicted, along with seven others, for stealing personal data of 12,000 patients, enabling more than $50,000 in fraud.


Manhattan's district attorney last week announced the indictment of Monique Walker, 32, a former assistant clerk at the eight-hospital Montefiore Health System, for swiping patient data and supplying it to an identity theft ring. Walker, who had access to patient names, Social Security numbers and dates of birth, among others, reportedly printed the records of as many as 12,000 patients and supplied them to seven other individuals who used the data to make multiple purchases from department stores and retailers.


Walker, according to the New York County District Attorney’s office, sold the patient records for as little as $3 per record. Co-conspirators were able to open credit cards and make several unauthorized big-ticket purchases at Barneys New York, Lord & Taylor and Bergdorf Goodman, among others. Defendants have been charged with grand larceny, unlawful possession of personal identification information, identity theft and criminal possession.


"In case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," said New York County District Attorney Cyrus R. Vance Jr. in a June 18 press statement announcing the indictment. "I thank Montefiore Medical Center for taking immediate steps to alert authorities to ensure that those involved are held responsible, and moving swiftly and responsibly to notify and protect patients."

Insider misuse of patient data within healthcare organizations is nothing new. In fact, according to Verizon's annual data breach investigations report published this spring, security incidents caused by insider misuse – think organized crime groups and employee snooping – jumped from 15 percent last year to 20 percent in 2015.


"We're seeing organized crime groups actually position people where possible in healthcare organizations so they can steal information for tax fraud," Suzanne Windup, senior analyst on the Verizon RISK team, told Healthcare IT News this spring. "As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping."


As Cathleen A. Connolly, FBI supervisory special agent explained at Healthcare IT News' Privacy & Security Forum this past March, "your people that work for you are a very large threat," speaking in the context of combatting insider threats within healthcare.


What's more, according to data from the U.S. Department of Health and Human Services, unauthorized access or disclosure accounts for 5.3 million of the patient data compromised in HIPAA breaches. 


NIST to Address Medical Device Security


In an effort to address the cybersecurity challenges of networked medical devices, the National Institute of Standards and Technology, through the National Cybersecurity Center of Excellence, is launching a project to secure those devices from risks such as malware, hacking and access control.


The project, done in collaboration with the Technological Leadership Institute at the University of Minnesota and the medical device industry, is inviting comments on ways to properly secure medical devices that are increasingly being connected to central systems within hospitals, the NCCoE says, starting with a draft use case on wireless infusion pumps.

While security experts see the move as a positive step forward in raising awareness on security risks to such devices, it may not be enough to get device manufacturers to address the issues. For one, NIST doesn't have any regulatory oversight, says Mac McMillan, CEO of security consulting firm CynergisTek. "Whatever they come up with is not going to get us where we need to go," he says. "What we need is for the Food and Drug Administration to put out a hard and fast rule that [manufacturers] have to pay attention to."

Still, NCCoE's initiative is a comprehensive effort to address medical device risks, says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. "We need to start with a realistic use case, and infusion pumps are a high-use medical device."

The push by NCCoE to address medical device security comes two months after the Food and Drug Administration issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices.

In Aug. 2013, the FDA also issued guidance on the radio frequency of wireless medical devices, including recommending authentication and encryption for reducing security risks and related patient safety threats.

Project Details

The draft use case NCCoE is launching will focus on wireless infusion pumps, which transport fluids, drugs and nutrients into a patient's bloodstream. "A networked infusion pump can allow centralized control of the device's programming as well as automated cross checks against pharmacy records and patient data to ensure the right dose of fluids or medication are delivered," NCCoE says. "But these connected devices can introduce new risks in safety and security compared with stand-alone devices."

The use case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies and provides an example method or implementation to secure the system, NCCoE says. Comments on the draft use case should be submitted by Jan. 18, 2015.

After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide that contains materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems.

Moving into 2015, the NCCoE would like to have a set of practice guides dealing with different types of medical devices, says Gavin O'Brien, project manager at NCCoE. "For instance, MRIs ... have lots of computing power on them," he says. "They're very different than infusion pumps and all of those are different from say implantable [devices]."

But for now, the practice guide being developed around the infusion pump use case will be written in a way that people can use pieces from the guide to secure devices within their own organization, O'Brien says. "In the use case, we talk about issues that are specific to infusion pumps, but where those issues apply to other devices ... the [practice guide] will be beneficial to them."

Analyzing the Latest Effort

Before all medical devices are networked, standards and baseline security controls need to be in place, PeaceHealth's Paidhrin says. "Healthcare will leverage them, if they are available," he says. "Medical device manufacturers are wakening to the challenge, but the pace is slow compared to the advance of technology and exploits."

A key challenge will be getting the medical device manufacturers on board with the latest efforts around medical device security, says privacy and information security expert Rebecca Herold. "The overall sentiment coming from the manufacturers has been that they will basically do only the minimum necessary to secure the devices, as required by the FDA," she says.

And while the FDA recently released high-level guidance, "it really did not provide the details necessary to spur medical device manufacturers to take action and engineer their devices" with certain security controls built in, Herold says.


