Healthcare and Technology news
50.9K views | +1 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

Telehealth, Video Tech Tools and HIPAA Compliance

Telehealth, Video Tech Tools and HIPAA Compliance | Healthcare and Technology news | Scoop.it

Telemedicine has been around for years, but as a healthcare service it has been underutilized. Today, virtual visits for medical care have skyrocketed because of the COVID-19 outbreak and other factors.

 

Telehealth is experiencing a revolutionary moment like never before. By the end of 2020, virtual medical care usage is estimated to reach upwards of 1 billion interactions, according to analysts at Forrester Research. 

 

In addition, some restrictions that were barriers to entry before have been lifted in response to the public health pandemic. And in March 2020, the Trump Administration expanded Medicare's coverage allowing beneficiaries to receive more extensive care through telehealth visits. These are done using video and audio applications. 

 

With the advent of stay-at-home orders and social distancing, technology is healthcare's solution for delivering continuous patient care. Tech tools' enable widespread access, bringing an unprecedented reach to a larger patient population.

 

For medical practitioners, the shift of using video platforms to communicate can come with risk and HIPAA compliance concerns. OCR asks that telehealth sessions be conducted in a private environment.  Sometimes this could be achieved with a simple task such as closing an office door or lowering one's voice.  

 

The Office for Civil Rights has issued an announcement, guiding on which audio and video communication platforms are acceptable and not acceptable for patient interactions during the coronavirus pandemic. 

 

As stated officially by OCR on its website:

"OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency."

In this blog post, we will highlight some of the video communication platforms that follow OCR's public health emergency guidance. Of course, keep in mind that compliance regulations might change in upcoming months.

Telehealth video calling platforms to use amid the pandemic

Under OCR's notice, covered healthcare providers can use certain platforms for non-public facing video communications with patients, as these platforms are HIPAA compliant and will enter into Business Associate Agreements (BAAs).

Some of these are:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Zoom is on this list, but with the recent rise in security attacks from threat actors joining Zoom meetings uninvited, we have seen advice from various  entities to use a different video platform when communicating with patients, until all security and privacy issues with Zoom are fixed. No one wants to deal with Zoom-bombing during an important medical visit. 

It's important to note that these technological tools are third-party providers and they may pose privacy risks. However, using FaceTime, for instance, during the pandemic is not necessarily a compliance violation, depending on a case by case basis. 

What if patient does not have access to video telehealth formats

If the telehealth session is being conducted in good faith during this public health emergency, then OCR permits the use of audio methods like wireless phone, landline phones to conduct the session. If using email or texting, they ask the covered entity to try and utilize safeguards whenever possible, such as secure email or secure texting.  

Avoid using TikTok for telehealth sessions

On the other hand, OCR stated the following public-facing applications are not to be used when providing telehealth services, even during the public health crisis. OCR is not the sole government agency warning about TikTok's security implications. The wildly popular app has come under fire for underage privacy and international security concerns by U.S. lawmakers and security professionals. 

 

Using public-facing communications could be an evidence of bad faith on the part of the provider, which could make the provider liable for OCR enforcement actions. 

Avoid using these platforms for telehealth:

  • Facebook Live
  • Twitch
  • TikTok

Not only that, the guideline explains to avoid using any public-facing technology, meaning the session can be seen by a group. 

 

For privacy protections and peace of mind, OCR advises to turn to HIPAA compliant technology platforms. There are vendors available, who will enter into a HIPAA Business Associate Agreement with a covered entity.

 

Check with the vendor to see if that's the case. When in doubt, reach out to third-party HIPAA experts to ensure your following compliance regulations as you transition to doing telehealth. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Leone Mane's curator insight, May 25, 2:48 AM

WELCOME TO RX ONLINE PHARMACY

Buy Oxycodone Online HERE at RX Pharmacy Online Store. Patients should buy Oxycodone Online from RX Pharmacy Online store which is the best online store for your pain pills.  Oxycodone is an opioid analgesic medication synthesized from the base. It was developed in 1916 in Germany, as one of several new semi-synthetic opioids with several benefits over the older traditional opiates and opioids; morphine, diacetylmorphine(heroin) and codeine. It was introduced to the pharmaceutical market as Eukodal or Eucodal and Darkon. Its chemical name is derived from codeine – the chemical structures are very similar, differing only in that the hydroxyl group of codeine has been oxidized to a carbonyl group (as in ketones), hence the -one suffix, the 7,8-dihydro-feature (codeine has a double-bond between those two carbons), and the hydroxyl group at carbon-14 (codeine has just hydrogen in its place), hence oxycodone. So buy oxycodone online

 

Tendencies towards the use of the internet pharmacies are observed not only in developed countries such as the USA and Canada but also within the territory of other countries. The advantages of internet shopping cannot be overstated. Every user can order the delivery of medications in a couple of minutes.

 

Tendencies towards the sale of the over-the-counter (OTC) drugs are also observed because it helps to save money and time. If a person does not have insurance covering all medical services, it is necessary to pay for the doctor’s consultations and quality medications. Expensive drugs become less demanded and popular under the conditions of the modern pharmaceutical market.

 
 
 
 

FAST – FRIENDLY – DISCRETE – RELIABLE

At Marijuana weed online Shop, we have made it our mission to provide customers with high-quality services and high-quality marijuana at affordable prices! Marijuana weed online Shop is your one-stop-shop for affordable, quality marijuana delivered right to your door. We are a safe, secure, and discreet mail-order marijuana service in the USA. Easy to order, quick delivery, and some of the best quality marijuana, you’ll never have to stress about ordering your medical marijuana. Why did we choose the marijuana industry? Throughout the years we have seen just how amazing medicinal marijuana can be for people who suffer from a variety of different diseases, disorders, and conditions. We are passionate about helping people with the medicinal benefits of marijuana, which is exactly why we offer the services that we do. With our mail order service, we strive to get our customers the medical marijuana they need, when they need it. Buy kush online online dispensary | medicated marijuana

 

 

 

 

 

 
 
 

 

 
 
 
 

 


Buy Oxycodone Pills Online|Buy Oxycodone Pills Online without prescription

Adderall Online without a doctor's prescription|Buy Adderall Online

Buy hydrocodone online|Hydrocodone is an opioid pain medication

Buy Oxycontin Online Cheap Without Prescription|Buy Oxycontin Online

Buy Demerol Online Without Prescription|Buy Cancer pills online

Buy Dilaudid Online Overnight|Buy Dilaudid Online 

Buy Percocet Online without Prescription|Buy Percocet Online

Buy Morphine Sulfate Online Without Prescription|Buy Morphine Sulfate Online

Buy Roxicodone 30 mg Online Without Prescription|Buy Roxicodone 30 mg Online 

Buy Ambien Online|Order Ambien online without prescription

WERE CAN I BUY SODIUM CYANIDE ONLINE

buy sodium cyanide

sodium-cyanide-for-euthanasia

buy sodium cyanide online

buy sodium cyanide in china 

buy sodium cyanide in  USA 

buy sodium cyanide in Uk 

BUY RESEARCH CHEMICALS IN CHINA |Buy sodium cyanide online|Sodium cyanide for Euthanasia

Buy Etizolam Powder in the USA|BUY Etizolam online |BUY Etizolam online in China

WERE TO BUY Etizolam USA POWDER, PILLS, LIQUID

best-online-lab-to-buy-etizolam-pills

buy etizolam online

Buy Ketamine powder|Buy pills online in China|Order Ketamine online

Buy Flakka A-PVP online(alpha-PVP)|Buy Flaka A-PVP in china

Buy METHAMPHETAMINE Online|Buy Crystal meth online

muscle-builders

2 Month Hard Core Stack

AlphaSize Alpha GPC

Massacr3 with Laxogenin | 60 capsules

Laxosterone | 50 mg | 60 Capsules

Ecdysterone (95% Beta Ecdysterone) 90 Capsules



BUY AMBIEN 2MG


BUY OPANA 40MG ONLINE


BUY OXYMORPHONE ONLINE


PERCOCET 10MG


Buy 8 Mg Red Devil alprazolam online


Buy Adderall XR 30 MG


BUY CHEAP DILAUDID ONLINE


BUY MALEGRA FXT PLUS 160MG ONLINE


BUY KAMAGRA GOLD ONLINE


ECSTASY (MDMA) 100MG ONLINE


BUY CHEAP HYDROCODONE ONLINE


BUY CHEAP PRANDIN ONLINE


BUY LEXAPRO TABLET ONLINE


Buy Actavis Cough Syrup Online


Ecdysterone (95% Beta Ecdysterone) 90 Capsules


Buy Methamphetamine (meth crystal)


Buy Ketamine powder


JUUL Pod Menthol 4 Pod Pack


Buy Stiiizy online


Buy Golden Teacher Mushrooms online


BUY CHEAP CYMBALTA ONLINE


BUY CHEAP TRENTAL ONLINE


BUY TRAMADOL PILLS ONLINE


BUY CHEAP MAXALT ONLINE

 

Köp Valium (Diazepam) 10mg

 

Köp Oxikodon 30mg

Scoop.it!

HIPAA Compliant Cloud Storage

HIPAA Compliant Cloud Storage | Healthcare and Technology news | Scoop.it

HIPAA compliant cloud storage is contingent on several aspects. To use a cloud storage and be HIPAA compliant, it is important to ensure that the cloud service provider

 

(CSP) has sufficient safeguards to secure the protected health information (PHI) that is transmitted, stored, or maintained on behalf of their covered entity (CE) client. Additionally, they must be willing to sign a HIPAA business associate agreement (BAA).

Security Measures for HIPAA Compliant Cloud Storage

Cloud service providers must have certain measures in place to secure PHI and track access to PHI. These include the following:

  • Access controls: each person with the ability to access data stored by the CSP must have unique login credentials. The HIPAA minimum necessary standard requires access to PHI to be limited, so that it is only accessed for a specific purpose. Utilizing unique logins allows organizations to designate different levels of access to PHI based on an employee’s job function. 

 

  • Audit logs: unique login credentials also allows audit logs to be created. Audit logs establish normal access patterns for each employee (what information they access, how frequently they access it, and for how long). Being aware of each employee’s access patterns is the key to detecting insider breaches.

 

  • Encryption: HIPAA compliant cloud storage platforms should utilize end-to-end encryption (E2EE). E2EE is a means of protecting sensitive data by converting data into code that can only be read with a decryption key. E2EE is the best way to prevent unauthorized access to PHI.

 

  • Data backup:HIPAA requires healthcare organizations, and their business associates, to backup patient data. Data backup ensures that organizations that experience a breach, or natural disaster, are able to quickly restore data.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

The HIPAA Security Rule and Vulnerability Scans

The HIPAA Security Rule and Vulnerability Scans | Healthcare and Technology news | Scoop.it

Under the HIPAA Security Rule, covered entities must implement safeguards to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI).

 

ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. 

 

To this end, the HIPAA Security Rule requires covered entities to perform a security risk analysis (also known as security risk assessment), which the Security Rule defines as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Scans known as vulnerability scans may be performed to identify known vulnerabilities in applications, networks, and firewalls. 

What are Vulnerability Scans?

Vulnerabilities are weaknesses which, if triggered or exploited by a threat, create a risk of improper access to or disclosure of ePHI.

 

 Vulnerability scans are scans designed to identify vulnerabilities, or weaknesses, that have the potential to cause a security incident. 


Under the HIPAA Security Rule, a security incident is defined as:

  • The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system; or
  • The attempted or successful unauthorized access, use, disclosure, modification or interference with system operations in an information system. 

In plain English, a HIPAA security incident is an attempt (which can be successful or not) to do something unauthorized.

 

The “something” that is unauthorized, is an unauthorized access, use, disclosure, modification, destruction, or interference.

 

A HIPAA security incident may occur when:

  1. The unauthorized attempt to access, use, disclose, modify, destroy, or interfere, targets an organization’s information system.
  2. The unauthorized attempt is made to access, use, disclose, modify, or interfere with that information system’s system operations.

What are Examples of HIPAA Security Incidents?

Examples of a HIPAA security incident include:

  • Theft of passwords that are used to access electronic protected health information (ePHI).
  • Viruses, malware, or hacking attacks that interfere with the operations of information systems with ePHI.
  • Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with ePHI.
  • Providing media with ePHI, such as a PC hard drive or laptop, to another user who is not authorized to access the ePHI prior to removing the ePHI stored on the media.

How Do Vulnerability Scans Identify Weaknesses?

HIPAA vulnerability scans to test for holes and flaws in information systems, and for incorrect system implementation and configuration.

Common flaws that can be revealed through a vulnerability scan include:

  • Flaws in software. Such flaws can be found in computer operating systems, such as Microsoft 7. Such flaws can also be found in software programs, such as Microsoft Office, Google Chrome, or Internet Explorer. 
  • Flaws in hardware. Vulnerability scans can reveal vulnerabilities that exist on hardware devices. Hardware devices include network firewalls, printers, or routers.  

If a vulnerability scan identifies a vulnerability, the vulnerability may be remediated if the software or network vendor at issue has released a security patch. Installation of the patch may eliminate the security weakness.  

 
 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

How Does HIPAA Enforcement Work?

How Does HIPAA Enforcement Work? | Healthcare and Technology news | Scoop.it

HIPAA enforcement takes place on both the federal government and state government levels.

 

The Department of Health and Human Services’ Office for Civil Rights receives and investigates complaints, and issues penalties and fines.

 

Enforcement action can be taken with respect to any of the HIPAA Rules. These rules include the HIPAA Privacy Rule, the Security Rule, the Breach Notification Rule, and the HIPAA Omnibus Rule. 

 

When an individual reports a violation, files a complaint or discloses a breach, OCR reviews the complaint, report, or disclosure.

 

OCR may then pursue enforcement in the form of investigations or audits. Audits are randomly conducted. Thus far, HHS has publicly announced, with respect to each audit it has conducted, when the audit was to take place, and what the audit consisted of.  

 

Investigations, in contrast, are made in response to a specific complaint. Upon receiving a complaint, OCR seeks information from the entity against whom the complaint is filed, about the extent of its HIPAA compliance.

 

Investigation sometimes results in the entity that is the subject of the complaint taking voluntary steps to improve its compliance. In addition, after an investigation starts, HIPAA enforcement can take the form of OCR providing technical assistance to an entity to resolve the matter. Technical assistance consists of OCR’s advising the entity as to what is expected of it in terms of HIPAA compliance.

 

Typically, an entity agrees to make specified changes. 

In addition, state attorneys general can enforce HIPAA. The ability to do so was given to states in the 2009 amendment to HIPAA that appears in the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

 

States were reluctant to take enforcement actions in the initial years after the amendment; however, recently, states have not only engaged in more vigorous HIPAA enforcement activity but have joined together with other states in multistate litigation. 

 

There are significant consequences for breaking the HIPAA laws in new ways as well: The first multistate litigation was brought in December of 2018. Arizona and 15 other states filed suit, asserting claims under HIPAA as well as various applicable state data protection laws.

 

The suit was filed as a result of a data breach in which hackers infiltrated WebChart, and stole the electronically protected health information (ePHI) of approximately 4 million individuals. 

 

As shown above, consequences for breaking the HIPAA law can be severe. Covered entities can address their obligations under HIPAA by working with Compliancy Group.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

What are HIPAA Operating System Requirements?

What are HIPAA Operating System Requirements? | Healthcare and Technology news | Scoop.it

The HIPAA Security Rule, requires covered entities and business associates to develop effective administrative, technical, and physical safeguards to ensure protected health information (PHI) is secure.

 

The Security Rule does not impose minimum HIPAA operating system requirements for a business’ computer systems.

 

Indeed, the HIPAA Security Rule generally does not impose any specific HIPAA software requirements (including HIPAA operating system requirements) on entities.

 

No provision of the Security Rule tells you, for example, what kind of antivirus, antimalware, or firewall software to purchase.

 

 The absence of a security rule grocery shopping list is very much by design. The Security Rule was written to provide flexibility for covered entities to implement HIPAA cybersecurity measures that best fit their particular organizational needs.

What are HIPAA Operating System Requirements?

HIPAA indirectly regulates operating system requirements.  

The Security Rule mandates requirements for information systems that contain electronically protected health information, or ePHI. ePHI is defined as any protected health information that is created, stored, transmitted, or received in any electronic format or media. Information systems must contain security capabilities, or features, that are sufficient to satisfy the technical safeguard implementation requirements of the Security Rule.

 

These HIPAA operating system requirements include (among others) audit controls, unique user identification, person or entity authentication, and transmission security.

 

The administrative safeguard implementation requirements of the Security Rule requires that entities perform a risk analysis, in which any known security vulnerabilities of an operating system should be considered. In performing the analysis, entities should ask themselves, “Is my operating system vulnerable to being exploited?

 

If an operating system is vulnerable to exploitation, the risk analysis must reflect that fact, and you must take whatever steps are reasonable to address the vulnerability.

When is an Operating System Vulnerable to Exploitation?

An operating system is vulnerable to exploitation when that operating system contains known vulnerabilities for which a security fix is unavailable.

 

Security fixes may be unavailable for a number of reasons. One reason why a fix might be unavailable is because the manufacturer of the operating system no longer provides support for that system, as in, no longer provides new security updates, non-security hotfixes, assisted support options, or technical content updates. This “dropping” of support for an operating system is colloquially referred to sunsetting of the operating system.

 

Microsoft “sunset” its popular Windows XP Operating System in 2014, advising users that security updates would no longer be provided for Windows XP. Microsoft advised users that “Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, are not considered secure.”

 

Windows XP was launched in 2001. In 2009, Windows released its Windows 7 operating system. The most current version of Windows, known as Windows 10, was launched in 2015.

 

Microsoft has announced that support for Windows 7 will end on January 14, 2020. After that date, Microsoft will no longer provide security updates or support for computers using Windows 10. Accordingly, Microsoft has advised Windows users, “Now is the time to upgrade to Windows 10.”

 

Continuing to use an operating system that has known vulnerabilities identified in a risk analysis, does not suffice to meet the required risk management component of the HIPAA Security Rule. 

 

Risk management requires organizations to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” By definition, if you are using an operating system that no longer offers security measure support, you are improperly managing your risk, and, if, as a result of that impropriety, your organization’s ePHI becomes compromised, you are subject to being audited and fined by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA and Medical Record Copy Fees

HIPAA and Medical Record Copy Fees | Healthcare and Technology news | Scoop.it

Patients often request copies of their medical records. Traditionally, state law governed the subject of medical record copy fees.

 

State laws typically permit providers to charge a per-page copy fee, of up to a certain dollar value, or to charge a flat fee of up to a certain amount for the entire medical record. Many covered entities simply charge the maximum amount that state law allows. 

Such state laws (and the healthcare providers acting in accordance with them), however, cannot do an end-run around the HIPAA right of access rules, the latter of which provide that medical record copy fees must be reasonable.

 

Medical record copy fees that are flat fees, untethered to the actual costs of reproduction, may be considered excessive under the HIPAA Privacy Rule’s right of access provisions. When the two laws are in conflict, HIPAA, the federal law, prevails.    

The HIPAA Privacy Rule’s Right of Access and Medical Record Copy Fees

This point – that HIPAA preempts contrary state law – has been reiterated under guidance provided by the Department of Health and Human Services’ (HHS) Office of Civil Rights. This guidance specifies that HIPAA, through its right of access provisions, limits the amounts that a covered entity may charge a patient requesting access to his or her medical records.

Under the HIPAA Privacy Rule Right of Access, medical record copy fees must be reasonable and cost-based.

This means that providers may only charge for the following:

  • Labor for copying the PHI requested by the individual, whether in paper or electronic form.  

           i)Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.

 

Labor for copying does not include:

  • Costs associated with reviewing the request for access; 
  • Searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other records, 
  • Segregating or otherwise preparing the PHI that is responsive to the request for copying.
  • Supplies for creating the paper copy (e.g.,  paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy is provided on portable media.  
    • However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their  PHI e-mailed or mailed to them upon request.
    • Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged

 

In sum, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, and labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling an access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

How to Meet HIPAA Compliance Requirements

How to Meet HIPAA Compliance Requirements | Healthcare and Technology news | Scoop.it

A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

 

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to “covered entities” must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those entities who utilize certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule, and document every security compliance measure.

Related: Sorry for the Inconvenience – The Breaches Just Keep Coming (and so do the Ramifications)

CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Our ARIA Software-Defined Security (SDS) solution and applications help healthcare organizations protect the security of individuals’ ePHI information with powerful tools and capabilities required to:

  • Know and prove what ePHI records were accessed (if any) through:

    • The automatic detection of intrusion or unauthorized access.
    • Continual and complete monitoring of ePHI data as it moves through the network (including east-west traffic), and is accessed throughout the environment.
    • The ability to stop or disrupt incidents that could lead to potential disclosure.
    • Block or redirect identified data conversations with ePHI repositories and provide the auditable documented detail of measures take to maintain HIPAA compliance.
    • Prevent unauthorized access of customer data through the use of encryption that can be applied on a per-customer basis.

Working in conjunction with ARIA, our nVoy Series provides additional proof of HIPAA compliance with:

  • Automated breach verification and notification, critical to giving healthcare organizations a better way to comply.
  • Detailed and complete HIPAA compliance reports, including recordings of all conversations involving ePHI.
  • Auditable proof of the exact impact of data breach, including:
    • What devices are involved and to what degree?
    • When did the breach start and when did it end?
    • What critical databases or files were accessed?
    • Who did the intruder talk to?

Visit CSPi at HIMSS19 in the Cybersecurity Command Center Booth 400, Kiosk 91.

Interested in learning more about CSPi, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide, “Successfully Complying with Data Privacy Regulations.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

The Security Risks of Medical Devices

The Security Risks of Medical Devices | Healthcare and Technology news | Scoop.it
There are a large number of potential attack vectors on any network. Medical devices on a healthcare network is certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given medical device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.

So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:

Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.


Software patches and updates are essential to the continued safe and effective performance of medical devices.


Many device manufacturers are way behind on cybersecurity issues. As an example, many devices are still running on Windows XP today, even though we are one year past the XP support deadline. They are often loathe to update their software for a new operating system. In other situations device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate risks around obsolete operating systems, they are unnecessary and costly. Manufacturers should be supporting their products in a commercially reasonable manner.

Why would anyone be interested in hacking into a medical device? Of course there are those that would argue that anything that can be hacked will be hacked, “just because”. While it is possible that hacking could also occur to disrupt the operations of the device, the more likely reason is that getting onto a medical device represents a backdoor into a network with a treasure trove of PHI that can be sold for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements. That is because manufacturers maintain separate, backdoor access for maintenance reasons.


Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware or unable to remediate backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network connected medical devices and analyze the access/credentials that a device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.

No comment yet.
Scoop.it!

Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst

Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst | Healthcare and Technology news | Scoop.it

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.



While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The Breaches at Anthem, which is one of the nation’s largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain and command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”


No comment yet.
Scoop.it!

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation | Healthcare and Technology news | Scoop.it

Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”

No comment yet.
Scoop.it!

Healthcare cybersecurity info sharing still a work in progress

Healthcare cybersecurity info sharing still a work in progress | Healthcare and Technology news | Scoop.it

While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on infomation sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story

Scoop.it!

Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach | Healthcare and Technology news | Scoop.it
A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

· Nearly half of consumers (46%) expect a response or notification within one day of the breach.

· 31% of consumers expect to receive a response or notification within one to three days.

· Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.

· Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.

· More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”
No comment yet.
Scoop.it!

Americans want health information shared easily among docs

Americans want health information shared easily among docs | Healthcare and Technology news | Scoop.it

Nearly three-quarters of Americans say it's very important that their critical health information can be easily shared among healthcare providers, a survey from the Society of Participatory Medicine reveals.

In addition, 87 percent of respondents oppose any fees being charged to either healthcare providers or patients for that transfer of information to take place.

The 1,011 adults polled were selected randomly from landline and cell phone numbers.

Nearly 20 percent of respondents said they or a family member had experienced a problem in receiving care because records could not easily be shared among providers.

Doctors are forced to pay anywhere between $5,000 to $50,000 to set up connections with blood and pathology laboratories, health information exchanges or governments, according to a recent Politico story. Sometimes additional fees are charged each time a doctor sends or receives data.

Just this week, Peter DeVault, director of interoperability at Epic Systems, revealed at a Senate committee hearing that the company charges $2.35 per patient, per year for Epic EHR clients to exchange data with other providers.

"We have the technology. What we need is for health care providers and systems developers to put patient interests ahead of business needs. None of them would exist were it not for the patients," Daniel Z. Sands, M.D., co-founder and co-chair of the Society of Participatory Medicine, says in the survey announcement.

Experts at the Senate committee hearing testified that vendors and healthcare organizations use patient data as a competitive advantage, and that data-sharing is less likely to occur in competitive markets.

In a paper from the Brookings Institution, Niam Yaraghi, a fellow in governance studies at the Center for Technology Innovation, posits that the fee-for-service reimbursement model serves as a disincentive to share data. He also argues that Stage 3 of the Meaningful Use program will likely set the interoperability bar too low and likely will help only the dominant vendors, who will need only to provide a minimum amount of interoperability.

No comment yet.
Scoop.it!

HIPAA Workers Compensation Disclosures

HIPAA Workers Compensation Disclosures | Healthcare and Technology news | Scoop.it
HIPAA Workers Compensation Disclosures

The HIPAA Privacy Rule dictates how a healthcare provider may share protected information, or PHI in the workers compensation context.

 

PHI disclosures to the employer and the workers compensation board must be HIPAA compliant. HIPAA workers compensation requirements are discussed below.

What is Workers Compensation?

Many employers are required, under state law, to purchase and maintain a workers compensation insurance policy (or to self-insure). When an employee sustains an injury or illness arising out of and in the scope of his or her employment, the employee may file a claim for benefits under that policy.

 

State workers compensation laws are a specific kind of “no-fault” law. That is, an employee who sustains an injury or illness is generally entitled to benefits even if the employee’s injuries were brought about by his or her own negligence. Whether an employee is or is not entitled to benefits is generally not determined by whose “fault” the injury was.

 

To demonstrate entitlement to benefits and reimbursement for healthcare provider treatment costs, employees are required, through their providers, to submit medical information to their employers, and to the state workers’ compensation board. 

What Must a Covered Entity Do for HIPAA Workers Compensation Disclosure Requirements?

The HIPAA Privacy Rule allows covered entities to disclose protected health information to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization, when:

  • The PHI disclosure is authorized by, and is necessary to comply with:
    • State workers compensation laws; or
    • Similar “no-fault” programs established by law that provide benefits for job-related injuries or illness.
    • The PHI disclosure is required for purposes of obtaining payment for healthcare provided to the injured or ill worker.

In both instances, the “minimum necessary standard” applies. The PHI disclosure, under the HIPAA Privacy Rule, must be reasonably limited to the minimum information necessary to accomplish the HIPAA workers compensation purpose.

 

This means that the medical information that is disclosed must be relevant to the specific injury. Medical information having no relationship to the injury or to payment should not be disclosed.

What is HIPAA Compliant Reasonable Reliance?

When PHI is requested by a state workers’ compensation or other public official, the covered entity may reasonably rely on the state official’s representation that the requested PHI is the minimum necessary for the specific workers’ compensation purpose. 

 

In such circumstances, the covered entity is not required to make a minimum necessary determination when disclosing protected health information as required by state law. The provider will generally be deemed HIPAA compliant under such circumstances.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

What is a HIPAA Limited Data Set?

What is a HIPAA Limited Data Set? | Healthcare and Technology news | Scoop.it
What is a HIPAA Limited Data Set?

Under HIPAA, a limited data set is protected health information (PHI) that excludes certain direct identifiers of an individual, or certain direct identifiers of relatives, employers, or household members of the individual. 

What is a Direct Identifier?

Under HIPAA, a direct identifier is Information that relates specifically to an individual. HIPAA designates the following information as direct identifiers:

  • Names
  • Postal address information, other than town or city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health-plan beneficiary numbers
  • Account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers (including fingerprints and voice prints)
  • Full-face photographic images and any comparable images

What is the Relationship Between Direct Identifiers and a Limited Data Set?

A “limited data set” is information from which the above direct identifiers have been removed. All of the above-listed identifiers must be removed in order for health information to be a limited data set.

Is a Limited Data Set Still Considered Protected Health Information?

Yes.  A limited data set is still protected health information or “PHI” under HIPAA (or electronic protected health information, if in electronic form).

For patient data to lose its status as PHI, that information must be de-identified. De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived, not just the direct identifiers listed above.

Therefore, since a limited data set is PHI, is still subject to the use and disclosure requirements and restrictions of the HIPAA Privacy Rule. 

What is the Significance of Information Comprising a Limited Data Set?

Disclosures of a “limited data set” are not subject to the HIPAA accounting requirements.

 

HIPAA accounting requirements mandate that a patient or research subject has the right to request a written record (an accounting) when a covered entity has made certain disclosures of that person’s protected health information (“PHI”).  The accounting must include all covered disclosures in the six years prior to the date of the person’s request.

 

A covered entity may also disclose a LDS for public health purposes, including those that are emergency preparedness activities. The covered entity must have a data use agreement in order to disclose the limited data set (LDS).

 
 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

What is HIPAA And How To Comply With The HIPAA Security Rule

What is HIPAA And How To Comply With The HIPAA Security Rule | Healthcare and Technology news | Scoop.it

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US legalization that requires healthcare professionals and institutions to secure health information from deletions and data breaches.

 

This law has become relevant in today’s dental practice due to increased data breaches caused by ransomware and cyber attacks.

 

The law’s requirements on HIPAA can be demanding and challenging to understand, but we’ve made it easy for you below. There are three areas you need to be compliant with HIPAA.

 

• PHYSICAL – these are measures that prevent loss of devices and physical theft on medical information e.g. keeping workstations away from the public eye and limiting physical access to computers.

 

• ADMINISTRATIVE – measures that make sure patient data is accessible to authorized personnel and is correct. For example, identifying which employees have access to medical information.

 

• TECHNICAL – these are measures that protect your devices and networks from unauthorized access and data breaches e.g. encrypting files that you upload to a cloud or send via email.

 

The components above represent every aspect of your dental practice from your record-keeping and policies to your building safety and technology.

 

HIPAA also requires all your staff members to work together to protect patient data and be on the same page.

 

HIPAA COMPLIANCE

 

The administrative, physical, and technical requirements for HIPAA security may be a lot of information for you to take in.

 

Additionally, it can be overwhelming for you to handle its compliance in your dental practice solely.

 

To make it easier, HIPAA compliance is an organization-wide issue. This means all your employees will have to understand and know their role in securing dental information.

 

Alternatively, you can outsource your HIPAA compliance to consultants, web services, and IT contractors.

 

This ensures your dental practice meets the required standards and makes your life easier.

 

However, outsourcing your HIPAA responsibilities doesn’t mean you ignore your legal obligations.

 

Your company should always stay on top of any HIPAA changes in recommendations and adopt advanced practices to improve medical information security.

 

Ultimately, ensure your dental practice upgrades all its old technology for better and efficient systems that contribute to medical information security.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Secure Mobile Messaging in Healthcare: 4 Recommendations to Remain HIPAA Compliant

Secure Mobile Messaging in Healthcare: 4 Recommendations to Remain HIPAA Compliant | Healthcare and Technology news | Scoop.it

A research study, the State of Clinical Communication and Workflow in healthcare organizations, revealed that 51% of IT respondents planned to implement smartphones for clinical communications.

 

This shows that secure mobile messaging is a priority for healthcare providers as they seek to improve patient care.

 

Email alerts that remind patients of an upcoming doctor’s appointment are useful reminders to prevent missed appointments. But the benefits of mobile messaging in healthcare extend far beyond this capability. 

 

Health industry professionals and IT professionals working in healthcare also overwhelmingly believe (90%) that a unified app that integrates communications with clinical workflows will achieve better clinical, financial, and operational outcomes. 

 

Mobile messaging can improve patient care through improved communications as well as allowing a care team to share information about a patient to improve collaboration.

 

But mobile messaging poses cybersecurity and privacy risks if not handled appropriately. One of the main compliance requirements for mobile messaging is HIPAA Privacy and Security compliance and that protected health information (PHI) must be secured. HIPAA compliance is not optional.

Is Text Messaging HIPAA Compliant?

Not always. Here’s why:

  • SMS messaging isn’t secure and the data is vulnerable to unauthorized access in transmission.
  • Messages on a wireless provider’s server aren’t encrypted.
  • Messages can be deleted at any time by either the sender or receiver.
  • Smartphones can be lost or stolen, increasing the risk of exposure of PHI on the device.

You cannot simply use your phone to text a patient a diagnosis or ask a colleague their opinion. 

 

However, the HIPAA Privacy Rule does not prohibit mobile messaging, though neither does HIPAA provide specific recommendations for protecting PHI sent via mobile messaging. 

 

As with any other technology used to store or transmit PHI, the HIPAA Security Rule provides a list of controls that will allow secure mobile messaging when followed: unique user identification, automatic logoff, encryption/decryption, auditing, integrity management, authentication, and transmission security. 

 

HIPAA-covered entities and business associates must apply these rules to be able to use mobile messaging securely. 

 

4 Recommendations for Secure Mobile Messaging in Healthcare

Healthcare providers want to be able to share patient information via mobile devices to improve patient care. How can a HIPAA-covered entity take advantage of mobile messaging and stay within the HIPAA rules? These four recommendations will get you started.

  1. Conduct a risk analysis. Before implementing mobile messaging, assess the level of risk. Will users need more training to use the tools properly? Is the infrastructure robust enough to secure PHI? . 
  2. Factors for a secure texting platform. There are five factors to check for in a secure mobile messaging solution:
    1. Messages are encrypted in transit and at rest.
    2. The platform requires recipient authentication.
    3. Where does the data live? If it’s in a cloud platform, does it have secure hosting to archive and/or download sensitive content?
    4. Are emergency recovery procedures (data backup, disaster recovery, etc.) in place?
    5. If using a third-party provider, will the vendor sign a business associate agreement and commit to implementing administrative, technical and physical safeguards to protect any PHI that the vendor accesses? 
  3. Audit trails and controls. Messages must have an audit trail to track who sent what data and when they sent it. Messages related to a patient should be stored as part of a patient’s health record. Document retention and disposal policies should be enforced as with any other record. 
  4. Policies for phone loss. Whether the smartphone used is personal or provided by the company, policies must be in place to prevent a breach of PHI. This can include the ability to retrieve and/or delete data remotely, requiring two-factor and/or biometric authentication to access the device, and extensive security training for users.

Mobile Messaging Can Be HIPAA Compliant

Solutions for secure, HIPAA-compliant mobile messaging exist and can be found on the Internet. Regardless of whether you create your own system or use an existing one, your organization is responsible for your patients’ PHI. 

 

Conduct reasonable due diligence, follow these four recommendations, and continually evaluate your cybersecurity defenses and your organization will reap the benefits of mobile messaging.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Compliant Laptops

HIPAA Compliant Laptops | Healthcare and Technology news | Scoop.it
HIPAA Compliant Laptops

HIPAA regulations require healthcare organizations and individual care providers to take measures to keep patient data secure. Failure to do so can result in fines if an organization suffers a breach of unsecured PHI. 

 

The HIPAA Security Rule requires that mobile devices be rendered secure. Security Rule requirements needed for HIPAA-Compliant laptops are discussed below.

What is a Security Risk Assessment?

The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates implement security safeguards.

 

These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

 

The HIPAA Security Rule requires covered entities and business associates to perform a security risk assessment (also known as a Security Risk Analysis). 


Performing a security risk analysis is the first step in identifying and implementing these safeguards. Performing this assessment is also required to have a HIPAA-compliant laptop.

 

A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 

What are the Elements of a Security Risk Analysis?

The security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk to ePHI

What is the Relationship Between the Security Risk Assessment and HIPAA-Compliant Laptops?

A risk assessment encompasses a company’s entire IT infrastructure; company policies; administrative processes; physical security controls, and all systems, devices, and equipment that are capable of storing, transmitting or touching ePHI. 

 

These devices include laptops. To have HIPAA-compliant laptops, organizations must conduct a risk assessment, which will provide companies with vital information as to how laptop security measures can be improved or implemented.

 

What Safeguards Must be Implemented to have HIPAA-Compliant Laptops?

In order for covered entities to have HIPAA-compliant laptops, covered entities must:

  • Consider the use of encryption for transmitting ePHI, particularly over the Internet. 
    • If a risk assessment has determined that lack of encryption presents a risk, encryption should be implemented.
    • A covered entity violates HIPAA if it allows transmission of ePHI over an open network, such as via HHS messages.
    • Encrypt data in motion, if it has been determined that ePHI transmission, if not encrypted, would be at significant risk of being accessed by unauthorized entities.
    • Implement access controls to ensure users are authenticated. 
      • Organizations should implement multi-layered security controls to reduce the risk of unauthorized data access.
      • Put protections in place to ensure data cannot be altered or destroyed
      • Put controls in place to allow devices to be audited.
        • Organizations must have the capability to examine access (and attempted access) to ePHI, and any other activity performed on the device that has the potential to affect data security.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Cryptomining Malware Can Affect HIPAA Obligations

Cryptomining Malware Can Affect HIPAA Obligations | Healthcare and Technology news | Scoop.it

The well-established security firm Check Point recently ranked cryptomining as the leading cyber-threat in healthcare – ahead of ransomware. Cryptomining malware, also known as cryptocurrency mining malware, refers to software programs and malware components developed to take over a computer’s resources and use them for cryptocurrency mining, without a user’s authorization. This hijacking of computer resources can result in a shutdown and even total systems failure.  Cryptomining is not specifically addressed by the HIPAA security rule. However, the threat of cryptomining malware should make covered entities and business associates evaluate their Security Rule compliance efforts, and, if necessary, implementing additional cybersecurity measures as needed to protect against this unique and powerful threat.

 

Under the HIPAA Security Rule, covered entities and business associates must implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronically protected health information (ePHI). Cryptomining malware can compromise this confidentiality, availability, and integrity. To understand the nature of the threat posed by cryptomining malware, it is useful to first understand some basic concepts.


These include cryptocurrencycryptography, and cryptomining.

What is Cryptocurrency?

Cryptocurrency is digital money that can be purchased, transferred, and/or sold. Cryptocurrency exists solely on the Internet. This form of currency is not backed by anything tangible (such as gold), nor is it backed or managed by any bank or government. Cryptocurrency transactions, or trades, are changed and verified by a decentralized (not affiliated with anyone single entity) network of computers.

What is Cryptography?

Cryptography is a method of protecting information by encrypting it into an unreadable format known as ciphertext. Ciphertext can be converted to regular text through the process of decryption. Cryptography encrypts and protects the data used to help identify and track cryptocurrency transactions.

What is Cryptomining? 

Cryptocurrency miners engage in cryptomining to earn more cryptocurrency (often referred to as “coins” or “Bitcoins”). 

Here is how the mining process works:

Miners compete with other cryptominers to solve complicated mathematical problems. Solving the problems enables the miner to authorize a transaction and to chain together (blockchain) blocks of transactions. Once a transaction is included in a block, it is secure and complete.

For his or her mining activities, the miner receives a small amount of cryptocurrency of his or her own, The more currency a miner “mines,” the more currency a miner ends up owning. Cryptocurrency can then be sold for actual cash. 

So, you may now be thinking, …..

“What Does Any of This Have to do with HIPAA Health Care?”

Crpyotmining malware is surreptitiously installed on a user’s computer. Once it is installed, the  cryptomining malware turns the affected computer, in effect, into a mining operation – one through which the miners solve their math problems and “earn” their coins and cash.

Here’s the problem: Cryptomining has an enormous appetite for computer power.  As the malware is enabling the mining, the mining process consumes significant computing power, bandwidth, and even electricity.  Particularly persistent forms of malware consume resources even after a user has logged off.   

Eventually, a device or a network may simply become unable to mining malware’s energy requirements, causing the device or network to crash.

Since any Internet-connected device can be infected with cryptomining malware, those devices used by covered entities or business associates that are missing essential security features – which features include, but are not limited to, antivirus software, firewalls, updates and patches for operating systems – can, upon a malware attack, shut down or experience total system failure.  ePHI data thus becomes compromised. As in, lost, rendered inaccessible, or damaged beyond repair. The HIPAA Security rule thus becomes implicated, and, if an organization is found to have implemented ineffective security safeguards, the Department of Health and Human Services’ Office of Civil Rights (OCR) can audit and fine that organization.

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM  their HIPAA compliance!

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past

HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past | Healthcare and Technology news | Scoop.it

Cybersecurity was identified as an increased business priority over the past year according to 87 percent of respondents in the newly released 2015 HIMSS Cybersecurity Survey

(http://www.himss.org/2015-cybersecurity-survey). Two-thirds of those surveyed also indicated that their organizations had experienced a significant security incident recently. Released at the Privacy and Security Forum, held in Chicago from June 30-July 1, this research reflects the continued cybersecurity concerns by healthcare providers regarding the protection of their organizations’ data assets.


“The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats,” said Lisa Gallagher, Vice President of Technology Solutions, HIMSS. “Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means implementing threat data,incorporating new tools and sophisticated analysis into their security process.”


The survey of 297 healthcare leaders and information security officers across the industry also found that at least half of respondents made improvements to network security, endpoint protection, data loss prevention, disaster recovery and IT continuity. Despite the protective technologies available, most respondents felt only an average level of confidence in their organizations’ ability to protect their IT infrastructure and data.


Key findings from the survey include the following:


  • Respondents use an average of 11 different technologies to secure their environment and more than half of healthcare organizations surveyed hired full time personnel to manage information security
  • 42 percent of respondents indicated that there are too many emerging and new threats to track
  • More than 50 percent of information security threats are identified by internal security teams
  • 59 percent of survey respondents feel the need for cross-sector cyber threat information sharing
  • 62 percent of security incidents have resulted in limited disruption of IT systems with limited impact on clinical care and IT operations
  • 64 percent of respondents believe a lack of appropriate cybersecurity personnel is a barrier to mitigating cybersecurity events
  • 69 percent of respondents indicated that phishing attacks are a motivator for improving the information security environment
  • 80 percent use network monitoring to detect and investigate information security incidents
  • 87 percent of respondents reported using antivirus/malware tools have been implemented to secure their healthcare organizations’ information security environment
No comment yet.
Scoop.it!

Healthcare IT

Healthcare IT | Healthcare and Technology news | Scoop.it
Information technology plays a vital role in healthcare

The next decade will mark a turning point for the healthcare industry. As healthcare reform and the economy continue to present challenges, innovative advancements in healthcare information technology (IT) will provide the key not only to ensuring compliance with new legal requirements but also to reducing costs and improving patient care. 

Healthcare facilities across the United States are racing to meet the increased security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Data storage management systems are playing a fundamental role in keeping patient records in a timely, secure, and easily accessible manner. Advancements in picture archiving and communications systems (PACS), electronic medical records (EMR), and computerized physician order entry (CPOE) solutions are being implemented at a rapid pace. Physicians’ use of mobile computing is growing significantly, allowing healthcare providers to share electronic patient records and other information without delay. Almost all clinicians are using a software knowledge-based application or online reference tool each and every day. And hospitals are employing handheld mobile devices to access drug reference databases, reference manuals, and patient records. 

Advances in e-prescribing and healthcare information systems are reducing medical errors and improving health outcomes for patients. Practice management solutions for physicians such as electronic scanning and storage of records are increasingly being used to enhance productivity of administration, facilitate insurance claim processing, and centralize electronic record keeping and management. 

As modern medicine grows in complexity and moves beyond the capacity of human retention—there are thousands of diagnoses, drugs, and medical and surgical procedures available today—these technologies provide the necessary tools to advance patient care and service to the next level.

Protecting investments in innovative technologies

Backed by more than 350 intellectual property lawyers, Finnegan has a distinct advantage in assisting clients with protecting and leveraging new healthcare IT technologies. Among our valued clients are industry leaders in the fields of software, document management, wireless technologies, and mobile solutions, as well as many companies in the medical device area. We counsel them on the full range of IP issues:

  • Drafting and prosecuting patent applications.
  • Writing opinions and providing ongoing counseling for new and evolving technologies.
  • Developing licensing programs.
  • Conducting due diligence investigations.
  • Developing portfolio management strategies.
  • Protecting against infringement through litigation or other dispute resolution options.
  • Providing trademark protection and counseling.
The depth of our legal and scientific expertise offers a unique advantage

Many solutions in healthcare IT require professionals who understand not only the nuances of the healthcare field, but also the technologies behind the innovations. Others will require a multidisciplinary approach involving a team of specialists with in-depth knowledge of a particular aspect of healthcare IT. This is where Finnegan excels. The scope and depth of Finnegan’s technical experience spans electrical and computer technologies, software, biotechnology, industrial manufacturing, mechanical engineering, nanotechnology, and other related fields. Our extensive experience positions us to understand both the science at the foundation of our clients’ intellectual property assets and the relevant legal issues. More than 90 of our professionals have Ph.D.’s, and more than 100 have Masters of Science degrees. Our talent pool includes former in-house counsel, patent examiners, researchers, and engineers.

Understanding the software challenge

Many healthcare IT inventions involve a multidisciplinary approach with computer software. When evaluating our clients’ software for protection, we consider and balance many unique issues, such as development speed, ease of market entry, market fluidity, changing alliances, and ease of copying. We also evaluate current industry trends, pending legislation and case law, potential product and industry developments, and the effect of those developments on our clients’ software protection. We then advise our clients on how to best protect their software through patents, copyrights, and trade secrets, and we guide them around the intellectual property barriers created by others.

No comment yet.
Scoop.it!

The radical potential of open source programming in healthcare

The radical potential of open source programming in healthcare | Healthcare and Technology news | Scoop.it

Everyone wants personalized healthcare. From the moment they enter their primary care clinic they have certain expectations that they want met in regards to their personalized medical care.


Most physicians are adopting a form of electronic healthcare, and patient records are being converted to a digital format. But electronic health records pose interesting problems related to sorting through vast amounts of patient data.


This is where open source programming languages come in, and they have the ability to radically change the medical landscape.

So why aren’t EHRs receiving the same care that patients expect from their doctor? There are a variety of answers, but primarily it comes down to how the software interprets certain types of data within each record. There are a variety of software languages designed to calculate and sort through large amounts of data that have been out for years, and one of the most prominent language is referred to as “R”.

What is R?

According to r-project.org “R is an integrated suite of software facilities for data manipulation, calculation, and graphical display.” Essentially this programming language has been built from the ground up to handle large statistical types of data.


Not only can R handle these large data sets, but it has the ability to be tailored to an individual patient or physician if needed. There are a variety of other languages focused on interpreting this type of data, but other languages don’t have the ability to handle it as well as R does.

How can a language like R change the way in which EHRs function?

Take, for instance, the recent debate regarding immunization registry. EHRs contain valuable patient data, including information associated with certain types of vaccine.


If you were able to cross reference every patient that had received a vaccine, and the side effects associated with said vaccine, then you could potentially sort out what caused the side effect and create prevention strategies to deter that certain scenario from happening again.


According to Victoria Wangia of the University of Cincinnati, “understanding factors that influence the use of an implemented public health information system such as an immunization registry is of great importance to those implementing the system and those interested in the positive impact of using the technology for positive public health outcomes.”


This type of system could radically change the way we categorize certain patient health information.


Programming languages like R have the ability to map areas that have been vaccinated versus those that haven’t. This would be ideal for parents who wish to send their children to a school where they know that “x” number of students have received a shot versus those that haven’t. Of course, these statistics would be anonymous, but this information might be critical for new parents who are looking for a school that fits their needs.


This technology could have much bigger implications pertaining to personalized data, specifically healthcare records. Ideally, an individual could tailor this programming language to focus on inconsistencies within patient records and find future illnesses that people are unaware of.


This has the potential to stop diseases from spreading, even before the patient is aware that they might have a life threatening illness. Although such an intervention wouldn’t necessarily stop a disease, it could be a great prevention tool that would categorize certain types of illness.

Benefits of open source

One of the more essential functions that R offers is the ability to be tailored to patient or doctor’s needs. Most information regarding patient health depends on how a physician documents the patient encounter, but R has the ability to sort through a wide variety of documentation pertaining to important statistical information that is relevant to physician needs. This is what makes open source programming languages ideal for the medical field.


One of the great components associated with open source programming languages in the medical field is the cost. R is a completely free language to start working in, and there is a large amount of great documentation available to start learning the language. The only associated cost would be paying a developer to set up, or create a program that quickly sorted through personalized information.


Essentially, if you were well rounded in this language, the only cost associated with adopting it would be the paper you would need to print information on.


Lastly, because of HIPAA, the importance of information security has been an issue, and should be a primary concern when looking at any sensitive electronic document. Cyber security is always going to be an uphill battle, and in the end if someone wants to get their hands on certain material, they probably will.


Data breaches have the ability to cost companies large amounts of money, and not even statistical data languages are safe from malicious intent. A recent issue has been the massive amount of resources that are being built in R that have been shared online. Although this is a step in the right direction for the language, people are uploading malicious code. But if you are on an encrypted machine, ideally the information stored on that machine is also encrypted. Cloud based systems like MySQL, a very secure open source server designed to evaluate data, offer great solutions to these types of problems.


These are some of the reasons why more physicians should adopt these types of languages, especially when dealing with EHRs. The benefits of implementing these types of systems will radically alter the way traditional medicine operates within the digital realm.


More statistical information about vaccinations and disease registries would greatly benefit those that are in need. The faster these types of systems are implemented, the more people we are able to help before their diseases becomes life threatening.


No comment yet.
Scoop.it!

Doximity launching app for the Apple Watch

Doximity launching app for the Apple Watch | Healthcare and Technology news | Scoop.it

Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.


Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA compliant messaging as well as an e-fax number and a journal feed.


Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to other – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when you have a new fax come in – you can automatically view the fax on your iPhone using the Handoff functionality.

This hits on one the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.


We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. Its well recognized that physicians have largely embraced Apple devices and so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.


No comment yet.
Scoop.it!

Study to Probe Healthcare Cyber-Attacks

Study to Probe Healthcare Cyber-Attacks | Healthcare and Technology news | Scoop.it

In the wake of the recent hacker attacks on Anthem Inc. and Premera Blue Cross that compromised personal data on millions of individuals, the Health Information Trust Alliance is attempting to launch a study to get a better understanding of the severity and pervasiveness of cyber-attacks in the healthcare sector, as well as the attackers' methods.


HITRUST, best known for its Common Security Framework hopes to recruit hundreds of participants for its "Cyber Discovery" study. Organizations that join the study will monitor for signs of attacks for a 90-day period using data gathered with Trend Micro's threat discovery technology, which works with security information and event management systems. "It's like a big sandbox that works in a passive mode and collects everything and tries to analyze everything that comes into the sandbox," Dan Nutkis, HITRUST CEO, tells Information Security Media Group.


Participants can use the data that's collected and analyzed by the technology for their own cyber-intelligence activities. For the study, the participating organizations will provide anonymized data regularly to HITRUST for analytical purposes. "We don't have the name of the organization, just the type of organization," Nutkis says.

Security expert Mac McMillan, CEO of security consulting firm CynergisTek, says that as long as HITRUST can guarantee the data collected from healthcare organizations is anonymized, the alliance might be able to attract participants. And if there are enough participants, "a study such as this based on empirical data can paint a relevant picture with respect to the risk that healthcare entities face, and therefore, would be very valuable if done correctly," adds McMillan, chair of the HIMSS Privacy & Security Policy Task Force.

HITRUST hopes to have the necessary software and hardware installed at all the participating organizations by the end of May, Nutkis says. It will publish an initial report of findings and recommendations approximately four months from the launch of the project.

Digging In

The organization is seeking about 210 voluntary participants from the healthcare sector, including insurers, hospitals, accountable care organizations and clinics. Each will participate for 90 days or longer, Nutkis says. Participants do not have to be members of HITRUST to qualify.


Each participating healthcare organization will get free use the Trend Micro technology during the study. Trend Micro will install the appliance and train organizations how to use it and how to conduct the forensics analysis, Nutkis says.


"The goal is to understand the threat actors, the methods and their targets," he says. Among the questions to be addressed, he says, are: "Are these actors targeting health plans or are they targeting specific types of equipment or types of data? Are they after PHI or PII? What's the level of persistence? What's the duration of them trying to get in? Do they keep coming back?"


The study aims to accurately identify attack patterns as well as the magnitude and sophistication of specific threats across enterprises, he says.

Recent Attacks

When it comes to the recent attacks on Anthem and Premera, and their significance to the healthcare sector, "there's a lot speculation and conjecture about what's going on," he says. "There was a great level of concern after the Community Health System attack" last year, in which hackers compromised data of about 4.5 million individuals. Because they were reported about six weeks apart, the Anthem and Premera breaches raised concerns about whether they were related, he says. While those breach investigations are still ongoing, the healthcare sector is trying to understand who's being targeted, how and for what data, he explains.


Nutkis says HITRUST will consider whether to repeat the study annually to track emerging trends.


McMillan, the consultant, says the value of the study to the healthcare sector will ultimately depend on what is examined. "For instance, will it address social engineering or things like phishing? Phishing is a huge issue for healthcare right now and is believed to have had a role in the many of the high-profile breaches of last year."


No comment yet.
Scoop.it!

Security audit of Premera identified issues prior to cyberattack

Security audit of Premera identified issues prior to cyberattack | Healthcare and Technology news | Scoop.it

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.


No comment yet.