Healthcare and Technology news

HIPAA Physical Security is Just as Important as Cyber-Security

There are many misconceptions when it comes to HIPAA and security controls for covered entities. While security is related to technical measures such as encryption, firewalls, and security risk assessments, it also addresses physical and administrative safeguards that must be in place to protect patient information. In order to comply with HIPAA regulation, healthcare organizations must address each standard and safeguard outlined in the HIPAA Security Rule.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has now released new information further emphasizing the importance of physical safeguards for healthcare organizations across the country. HIPAA not only requires technical controls to protect the confidentiality, integrity, and availability of protected health information (PHI) but also proper physical security controls.

Physical safeguards are generally seen as the simplest and cheapest forms of protecting PHI, yet many organizations tend to overlook this important element of security. Some physical security controls even cost nothing, such as simply locking up portable electronic devices (laptops, portable storage devices, and pen drives) when they are not in use.

Although this may seem like a very basic form of security, it is one of the most effective ways of preventing theft. To illustrate the importance of HIPAA physical security safeguards, OCR focuses on a 2015 HIPAA settlement with Lahey Hospital and Medical Center that affected 599 patients. This breach and subsequent HIPAA fine were triggered by the theft of an unencrypted laptop from the Tufts Medical School-affiliated teaching hospital.

The laptop was stolen from an unlocked treatment room off an inner corridor of the radiology department and contained ePHI. Lahey Hospital was fined $850,000 for failing to implement physical controls, a high price to pay for something that could have been avoided if some simple physical security safeguards had been in place.

Prior to the Lahey Hospital settlement, QCA Health Plan paid $250,000 to OCR in 2014 for potential HIPAA violations. QCA Health Plan neglected to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In this case, an unencrypted laptop was stolen from an employee’s vehicle.

Massachusetts Eye and Ear Infirmary (MEEI) also settled a HIPAA violation with OCR in 2012 for $1.5 million. Again, this incident was related to the theft of an unencrypted laptop, resulting in the exposure of patients’ ePHI.

In 2016, Feinstein Institute for Medical Research settled potential HIPAA violations with OCR for $3.9 million. Feinstein Institute failed to physically secure a laptop that was stolen from an employee’s vehicle containing the ePHI of 13,000 patients.

In July 2016, the University of Mississippi Medical Center was fined $2,750,000 for a failure to implement HIPAA physical security safeguards. An unencrypted laptop that contained ePHI of approximately 10,000 patients was stolen from its Medical Intensive Care Unit.

Preventing HIPAA Physical Security Breaches

It is up to covered entities and their business associates to decide on the most appropriate physical security safeguards that will protect their patients’ ePHI. One way organizations can implement these physical security controls is by adopting an effective compliance program.

Compliancy Group gives health care organizations confidence in their HIPAA compliance with The Guard. The Guard is our HIPAA compliance web-app that covers every element of HIPAA compliance.

Our Compliance Coaches will guide users through every step of their compliance program with the help of our HIPAA compliance web-app. The Guard is built to address the full extent of HIPAA regulation, including everything needed to implement an effective HIPAA compliance program that will help safeguard your practice from violations and fines.

With The Guard, health care professionals will not only address their physical security safeguards but the technical and administrative safeguards as well, along with the other HIPAA requirements.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

How to Meet HIPAA Compliance Requirements

A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to as “covered entities” must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those that use certified electronic health record (EHR) technology. Those entities must put in place administrative, physical, and technical safeguards to maintain compliance with the Security Rule, and must document every security compliance measure.

CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Our ARIA Software-Defined Security (SDS) solution and applications help healthcare organizations protect the security of individuals’ ePHI with the tools and capabilities required to:

  • Know and prove what ePHI records were accessed (if any) through:

    • The automatic detection of intrusion or unauthorized access.
    • Continual and complete monitoring of ePHI data as it moves through the network (including east-west traffic) and is accessed throughout the environment.
    • The ability to stop or disrupt incidents that could lead to potential disclosure.
  • Block or redirect identified data conversations with ePHI repositories, and provide auditable, documented detail of the measures taken to maintain HIPAA compliance.
  • Prevent unauthorized access to customer data through encryption that can be applied on a per-customer basis.

Working in conjunction with ARIA, our nVoy Series provides additional proof of HIPAA compliance with:

  • Automated breach verification and notification, critical to giving healthcare organizations a better way to comply.
  • Detailed and complete HIPAA compliance reports, including recordings of all conversations involving ePHI.
  • Auditable proof of the exact impact of data breach, including:
    • What devices are involved and to what degree?
    • When did the breach start and when did it end?
    • What critical databases or files were accessed?
    • Who did the intruder talk to?

Visit CSPi at HIMSS19 in the Cybersecurity Command Center Booth 400, Kiosk 91.

Interested in learning more about CSPi, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications, and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premises and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification, and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide, “Successfully Complying with Data Privacy Regulations.”

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation

Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.

Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.”

In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”

And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”

Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”

Wearable HIPAA Security Concerns Grow for mHealth Apps & Devices

Healthcare tech is moving more and more toward mHealth solutions for consumer use. Apple in particular has made major expansions into healthcare and mHealth technologies over the past few years. Many patients are using wearables such as the Apple Watch to monitor, track, and report health care data. But with this new field of mHealth, security issues abound and there are still many grey areas surrounding who is legally responsible for protecting the privacy of patient data. 

How Wearables Could Impact Your Business

In September, Apple made headlines with its newest version of the Apple Watch. CEO Tim Cook touted the watch’s fall detection capability, automatic workout tracking, and a heart sensor with ECG capability. With these advancements, Apple will continue to have a tremendous impact on the healthcare industry. In a recent CNBC interview, Cook said that the health-related work will be Apple’s “greatest contribution to mankind.”

Yet, there have already been HIPAA-related incidents stemming from multiple health tracking apps and wearables across the mHealth industry. In 2018, the popular fitness and nutrition tracking app MyFitnessPal experienced a breach, exposing the names, email addresses, and passwords of 150 million people. In addition, the fitness app Strava revealed the locations of U.S. military personnel on secret bases. According to Forbes, your electronic health records could be worth hundreds or thousands of dollars on the black market, which makes the Apple Watch and mHealth technologies like it prime targets for security breaches.

And of course, this affects health care professionals around the country. mHealth security vulnerabilities continue to pose a serious issue to patient privacy. And with these mHealth security and privacy concerns, HIPAA regulatory standards are in a grey area, especially where enforcement is concerned. Wearables like the Apple Watch expose privacy and security vulnerabilities for healthcare consumers, providers, and vendors working in the healthcare space alike.

Who’s Responsible for Wearable Data?

When it comes to HIPAA, covered entities must be compliant with the full extent of the regulation. A covered entity is any health care provider, health plan, or health care clearinghouse that uses protected health information (PHI) for the purpose of payment, treatment, or operations.

Under the HIPAA Privacy Rule, covered entities must implement the necessary safeguards to ensure that PHI is kept safe. PHI is any demographic information used to identify a patient. Some common examples of PHI include names, email addresses, addresses, and Social Security numbers, to name a few.

That means that if a doctor partners with wearable companies, and is using that biometric data over the course of care, then they are responsible for protecting patients’ PHI. However, the mHealth apps and wearable companies themselves are likely considered business associates under HIPAA. Business associates include any organization that handles PHI on behalf of another HIPAA-beholden entity. The liability in the event of a data breach concerning PHI collected by mHealth devices but used over the course of treatment for a patient presents a new challenge to HIPAA regulation.

However, changes to HIPAA regulation or HIPAA guidance in response to new and evolving technologies are not new. In 2009, the HITECH Act was passed, which made sweeping changes to HIPAA regulation in response to the rise of electronic health record (EHR) platforms and the increasingly digital shift across the healthcare industry.

HIPAA guidance regarding the use of mHealth tech, apps, and wearables will likely be addressed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the years ahead. However, in the meantime, covered entities and business associates should guard against the potential for data loss, federal fines, and cyber-security risk by implementing an effective HIPAA compliance program to protect their business.

HIPAA Compliance Comes First!

As technology continues to develop, organizations within the healthcare industry will still need to comply with HIPAA regulations.

Compliancy Group gives healthcare professionals the tools they need to effectively address the full extent of HIPAA regulation. We give your organization confidence in your compliance with our proprietary achieve, illustrate, and maintain methodology, all housed in our cloud-based app, The Guard. The Guard allows users to address every element of what the law requires to give you peace of mind.

Users will also have help along the way. Our Compliance Coaches will walk you through every step of the process and ensure you have a complete understanding of HIPAA.

Compliancy Group is here to simplify compliance so you can confidently focus on your business. Find out how we can help!

Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.

While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The breaches at Anthem, which is one of the nation’s largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers, and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain of command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”