
4 Steps for Fighting Ransomware in Healthcare

Malware is bad news for any venture, but healthcare seems particularly vulnerable.

Due to air-tight HIPAA regulations, a data breach or data loss at a healthcare facility costs more than just the ransom or the price of restoration. The fines for HIPAA breaches, on their own, have been rising every year.

Studies from Cybersecurity Ventures estimate the damage caused by ransomware at $8 billion in 2018. So how does a healthcare group or facility fight this rising tide? How can a hospital protect its medical computer systems, patient data, and bottom line?

What is Ransomware?

When a virus infects a computer system and makes either the whole system or just a part of it inaccessible, that’s ransomware.

The malicious software does this by encrypting a portion of the victim’s hard drive so that it becomes inaccessible to the original user. Ransomware, true to the name, usually includes a message that the attackers will hold the computer or data hostage until they’ve been paid a certain sum of cash (or, more accurately, bitcoin).

A variation of the practice is sometimes called “leakware,” where instead of locking away your files and selling them back to you, the program steals sensitive information and demands money in exchange for not releasing the data out into the world.

1. Limit Exposure to Ransomware

Step 1 of fighting ransomware is to not get infected by it. Sounds easy, of course, but the internet is a minefield of malware that brooks not the slightest slip in security.

In practice, the real step 1 of limiting exposure is training healthcare employees on how to handle emails. It seems a small thing, but a doctor, nurse, or receptionist clicking the wrong email could compromise not only their PC, but every EMR computer, medical tablet, mobile device, and internet-connected device in the entire building (or further).

The “State of the Phish,” an annual report published by Proofpoint Security, found that in 2017, over 75% of organizations had been targeted by email phishing attacks. Phishing is the act of sending a seemingly legitimate email from a business partner, bank, or other organization, in an attempt to trick employees into giving up personal information of their own volition. It doesn’t require an ounce of malicious software, just a clever hacker and an untrained employee.

Clinicians must be warned about proper email etiquette. Never open an attachment, if you can help it. Consider sharing files and PDFs through the proper encrypted cloud service instead. If you must open an attachment, only do so from a trusted source, and make sure you have an anti-virus program scan any downloaded files before opening them.

Also, hackers can break into email accounts, and even spoof email addresses to appear to be someone they aren’t. If an email with an attachment from a trusted source feels suspect, it may be wise to call or text the individual who supposedly sent it to confirm that they really did.

2. Regulate Access to Medical Computer Systems

Once employees are trained, we move on to step 2: limiting access to medical computers, file systems, and EMR programs by untrained individuals. If a section of hospital staff hasn’t been trained on these procedures, and in fact shouldn’t be accessing the medical computers in the first place, a strong security policy on computer access can further limit the damage from ransomware. It also lowers the risk of HIPAA violations the hospital would otherwise be courting.

Passwords alone are seldom enough — they’re often broken, given away, or written down somewhere. Instead, make sure that all medical cart computers, tablets, and medical PCs on the network are locked down with two-factor authentication. Consider all-in-one medical PCs that come with RFID, smart card, and barcode readers built right into them to maximize security while minimizing unnecessary, cluttering peripherals.

3. Prevent the Spread of Ransomware

The third step for hospital administrators and health IT (HIT) staff to take is to create a system where the spread of malware is much more difficult. That way, if one computer is infected with ransomware, it can’t necessarily grab everything on the entire network.

Instead of a single network with a hard outer shell (i.e., the firewall or other exterior security measures) and an entirely unprotected internal structure, a segmented network splits everything into many individual networks that each have their own security measures.

Imagine the fire doors in a hospital, hotel, or large apartment building — in the event of a fire in the building, the fire doors seal automatically to contain the blaze to the smallest area it can. A segmented medical computer network performs the same function.

Most healthcare facilities (and other industries) put all of their connected gear on the same network — it’s much easier to manage for IT. However, do the computers in the billing department really need to be on the same network as the cart computers in the ICU or the medical tablets in the maternity ward?

Instead, consider separating all of the departments into their own separate networks to prevent any one-room fire from burning down the whole building, so to speak. It’s a bit more work for IT, but it could pay huge dividends in the long run.

4. Restore Data After a Ransomware Attack

This is the step no one wants to think about, but the fact remains, sometimes the hackers get through. Sometimes ransomware can infect even the most secure network — all it takes is one clinician downloading something from the wrong site or opening the wrong email.

In the case of a successful attack, much of the damage caused by ransomware can be mitigated by a strong backup strategy. In the case of “leakware,” where sensitive information is stolen and threatened with public release, an encrypted cloud backup isn’t going to do much good. But in most ransomware cases, where the data is made inaccessible, a strong, redundant backup policy (with copies kept where the infected network can’t reach and encrypt them) may give your HIT department a quick escape hatch.

Instead of trying to break the malware, figuring out the encryption key, or paying the ransom, the IT department can simply wipe the affected medical computers right to the ground and then reimage them in minutes. Then, once the computer is verified clean and the operating system reinstalled, they can access the backup storage and return the computer to its old fighting weight.

Beating Ransomware Before the Fight Even Starts

To paraphrase an old saying, the best time to create a comprehensive ransomware strategy is yesterday. The second best time is right now.

Interested in increasing the security of your medical computer systems, and learning about medical computers and tablets that come with integrated security features like biometric scanners and RFID? Contact Cybernet today to learn more.

Battling the Unique Challenges Faced by Rural Hospitals

Sadly, not all hospitals are equal, and not all regions come with the same problems and solutions. Rural patients and rural hospitals have always had challenges, but the data says that lately, they’ve been suffering more than ever before.

How can we help rural areas improve the quality, quantity, and accessibility of their healthcare? What can training, medical computer systems, and incentive programs do to aid the health and long life of folks who don’t live in cities or suburbs?

It’s a Numbers Game

Did you know that 45% of the total world population lives in rural areas? In the United States, that number drops to 20%, but that’s still a sizeable chunk of the populace. Around 65 million people, to be more precise. To give that number some perspective, that equals the entire population of the United Kingdom.

However, the number of doctors available in rural areas doesn’t quite add up: less than 10% of the nation’s doctors practice in rural areas. For those doing the math at home, that’s right — rural areas in the US have less than half the doctors required to match their share of the population.

And, to make matters worse, since 2010, 95 rural hospitals have closed, despite the general increase in population across the entire nation. The number of closures is only speeding up, too — between 2013 and 2017, twice the number of hospitals closed when compared to 2007-2012. That means the situation is rapidly deteriorating.

What’s Causing the Rural Healthcare Crisis?

Unfortunately, there are a few factors at play that are contributing to the deterioration of rural healthcare options. However, it’s best to understand them objectively so we can learn how to combat them.

The Recession

Unsurprisingly, the recession hit rural hospitals hard. And, to compound the issue, recovery since then has been slow or non-existent. Rural jobs in industries like farming, manufacturing, coal, and timber have been disappearing as the United States moves further into a high-tech and service-based economy.

With the younger population moving toward cities, and income in the area decreasing, it’s no wonder hospitals and patients no longer have the resources needed for modern healthcare.

Federal Funding Troubles

56% of rural hospital revenue comes from Medicaid and Medicare, so when Medicaid or Medicare funding becomes the newest political dog bone, rural hospitals tend to suffer.

In fact, 80% of the hospital closures in rural locations corresponded with areas where Medicaid funding wasn’t expanded under the ACA.

Region-Specific Health Issues

Rural regions have always struggled with the mental and physical health issues that tend to become exacerbated in isolated communities.

A report from the CDC shows that suicide deaths had “the highest rates and greatest rate increase in rural counties.” Much of this is due to a lack of mental health care access. Obesity rates for men, women, and children were also around 10% higher in rural areas, which creates a greater strain on rural hospitals as well.

And, according to a study published by the Injury Prevention Research Center in Iowa, “rural populations have been shown to have disproportionately high injury mortality rates,” with 100% higher rates of workplace injuries, drowning, firearm wounds, car crashes, fires, and electrocutions.

The Drug Crisis

While the entire country has been struck by an opioid epidemic, rural areas seem to be losing ground even faster. A recent Morbidity and Mortality Weekly Report from the CDC shows that around 2015, rural areas eclipsed urban areas in the rate of drug overdose.

All of these increased risk factors put additional strain on underfunded, understaffed rural hospitals, which can, of course, have devastating effects on the health of the community.

Telemedicine Can Help

Many rural patients suffer from their isolation — distant hospitals create barriers to regular checkups, as do mountainous terrain, difficult weather, and a lack of transportation infrastructure. The elderly in particular, the most common hospital patients, are less able to travel without some kind of transportation assistance.

What is Telehealth?

Telehealth is a burgeoning and exciting field that could change the game for rural hospitals.

A doctor with a video-equipped medical tablet, or even just the nearest office medical computer, can answer pressing patient questions without the patient even stepping out the door of their home. Video-conference software has never been easier to use, and even rural patients tend to have camera-equipped smartphones and decent LTE or Wi-Fi mobile connections.

How Does it Work?

Hospitals and healthcare groups around the country have had success with telehealth doctor visits in numerous fields. These include long-distance therapy sessions with mental health professionals, quick questions with nursing hotlines, and even full, face-to-face digital doctor’s appointments between patients and primary physicians.

Such telehealth visits have even been comprehensive enough for the doctor to prescribe medication for many conditions, or to renew prescriptions for existing health issues that still need attention.

With a specialist shortage in rural areas, patients are often disconnected from the medical procedures they require. Telehealth can be approved by a patient’s primary care physician to allow the patient to connect with specialists who might normally be inaccessible to them.

Streamlining Compliance

Regulations and paperwork are strangling most healthcare facilities, but the lower patient density means the cost hits rural hospitals harder. It turns out that the average community hospital pays $7.6 million just in regulatory work — the kind of paperwork, employee man-hours, and training that has nothing to do with patient care.

HIPAA Compliance Made Easier

This is why streamlining the paperwork and EHR aspects of hospital life can net huge gains both in money and time for the hospital in the long run.

To stay HIPAA compliant for medical records, security is key. Biometric two-factor authentication is a huge, important step toward eliminating the fuss and muss of both staff computer training and potential security breaches that could obliterate a hospital’s budget.

Rural hospitals need to embrace technology like medical cart computers with built-in RFID, barcode, smart card, and biometric capabilities. Constantly purchasing, repairing, and replacing dozens of different peripherals that “walk away” can take consistent bites out of the bottom line, which is why a medical all-in-one computer may end up being a safer investment in the long-term.

The faster and more securely clinicians can sign in to access or update EMR, the less time and money gets spent on compliance. It’s that simple.

More Reliable Computers

Rural hospitals don’t always have the cash at hand for the regular computer updates and repairs that come with an extensive medical computer system. That’s why it’s smart for rural hospital IT to look for medical computers with longer lifespans.

A consumer computer may only last two or three years under near-constant hospital use before it enters the never-ending break/fix cycle, but a dedicated medical computer could last 6 or 7 years in peak condition with far less downtime during its run.

Seek Out Incentive Programs for Hiring More Doctors

With the previously mentioned doctor/patient discrepancy — 20% rural patients versus 10% rural doctors — attracting more clinicians to rural practice must be a priority.

Luckily, there are programs and grants that incentivize clinicians to operate in shortage areas.

The Conrad State 30 Waiver Program allows a new doctor to skip the two-year home-residence requirement and obtain a contract to work at a health care facility in Medically Underserved Areas and Health Professional Shortage Areas. Rural hospitals need to advertise this incentive, letting medical students know they can fast-track their careers and help out those in need at the same time.

Rural hospitals can also help combat the drug abuse issue in their communities and find doctors, mental health professionals, and nurses at the same time with the “Patients and Communities Act of 2018.” In Subtitle H, section 7072, it states that clinicians who “complete a period of service in a substance-use disorder treatment job in a mental health professional shortage area” can have some or all of their student loans repaid.

Better Tech and More Doctors

There is no magic bullet to fix the difficult situation for healthcare in rural areas, but a combination of telehealth, better compliance technology, and clinician incentives could go a long way towards mitigating the worst of it.

Contact Cybernet today to learn about the kinds of medical computer systems a rural health care facility could truly benefit from.

Is Blockchain Right for Healthcare?

You may have heard that blockchain is “the next big thing.” And while “next big things” seem to rain from the sky in the tech world, there may be some truth in this particular case.

Blockchain came on the scene in 2008, the brainchild of a still-anonymous person or team of people called “Satoshi Nakamoto.” Despite these tantalizingly mysterious origins, blockchain is well understood and implemented as a distributed ledger to both protect and disseminate important information.

But how does this apply to healthcare?

Does blockchain really have the opportunity to upend how medical computers, EMR, and even clinical studies operate?

What is Blockchain?

The “block” portion of “blockchain” refers to encrypted vaults of information, while the “chain” refers to the connections with other, similar blocks of data.

Blockchain, at its heart, is a way to safeguard digital data by sharing it with thousands of users simultaneously.

The basic idea is that blockchain keeps data safe by keeping it encrypted and redundant, not unlike how iCloud or Dropbox protects files by storing them in multiple locations.

The data is difficult if not impossible to corrupt, because it’s being compared with the same version of the file hosted on every other computer connected to the block. And this checking occurs nonstop, confirming the authenticity of each alteration and transaction.

This is where the term “distributed ledger” comes into the equation. Since everyone can see the changes and transactions done to any data in the block — and who made those changes — the ledger is secure. It’s like having your own team of perfect, robot accountants auditing your EMR computer hundreds of times a day.

Why is Blockchain Needed in Healthcare?

Primarily, blockchain can help healthcare providers avoid the avalanche of HIPAA violations that have fallen on the industry as of late.

The number of breaches appears to be growing, and with it the price tag of the fines being levied. In 2014, Columbia University and New York Presbyterian Hospital settled a fine for a data breach to the tune of 4.8 million dollars, which at the time was the highest fine ever handed out.

In 2017, Memorial Healthcare System, a Florida-based healthcare group, suffered a data breach that compromised over 115,000 patient and staff records. They were forced to pay a $5.5 million settlement.

But in 2018, Anthem, one of the largest healthcare groups in the world, forked over a record-obliterating 16 million dollars in fines after 78.8 million member records were compromised by hackers.

Either hackers are becoming more adept, IT systems are falling behind, or the amount of digital information in unsecured storage has increased. In all likelihood, all three of these factors are responsible for the rise in both data breaches and ensuing fines.

Since laws and regulations around the country — and indeed, around the world — are only forcing more patient data to be digitized and shared, there’s only one way to securely move forward and protect both patient information and hospital liability: an encrypted, incorruptible distributed ledger like blockchain, with access available right on the nearest medical cart computer in any exam or patient room.

Implementing Blockchain

Integration with EMR systems and EMR computers is priority one.

As it stands, many healthcare groups are on different EMR programs and standards, making transfer of medical data difficult. This transfer is also a common breach point for hackers and data thieves.

Electronic Medical Records

Unsecured transfer of data is an easy target, which is what makes blockchain so useful. Because data is encrypted, copied, and stored on every computer in the block, there’s no transfer to scoop up. There’s no single vulnerable point that can be hit by DDoS attacks or corrupted by a virus.

The implications of a secure, incorruptible system for electronic medical records point to a potential sea change in how data is stored. Imagine storing patient consent forms like organ donor consent, living wills, and DNR directives, all easily accessible by authorized users. Double down on security with a medical computer equipped with two-factor authentication like a smart card (or RFID, or biometric) scanner and a quick PIN code.

That’s a one-two punch of security that can make HIPAA compliance a breeze.

Clinical Trial Data

There are other, far-reaching uses for both secure and easily-accessible data. Clinical trials and medical studies, for instance, are often made difficult by the logistical issues of having to store and collate a wealth of data. In the case of multiple parties contributing to a trial or study, the problem is only compounded.

Then add in that clinicians often have to de-identify the patients in the trials (but also need the ability to re-identify them for implementation or health reasons), and you’ve got a multi-headed hydra of potential data breaches.

Storing clinical study data on a blockchain is a perfect use of the technology and something that health giants like Pfizer and Amgen are already considering.

Blockchain for Preventing Fraud

Of course, not all theft comes in the form of hacking. Both insurance fraud and drug fraud cost hospitals (and sometimes patients) millions of dollars a year.

Preventing Health Insurance Fraud

In 2014, there were 2.3 million cases of medical identity theft, and the number has only been rising ever since.

This identity theft was usually for the purposes of either scoring prescription drugs or for using a patient’s insurance for “free” medical procedures.

This particular form of fraud is particularly devastating because it affects patients and healthcare providers alike, both of whom can have their reputations and finances irreparably damaged.

And, even worse, if the thief does receive treatment, their information (blood type, risk factors, allergies, even diagnoses) can get mingled with the actual patient’s records. If this happens, it could cause incorrect diagnoses, medication complications, or the infusion of incorrectly typed blood, which can seriously injure or even kill someone.

There are even other potential consequences of medical identity theft: a Utah woman, Anndorie Cromar, was nearly arrested (and almost had her children taken away) when an identity thief used her insurance to pay for maternal services. The thief’s baby tested positive for drugs, and since the name on the birth certificate was “Anndorie Cromar,” police and Child Protective Services descended quickly on the wrong person.

The mix-up was eventually sorted out, but not without money, frustration, and what turned out to be the scare of Cromar’s life.

Blockchain technology can mitigate some of the issues — the patient can have an encrypted ID vault on the block, one that the provider can use to make sure that the person standing in front of them is the real policyholder (or the policy holder’s authorized dependents or partner). This ID vault could contain a picture, all ID paperwork, and even biometric data depending on consent and regulations.

Then, the clinician need only check the data against the patient in front of them to prevent most forms of health insurance fraud. They don’t even need to be sitting at a computer — they could grab a nearby medical tablet and pull up the data then and there.

Tracking Drugs and Eliminating Counterfeits

The nature of blockchain’s distributed ledger is a perfect match for inventory and drug-tracking all throughout the supply chain.

The Drug Supply Chain Security Act, established in 2013, mandates electronic drug tracking in the United States. A secure solution like blockchain is practically custom-built for verifying drug transactions, authenticating barcodes, and keeping every step of the shipping and use chain fully recorded and protected from illegal tampering.

Medical computers with integrated barcode scanners streamline the process. If you already have a USB-powered barcode scanner, medical panel PCs are capable of powering those peripherals on their own, just from the built-in batteries of the PC itself.

Those same medical PCs can also come with built-in two-factor authentication, making them compatible with the SUPPORT bill and a vital tool in combating the opioid crisis.

Combining Blockchain and Healthcare

Blockchain isn’t a panacea that will cure all data security problems forever, but its secure, incorruptible nature (combined with staff education and good network hygiene) makes it an excellent solution to many of healthcare’s current data-handling issues.

To learn more about integrating blockchain with EMR and secure medical computers, contact Cybernet today.

How Technology Prevents HIPAA Violations

HIPAA violations are growing in number and cost, and have affected medical facilities of all sizes.

While training and vigilance on the part of administrators and staff is a vital component to HIPAA compliance, the right technology can turn an open book into a bank vault. From secure medical grade all-in-one computers to software to online tools, here are some of the best ways technology is making ePHI (electronic protected health information) more secure.

HIPAA violations and costly fines don’t have to be an inevitability.

How Bad is It?

HIPAA violations and fines are practically raining from the sky. 2018 saw significant data breaches, some that affected millions of patients.

In January of 2018, it was revealed that the data of 30,000 patients was stolen by hackers from Florida Medicaid when an employee fell for a phishing email.

Also in January, a medical group in New York had a record breach that had nothing to do with malicious intent. A misconfigured database with an unsecured port accidentally exposed the data of 42,000 people to anyone who stumbled across it. Social security numbers, patient notes, and even names of family members were all up for grabs.

In April, the Center of Orthopaedic Specialists in California got hit by ransomware that may have exposed 85,000 patient records to hackers. In September, three hospitals settled a $1 million fine for potentially compromising patient privacy while they were filming a documentary for ABC.

And, of course, Anthem paid a record-breaking $16 million in fines and violation settlements for a breach that affected 79 million patients. They were given a hefty penalty for not only the breach itself, but for failing to implement adequate access controls, not conducting a risk analysis before it happened, and for not regularly reviewing system activity to keep an eye on red flags.

Almost all of these breaches could have been prevented or mitigated by better technology, more robust security software, and improved employee education.

Online Training Programs Can Educate Staff Members

Hacking is a multi-headed hydra that is more than just ransomware and worms. “Social engineering” describes all of the methods deployed by hackers to gain access to secure systems from regular people in an organization.

Social engineering tactics can vary wildly, from dressing like an electrician to get access to a sensitive area, to calling up an employee and pretending to be an IT tech who needs their information, or even just employing a malware program that requires a victim to click, open, download, or install something they shouldn’t have.

Consider enrolling staff members into an online HIPAA compliance course, or a general data security training program. If you’re afraid of employees falling asleep during a dry infosec video, try SecurED, a data security training course that was actually written in part by Hollywood comedy writers.

And if you want the real skinny from an expert, world-famous hacker Kevin Mitnick actually created his own security awareness training to help illuminate the best techniques for avoiding malicious software and social engineering.

Install Security Software on All Devices

Cloud storage attached to medical all-in-one computers, medical tablets, and personal devices must be encrypted. Any messages, data, or images that back up to a cloud service are just as susceptible to interception as messages sent from one user to another.

Dropbox, OneDrive, and Google Drive don’t encrypt files on the client side by default, and expose a weak point in any system. The solution isn’t to stop using cloud services — backing up data has never been more important — but to instead use a secure cloud storage program like Sookasa to encrypt files before they enter a cloud storage folder.

It may also be wise to consider HIPAA compliance tracking software like HIPAATrek. This software, and other products like it, creates a one-stop shop for all current HIPAA regulations, training, assessments, risk analysis surveys, checklists, and a whole host of compliance tools to keep any medical facility in the green and out of the fast-growing list of HIPAA horror stories.

Secure Accounts with Two-Factor Authentication

A single password and login for staff members isn’t sufficient for sensitive accounts. Passwords can be guessed, cracked, or collected fairly easily, especially if employees aren’t maintaining proper password etiquette.

Two-factor authentication is recommended by all security professionals at this point, and a failure to adopt it could have dire consequences for any organization under HIPAA authority.

Smart cards, custom RFID tags, and biometric scanners can provide the physical authentication, while a PIN or password can be used in conjunction to add an extra layer of security. Medical all-in-one computers or medical tablets with built-in RFID and biometric scanners are highly recommended for this purpose because they are far more reliable than a USB scanner plugged into an off-the-shelf office computer.

Plus, USB readers are portable and have a tendency to get lost or disappear. Misplacing an integrated medical panel PC is slightly more difficult.

Only Use Messaging Software with HIPAA Business Associate Agreements

Texting and easy picture-sharing have completely changed the way our society communicates, even in the workplace.

However, HIPAA’s security standards mean that doctors and nurses can’t be as free as the general populace. While texting a coworker a question might seem innocuous, it can lead to breached confidentiality and a hefty fine if it contains patient details. Ditto for sending pictures — getting a second opinion from another nurse about a suppurating wound isn’t a bad idea in theory, but may, in fact, be a violation of HIPAA standards.

For workplace communication, make sure work devices have encrypted messaging software from a HIPAA business associate installed. If your practice is using a BYOD policy, make sure those devices have the same level of encryption. Or, it may be a wise idea to abandon a BYOD policy altogether — they’ve been shown to invite massive security breaches.

A messaging app made by a business under a HIPAA business associate agreement (BAA) is certified to provide the necessary security to meet HIPAA standards.

There are quite a few HIPAA-compliant texting apps, like TigerConnect and OhMD, that can make a major difference in cybersecurity. Many of these apps, or similar email encryption programs (like Barracuda or Virtru), can also be installed on medical tablets and medical all-in-one computers, creating an easy, encrypted communication system for any facility.

Don’t Forget the Real World

Consider those hospitals fined for filming a documentary — not all patient confidentiality breaches come from computer hackers.

Even something as simple as the placement of a computer screen or patient monitor can have HIPAA implications. Medical all-in-one computers with built-in privacy screens can reduce the angle where a monitor is readable, while a computer on wheels can be rotated away from prying eyes.

Cameras and video recording are obviously off-limits, but sometimes staff can be tempted by the social media machine in their pocket. A perfectly harmless photo from the wrong angle can unknowingly capture sensitive information on a chart, or the face of a patient in the background.

Of course, a malicious low-tech data thief could also snap a quick picture of sensitive information while a doctor’s back is turned.

Technology can help, of course, but common sense is even more important. Keep an eye on your surroundings, especially when viewing ePHI, to maintain maximum data security.

Employ and Document Digital Security Methods Today

A three-pronged approach of education, technology, and vigilance should hopefully keep any doctor’s office, hospital, or clinic away from major HIPAA violations. Even should a lax staff member cause a breach, a thorough and documented history of implementing all of these techniques should also lower the culpability and any potential fines for the organization.

Contact Cybernet today to learn more about medical all-in-one computers and medical tablets with built-in two-factor authentication, Imprivata single-sign-on compatibility, and built-in privacy screens.

 

BYOD Healthcare Policy

Are BYOD Policies in Healthcare a Mistake?

“BYOD” stands for “Bring Your Own Device,” and its potential implementation is a conversation being had in many workplaces, schools, industries, and hospitals.

In theory, it’s an effective cost-cutting measure: everyone is walking around with an advanced, mobile touchscreen computer in their pocket at all times. Why not leverage that ubiquitous technology, all the while saving the business some money on buying medical tablets for every employee?

While BYOD policies sound great on paper, are they actually effective? Do they do more harm than good?

Personal Devices Are a Hornet’s Nest of HIPAA Violations

The greatest flaw in any BYOD policy is almost always security — how do you ensure that the phone a staff member carries at home, at work, and out to the club is protected? How can you guarantee that the employee is always logging out of work applications, especially if they take work home with them as part of their job? Lines become even blurrier, and confidentiality suffers.

Imagine a doctor or nurse snaps a quick picture of an injury on their cell phone for later reference or sends it to another clinician for a second opinion. Even if the patient consented to this, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens automatically, depending on the phone’s settings. Is the staff member’s Dropbox or iCloud shared with anyone else? How encrypted is it? What other, non-secure device is the cloud service backing up to? A home computer, a bedside iPad, a husband or wife’s laptop?

Of course, this doesn’t just apply to images. Ask yourself all of these questions regarding a text or email about a patient’s condition or personal details to another clinician. Think about what note-taking software is being used on the phone, and where that’s stored. Some staff members may record their thoughts or case reports into a phone recorder app, which may be backed up to the cloud or other, less secure devices.

Does the user even have a password on their phone or tablet? According to the “Consumer Security Risks Survey” from Kaspersky Labs, only half (53%) of mobile users have a security solution installed on their smartphones. And 20% weren’t even aware that mobile malware existed.

Each one of these avenues is a potential HIPAA violation, which can cause an individual or a branch thousands of dollars in fines and potentially more in active lawsuits.

Consider the Liability

Mobile devices get stolen or misplaced all of the time. Unlike dedicated hospital medical tablets, a staff member's personal cell phone or tablet is going home (or out) with them. And considering that 44% of smartphones were stolen in public places, and 14% from burglarized houses, the odds of losing a phone increase dramatically once it leaves the workplace.

If the device gets dropped or stolen at work, is the hospital liable? If the policy requires that staff bring their personal devices instead of using hospital-provided medical computers and medical tablets, there’s an argument that could be made. An argument that probably would be made, by an attorney.

Before implementing a BYOD policy, make sure employees know what’s required of them and what the liabilities are. Having employees sign documents that codifies this policy — to legally protect the hospital — will be job one.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (or, really, any facility or industry) performs a whole host of important jobs.

They maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few.

Devices that are officially owned by the hospital can all be managed with IT network software. Hospital or office-owned medical tablets are constantly under the watchful eye of the IT department. The IT team also keeps all device software updated to fix bugs and close known vulnerabilities. They install anti-virus and firewall software on managed devices, and ensure that those programs are working and up to date.

Installing, troubleshooting, and maintaining all of these processes often requires that the tech have hours of access to the medical computer in question. With a BYOD policy, tech access to someone’s personal cell phone is extremely limited, if it’s even allowed.

Sometimes, due to liability concerns, the tech may have little to no access at all. This turns the individual user — a doctor or nurse — into the primary tech for their own device. And, unfortunately, many don’t have the time or aren’t up to the challenge.

This neglect or misunderstanding can lead to software patches not being installed and lax anti-virus maintenance, which can open up huge security holes for any device or network.

A SecureEdge Networks report indicated that as it stands, 80% of all BYOD devices are completely unmanaged by the IT team. Compare that to the standard practice of managing all medical tablets and computers in a facility, and the vast security gulf becomes more clear.

BYOD Policies Lack Standardization

Even with the proper policies in place, and a secure environment for users to log into confidentially, there comes the most frustrating feature of BYOD policies: lack of standardization.

The medical tablets and other medical touch screens purchased by the hospital typically come from the same vendor, and are running the same operating system and even use the same parts. This standardization allows IT to choose software and hardware peripherals that work with any device in the hospital.

With hundreds of unique personal devices, things get dicey.

While staff members may enjoy the familiarity of their own devices, that doesn’t mean productivity is necessarily increased across the board. When staff members have devices from a dozen different manufacturers, with different operating systems (on different versions, with different patches), trying to make software and communication work is no easy task.

Hospital apps, messaging services, and secure hospital data vaults have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet OSes. Frequently used website portals must be compatible with Chrome, Safari, and half a dozen other mobile browsers.

And, most importantly, if there is a conflict, the IT department is responsible for maintaining access across dozens of different platforms and browsers. Assuming the policy even allows IT to maintain the BYOD devices, that puts a huge strain on the tech team.

To BYOD or Not to BYOD

According to an extensive study by the Ponemon Institute released in 2016, data breaches are a constant problem for almost every hospital.

In their study, they found that “nearly 90% of healthcare organizations…had a data breach in the past two years.” They then went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million dollars, the math speaks for itself.

BYOD policies are not without their benefits — they’re excellent short-term solutions, especially for facilities that don’t have the budget for as many dedicated medical tablets or computers as they need. BYOD has been known to boost morale, and when implemented properly can increase communication.

However, most of the studies that found this data looked at standard businesses who don’t have to worry about the stringent confidentiality and security requirements of HIPAA.

Still, with HIPAA violations costing companies like Anthem over $16 million, healthcare can ill afford to play it fast and loose with potential security breaches.

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.

 

HIPAA

Understanding the Move to Mobile and HIPAA

Five years after the Internet went live to an unsuspecting public – one that had no idea how much it would need cat videos, online shopping and binge-watching –  the Health Insurance Portability and Accountability Act (HIPAA) was born in 1996. Fast forward more than 20 years and we’ve seen the birth of the smartphone, tablet and smartwatch; the rise of social media; the emergence of cloud-based hosting and data storage; and now the Internet of Things (IoT).

Translation? Healthcare information exchange can occur – and must be protected – in more ways than those early HIPAA architects ever dreamed of. The following details what HIPAA does specify, where it’s lacking, and some of the technologies and solutions that can help you stay protected.

A Brief History of HIPAA

HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the next 10+ years, HIPAA expanded to include the enactment of the Privacy, Security and Enforcement rules, which set standards for protected health information (PHI) protection, disclosure, and access. These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence, and report breaches.

What HIPAA Has to Say About Mobile

HIPAA Journal provides an excellent summary of what HIPAA does and does not mandate when it comes to mobile devices. For instance, the Security Rule requires unique user identification and person or entity authentication for anyone accessing, storing, or transmitting electronic patient health information (ePHI); it does not name a specific mechanism, so multi-factor authentication is a common way of meeting the requirement rather than a literal mandate. It further requires protections against data alteration and destruction through the implementation of monitoring controls. Here are a few specific focal areas and technologies for HIPAA compliance:

  • Data tracking – Consider digital watermarking
  • Information access – Certify all devices, block the transmission/download of ePHI where necessary and segregate work/personal data on individually owned devices
  • Password and public wi-fi security – Create policies that specify requirements and mandate VPN for remote access
  • App control – Limit usage to those with certified security controls and ensure security updates occur.
  • Device scanning and maintenance – Install anti-virus software, perform regular scans, and ensure automated security updates.
  • Data erasure – Implement technologies that allow for remote data deletion.

Text Me, Maybe

The healthcare industry is now using text marketing automation tools, social media, chatbots, and SMS marketing tools for everything from appointment reminders to wellness engagement. Opt-out functionality is a must. As for encryption, the Security Rule lists it as an "addressable" implementation specification for both data at rest and data in transit: a covered entity must either implement it or document why an equivalent alternative is reasonable for its risk profile. In practice that means ePHI should not travel over plain SMS, which the sender cannot encrypt, and appointment reminders sent by text should carry no clinical details.

One thing that’s not allowed? Texting patient orders. In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs) agreements.

Hey, You! Get on to My Cloud

HIPAA also allows cloud-based storage. The OCR issued guidance in 2016 outlining requirements for the cloud service providers (CSPs) that medical practices must inevitably turn to for secure system implementation. Google Drive is just one of those cloud-based options. HIPAA Journal reports that the company’s Business Associate Agreements (BAAs) address the HIPAA Security, Privacy, and Breach Notification Rules, allowing for the use of Google Drive and subcomponents such as Google Forms, which providers can use to gather and share information.

Left to Your Own Devices

There are four letters that might make anyone operating in the HIPAA spaces cringe: BYOD. It stands for Bring Your Own Device and marks a growing trend in some sectors for employees to use their own technology in the workplace. Adoption is currently higher in other countries than the U.S., but with personal mobile and the IoT entering healthcare in big ways, it’s time to at least start thinking about it. While HIPAA doesn’t speak specifically to these areas, the existing Security Rule is a good place to start and can help you create policies in such areas as:

  • Patient and guest data access
  • Network and software security
  • Email, web and medical device
  • Workflow and information logging

Compliance: Broader than HIPAA, More Important Than Ever

Because there is much that HIPAA doesn’t specify, any organization protecting healthcare data should be aware of what other agencies are advising, including:

  • Mobile security – The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) issued 2015 guidance addressing standards for company-owned and BYOD mobile devices.
  • App development – The Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, has created a portal for app developers that addresses components of the Privacy and Security Rules, along with BAA guidance. Meanwhile, ACT | The App Association has called on the OCR to get more specific as technology grows by leaps and bounds.
  • Connecting the dots – The OCR has published a crosswalk mapping the HIPAA Security Rule to the NIST Cybersecurity Framework, which it acknowledges is more granular when it comes to outlining administrative, physical, and technical safeguards.

As healthcare innovation continues to move at lightning speed, those in the industry will remain continually challenged by the dual needs to keep up with technology while protecting patient data. Advancements shouldn’t be limited by lagging regulations, which puts healthcare providers, executives and manufacturers in a position to drive compliant solutions where federally defined standards are lacking.

Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker’s, InformationWeek and other outlets. She has spoken nationally on population health, long-term care, and been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.

 

Medical Tablets: Complying with HIPAA

Healthcare providers increasingly use clinical applications such as EHR, clinical decision support systems, order entry systems, radiology, laboratory and other systems. Health IT makes the medical workforce more agile, mobile and productive. Mobile devices let physicians check patient records on the go, in any location. Nonetheless, the rise of mobile technology increases the risk of data breaches. HIPAA aims to protect ePHI while still allowing hospitals to adopt new technologies & improve their efficiency and care quality.

The Health Insurance Portability & Accountability Act (HIPAA), 1996, includes the HIPAA Privacy Rule & the HIPAA Security Rule. The former establishes national standards for the protection of individually identifiable health information; the latter sets security standards for protecting individually identifiable health information held or transferred in electronic form. The Security Rule sets out the technical and non-technical safeguards covered entities must implement to secure patients' electronic protected health information (e-PHI).

Understanding HIPAA

The HIPAA Security Rule covers health plans, health care clearinghouses and health care providers that create, receive, store or transmit e-PHI, as well as their business associates. Read the Summary of the HIPAA Privacy Rule [PDF].

Under HIPAA, covered entities must:

  • Ensure confidentiality, integrity & availability of e-PHI.
  • Identify threats to e-PHI and protect against them.
  • Protect e-PHI against disclosures or impermissible uses.
  • Ensure HIPAA compliance by the workforce.

The HIPAA Security Rule requires covered entities to perform a risk assessment to determine reasonable security measures for a particular organization. Risk assessment includes evaluation of the likelihood of a data breach, implementation of appropriate security measures, documentation of security measures, & rationalization of their choice, and continuous protection of e-PHI.

Safeguards

HIPAA requires organizations to implement safeguards on three levels: administrative, physical and technical.

Administrative

  • Security management process – identify & analyze risks to e-PHI, implement security measures for protection.
  • Appointing a security official overseeing HIPAA compliance.
  • Information access management – limit uses and disclosures of e-PHI, granting access to data only when appropriate, to authorized personnel only.
  • Providing the medical staff with data protection training, ensuring policy compliance by the workforce.

Physical

  • Limit physical access to the facility for unauthorized individuals, yet ensure authorized access is allowed.
  • Implement device security procedures, specify proper use of devices and access to them, have policies regarding device transfer, disposal or re-use.

Technical

Health care providers must implement:

  • Access control to e-PHI for authorized personnel only.
  • Audit controls of hardware, software and data access and use procedures.
  • Integrity controls to ensure e-PHI is not destroyed or altered improperly.
  • Transmission security measures that guard against unauthorized access to e-PHI in transit.

Features of Medical Tablets That Ensure HIPAA Compliance

So, when we talk about the features of the medical tablets that ensure HIPAA compliance, we are primarily concerned with the Technical Safeguards of the HIPAA Security Rule provisions.

Encryption

The HIPAA Security Series guidance asks covered entities to "consider the use of encryption" for e-PHI in transit. Encryption is an "addressable" specification both at rest and in transit: it is not unconditionally mandatory, but an organization that chooses not to encrypt must document, based on its risk assessment, why an alternative measure is reasonable. In practice, a lost unencrypted tablet is a reportable breach, while a lost tablet with full disk encryption generally is not.

End to end encryption protects data in transit against interception, and, provided each endpoint authenticates the other (for example by pinning a certificate or verifying a key fingerprint), against man-in-the-middle attacks as well, as HIPAA Journal notes. Technology built on end to end encryption helps providers avoid HIPAA violations.

Cybernet's medical tablets are Windows or Linux-based, so they support full disk encryption for data at rest (BitLocker on Windows, LUKS on Linux) and can run end to end encryption programs for data in transit. Furthermore, Windows medical tablets have USB 3.0 and USB 2.0 ports and can encrypt data on external storage devices (for example with BitLocker To Go) just as a normal desktop computer would.

One of the glaring security holes in consumer grade mobile devices is text messaging and the consumer chat apps medical staff use to communicate with patients and colleagues. Sending e-PHI over plain SMS exposes it in transit and at the carrier, and is very hard to reconcile with the Security Rule's transmission security standard. Consumer apps such as Skype, WhatsApp or Hangouts may encrypt messages, but their vendors will not sign a BAA, they provide no audit trail or remote wipe to the hospital, and message history is routinely backed up to personal cloud accounts. Medical professionals must instead use secure communication programs with end to end encryption, preferably from trusted, zero-knowledge providers that operate under a BAA.

Data Access

HIPAA requires the implementation of technical policies and procedures that allow access to PHI to authorized staff only. Medical tablets have access control mechanisms that enable advanced user authentication. Moreover, they make it easy to use, because end users tend to bypass any technical procedures they deem as difficult, time-consuming, or hampering their productivity in any other way.

Multi-factor authentication on medical tablets is supported by RFID Imprivata Single Sign-On, a biometric scanner, and a Smart Card or CAC reader; a Kensington lock slot deters physical theft but is not an authentication factor. Multi-layered access controls reduce the risk of unauthorized data access. Combined with a short auto-lock timeout and full disk encryption, they let medical staff leave a device in a corridor or patient room with reasonable assurance that the confidential data on it stays locked.

Data Integrity

According to HIPAA, any e-PHI data stored on a mobile device (or transmitted with its help) must be protected against unlawful tampering or destruction. Mobile devices used to store or transmit e-PHI in healthcare must have features that allow them to be audited for access to e-PHI, including attempted access instances, and other activity that could potentially affect data security.

Medical tablets can be configured to enable remote device management, giving IT admins full control over the data stored on and transmitted from them. IT admins can push system and software updates and patches remotely, or troubleshoot issues without physical access to the device. They can set up the device so that a complete log of data access and failed login attempts is retained for review. They can wipe the device remotely, should it be lost or stolen. They can monitor network activity and spot suspiciously large upload or download volumes to unfamiliar servers.
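The audit and integrity safeguards above (a retained log of data access and failed logins, protection against tampering, and spotting unusual upload volumes) are easier to reason about with a concrete artifact. The following is an added example, not code from Cybernet or from any product named on this page: it writes a per-device access log as an HMAC hash chain, so that editing, deleting or reordering an entry is detectable, and then runs two small detections over the verified log. The audit key, event format, host names and sample events are all constructed for illustration.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Hypothetical per-device audit key. On a real tablet it would be provisioned by
# the MDM and held in a TPM-backed key store, never hard-coded like this.
AUDIT_KEY = b"example-only-audit-key-do-not-use"
GENESIS = b"\x00" * 32  # "previous tag" for the first entry


def chain_events(events, key=AUDIT_KEY):
    """Serialise events into log lines; each line's HMAC covers the previous
    line's tag plus its own body, so an edit or deletion breaks every later tag."""
    prev, lines = GENESIS, []
    for ev in events:
        body = json.dumps(ev, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(key, prev + body.encode(), hashlib.sha256).hexdigest()
        lines.append(f"{body}|{tag}")
        prev = bytes.fromhex(tag)
    return lines


def verify_chain(lines, key=AUDIT_KEY):
    """Return -1 if every tag verifies, otherwise the index of the first line
    that was altered or that follows a deleted/reordered line."""
    prev = GENESIS
    for i, line in enumerate(lines):
        body, sep, tag = line.rpartition("|")
        if not sep:
            return i
        expected = hmac.new(key, prev + body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = bytes.fromhex(tag)
    return -1


def parse_events(lines):
    return [json.loads(line.rpartition("|")[0]) for line in lines]


def failed_logon_bursts(events, threshold=5):
    """Accounts with at least `threshold` failed logons in the log."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "logon_failed":
            counts[ev["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def unusual_uploads(events, approved_hosts, limit_bytes):
    """Destinations outside the approved set that received more than limit_bytes."""
    totals = defaultdict(int)
    for ev in events:
        if ev["event"] == "upload" and ev["dest"] not in approved_hosts:
            totals[ev["dest"]] += ev["bytes"]
    return {h: n for h, n in totals.items() if n > limit_bytes}


# Constructed sample: one tablet's events over part of a shift (not real data).
SAMPLE_EVENTS = (
    [{"ts": f"2019-03-04T07:{m:02d}:00", "event": "logon_failed", "user": "jdoe", "host": "TAB-12"}
     for m in range(6)]
    + [
        {"ts": "2019-03-04T07:10:00", "event": "logon_failed", "user": "asmith", "host": "TAB-12"},
        {"ts": "2019-03-04T07:11:00", "event": "logon_ok", "user": "asmith", "host": "TAB-12"},
        {"ts": "2019-03-04T07:12:00", "event": "phi_read", "user": "asmith", "host": "TAB-12",
         "record": "MRN-000123"},
        {"ts": "2019-03-04T07:15:00", "event": "upload", "user": "asmith", "host": "TAB-12",
         "dest": "ehr.internal", "bytes": 1_048_576},
        {"ts": "2019-03-04T07:20:00", "event": "upload", "user": "asmith", "host": "TAB-12",
         "dest": "203.0.113.7", "bytes": 262_144_000},
    ]
)
APPROVED_HOSTS = {"ehr.internal", "pacs.internal"}  # hypothetical internal systems


def run_checks(lines):
    """Verify integrity first; only analyse events from a log that verifies."""
    bad = verify_chain(lines)
    if bad != -1:
        return {"tampered_at": bad}
    events = parse_events(lines)
    return {
        "tampered_at": -1,
        "logon_bursts": failed_logon_bursts(events),
        "exfil_suspects": unusual_uploads(events, APPROVED_HOSTS, 100 * 1024 * 1024),
    }


if __name__ == "__main__":
    log = chain_events(SAMPLE_EVENTS)
    print(run_checks(log))
    log[3] = log[3].replace('"jdoe"', '"mallory"')  # simulate an after-the-fact edit
    print(run_checks(log))
```

The chain only proves that nothing changed after the entry was written with the key; an attacker who has the key can rewrite history, which is why the key belongs in hardware or on the management server rather than on the device's writable storage. Thresholds here are deliberately simple; a real deployment would tune them per role and shift.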

IT admins can block or disable certain OS features, whitelist and blacklist programs, to protect the confidentiality of e-PHI from the inadvertent exposure by the end users. For example, disabling automatic connection to any available Wi-Fi network protects devices from connecting to insecure public networks.

From ad-block browser extensions to firewalls and sandboxing, Windows supports the full list of security measures an IT admin can deploy on a device. With Windows 10, the security features have advanced even further.

Windows makes the use of password managers easy since most enterprise programs are developed for Windows. Administrators can also disable access to the app store, so that users cannot download and install unauthorized applications or games, or block every application except an allowlist of authorized ones from accessing the Internet.

Medical tablets give admins the means to scan them for malware and other malicious code, install antivirus, and perform regular and random scans. When an employee leaves or is fired, admins can promptly terminate that account's access to PHI.