Tag Archives: HIPAA

How Technology Prevents HIPAA Violations

HIPAA violations are growing in number and cost, and have affected medical facilities of all sizes.

While training and vigilance on the part of administrators and staff is a vital component to HIPAA compliance, the right technology can turn an open book into a bank vault. From secure medical grade all-in-one computers to software to online tools, here are some of the best ways technology is making ePHI (electronic protected health information) more secure.

HIPAA violations and costly fines don’t have to be an inevitability.

How Bad is It?

HIPAA violations and fines are practically raining from the sky. 2018 saw significant data breaches, some of which affected millions of patients.

In January 2018, it was revealed that the data of about 30,000 patients had been stolen from Florida Medicaid after an employee fell for a phishing email.

Also in January, a medical group in New York had a breach that had nothing to do with malicious intent. A misconfigured database with a port left open to the Internet exposed the data of 42,000 people to anyone who stumbled across it. Social Security numbers, patient notes, and even names of family members were all up for grabs.

In April, the Center for Orthopaedic Specialists in California was hit by ransomware that may have exposed 85,000 patient records. In September, three hospitals paid roughly $1 million to settle allegations that they had compromised patient privacy while an ABC documentary crew filmed on their premises.

And, of course, Anthem paid a record-breaking $16 million in fines and violation settlements for a breach that affected 79 million patients. They were given a hefty penalty for not only the breach itself, but for failing to implement adequate access controls, not conducting a risk analysis before it happened, and for not regularly reviewing system activity to keep an eye on red flags.

Almost all of these breaches could have been prevented or mitigated by better technology, more robust security software, and improved employee education.

Online Training Programs Can Educate Staff Members

Hacking is more than ransomware and worms. "Social engineering" covers every technique an attacker uses to get a person inside an organization to hand over access, rather than attacking the systems directly.

Social engineering tactics vary wildly: dressing like an electrician to get into a restricted area, phoning an employee while posing as an IT technician who needs their credentials, or simply sending a phishing message whose link or attachment the victim is persuaded to click, open, download, or install.

Consider enrolling staff members into an online HIPAA compliance course, or a general data security training program. If you’re afraid of employees falling asleep during a dry infosec video, try SecurED, a data security training course that was actually written in part by Hollywood comedy writers.

And if you want the real skinny from an expert, world-famous hacker Kevin Mitnick actually created his own security awareness training to help illuminate the best techniques for avoiding malicious software and social engineering.

Install Security Software on All Devices

Cloud storage attached to medical all-in-one computers, medical tablets, and personal devices must be encrypted. Any messages, data, or images that back up to a cloud service are as exposed as messages sent from one user to another: in transit to interception, and at rest to anyone who obtains the account credentials.

Dropbox, OneDrive, and Google Drive do encrypt data in transit and at rest, but the provider holds the keys, so anyone who compromises the account or the provider can read the files, and consumer accounts come with no Business Associate Agreement. That makes them a weak point in any system. The solution isn't to stop using cloud services (backing up data has never been more important) but to encrypt files on the client, with keys the practice controls, before they enter a cloud storage folder; Sookasa is one program built for exactly that.

It also may be wise to consider HIPAA compliance tracking software like HIPAATrek. This software, and other brands like it, create a one-stop-shop for all current HIPAA regulations, training, assessments, risk analysis surveys, checklists, and a whole host of compliance tools to keep any medical facility in the green and out of the fast-growing list of HIPAA horror stories.

Secure Accounts with Two-Factor Authentication

A single login and password for staff members isn't sufficient for accounts that touch ePHI. Passwords can be guessed, cracked, phished, or reused from a breached site, especially if employees aren't maintaining proper password hygiene.

The HIPAA Security Rule requires person or entity authentication but does not name a mechanism; two-factor authentication is the widely recommended way to meet it, and a risk analysis that skips it will be very hard to defend after a breach.

Smart cards, custom RFID tags, and biometric scanners provide the possession or biometric factor, while a PIN or password supplies the knowledge factor. Medical all-in-one computers or medical tablets with built-in RFID and biometric readers are recommended for this purpose because an integrated reader is more reliable than a USB scanner plugged into an off-the-shelf office computer.

Plus, USB readers are portable and have a tendency to get lost or disappear. Misplacing an integrated medical panel PC is slightly more difficult.

Only Use Messaging Software Covered by a Business Associate Agreement

Texting and easy picture-sharing have completely changed the way our society communicates, even in the workplace.

However, HIPAA’s security standards mean that doctors and nurses can’t be as free as the general populace. While texting a coworker a question might seem innocuous, it can lead to breached confidentiality and a hefty fine if it contains patient details. Ditto for sending pictures — getting a second opinion from another nurse about a suppurating wound isn’t a bad idea in theory, but may, in fact, be a violation of HIPAA standards.

For workplace communication, make sure work devices are installed with encrypted messaging software from a vendor that has signed a Business Associate Agreement (BAA). If your practice has a BYOD policy, make sure those devices have the same level of encryption. Or consider abandoning BYOD altogether: it puts ePHI on devices the organization neither owns nor manages.

Note that a BAA is a contract, not a certification; there is no official HIPAA certification for software. What the BAA does is bind the vendor to the Security Rule's safeguards and to breach notification, so that the app's security is the vendor's legal obligation rather than a marketing claim.

There are quite a few HIPAA-compliant texting apps, like TigerConnect and OhMD, that can make a major difference in cybersecurity. Many of these apps, or similar email encryption programs (like Barracuda or Virtru), can also be installed on medical tablets and medical all-in-one computers, creating an easy, encrypted communication system for any facility.

Don’t Forget the Real World

Consider those hospitals fined for filming a documentary — not all patient confidentiality breaches come from computer hackers.

Even something as simple as the placement of a computer screen or patient monitor can have HIPAA implications. Medical all-in-one computers with built-in privacy screens narrow the viewing angle at which a monitor is readable, while a computer on wheels can be rotated away from prying eyes.

Cameras and video recording are obviously off-limits, but sometimes staff can be tempted by the social media machine in their pocket. A perfectly harmless photo from the wrong angle can unknowingly capture sensitive information on a chart, or the face of a patient in the background.

Of course, a malicious low-tech data thief could also snap a quick picture of sensitive information while a doctor’s back is turned.

Technology can help, of course, but common sense is even more important. Keep an eye on your surroundings, especially when viewing ePHI, to maintain maximum data security.

Employ and Document Digital Security Methods Today

A three-pronged approach of education, technology, and vigilance should hopefully keep any doctor’s office, hospital, or clinic away from major HIPAA violations. Even should a lax staff member cause a breach, a thorough and documented history of implementing all of these techniques should also lower the culpability and any potential fines for the organization.

Contact Cybernet today to learn more about medical all-in-one computers and medical tablets with built-in two-factor authentication, Imprivata single-sign-on compatibility, and built-in privacy screens.


Are BYOD Policies in Healthcare a Mistake?

“BYOD” stands for “Bring Your Own Device,” and its potential implementation is a conversation being had in many workplaces, schools, industries, and hospitals.

In theory, it’s an effective cost-cutting measure: everyone is walking around with an advanced, mobile touchscreen computer in their pocket at all times. Why not leverage that ubiquitous technology, all the while saving the business some money on buying medical tablets for every employee?

While BYOD policies sound great on paper, are they actually effective? Do they do more harm than good?

Personal Devices Are a Hornet’s Nest of HIPAA Violations

The greatest flaw in any BYOD policy is almost always security — how do you ensure that the phone a staff member carries at home, at work, and out to the club is protected? How can you guarantee that the employee is always logging out of work applications, especially if they take work home with them as part of their job? Lines become even blurrier, and confidentiality suffers.

Imagine a doctor or nurse snaps a quick picture of an injury on their cell phone for later reference or sends it to another clinician for a second opinion. Even if the patient consented to this, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens automatically, depending on the phone’s settings. Is the staff member’s Dropbox or iCloud shared with anyone else? How encrypted is it? What other, non-secure device is the cloud service backing up to? A home computer, a bedside iPad, a husband or wife’s laptop?

Of course, this doesn’t just apply to images. Ask yourself all of these questions regarding a text or email about a patient’s condition or personal details to another clinician. Think about what note-taking software is being used on the phone, and where that’s stored. Some staff members may record their thoughts or case reports into a phone recorder app, which may be backed up to the cloud or other, less secure devices.

Does the user even have a password on their phone or tablet? According to the "Consumer Security Risks Survey" from Kaspersky Lab, only about half (53%) of mobile users have a security solution installed on their smartphones, and 20% weren't even aware that mobile malware existed.

Each one of these avenues is a potential HIPAA violation, which can cause an individual or a branch thousands of dollars in fines and potentially more in active lawsuits.

Consider the Liability

Mobile devices get stolen or misplaced all the time. Unlike dedicated hospital medical tablets, a staff member's personal phone or tablet goes home (or out) with them. By one survey's numbers, 44% of stolen smartphones were taken in public places and 14% from burglarized houses; a device that leaves the building is exposed to both risks.

If the device gets dropped or stolen at work, is the hospital liable? If the policy requires that staff bring their personal devices instead of using hospital-provided medical computers and medical tablets, there’s an argument that could be made. An argument that probably would be made, by an attorney.

Before implementing a BYOD policy, make sure employees know what's required of them and what the liabilities are. Having employees sign a document that codifies this policy, to legally protect the hospital, will be job one.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (or, really, any facility or industry) performs a whole host of important jobs.

They maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few.

Devices that are officially owned by the hospital can all be managed with IT network software. Hospital or office-owned medical tablets are constantly under the watchful eye of the IT department. The IT team also keeps all device software updated to close known vulnerabilities. They install anti-virus and firewall software on managed devices, and ensure that those programs are working and up to date.

Installing, troubleshooting, and maintaining all of these processes often requires that the tech have hours of access to the medical computer in question. With a BYOD policy, tech access to someone’s personal cell phone is extremely limited, if it’s even allowed.

Sometimes, due to liability concerns, the tech may have little to no access at all. This turns the individual user — a doctor or nurse — into the primary tech for their own device. And, unfortunately, many don’t have the time or aren’t up to the challenge.

This neglect or misunderstanding can lead to software patches not being installed and lax anti-virus maintenance, which can open up huge security holes for any device or network.

A SecureEdge Networks report indicated that as it stands, 80% of all BYOD devices are completely unmanaged by the IT team. Compare that to the standard practice of managing all medical tablets and computers in a facility, and the vast security gulf becomes more clear.

BYOD Policies Lack Standardization

Even with the proper policies in place, and a secure environment for users to log into confidentially, there comes the most frustrating feature of BYOD policies: lack of standardization.

The medical tablets and other medical touch screens purchased by the hospital typically come from the same vendor, and are running the same operating system and even use the same parts. This standardization allows IT to choose software and hardware peripherals that work with any device in the hospital.

With hundreds of unique personal devices, things get dicey.

While staff members may enjoy the familiarity of their own devices, that doesn’t mean productivity is necessarily increased across the board. When staff members have devices from a dozen different manufacturers, with different operating systems (on different versions, with different patches), trying to make software and communication work is no easy task.

Hospital apps, messaging services, and secure hospital data vaults have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet OSes. Frequently used website portals must be compatible with Chrome, Safari, and half a dozen other mobile browsers.

And, most importantly, if there is a conflict, the IT department is responsible for maintaining access across dozens of different platforms and browsers. Assuming the policy even allows IT to maintain the BYOD devices, that puts a huge strain on the tech team.

To BYOD or Not to BYOD

According to an extensive study by the Ponemon Institute released in 2016, data breaches are a constant problem for almost every hospital.

In their study, they found that “nearly 90% of healthcare organizations…had a data breach in the past two years.” They then went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million dollars, the math speaks for itself.

BYOD policies are not without their benefits — they’re excellent short-term solutions, especially for facilities that don’t have the budget for as many dedicated medical tablets or computers as they need. BYOD has been known to boost morale, and when implemented properly can increase communication.

However, most of the studies that found this data looked at standard businesses who don’t have to worry about the stringent confidentiality and security requirements of HIPAA.

Still, with HIPAA violations costing companies like Anthem over $16 million, healthcare can ill afford to play it fast and loose with potential security breaches.

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.


Understanding the Move to Mobile and HIPAA

Five years after the Internet went live to an unsuspecting public – one that had no idea how much it would need cat videos, online shopping and binge-watching –  the Health Insurance Portability and Accountability Act (HIPAA) was born in 1996. Fast forward more than 20 years and we’ve seen the birth of the smartphone, tablet and smartwatch; the rise of social media; the emergence of cloud-based hosting and data storage; and now the Internet of Things (IoT).

Translation? Healthcare information exchange can occur – and must be protected – in more ways than those early HIPAA architects ever dreamed of. The following details what HIPAA does specify, where it’s lacking, and some of the technologies and solutions that can help you stay protected.

A Brief History of HIPAA

HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the next 10+ years, HIPAA expanded to include the enactment of the Privacy, Security and Enforcement rules, which set standards for protected health information (PHI) protection, disclosure, and access. These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence, and report breaches.

What HIPAA Has to Say About Mobile

HIPAA Journal provides an excellent summary of what HIPAA does and does not mandate for mobile devices. The Security Rule requires covered entities to verify the identity of anyone accessing ePHI (person or entity authentication), to control access to where ePHI is stored and how it is transmitted, and to protect ePHI against improper alteration or destruction through integrity and audit controls; it does not prescribe specific products or mechanisms. Here are a few specific focal areas and technologies for HIPAA compliance:

  • Data tracking – Consider digital watermarking
  • Information access – Certify all devices, block the transmission/download of ePHI where necessary and segregate work/personal data on individually owned devices
  • Password and public Wi-Fi security – Create policies that specify requirements and mandate a VPN for remote access
  • App control – Limit usage to those with certified security controls and ensure security updates occur.
  • Device scanning and maintenance – Install anti-virus software, perform regular scans, and ensure automated security updates.
  • Data erasure – Implement technologies that allow for remote data deletion.

Text Me, Maybe

The healthcare industry now uses text marketing automation tools, social media, chatbots, and SMS marketing tools for everything from appointment reminders to wellness engagement. Opt-out functionality is a must. Encryption is an "addressable" implementation specification in the Security Rule for ePHI both at rest and in transit: not strictly mandatory, but a covered entity must either implement it or document why an equivalent alternative is reasonable, and for ePHI in transit that is a hard argument to make. Ordinary SMS offers no end-to-end encryption, so patient details belong on a secure messaging platform, not in a carrier text.

One thing that’s not allowed? Texting patient orders. In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs) agreements.

Hey, You! Get on to My Cloud

HIPAA also allows cloud-based storage. OCR issued guidance in 2016 outlining requirements for the cloud service providers (CSPs) that medical practices must inevitably turn to for secure system implementation. Google Drive is one such option. HIPAA Journal reports that Google's Business Associate Agreement (BAA), offered on its paid business accounts but not on free consumer accounts, addresses the HIPAA Security, Privacy, and Breach Notification Rules, allowing the use of Google Drive and subcomponents such as Google Forms, which providers can use to gather and share information.

Left to Your Own Devices

There are four letters that might make anyone operating in the HIPAA spaces cringe: BYOD. It stands for Bring Your Own Device and marks a growing trend in some sectors for employees to use their own technology in the workplace. Adoption is currently higher in other countries than the U.S., but with personal mobile and the IoT entering healthcare in big ways, it’s time to at least start thinking about it. While HIPAA doesn’t speak specifically to these areas, the existing Security Rule is a good place to start and can help you create policies in such areas as:

  • Patient and guest data access
  • Network and software security
  • Email, web and medical device
  • Workflow and information logging

Compliance: Broader than HIPAA, More Important Than Ever

Because there is much that HIPAA doesn’t specify, any organization protecting healthcare data should be aware of what other agencies are advising, including:

  • Mobile security – The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) issued 2015 guidance addressing standards for company-owned and BYOD mobile devices.
  • App development – The Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, has created a portal for app developers that addresses components of the Privacy and Security Rules, along with BAA guidance. Meanwhile, ACT | The App Association has called on OCR to get more specific as technology grows by leaps and bounds.
  • Connecting the dots – OCR has published a crosswalk mapping the HIPAA Security Rule to the NIST Cybersecurity Framework, which it acknowledges is more granular in outlining administrative, physical, and technical safeguards.

As healthcare innovation continues to move at lightning speed, those in the industry will remain continually challenged by the dual needs to keep up with technology while protecting patient data. Advancements shouldn’t be limited by lagging regulations, which puts healthcare providers, executives and manufacturers in a position to drive compliant solutions where federally defined standards are lacking.

Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker’s, InformationWeek and other outlets. She has spoken nationally on population health, long-term care, and been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.


Medical Tablets: Complying with HIPAA

Healthcare providers increasingly use clinical applications such as EHR, clinical decision support systems, order entry systems, radiology, laboratory and other systems. Health IT makes the medical workforce more agile, mobile and productive. Mobile devices let physicians check patient records on the go, in any location. Nonetheless, the rise of mobile technology increases the risk of data breaches. HIPAA aims to protect ePHI while still allowing hospitals to adopt new technologies & improve their efficiency and care quality.

For data protection purposes, the Health Insurance Portability & Accountability Act (HIPAA), 1996, is implemented by the HIPAA Privacy Rule & the HIPAA Security Rule. The former establishes national standards for the protection of individually identifiable health information; the latter sets security standards for protecting individually identifiable health information held or transferred in electronic form. The Security Rule dwells on the technical and non-technical safeguards covered entities must implement to secure patients' electronic protected health information (e-PHI).

Understanding HIPAA

The HIPAA Security Rule covers health plans, health care clearinghouses and health care providers that create, receive, store or transmit e-PHI, as well as their business associates. Read the Summary of the HIPAA Privacy Rule [PDF].

Under HIPAA, covered entities must:

  • Ensure confidentiality, integrity & availability of e-PHI.
  • Identify threats to e-PHI and protect against them.
  • Protect e-PHI against disclosures or impermissible uses.
  • Ensure HIPAA compliance by the workforce.

The HIPAA Security Rule requires covered entities to perform a risk assessment to determine reasonable security measures for a particular organization. Risk assessment includes evaluation of the likelihood of a data breach, implementation of appropriate security measures, documentation of security measures, & rationalization of their choice, and continuous protection of e-PHI.

Safeguards

HIPAA requires organizations to implement safeguards on the administrative, physical and technical levels.

Administrative

  • Security management process – identify & analyze risks to e-PHI, implement security measures for protection.
  • Appointing a security official overseeing HIPAA compliance.
  • Information access management – limit uses and disclosures of e-PHI, granting access to data only when appropriate, to authorized personnel only.
  • Providing the medical staff with data protection training, ensuring policy compliance by the workforce.

Physical

  • Limit physical access to the facility for unauthorized individuals, yet ensure authorized access is allowed.
  • Implement device security procedures, specify proper use of devices and access to them, have policies regarding device transfer, disposal or re-use.

Technical

Health care providers must implement:

  • Access control to e-PHI for authorized personnel only.
  • Audit controls of hardware, software and data access and use procedures.
  • Integrity controls to ensure e-PHI is not destroyed or altered improperly.
  • Transmission security measures that guard against unauthorized access to e-PHI in transit.

Features of Medical Tablets That Ensure HIPAA Compliance

So, when we talk about the features of the medical tablets that ensure HIPAA compliance, we are primarily concerned with the Technical Safeguards of the HIPAA Security Rule provisions.

Encryption

The HIPAA Security Series guidance lists encryption as an "addressable" implementation specification for e-PHI both at rest and in transit: a covered entity must either implement it or document, based on its risk assessment, why an equivalent alternative is reasonable. In practice, a risk assessment that does not call for encrypting e-PHI on a portable device is very hard to justify.

End-to-end encryption protects data in transit against interception and man-in-the-middle attacks, provided the endpoints authenticate each other, as HIPAA Journal notes. Technology built on end-to-end encryption helps providers avoid HIPAA violations.

Medical tablets built for HIPAA environments are Windows or Linux-based, which gives IT full disk encryption for data at rest (BitLocker on Windows, LUKS/dm-crypt on Linux) under enterprise key management, and lets it deploy end-to-end encryption programs for data in transit. Furthermore, Windows medical tablets have USB 3.0 and USB 2.0 ports and can encrypt data on external storage devices (BitLocker To Go) just as a desktop computer would.

One of the glaring security holes in consumer-grade mobile devices is the text messaging and consumer chat apps medical staff use to communicate with patients and colleagues. Sending e-PHI in an ordinary SMS message exposes it in the clear and is an impermissible disclosure under the HIPAA Security Rule. Whatever encryption the consumer versions of Skype, WhatsApp or Hangouts offer, their vendors do not sign BAAs for those products, and message backups, contact metadata and the recipient's device all sit outside the organization's control. Medical professionals must implement secure communication programs with end-to-end encryption, preferably from trusted, zero-knowledge providers that will sign a BAA.

Data Access

HIPAA requires technical policies and procedures that allow access to PHI to authorized staff only. Medical tablets have access control mechanisms that enable strong user authentication. Just as importantly, they make authentication quick to use, because end users tend to bypass any technical procedure they find difficult, time-consuming, or otherwise in the way of their work.

Multi-factor authentication on medical tablets is provided by an RFID reader with Imprivata single sign-on, a biometric scanner, and a Smart Card or CAC reader; a Kensington lock slot adds physical anti-theft protection but is not an authentication factor. Multi-layered access controls reduce the risk of unauthorized data access. Combined with full disk encryption and a short auto-lock timeout, they let medical staff leave a device in a hospital corridor or patient room with reasonable assurance that the confidential data on it stays locked.

Data Integrity

According to HIPAA, any e-PHI data stored on a mobile device (or transmitted with its help) must be protected against unlawful tampering or destruction. Mobile devices used to store or transmit e-PHI in healthcare must have features that allow them to be audited for access to e-PHI, including attempted access instances, and other activity that could potentially affect data security.

Medical tablets can be configured for remote device management, giving IT admins control over the data stored on and transmitted from them. Admins can push system and software updates and patches remotely, or troubleshoot issues without physical access to the device. They can configure the device so that a complete log of data access and failed login attempts is kept for review. They can wipe the device remotely should it be lost or stolen. They can monitor network activity and spot unusually large uploads or downloads to unfamiliar servers.
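The integrity and audit requirements described above (access and failed-login events recorded in a form that cannot be quietly edited, then actually reviewed) can be shown in a few dozen lines. The following is an added example written for this page; it is not Cybernet's code nor any product's. It assumes that the log key lives on an audit server rather than on the tablet, that a burst of five failed logins within ten minutes is the review threshold, and that the record fields and sample events are constructed for illustration.

```python
"""Tamper-evident audit log plus a review routine for failed-login bursts.

Added example for this page, not Cybernet's code or any product's.
Assumptions (labelled): LOG_KEY lives on the audit server, never on the
tablet; the record fields and the sample events below are constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOG_KEY = b"example-only-key-rotate-in-production"  # assumption: server-side secret
GENESIS = "0" * 64                                   # "previous MAC" of the first record


class AuditLog:
    """Append-only log where each record's HMAC covers the previous record's HMAC.

    Editing, inserting or deleting a stored record breaks the chain at that
    point, which verify() reports. Truncating the tail is NOT detected by the
    chain alone; ship the latest MAC to a separate system to cover that case.
    """

    def __init__(self, key: bytes = LOG_KEY):
        self.key = key
        self.records = []

    def _mac(self, body: dict) -> str:
        # Canonical JSON so the same fields always MAC to the same value.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def append(self, ts: str, user: str, action: str, outcome: str, device: str) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"ts": ts, "user": user, "action": action,
                "outcome": outcome, "device": device, "prev": prev}
        rec = dict(body, mac=self._mac(body))
        self.records.append(rec)
        return rec

    def verify(self) -> int:
        """Return the index of the first record that fails, or -1 if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("prev") != prev or not hmac.compare_digest(self._mac(body), rec["mac"]):
                return i
            prev = rec["mac"]
        return -1


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Map user -> count for users with >= threshold failed LOGINs inside one window."""
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "LOGIN" and r["outcome"] == "FAIL":
            by_user[r["user"]].append(datetime.fromisoformat(r["ts"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def build_sample_log() -> AuditLog:
    """Constructed events: one clinician's normal session and one account under password guessing."""
    log = AuditLog()
    t0 = datetime(2018, 9, 12, 8, 0)
    log.append(t0.isoformat(), "rn.alvarez", "LOGIN", "OK", "tab-07")
    log.append((t0 + timedelta(minutes=1)).isoformat(), "rn.alvarez", "VIEW_CHART", "OK", "tab-07")
    for i in range(6):
        log.append((t0 + timedelta(minutes=30 + i)).isoformat(), "jdoe", "LOGIN", "FAIL", "tab-12")
    log.append((t0 + timedelta(hours=3)).isoformat(), "rn.alvarez", "LOGOUT", "OK", "tab-07")
    return log


def tamper_and_verify(log: AuditLog) -> int:
    """Simulate an insider flipping a stored outcome; returns what verify() reports."""
    log.records[1]["outcome"] = "FAIL"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("failed-login bursts:", failed_login_bursts(log.records))
    print("first bad record after tampering:", tamper_and_verify(log))
```

Two design points matter in practice. The HMAC key must not be on the device whose activity is being logged, or whoever controls the device can rewrite history; and a hash chain only proves that nothing inside it was altered, so the most recent MAC should be forwarded to a separate system (a SIEM or a write-once store) so that lopping records off the end is also caught.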

IT admins can block or disable certain OS features and whitelist or blacklist programs to protect the confidentiality of e-PHI from inadvertent exposure by end users. For example, disabling automatic connection to any available Wi-Fi network keeps devices off insecure public networks.

From browser extension control to the host firewall, application allow-listing (AppLocker) and sandboxing, Windows supports the full range of security measures an IT admin can deploy on a device. With Windows 10, the built-in features (BitLocker, Windows Defender, Credential Guard) have advanced even further.

Windows makes the use of password managers easy, since most enterprise programs are developed for it. Administrators can disable access to the app store so that users cannot download and install unauthorized applications or games, or block every application except an approved list from reaching the Internet.

Medical tablets give admins the means to scan them for malware and other malicious code, install antivirus, and perform regular and random scans. When an employee leaves or is dismissed, admins can promptly terminate their access to PHI.