KINARA INSIGHTS Healthcare Technology Consulting MA - Blog
Mon, 14 Dec 2015 18:08:32 -0800

Health Information Security: Five Top Priority Must-Do Things for 2016
Tue, 15 Dec 2015 01:46:14 GMT
http://www.kinarainsights.com/blog/health-information-security-five-top-priority-must-do-things-for-2016

2015 was another banner year for cyber-criminals. High profile data breaches at Anthem, Excellus BlueCross BlueShield and Premera BlueCross have left millions of consumers exposed to medical identity theft and fraud. It is a scary reality in the healthcare world when we consider the following facts:
  • 42% of major data breaches are healthcare related
  • Average cost of a data breach for a healthcare organization is around $3.5M
  • Healthcare data is 5, 10 or even 50 times more valuable to criminals than other types of data
  • Healthcare fraud costs the industry anywhere from $74 billion to $247 billion a year in the US (FBI statistics)
  • Cybercriminals will compromise 1 in 3 healthcare records next year (IDC Health Insights)
Common scenarios that lead to data breaches:
  1. Loss / theft of laptops or mobile devices containing ePHI
  2. Lack of appropriate access controls to secure access to ePHI
  3. Software updates or system maintenance leaving critical security controls disabled
  4. Stolen passwords, or weak passwords that are easy to guess or crack
  5. Use of insecure file sharing software/services
  6. Use of insecure email or text messaging services
  7. Unintentional employee action or error
Here are five top priority steps that healthcare organizations need to take in order to minimize the risk of a data breach.
  1. Conduct a risk analysis: Identify where confidential patient health information is stored in your organization (in both electronic records and paper records) and how this information flows through the organization. Identify risks to the data and implement appropriate security controls to protect it.
  2. Update HIPAA security policies and procedures: Develop/update your HIPAA security policies and procedures that govern the security of confidential data in order to ensure the confidentiality, integrity and availability of protected health information at all times.
  3. Encrypt electronic protected health information (ePHI): When feasible, encrypt all ePHI when it is stored (at rest) and when it is transmitted (in motion). Also encrypt data on all mobile devices and removable media such as laptops, cellphones, tablets, USB memory sticks, CDs, etc.
  4. Implement a reliable backup and disaster recovery solution: Ensure that all ePHI is backed up at a remote location and can be recovered without loss of integrity in case of a disaster.
  5. Conduct HIPAA security training for all staff: Regularly train all your staff on HIPAA security requirements so that they understand their data security responsibilities under HIPAA and state laws. Work towards creating a “Culture of Security” in your healthcare organization.

Telemedicine: No longer just a buzz word
Tue, 22 Sep 2015 18:56:32 GMT
http://www.kinarainsights.com/blog/telemedicine-no-longer-just-a-buzz-word

For the past few years telemedicine was more of a buzzword, mentioned frequently in the media and at conferences but remaining at the fringes of actual clinical practice. A lot has changed since those days. As the healthcare business model shifts from a predominantly fee-for-service model to an outcomes-based one, telemedicine has become a legitimate clinical healthcare delivery vehicle that provides patients convenient and cost effective care. It enables providers to fill gaps in their patient care model by increasing patient engagement and improving care coordination, leading to better health outcomes.

Telemedicine is primarily a method of electronic communication (sharing data) between providers and patients for clinical healthcare purposes. That communication can take different forms including audio, video, images, and text. Telemedicine delivery is hence a collection of telecommunication, IT, remote monitoring and diagnostic technologies, which are grouped into four main categories:
  1. Live video conferencing (synchronous communication): Also referred to as teleconsultation, where there is a live interaction between the patient and the doctor via a secure video telecommunication link.
  2. Store and forward (asynchronous): There is no live interaction between the patient and the doctor; instead the patient data (history or images) are recorded, stored and then transmitted to the doctor. For example, transmission of an image of a skin rash from a primary care doctor to a teledermatologist via a secure communication channel for expert consultation.
  3. Remote monitoring: Monitoring of a patient’s blood pressure, heart rate and other symptoms using remote monitoring devices that can record the data at one location and securely transmit it via the internet to a provider in a different location for better care management.
  4. Mobile Health applications: Use of mobile applications for delivery of health related information to increase public awareness or increase patient engagement for treatment and management of chronic conditions. This could include the use of targeted text messaging to encourage healthy patient behavior in order to influence positive health outcomes.
Since all these telemedicine delivery modalities involve the exchange of confidential patient data, also referred to as electronic protected health information (ePHI), compliance with the HIPAA Security Rule is mandatory. Healthcare organizations need to implement appropriate security measures to protect patient data at all times to avoid the consequences of a data breach.

There still exist issues of reimbursement, licensure, credentialing and state-specific regulations that need to be addressed. These issues are being addressed at a state level, and hence telemedicine adoption at the present moment is very state-specific, with some states more “telemedicine friendly” than others. There is no doubt about the benefits of telemedicine, and despite existing issues providers and payers are moving forward undaunted.

In upcoming blogs I intend to talk more about telemedicine and will address topics such as:
  1. What technology do you need to set up a telemedicine practice?
  2. What safeguards need to be implemented to minimize the risk of a data breach?

Protecting ePHI: Facility Doors Locked, Alarms Turned On…Don’t Assume, Make Sure.
Fri, 17 Jul 2015 17:55:05 GMT
http://www.kinarainsights.com/blog/protecting-ephi-facility-doors-locked-alarms-turned-ondont-assume-make-sure

During a recent client visit, we were discussing the importance of conducting a comprehensive risk analysis. I emphasized that in order to identify and mitigate potential risks to electronic protected health information (ePHI), one needs to evaluate the threats and vulnerabilities to all assets which store or transmit ePHI and examine the administrative, physical and technical controls in place.

As we discussed the existing physical safeguards at the healthcare facility, the client assured me that the ePHI was stored on a server in a locked room. When I asked him to show me the room, I was shocked. Not only did this room have a door that opened directly to the outside, I knew the door was unlocked as I had walked into the practice through that very door! Imagine the shock on my client’s face when he realized that anyone could have come in through that door and walked away with his server and other computer equipment. He had wrongly assumed that someone on his staff had locked the door.

This highlights the following two key points:
  1. Don’t assume that the existing security controls at your facility are working properly. What good is the lock on the door when no one checks to see if the door is locked? That’s why having clearly written security policies and procedures is so important. Having a policy that designates a staff member to ensure that all physical safeguards (such as locks and alarms) are installed and working properly is critical in preventing unauthorized access to your healthcare facility.
  2. It is critical to conduct an onsite facility visit as a part of the risk analysis process. An onsite visit may reveal areas where security measures are lacking or not working as they should. It could uncover potential risks to ePHI in computer systems, such as a poorly ventilated server room causing the server to overheat, or servers placed on the floor where they are prone to water damage from a flood. Additionally, the physical location of the practice could be an issue, such as being in a high crime neighborhood or being co-located with a company dealing with hazardous materials that may damage the systems that store your ePHI.

A comprehensive risk analysis looks at all the potential threats and vulnerabilities to the ePHI, security measures in place and classifies the risks as high, medium or low. The practice can then choose to accept, avoid, transfer or mitigate the risk through the appropriate implementation of security policies, procedures, technology and training.

Are former employees still able to access your corporate data?
Mon, 01 Jun 2015 19:35:52 GMT
http://www.kinarainsights.com/blog/are-former-employees-still-able-to-access-your-corporate-data

Personnel changes are a common part of any organization. What happens, however, when you decide to terminate the services of an employee, or when the employee resigns of his/her own accord, is vitally important. Does your healthcare organization have a process in place to ensure that your confidential data does not walk out the door with the employee?

Failure to revoke access to electronic protected health information (ePHI) for former employees is one of the potential causes of a data breach in healthcare organizations. Just recently Jacobi Medical Center (JMC) in NYC reported a data breach when they discovered that a former employee had accessed emails containing files of ePHI and sent these files to her personal email account. She also sent these files to the email account of her new employer, which is a New York City agency that works closely with her previous employer. According to the former employee, she accessed and sent the subject files to these email accounts in case she had to respond to questions in the future about her past work at JMC.

Even though this employee didn’t have a malicious purpose for her actions, it still constitutes a data breach. Luckily the healthcare organization had security programs that monitor and detect email communications that contain ePHI, and so it was able to detect this data breach. That does not, however, excuse the fact that this former employee still had access to the corporate network days after her termination. In fact her access privileges should have been revoked before she walked out the door on her last day. Ensuring the security of ePHI is critical in such circumstances. Technology in and of itself is not the answer. It has to be supported with proper policies and procedures that work in concert to keep patient data secure. Having well documented policies and procedures for employee termination (an employee exit strategy) is the first step. Training your employees to comply with the policy, and enforcing it strictly, will help protect ePHI during such transitional periods. Implementing the following termination policies will help your healthcare organization prevent a data breach when an employee resigns or is terminated:
  1. Collect all company owned property such as laptops, cellphones, tablets, ID badges, all relevant passwords/credential information to log in to any of your systems, and any other company material such as handouts from the employee before departure.
  2. Revoke all computer, systems, network, database access as well as remote access privileges for the former employee. Do not forget to disable building access card keys if you have provided them to the individual.
  3. Terminate access to the email, voicemail and text messaging systems for the former employee.
  4. Instruct all remaining staff to change their passwords. This is done to ensure that passwords that might have been shared with the former employee, or those that may have been stolen by a disgruntled employee, can no longer be used to gain access to your systems. Instruct your staff not to share passwords with anyone, and especially not to divulge them to former employees, even if they are good friends with the former employee.
  5. Depending on the former employee’s job/position, inform clients and important vendors that the employee is no longer employed at your organization and provide them with a new point of contact if needed.
  6. Set an automatic e-mail notification to alert senders that the affected employee no longer works at your organization. Make arrangements for how these accounts will be routed to ensure that your organization will not lose contact with patients or important business associates.
  7. Monitor your systems for any unauthorized attempts to access your patient data.
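The two controls the JMC incident turns on, revoking access before the last day and monitoring for ePHI leaving the organization, can be checked mechanically. The following is an added example (not code from the original post): it audits a few constructed outbound-mail log lines against an assumed HR termination list, flagging mail sent by an account after its termination date and mail carrying an SSN-like value to an outside domain; the log format, domain names and user records are assumptions for illustration.

```python
"""Added example (not from the original post): offboarding audit over
constructed outbound-mail log lines. Flags (a) activity by an account after
its documented termination date and (b) SSN-looking data sent to an
external domain. Log format, domain and HR records are assumptions."""
import re
from datetime import date

ORG_DOMAIN = "example-hospital.org"  # assumed internal mail domain

# Constructed HR record: account -> last working day (access must end by then)
TERMINATION_DATES = {
    "jdoe": date(2015, 5, 20),
}

# Constructed accounts still enabled on the mail system
ACTIVE_ACCOUNTS = {"jdoe", "asmith"}

# Constructed log: timestamp|sender|recipient|subject|body excerpt
MAIL_LOG = """\
2015-05-18T09:12:00|jdoe@example-hospital.org|billing@example-hospital.org|Claim 4471|DOB and MRN attached
2015-05-22T17:40:11|jdoe@example-hospital.org|jdoe.home@mailprovider.example|my files|SSN 123-45-6789 for appeal
2015-05-22T17:41:02|jdoe@example-hospital.org|records@city-agency.example|past work|patient list attached
2015-05-23T08:02:45|asmith@example-hospital.org|asmith@example-hospital.org|reminder|staff meeting 10am
"""

# US SSN pattern; a real DLP rule set would also cover MRNs, DOBs, etc.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def parse_line(line):
    """Split one log line into its fields; date is taken from the ISO timestamp."""
    ts, sender, rcpt, subject, body = line.split("|", 4)
    return {"day": date.fromisoformat(ts[:10]), "sender": sender,
            "rcpt": rcpt, "subject": subject, "body": body}


def account_of(addr):
    return addr.split("@", 1)[0].lower()


def is_external(addr):
    return not addr.lower().endswith("@" + ORG_DOMAIN)


def audit(log_text, terminations):
    """Return (finding, account, day, recipient) tuples, one per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = parse_line(raw)
        acct = account_of(m["sender"])
        last_day = terminations.get(acct)
        # Rule 1: any mail sent after the last working day means access was not revoked
        if last_day is not None and m["day"] > last_day:
            findings.append(("ACCESS_AFTER_TERMINATION", acct,
                             m["day"].isoformat(), m["rcpt"]))
        # Rule 2: ePHI-like content leaving the organization
        if is_external(m["rcpt"]) and SSN_RE.search(m["subject"] + " " + m["body"]):
            findings.append(("EPHI_TO_EXTERNAL", acct,
                             m["day"].isoformat(), m["rcpt"]))
    return findings


def stale_accounts(active, terminations, today):
    """Accounts still enabled although their termination date has passed."""
    return sorted(a for a in active
                  if a in terminations and terminations[a] < today)


if __name__ == "__main__":
    for f in audit(MAIL_LOG, TERMINATION_DATES):
        print(*f)
    print("still enabled:", stale_accounts(ACTIVE_ACCOUNTS, TERMINATION_DATES,
                                           date(2015, 5, 25)))
```

Run nightly against the real mail gateway export and the HR feed, the two rules give an objective check that items 2 and 7 of the list above are actually being carried out.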

Minimize data breaches due to unintentional employee action
Fri, 01 May 2015 02:37:47 GMT
http://www.kinarainsights.com/blog/minimize-data-breaches-due-to-unintentional-employee-action

Loss of confidential data due to unintentional employee action leads to numerous data breaches every year. Partners Healthcare of Massachusetts recently reported a data breach that affected about 3300 patients. According to the report, “the breach happened when some Partners employees responded to phishing e-mails, which allowed unauthorized access to their e-mail accounts within the Partners Healthcare network. Some of the e-mails contained private patient information, including Social Security numbers, addresses, phone numbers, and information about medical treatments and health insurance.”

The easiest way for a cybercriminal to steal confidential data is by stealing employee login credentials, i.e. user name and password. Cybercriminals get unsuspecting employees to reveal their login credentials to corporate email accounts and other important applications by posing as a trustworthy entity. This practice is known as “phishing”. For example, criminals might send emails that look as if they came from a sender you recognize and trust. Usually the tone of the message suggests that something is wrong with your account and provides a link for you to click on in order to rectify the problem. Clicking this link takes you to a form that prompts you to verify your login credentials. An unsuspecting employee provides this information without realizing that he/she has just handed it to a cybercriminal, who can then access and steal sensitive personal and corporate data.

Here is an example of what a phishing scam in an email message might look like (Microsoft Security Center: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx).

Employees can become the weakest link in the security chain. Increase employee awareness of phishing scams and other potential data breach scenarios in your healthcare organization through regular employee training on data security. Periodic reinforcement of best security practices and policies, coupled with appropriate use of security tools, is the only way a healthcare organization can lower the risk of a data breach.

Is your healthcare / dental practice inviting data breach trouble?
Mon, 30 Mar 2015 22:15:53 GMT
http://www.kinarainsights.com/blog/is-your-healthcare-dental-practice-inviting-data-breach-trouble

Healthcare data breaches have been in the news quite a lot lately. Unfortunately this alarming trend does not show signs of slowing down. In fact all signs point to the fact that an increasing number of healthcare organizations will experience a data breach this year. As a healthcare administrator or a practice owner, the following facts should be a cause for concern:
  • Healthcare organizations accounted for 42% of reported data breaches in 2014 (Identity Theft Resource Center - Data Breach Reports 2014)
  • Data breaches are expected to increase in 2015, with cybercriminals increasingly targeting healthcare practices (Experian 2015 Data Breach Industry Forecast)
  • Humans are the weakest link in the security chain. Employees are the leading cause of data breaches, with 59% of security incidents last year attributed to people-based breaches.
  • Theft or loss of laptops, USB memory sticks and other mobile devices containing ePHI is the most common cause of data breaches.
  • Cost of a data breach per record is around $300 for a healthcare organization. This includes HIPAA fines, legal fees, remediation costs, loss in revenue, etc. For a dental practice with 2000 patients, it could be ~$600K, which is substantial.
  • Medical identity theft jumped 22 percent in 2014 from previous year and affected more than 500,000 people (Ponemon Institute - Fifth Annual Study on Medical Identity Theft).
  • Average cost to victims was $13,500 in legal and other expenses to resolve these fraud cases.
  • 48% of survey respondents indicated that they would consider changing their healthcare provider if their records were breached.

How prepared is your organization to safeguard your confidential patient data?

Protecting patient data and preventing data breaches at your healthcare / dental practice is an ongoing process. It takes a combination of technology, policies, process and training. Following these security best practices can help prevent or minimize loss of patient data and also bring your organization into compliance with the HIPAA Security Rule:
  1. Conduct a risk analysis to identify and mitigate risks to your ePHI (electronic protected health information).
  2. Encrypt ePHI stored on servers, desktops, laptops, tablets and smartphones.
  3. Use secure end-to-end encryption to email ePHI.
  4. Use secure messaging services to send ePHI and do not use regular SMS texting, which is insecure.
  5. Proactively monitor and manage computer systems / network for viruses, malware and other intrusions.
  6. Implement appropriate data backup and disaster recovery solutions to protect your data in the event of disruptive situations such as natural disasters or server failures.
  7. Implement security policies and procedures that employees must follow to safeguard ePHI.
  8. Conduct regular HIPAA security training for employees to increase awareness of data security, compliance and an appreciation of the disastrous consequences of data breach.

Protecting Patient Data in Skilled Nursing Facilities (SNFs)
Fri, 27 Feb 2015 15:52:34 GMT
http://www.kinarainsights.com/blog/protecting-patient-data-in-skilled-nursing-facilities-snfs

I recently had the privilege of being a guest speaker at the Harmony 2014 Interdisciplinary Health Care Symposium at the Foxwoods Casino Resort in Connecticut. This yearly event is a must attend for anyone working in Long Term Care. It is organized by Harmony Healthcare International (HHI), which is a premier Long Term Care consulting firm specializing in Medicare reimbursement and compliance.

My talk focused on the security of electronic health information in nursing homes, especially HIPAA Security Rule compliance, data breach consequences and the steps that nursing homes must take to prevent or minimize the risk of a data breach at their facilities.

During the conference I got a chance to sit down with Kris Mastrangelo, the CEO and President of Harmony, for a short discussion on the importance of keeping patient data secure in SNFs. Here’s the video of the chat.

Conducting a proper HIPAA security risk analysis in your healthcare or dental practice
Thu, 29 Jan 2015 21:30:18 GMT
http://www.kinarainsights.com/blog/conducting-a-proper-hipaa-security-risk-analysis-in-your-healthcare-or-dental-practice

Conducting a risk analysis is a required implementation specification under the HIPAA Security Rule for all healthcare covered entities (which includes almost all small and large physician offices, dental practices and hospitals) and their business associates. Yet many healthcare practices do not conduct a risk analysis as per the recommended guidelines, or assume incorrectly that they have performed one based solely on a vulnerability scan conducted by their IT staff or service provider. This blog outlines the essential steps of a proper risk analysis and also dispels some common misconceptions that many healthcare practices have regarding risk analysis.

Even though there is no one-size-fits-all blueprint for conducting a risk analysis that fits all healthcare organizations, the HIPAA Security Rule risk analysis methodology is based on the guidance and best practices outlined in these two publications: NIST SP 800-30 Rev1: Guide for Conducting Risk Assessments, and NIST SP 800-66 Rev1: An Introductory Guide for Implementing the HIPAA Security Rule. You can also view this short video: http://www.healthit.gov/providers-professionals/video/security-risk-analysis

Understanding how to conduct a proper risk analysis is key to protecting the patient data or electronic protected health information (ePHI) in your practice. The essential steps of the risk analysis process are:
  1. Identify and document all assets, including mobile devices, that may create, receive, store or transmit ePHI. This should encompass ePHI on all devices including workstations, servers, mobile devices like laptops, smartphones and tablets, and removable media like USB memory sticks, CDs, etc.
  2. Document what kind of data resides on which device.
  3. Identify and document potential threats and vulnerabilities to each ePHI repository. For example: the theft or loss of a laptop is a threat; the vulnerability to the data could be the lack of a strong password or of encryption.
  4. Assess current security measures in place to prevent loss of ePHI.
  5. Determine the probability or likelihood of the threat occurring. In the case of mobile devices, this threat occurrence is very high.
  6. Determine the potential impact of the threat occurrence.
  7. Based on the likelihood of threat occurrence and its potential impact, determine the level of risk associated with each mobile device containing ePHI.
  8. Determine additional security steps that can be taken to lower the risk.
  9. Document the risk analysis.
  10. Conduct annual risk analysis reviews and make necessary changes to the existing security measures as required.
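The ten steps above can be captured in a small risk register so that the pre- and post-mitigation ratings are documented rather than assumed. The block below is an added example, not code from the original post or from NIST: it rates two constructed assets (the ePHI laptop used as the example in step 3, and a server in an unlocked room like the one in the earlier facility-visit post) with a simple three-level likelihood/impact matrix, then records an additional safeguard for each and recomputes the residual risk. The scale, the matrix thresholds and the sample assets are assumptions for illustration, not the SP 800-30 tables.

```python
"""Added example (not from the original post): a minimal ePHI risk register
following the ten steps above. The 3x3 likelihood/impact matrix, its
thresholds and the sample assets are assumptions for illustration."""
from dataclasses import dataclass, replace

LEVELS = {"low": 1, "medium": 2, "high": 3}
RANK = {"high": 0, "medium": 1, "low": 2}   # sort order for the report


def risk_level(likelihood, impact):
    """Step 7: combine likelihood and impact into a risk rating.
    Assumed matrix: product 1-2 -> low, 3-4 -> medium, 6-9 -> high."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class RiskItem:
    asset: str            # step 1: device/repository holding ePHI
    data: str             # step 2: what ePHI resides on it
    threat: str           # step 3
    vulnerability: str    # step 3
    controls: tuple = ()  # step 4: measures already in place
    likelihood: str = "medium"  # step 5
    impact: str = "medium"      # step 6

    def risk(self):
        return risk_level(self.likelihood, self.impact)


def apply_control(item, control, likelihood=None, impact=None):
    """Step 8: add a safeguard and the residual likelihood/impact it yields.
    Returns a new item so the original rating stays documented (step 9)."""
    return replace(item,
                   controls=item.controls + (control,),
                   likelihood=likelihood or item.likelihood,
                   impact=impact or item.impact)


def build_register():
    """Constructed sample register for a small practice (assumed values)."""
    laptop = RiskItem(
        asset="Front-desk laptop", data="patient demographics, SSNs",
        threat="theft or loss of device",
        vulnerability="no full-disk encryption, weak password",
        controls=("screen lock",), likelihood="high", impact="high")
    server = RiskItem(
        asset="EHR server", data="full medical records",
        threat="physical theft from server room",
        vulnerability="exterior door left unlocked",
        controls=("door lock installed",), likelihood="medium", impact="high")
    return [laptop, server]


def mitigate(register):
    """Step 8 applied: encryption removes the data exposure if the laptop is
    lost (impact -> low); a written check-the-door policy lowers the chance
    of theft (likelihood -> low)."""
    plan = {
        "Front-desk laptop": ("full-disk encryption + strong passphrase", None, "low"),
        "EHR server": ("policy: designated staff verifies door is locked daily", "low", None),
    }
    return [apply_control(it, *plan[it.asset]) if it.asset in plan else it
            for it in register]


def report(register):
    """Rows of (asset, likelihood, impact, risk), highest risk first."""
    rows = [(it.asset, it.likelihood, it.impact, it.risk()) for it in register]
    return sorted(rows, key=lambda r: RANK[r[3]])


if __name__ == "__main__":
    before = build_register()
    for row in report(before):
        print("before:", *row)
    for row in report(mitigate(before)):
        print("after: ", *row)
```

Keeping both registers (before and after) is the documentation step 9 asks for, and re-running the script with updated inputs is the annual review in step 10.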

It is also important to avoid the following common misconceptions regarding a HIPAA Risk Analysis:

Risk Analysis (RA) is only an IT risk analysis: RA evaluates the impact of loss of ePHI or confidential patient information on the healthcare business. A thorough risk analysis examines the threats and vulnerabilities to the electronic protected health information stored in an organization’s computer systems (data at rest) and when it flows within a corporate network or outside it (data in motion). It seeks to determine the level of risk to the data, taking into consideration the likelihood of occurrence of potential threats and their business impact on the organization. Needless to say, a higher probability of occurrence and a higher impact lead to a higher degree of risk to the organization.

RA takes into account the administrative, physical and technical safeguards that the organization has in place to ensure the security of ePHI. It covers the people, policies, processes and technology in place at an organization and helps healthcare organizations identify and address vulnerability gaps in their ePHI security.

Risk Analysis is a one-time event: Organizations change over time. Technology is constantly updated, people leave, new employees join, etc. RA needs to be conducted/reviewed on a regular basis, preferably annually or when major changes occur within an organization. Security measures may need to be updated, new policies implemented and additional security training for staff might be required.

Risk Analysis is the responsibility of the IT department alone: RA should involve not only the IT personnel, but also senior management. One person, preferably in senior management, should be named the Chief Security Officer and be held accountable for all ePHI security and compliance activities.

Risk Analysis is optional: RA is a primary implementation specification under the Security Management Process standard of the HIPAA Security Rule and is also a core measure under the meaningful use attestation process.

Based on the findings of the risk analysis, a healthcare/dental practice can develop and implement reasonable and appropriate policies to protect the confidentiality, integrity and availability of ePHI in their organizations.

How safe is your personal data with your employer?
Wed, 24 Dec 2014 15:32:47 GMT
http://www.kinarainsights.com/blog/how-safe-is-your-personal-data-with-your-employer

The recent data breach at Sony Pictures Entertainment (SPE) is really bad for so many people on so many different levels. The enormous amount of data that the hackers stole includes business data and personal information of employees such as social security numbers, names, passport numbers, and credit card information. In addition it also includes HIPAA protected health information such as date of birth, claims appeals information (including diagnosis and disability code) submitted to SPE by employees, home address, member ID information in SPE health plans, and health or medical information provided by employees to SPE outside of SPE health plans.

Imagine the plight of the affected employees. Just about all their confidential banking, legal and medical data has been compromised. They are susceptible to potential financial losses as well as social ramifications if their sensitive health information is made public. Sony Pictures on their part is in a whole boatload of legal, financial and regulatory trouble. The data breach costs will run in the millions of dollars. This scenario can easily unfold in a healthcare organization given that many of them do not have adequate security measures in place to protect sensitive patient as well as employee data and business data.

Employees need to feel secure that their employer is taking appropriate and reasonable measures to protect their confidential data. What can healthcare organizations do to instill that sense of confidence in their employees, clients and business partners?

As with any business strategy or philosophy, it always starts at the top. The CEO and the senior management team need to make data security a business priority and commit to a culture of data security in their organization. It is not what they say but what they do that matters. Understanding where security vulnerabilities exist within their computer systems and their network through a comprehensive risk analysis is a great start. Appropriate access and audit controls for authorizing and monitoring ePHI access need to be implemented, regularly reviewed and updated as required. The data security policy has to be clearly spelled out and documented. It must be reinforced through regular security and HIPAA compliance training and appropriate sanctions for non-compliant behavior.

Senior management should also encourage employees to report any potential data breach scenarios to upper management. Employees should be able to do this anonymously if they so choose. Many former SPE employees have stated that they aren’t surprised by the data breach at all, knowing the data security situation at SPE. Many employees had brought their data security concerns to management, but nothing significant was done to address those concerns. This kind of management attitude needs to change.

Investment in data security is routinely looked upon as an expense, as it does not directly add to the bottom line. The importance of data security measures is only apparent after a data breach. As medical records become increasingly electronic, the threat of a data breach also increases exponentially. It is a matter of when, not if. The fact that most healthcare organizations, including physician practices and dental offices, do not have adequate security measures in place makes them easy and attractive targets for cybercriminals. Even a small physician or dental office is a treasure trove of personal information that can be exploited by criminals, resulting in disastrous consequences for the practice and its patients. Hopefully the recent Sony data breach and others at Target and Home Depot will serve as a wakeup call for senior management in healthcare organizations to make data security and HIPAA compliance a business priority.

$150,000 HIPAA Penalty - Unpatched and Unsupported Software
Thu, 11 Dec 2014 16:28:56 GMT
http://www.kinarainsights.com/blog/150000-hipaa-penalty-unpatched-and-unsupported-software

Just came across this HHS bulletin:

“Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.”

ACMHS suffered a data breach of its electronic protected health information (ePHI) that affected 2743 individuals, due to malware compromising the security of its information systems. The OCR investigation found that the ACMHS “security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software”.

So what is an example of unsupported, unpatched and outdated software? Windows XP is the prime example. Microsoft ended support for Windows XP in April 2014, which means that it no longer provides security updates for Windows XP. This leaves all computers and other medical devices running XP exposed to malware and viruses that can infect the operating system and steal information, resulting in data breaches. Despite repeated warnings from Microsoft and security experts, a significant number of healthcare organizations are still using Windows XP.

The threat to healthcare data from hackers is real and is rapidly increasing with time. According to Experian’s 2015 Second Annual Data Breach Industry Forecast, data breaches in healthcare are expected to increase in 2015 due to potential economic gain and the digitization of records. A healthcare organization is a gold mine of personal information for cyber criminals. This, coupled with the fact that the healthcare industry as a whole is way behind other industries in securing its confidential data, makes healthcare organizations prime targets for criminals.

It does not matter whether you are a small healthcare practice or a large hospital. All Windows users must migrate to Windows 7 or Windows 8 operating systems which have enhanced security features and receive regular security updates. This will mean an investment in new hardware and/or software. Yes, it will take time, money and resources, but it is well worth the effort. A few thousand dollars spent now will prevent the loss of hundreds of thousands of dollars later.