Tag Archives: HIPAA

[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards

By Elizabeth Snell
Health IT Security
June 26, 2015

HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance. As previously mentioned, HIPAA technical safeguards are an important part of keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential.

What are HIPAA technical safeguards?

The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics. […]





[ISN] Coast Guard Needs Better PHI Security, Says OIG Report

http://healthitsecurity.com/news/coast-guard-needs-better-phi-security-says-oig-report

By Elizabeth Snell
Health IT Security
May 21, 2015

The US Coast Guard (USCG) must do a better job in its PHI security measures, according to a recent report from the Office of the Inspector General (OIG). Specifically, USCG lacks a strong organizational approach to resolving privacy issues, the report stated, which leads to the agency having challenges when it comes to effectively protecting PHI. “We evaluated the safeguards for sensitive personally identifiable information and protected health information (privacy data) maintained by USCG,” OIG explained in its report. “Our objectives were to determine whether the USCG’s plans and activities instill a culture of privacy and whether the USCG ensures compliance with the Privacy Act of 1974, as amended, [HIPAA], and other privacy and security laws and regulations.” OIG outlined five areas that USCG needs to resolve in order to improve its PHI security: […]



[ISN] EHR audit catches snooping employee

http://www.healthcareitnews.com/news/ehr-audit-catches-snooping-employee

By Erin McCann
Managing Editor
Healthcare IT News
January 26, 2015

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients’ confidential information, as one California hospital has observed this past week. Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients’ medical data for an entire year. The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first discovered only 14 individuals had had their PHI compromised. Following an “expanded investigation,” hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes. […]



[ISN] Why Healthcare Security Will Benefit From Collaboration

http://healthitsecurity.com/2014/12/08/healthcare-security-will-benefit-collaboration/

By Elizabeth Snell
Health IT Security
December 8, 2014

With cyber threats on the rise, healthcare security systems must keep pace in order to best protect patient data, as well as their own clinical information. One of the best ways to do that is with organizations working together and communicating strategies to one another, according to Lynne Dunbrack, research president of IDC Health Insights. Dunbrack authored the recent IDC “Business Strategy: Thwarting Cyber Threats and Attacks Against Healthcare Organizations” report, and discussed the findings with HealthITSecurity.com. “You’re as strong as your weakest link,” Dunbrack said. “It means you’re sharing data more and there are more opportunities for data breaches if it’s not well-secured. There is a balance that healthcare organizations need to seek.” With more medical records being implemented into EHRs and more facilities using health information exchanges (HIEs) and other innovations, it’s crucial for organizations to balance healthcare security with new technology. As facilities make investments they also need to ensure they have the appropriate business associate agreements (BAAs) in place, Dunbrack said. Moreover, it’s important to monitor risk assessments and that all covered entities and their connected business associates (BAs) are complying with HIPAA privacy and security requirements. […]



[ISN] Why Health Data Security Still Has Catching Up To Do

http://healthitsecurity.com/2014/11/17/health-data-security-still-catching/

By Elizabeth Snell
Health IT Security
November 17, 2014

There is no question that the healthcare industry and its subsequent health data security options have made great strides over the last several years. However, with cyber thieves more interested than ever before in medical information, it is essential for healthcare organizations to go beyond the standard HIPAA compliance standards. Mark Ford, Principal of Deloitte Cyber Risk Services, specializes in the healthcare industry and discussed the current cyber threats and health data security issues with HealthITSecurity.com. According to Ford, the healthcare sector has come a long way in the last five years alone. However, the industry is still behind others – such as manufacturing and financial services – in terms of implementing the necessary cyber risk prevention measures. “What I’ve seen over time is the industry is making progress,” Ford said. “It’s still kind of slow, it’s more reactive, and has a more compliant focus still. There’s a pretty significant gap between where they are today and where they ultimately need to be. The only way to close that gap is to obviously understand what it is and does to make sure they can lift themselves up to another level of maturity in the future.” For example, Ford explained that from the mid-1990s to the early 2000s, approximately 70 percent of the online threats to the healthcare industry were from insider threats. The rest was relegated to hacker threats. However, that has shifted as there are now different types of hackers. […]



[ISN] Email hack makes for HIPAA breach

http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack

By Erin McCann
Associate Editor
Healthcare IT News
October 14, 2014

An academic medical center in California is notifying patients of a HIPAA breach after officials discovered a physician’s email account had been hacked by an outside source. University of California Davis Health System has notified 1,326 patients that their protected health information, which was contained on this physician’s email account, was compromised. The breach, which occurred at UC Davis Medical Center, was discovered Sept. 26, according to patient notification letters mailed out. The email incident had occurred one day earlier. “Our IT team has undertaken a review of the event, but the exact root cause of the incident remains unknown. We do not see evidence of a phishing attack,” said Shara Merritt Reed, privacy program director at UC Davis Health System, in an emailed statement. “We hesitate to speculate but deduce the credentials were obtained by other means in order to utilize the account.” In a letter mailed to affected patients Reed explained that UC Davis providers use their emails for patient care purposes, specifically, for example, upcoming appointments, or patient care exchange for a consultation or referral. “When this happens, limited amounts of patient information may be included in the provider’s email account,” she explained in the letter. […]



[ISN] How are hospitals handling medical device security?

http://healthitsecurity.com/2014/09/30/how-are-hospitals-handling-medical-device-security/

By Patrick Ouellette
Health IT Security
September 30, 2014

Dale Nordenberg, moderator of the medical device security panel discussion at this year’s HIMSS Privacy and Security Forum, made an interesting point in saying that medical devices fit somewhere between BioMed, IT and security. Given the likelihood that they fall through the cracks, what are the best ways for healthcare organizations to monitor the risks associated with these devices? Nordenberg, a medical device expert, discussed security experiences and safeguard tactics with panelists Kristopher Kusche, VP of Information Services, Technology Services at Albany Medical Center, and Darren Lacey, Chief Information Security Officer (CISO) of Johns Hopkins University and Johns Hopkins Medicine. The first major topic of conversation was the manner in which Kusche approaches risk assessments for medical devices. Kusche said he had 20,000 medical devices across two hospitals, which outnumbers the 18,000 managed IT products, such as computers, the organization has on the network. As a Joint Commission accredited hospital, he said that Albany Medical Center has been assessing every device for risk for a long time because it was a Joint Commission requirement. The only major difference now is the addition of cybersecurity to that risk assessment. “When the FDA released its cybersecurity recommendations in June 2013, we took them to heart,” he said. “After having done full cybersecurity assessments for our IT components and systems for HIPAA, the next logical step was to perform assessments on medical devices.” […]



[ISN] Developers want mHealth security talks

http://www.healthcareitnews.com/news/developers-want-mhealth-HIPAA-security-talks

By Eric Wicklund
Editor, mHealthNews
September 18, 2014

App developers, who say they are being left out of important mHealth privacy and security conversations, are calling on the federal government to give them a little more transparency around the issues. In a letter to Congressman Tom Marino, R-Pa., several developers and the 5,000-member ACT/The App Association have asked to be brought up to date on mHealth regulations. They’ve also requested changes to the Health Insurance Portability and Accountability Act, or HIPAA, to make it more in tune with current technology. Specifically, the letter calls on the government to make existing regulations more accessible to developers, improve outreach to new companies in the mHealth space, and update “Security Rule Guidance Material” to help developers stay abreast of mobile implementations and standards. The letter was signed by ACT/The App Association, AirStrip, AngelMD, Aptible, CareSync and Ideomed. […]

