Thursday, 08 June 2017 12:23

Help Stop Hackers from Robbing Healthcare

By now you know that international ransomware attackers have hit health systems in the United States. While it is up to the technical staff in your organization to apply security measures, it is everyone's job to thwart thieves by recognizing and avoiding their traps, which are often hidden in seemingly harmless emails.

Keep in mind that hackers are smart, and it is their business to fool even the most conscientious employees who work close to patient information. That is why it is important to know the warning signs of ransomware.

Let’s start with some basics pertaining to email:

  • Beware of attachments or links in emails that are unsolicited or from a sender unknown to you. A malicious link can take you straight to a website the attacker uses to infect your computer, and from there the organization's other systems. Opening a malicious attachment can have the same effect.
  • Know that attackers may impersonate someone you know. Be extremely cautious of emails you are not expecting or that seem a little off. When in doubt, check with your supervisor or a tech before doing anything.
  • Make it a practice NOT to click on links or open attachments you are not expecting.
  • If the antivirus software your organization installed prompts you to update, do so. IT should make sure this happens automatically, but in reality that does not always happen. Be aware, though, that fake "update your antivirus" pop-ups in a web browser are a common malware lure: a genuine update prompt comes from the security software on your computer, not from a web page. When in doubt, ask a tech.

Of course, the goal is to avoid the schemes of hackers, who typically "kidnap" information by encrypting it and promise to release it back to its rightful owner in exchange for money. A joint study conducted by several security firms estimates that the creators of one form of ransomware, called CryptoWall 3.0, have extracted more than $325 million from victims since January 2015.

In the event you fall victim to a ransomware scheme, you should know the tell-tale signs of being hacked so that you can seek help right away. One common scenario: you click on a link or open an attachment and immediately realize it is suspicious. Get help, even if you are not 100 percent sure it is a problem.

Other indicators of ransomware include:

  • Unusual activity on your computer for no apparent reason, as the ransomware searches for, encrypts and removes data files.
  • An inability to access certain files as the ransomware encrypts, deletes, renames and/or relocates data.
  • Recently, attackers have been scanning the Internet for computers with remote access services that can reach patient information systems. Once connected, they try to guess passwords or look for backdoors to gain entry. Once they are in, they can operate just as if they were logged onto your system from its own monitor and keyboard.

So...

If you do not need remote access to a database containing patient information, disable the service on your computer. If you do need remote access, use it only as necessary, and make sure your password is next to impossible to guess. By now you may wonder what the odds are that you will encounter a ransomware threat. A recent U.S. Government interagency report indicates that, on average, there have been 4,000 ransomware attacks per day since early 2016. That is a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015!
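As an added example (not part of the original post or of OCR's alerts), here is a small Python script that checks a folder for the host-side indicators listed above: files renamed with extensions that ransomware families commonly append, file contents that look like random data (that is, encrypted), and a dropped ransom note. The extension list, the note-name pattern and the entropy threshold are assumptions chosen for the demonstration, and the folder it scans is constructed inline. Note the caveat built into the verdict: compressed archives and images legitimately look random, so high entropy alone is not treated as evidence of ransomware.

```python
"""Scan a directory snapshot for host-side indicators of ransomware activity."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, illustrative list of extensions ransomware families append to files.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".crypted", ".enc"}
# Assumed pattern for dropped ransom notes (HOW_TO_DECRYPT..., RESTORE_FILES.html, ...).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover|readme).*\.(txt|html?)$", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit around 4 to 6
SAMPLE_BYTES = 4096      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: Path) -> dict:
    """Collect the three indicators for every regular file under root."""
    findings = {"suspicious_ext": [], "ransom_notes": [], "high_entropy": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings["suspicious_ext"].append(rel)
        if RANSOM_NOTE_RE.search(path.name):
            findings["ransom_notes"].append(rel)
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict) -> str:
    """Combine signals: a zip or jpeg is high-entropy too, so require corroboration."""
    encrypted_and_renamed = set(findings["suspicious_ext"]) & set(findings["high_entropy"])
    if findings["ransom_notes"] or len(encrypted_and_renamed) >= 2:
        return "likely ransomware"
    if findings["suspicious_ext"]:
        return "suspicious"
    return "no indicators"


def build_sample_snapshot() -> Path:
    """Constructed sample data: a records folder caught mid-encryption."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    (root / "intake_notes.txt").write_text(
        "Patient arrived for follow-up; vitals stable; continue current medication.\n" * 8
    )
    (root / "backup_2016.zip").write_bytes(os.urandom(2048))  # legitimate, high entropy
    for name in ("chart_1041.docx", "chart_1042.docx", "billing_q1.xlsx"):
        (root / f"{name}.locked").write_bytes(os.urandom(2048))  # "encrypted" originals
    (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay to restore them.\n")
    return root


if __name__ == "__main__":
    snapshot = build_sample_snapshot()
    result = scan_directory(snapshot)
    for indicator, files in result.items():
        print(f"{indicator}: {files}")
    print("verdict:", verdict(result))
```

Run it as-is to see the constructed folder flagged as "likely ransomware"; point scan_directory at a real share to review it. On a real system, a finding like this is the point at which to stop and call IT rather than to keep working: the more files the process touches, the more there is to recover.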

That is why everyone needs to have an eagle eye out for the crooks.

Here are just a few other things to keep in mind:

  • Never allow a third party remote access to your computer unless the caller's identity can be verified directly through your organization or a verified Business Associate.
  • Do not trust unsolicited phone calls, and don’t give out information.
  • Do not download or purchase any unknown software or online services.
  • Follow safe practices when browsing the web - and don’t click on ads from unknown sources.
  • If you see any unauthorized people accessing patient information (including fellow employees), report the activity to your supervisor or a compliance manager.

Simple safety practices on everyone's part can thwart thieves so they can't do their dirty work. That is the goal, and it takes a community of dedicated workers to achieve it.

Note: Information included in this post has been compiled from email alerts distributed by the U.S. Office for Civil Rights (OCR) from May 12 through May 16, in response to international threats impacting healthcare. Reference material includes the February 2, 2016, and March 30, 2016 cyber awareness updates and a February 2017 newsletter, all from OCR, and a Ransomware Fact Sheet from the U.S. Department of Health and Human Services.

About the author: Diane Evans is Publisher of MyHIPAA Guide, a news and information service that gives organizations a clear and human-centered process for HIPAA compliance. Diane travels around Ohio and beyond, speaking on HIPAA-related topics and leading workshops in an interactive curriculum developed by the MyHIPAA Guide team.

Monday, 30 January 2017 08:42

2016 HIPAA cases give insights into HIPAA audits

With the onset of federally mandated enforcement of patient privacy laws, it’s a good time to review lessons from HIPAA cases announced in 2016. Common themes clearly prevail.

In reviewing these lessons, keep in mind that the feds continue to clarify the stricter rules in place since 2013 under the Health Insurance Portability and Accountability Act (HIPAA). Since federal audits began only last year, gray areas remain.

Here are some overriding messages from recent federal cases and news releases:

1. Risk Assessment

Make this a top priority, and include all remote facilities in your assessment. Also account for the security of mobile devices and data kept in the homes and cars of employees, including telecommuters. Multiple settlements drive home this point. Remember, too, that proper policies and procedures are part of risk analysis and mitigation.

Example: The case of St. Joseph Health (SJH), which operates hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, Texas and New Mexico. SJH agreed to pay $2.14 million in a settlement with the U.S. Office for Civil Rights (OCR), relating to a report that files containing electronic protected health information (ePHI) became publicly accessible through internet search engines from 2011 until 2012. A server SJH purchased included a file sharing application, and the default setting allowed anyone with an internet connection to access the data, potentially breaching the privacy of nearly 32,000 patients.

The feds said: Although SJH hired a number of contractors to assess risks and vulnerabilities, evidence indicated a “patchwork” approach falling short of “enterprise-wide risk analysis.”

2. Business Associate Agreements

Again, multiple cases reinforce this as a big priority. If any outside person or vendor can potentially access private information about your patients, you need to hold that vendor or individual to the same rules that apply to you, and you need formal agreements with them. Also know that HIPAA audits extend to business associates.

Example: The Archdiocese of Philadelphia agreed to pay $650,000 to settle potential privacy violations relating to the theft of a mobile device containing protected health information for 412 nursing home residents. In this case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities. The potential breach happened as a result of a theft of a CHCS-issued employee iPhone, which was unencrypted and not password protected. The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

The feds said: CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.

3. Smaller providers

You're on the hook, too. HIPAA-covered providers of all types and sizes are subject to audits. Last fall, OCR announced it is now working with its regional offices to "more widely investigate the root causes of breaches affecting fewer than 500 individuals." The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.

4. Insider threats

In a recent newsletter, OCR discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

Keep in mind that whenever patient information reaches unauthorized ears and eyes, nothing stops it from getting onto social media. And yes, that does happen, especially to patients who are most vulnerable and unsuspecting.

Friday, 27 January 2017 06:58

Feds release info on public health reporting

The feds have released a new fact sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health activities conducted by public health agencies, as authorized by state or federal law. The fact sheet offers examples of instances where sharing PHI supports public health policies.

You may find the new fact sheet on the federal government's website at: https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf

Monday, 07 November 2016 08:06

OPRA Attendees, here is your compliance charter

Thank you to all who attended the HIPAA compliance session last week in Columbus at the fall conference of the Ohio Provider Resource Association (OPRA). For the benefit of those who requested a copy of our Compliance Charter Template, the attachment is below as a Word document. The presentation is attached as well. Diane Evans, Publisher, MyHIPAA Guide

Wednesday, 02 November 2016 06:47

Read the CMS letter to nursing homes

If you haven't already, read the CMS memo to state survey agencies, ordering a crackdown on social media abuses. Policies aren't enough, the memo says. You also need ongoing, sustainable compliance plans.

Wednesday, 19 October 2016 06:29

Medicare, we're fact checking you!

By Diane Evans

Publisher, MyHIPAA Guide

If we “fact check” presidential candidates, why not also fact check Medicare? After all, Medicare’s newly announced physician-reimbursement plan will affect the health care coverage of more than 55 million Americans and will determine the kind of treatments that Medicare beneficiaries receive.

If you are enrolled in Medicare, this new paradigm means your particular treatment may be determined by statistics, presumably showing what has worked best for others like you. Of course, the success of such a data-driven approach depends on the quality of the data.

So, the very first question is: In moving away from fee-for-service payments to doctors in favor of so-called “value-based care,” will Americans benefit as Medicare promises? Let’s start fact checking!

In an open letter accompanying last week’s announcement, acting Medicare chief Andy Slavitt describes the government’s new approach as a “more modern, patient-centered program. . . promoting quality patient care while controlling escalating costs.’’ He further notes that by healthcare providers working cooperatively with Medicare, “we can all make real progress in improving the delivery of care in our country.”

In fact: The new system will award higher pay to doctors who base their medical decisions on “best practices” determined by statistics. However, health IT experts—including some in the federal government—warn that the technology simply isn’t available yet to do the high-quality data analysis necessary to standardize patient treatment plans. By the government’s own estimate in a report titled “Capturing High-Quality Electronic Health Records (EHR) Data to Support Performance Improvement,” the nation won’t have the advanced technology for such comprehensive data analysis until 2024.

In an Executive Summary explaining the new system, Medicare says that doctors can qualify for higher pay based in part on dispensing patient care according to models developed by private insurers or Medicaid programs. This is presented as a means of achieving higher quality care.

In fact: In a 2011 study, McKinsey & Company refers to transparency as a key precondition to improved healthcare delivery. Yet commercial entities (such as big insurers) don’t readily reveal data for the sake of transparent analysis of best health care treatments. Says McKinsey: “Even in the United States, where health care data is abundant, political and commercial considerations have hindered attempts to use public reporting to drive outcome improvements.”

In addition, the government’s own report, “Capturing High Quality” (referenced above), points to the risks of deciding care based on unsubstantiated data. In one example, the report points to a federally funded project in Rhode Island that set out to improve the health of diabetes patients. However, researchers discovered data quality issues due to missing or inaccessible data or wide, inexplicable variations in outcomes.

The Capturing High Quality report concludes that “as the industry moves toward value-based reimbursement — reimbursement based on quality and cost measures — improving the quality of the data used for measurement is imperative.”

In his letter, Andy Slavitt explains plans for an information superhighway in healthcare, saying the focus is on “measures that support hospitals and physicians safely and securely exchanging information.”

In fact: Earlier this month, the federal agency responsible for healthcare technology hosted a webinar to address what the agency called the “important safety topic” of EHR usability. The webinar featured Dr. Andrew Gettinger, Executive Director of the federal Office of Clinical Quality and Safety, and leaders of the Pew Charitable Trusts, which has studied EHR usability. The issues covered in the webinar are summed up on Pew’s website and include this warning:

“Although the United States has invested tens of billions of dollars to encourage providers to adopt electronic health records, many clinicians have found that these systems have poor ‘usability.’ EHRs can put patients at risk of medical error, do little to enhance clinical care, and increase the time clinicians spend documenting patient care. Indeed, one study found that 15 percent of physicians reported that their EHR had caused a potential medication error within the past month.”

Other evidence supports Pew’s findings. Examples include:

  • Earlier this year, the Journal of AHIMA reported on survey results indicating widespread problems in accurately matching individuals with their healthcare records. Duplicate records commonly exist, creating greater likelihood of errors in treating people.
  • Last year, in a joint letter to the U.S. Department of Health and Human Services, 36 professional associations raised questions about the very security of patient information contained in EHRs. In the letter, the associations raised concerns about poorly functioning EHRs resulting in “medical record errors, inaccurate documentation, lack of interoperability, slow performance, lost patient information, and safety concerns.”

In the case of Medicare, the point of this exercise goes beyond half-truths and pertinent omissions. The issue here is one of medical ethics. If America lacks the technology for standardized patient care based on statistical analysis, then premature demands to move in this direction put the very health of Americans at unnecessary risk. Like the project in Rhode Island, the statistics used to determine patient treatments may be flawed. And yet doctors stand to make more money by playing along – dispensing care according to statistical outcomes that may or may not be valid. All the while, those physicians who buck the system face financial penalties.

In his letter last week, Andy Slavitt extols Medicare for “becoming more open, transparent and responsive (and) committed to paying close attention to the impact of our policies on care delivery.”

Really? Mr. Slavitt, please look Americans in the eye and explain.

Diane Evans is Publisher of MyHIPAAGuide.com, a news and information service that offers healthcare providers a clear program for HIPAA compliance, plus personal support in achieving compliance. In addition to regular updates, MyHIPAAGuide.com has cataloged 50+ carefully picked federal government resources, including templates for security policies and procedures and risk assessment tutorials.

Tuesday, 11 October 2016 13:41

Medicare, you flunk the Hippocratic test

By Diane Evans

Publisher, MyHIPAA Guide

In a great paradox of 21st Century medicine, none other than Medicare is a violator of the timeless standard of medical ethics expressed in the Hippocratic rule: First do no harm.

The worst part? It’s that bonuses paid to physicians, from Medicare and Medicaid, are tied to activities that may actually harm some patients.

The issue relates to Electronic Health Records (EHRs). No question, electronic data holds the potential to greatly improve patient treatments based on proven results. However, it is also true that bad data can result in deadly mistakes. And therein lies the problem.

Currently, Medicare is pushing doctors to enter data and make medical decisions based on statistical analysis. Yet at the same time, health IT experts -- including some in the federal government -- are warning of hazards caused by shortcomings in EHR technology. The technology simply isn’t available yet to do the high-quality data analysis that Medicare is demanding prematurely.

Earlier this month, the federal agency responsible for healthcare technology hosted a webinar to address what the agency called "this important safety topic" of EHR usability. The webinar featured Dr. Andrew Gettinger, Executive Director of the federal Office of Clinical Quality and Safety, and Drs. Peter Pronovost and Josh Rising from the Pew Charitable Trusts. The issues covered in the webinar are summed up on Pew's website and include this warning:

“Although the United States has invested tens of billions of dollars to encourage providers to adopt electronic health records (EHRs), many clinicians have found that these systems have poor ‘usability.’ EHRs can put patients at risk of medical error, do little to enhance clinical care, and increase the time clinicians spend documenting patient care. Indeed, one study found that 15 percent of physicians reported that their EHR had caused a potential medication error within the past month.”

Fifteen percent within a month? That raises a huge question of how many people are being harmed - right now, today -- without anybody knowing about it.

In a blog post earlier this year, Kaiser Health News reported on the ease of medical mistakes happening with the slip of a mouse, creating particular concern in rushed emergency-room situations.

In a book on this topic, “The Digital Doctor: Hope, Hype and Harm at the Dawn of Medicine’s Computer Age,” Dr. Bob Wachter, Chief of Hospital Medicine at University of California San Francisco and the “Father of Hospitalist Medicine,” documents some of the harrowing real-life stories.

In one such incident, a teen narrowly escaped death following a hiccup in data processing. As happens routinely, a resident physician needed to change her original medication order for a boy named Pablo Garcia. When she typed in 160 mg, thinking that was the correct dose to be dispensed, the system recorded it as 160 mg/kg. This, plus a series of seemingly minor events, culminated in Pablo taking a gigantic dose of pills.

In July 2015, in an effort to identify the root causes of EHR problems such as this, Pew Charitable Trusts, in collaboration with the Johns Hopkins Armstrong Institute for Patient Safety and Quality, convened a meeting of 70 experts, including EHR vendors, hospital representatives, clinicians, and patient safety advocates.

Following the meeting, Pew identified three primary issues:

1. Some EHR makers don’t fully assess usability of their products before delivering them to hospitals and doctors’ offices.

2.  There are no universal standards for measuring the safety and performance of EHR systems.

3. Healthcare providers fear the consequences of violating gag clauses that prohibit disclosure of problems involving their EHRs.

This latter point, relating to gag clauses commonly found in EHR contracts with health providers, means that the public can’t even intelligently assess the current state of EHR technology -- even though $30 billion in federal tax dollars subsidized the installation of EHRs!

Indeed, evidence is stacked high in support of everything Pew says.

Some examples:

  • A 2016 report by the nonprofit National Quality Forum (NQF) called for a coordinated effort to reduce risks associated with electronic health records, starting with an assessment of how well providers, vendors, and others are addressing IT-related safety concerns.
  • Also this year, the Journal of AHIMA reported on survey results indicating widespread problems in accurately matching individuals with their healthcare records. Duplicate records commonly exist, creating greater likelihood of errors in treating people.
  • In 2015, 36 professional associations raised questions about the very security of patient information contained in EHRs. In a letter to the feds, the associations raised concerns about poorly functioning EHRs resulting in “medical record errors, inaccurate documentation, lack of interoperability, slow performance, lost patient information, and safety concerns.”

Against this backdrop, Medicare persists in giving financial rewards to physicians for how well they score, by Medicare's standards, in the use of EHRs. And the score-keeping gets into the minutiae of everyday routines. For example, physicians get points (which can turn into real money) for generating and transmitting prescriptions electronically.

The end goal, ideally, is about creating a system that rewards doctors for treating patients based on best practices that can be confirmed by data.

However, at the moment, there is a foundational problem: The nation won’t even have the advanced technology for such comprehensive data analysis until 2024. That is by the government’s own estimate in a 2013 report titled, “Capturing High Quality Electronic Health Records Data to Support Performance Improvement.”

The report points to highly functioning EHRs as key to the implementation of payment reform tied to performance measures. It notes that “as the industry moves toward value-based reimbursement—reimbursement based on quality and cost measures—improving the quality of the data used for measurement is imperative.”

Meanwhile, contrary to red flags, Medicare keeps pressuring doctors to step up usage of EHRs in return for higher pay. Right now. Today.

If the functionality of EHR systems is in question, which it clearly is, then Medicare fails the Hippocratic test by forcing these systems to serve purposes they are currently incapable of serving. The only question is: In the process of data entry, how many people are suffering undocumented harm?

In a recent newsletter, the U.S. Office for Civil Rights (OCR) discussed the "insider threat" as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

According to a survey conducted by the federal government, CSO Magazine, and Deloitte, common e-crimes committed by insiders include:

  • Unauthorized access to or use of organization information
  • Exposure of private or sensitive data
  • Installation of viruses, worms, or other malicious code

OCR says organizations should:

  • Consider insider threats in enterprise-wide risk assessments.
  • Document and enforce policies and controls.
  • Create awareness of insider threats in security training for employees.
  • Monitor and respond to suspicious or disruptive behavior.
  • Anticipate and manage negative issues in the work environment.
  • Implement strict password and account management policies and practices.
  • Enforce separation of duties and necessary-only access to PHI.
  • Define security in all cloud-services agreements, especially relating to access restrictions and monitoring capabilities.
  • Institute access controls and monitoring policies on privileged users.
  • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  • Monitor and control remote access from all points, including mobile devices.
  • Develop a comprehensive employee termination procedure.
  • Implement secure backup and recovery processes.
  • Formalize an insider threat program.
  • Establish a baseline of normal network device behavior.
  • Be especially vigilant regarding social media.
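As an added example (not part of OCR's guidance or of the original post), the following Python script shows the kind of review a log correlation engine or SIEM performs against EHR access audit records, applying two of the controls in the list above: a baseline of each user's normal activity, and necessary-only access to PHI. The audit-record format, the user and patient identifiers, the unit names and the threshold (three times the user's own daily baseline) are all assumptions chosen for the demonstration, and the audit lines are constructed inline.

```python
"""Baseline-and-deviation review of EHR access audit records (SIEM-style)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    unit: str          # unit the user is assigned to
    patient_id: str
    patient_unit: str  # unit the patient is admitted to


BASELINE_MULTIPLIER = 3.0  # assumed: alert when a day exceeds 3x the user's own history
MIN_BASELINE_DAYS = 3      # assumed: need this much history before judging a day
CLINICAL_ROLES = {"nurse", "physician"}


def parse_log(lines):
    """Parse the constructed pipe-delimited audit format into AccessEvent objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, unit, patient_id, patient_unit = [f.strip() for f in line.split("|")]
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, unit, patient_id, patient_unit))
    return events


def find_volume_anomalies(events):
    """Compare each user-day's distinct patient count against that user's prior days."""
    per_user_day = defaultdict(set)
    for e in events:
        per_user_day[(e.user, e.ts.date())].add(e.patient_id)
    by_user = defaultdict(dict)
    for (user, day), patients in per_user_day.items():
        by_user[user][day] = len(patients)
    alerts = []
    for user, days in by_user.items():
        for day, count in sorted(days.items()):
            history = [c for d, c in days.items() if d < day]
            if len(history) < MIN_BASELINE_DAYS:
                continue  # not enough history to call anything abnormal yet
            baseline = mean(history)
            if count > BASELINE_MULTIPLIER * baseline:
                alerts.append({"rule": "volume", "user": user, "day": day.isoformat(),
                               "count": count, "baseline": round(baseline, 1)})
    return alerts


def find_out_of_unit_access(events):
    """Necessary-only access: clinical staff opening charts outside their assigned unit."""
    return [{"rule": "out_of_unit", "user": e.user, "patient_id": e.patient_id, "ts": e.ts.isoformat()}
            for e in events if e.role in CLINICAL_ROLES and e.unit != e.patient_unit]


def review(lines):
    events = parse_log(lines)
    return find_volume_anomalies(events) + find_out_of_unit_access(events)


def build_sample_log():
    """Constructed audit lines: 'timestamp | user | role | user_unit | patient | patient_unit'."""
    lines = ["# ts | user | role | unit | patient | patient_unit"]
    # Three ordinary shifts: the ICU nurse charts on four ICU patients each day.
    for day in (1, 2, 3):
        for n in range(4):
            lines.append(f"2017-05-0{day}T08:{10 + n:02d}:00 | rn.alvarez | nurse | ICU | P10{n} | ICU")
    # Day four, late evening: the same account opens fifteen charts, one on the maternity unit.
    for n in range(14):
        lines.append(f"2017-05-04T22:{n:02d}:00 | rn.alvarez | nurse | ICU | P2{n:02d} | ICU")
    lines.append("2017-05-04T22:30:00 | rn.alvarez | nurse | ICU | P9001 | MAT")
    # A physician on the same unit with steady, unremarkable activity.
    for day in (1, 2, 3, 4):
        lines.append(f"2017-05-0{day}T09:00:00 | dr.chen | physician | ICU | P100 | ICU")
    return lines


if __name__ == "__main__":
    for alert in review(build_sample_log()):
        print(alert)
```

The volume rule deliberately compares each account only against its own history, since a physician's normal day looks nothing like a records clerk's; a single organization-wide threshold would either miss the snooping nurse or bury the reviewer in noise. The out-of-unit rule is the audit-log view of "necessary-only access to PHI" and produces the short list a compliance manager can actually follow up on.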

The U.S. Office for Civil Rights (OCR) says it is now working with its regional offices to "more widely investigate the root causes of breaches affecting fewer than 500 individuals." The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.

Among other things, regional investigators will look for incidents involving improper disposal or theft of unencrypted Protected Health Information (PHI), and inappropriate access to IT systems.

Here are examples of settlements in smaller breaches:

Catholic Health Care Services, relating to a business associate’s failure to safeguard nursing home residents’ PHI: $650,000.

St. Elizabeth’s Medical Center, relating to allegations that staff used an internet-based, document-sharing application to store PHI without having analyzed risks: $218,400.

Hospice of North Idaho, relating to an unencrypted laptop computer containing the electronic protected health information: $50,000.

While HIPAA rules require regular training of staff, it's not enough to simply go through the motions of attending a lecture or watching a video. HIPAA education should address the things that staff members working with ePHI really need to know. And it should be reinforced often.

Here are resources from MyHIPAA Guide that can help train staff in the following categories.  In addition, watch for our webinars on a variety of HIPAA subjects.

Social Media Guidelines for staff:

Online class, titled Social Media Rules for Healthcare Providers, accredited through our partner, Pedagogy Online Learning Systems.

A published guide on social media uses, from the National Council of State Boards of Nursing.

Risk Mitigation:

Security 101 videos on how to spot risks in your midst, and how to plan for natural disasters and interruptions

Basic security checklist for small practices

An advanced online course for compliance managers, titled Responsibilities for Managing HIPAA Compliance, accredited through our partner, Pedagogy Online Learning Systems.

Breach Reporting:

Instructions on how to report

Business Associates:

Information on who to hold accountable and how

Patient Rights:

Video on patient rights

10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Provide leadership

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
  • Step 3: Document processes, findings, and actions

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial – 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    ADVANCED:
    Toolkit on 45 implementation specifications
  • Step 6: Manage and mitigate risks

    What's Inside:
    Overview of expectations.
  • Step 7: Prevent breaches

    What's Inside:
    • Form for reporting brief notification
    • Links to details on the notification process and what constitutes a breach.
  • Step 8: Communicate with patients

    What's Inside:
    FOR ALL:
    Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    INTRODUCTORY:
    Professionals' guide covering 2013 updates on communications.

    ADVANCED:
    Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Update or execute Business Associate Agreements (BAAs)

    What's Inside:
    Sample Business Associate Agreement (BAA) provisions.
  • Step 10: Attest to Compliance with Security Objectives

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.