In MACRA (the Medicare Access and CHIP Reauthorization Act), it looks as though CMS is taking HIPAA compliance to the next level. The agency makes the security risk analysis a lynchpin in one of the primary MIPS measures. MIPS, the new Merit-based Incentive Payment System, incentivizes quality, improvement and advancing care information performance.
If clinicians / physicians are eligible to participate in MIPS, they must conduct a security risk analysis and implement a risk management program or see a decrease in Medicare payment. Some of this may sound familiar, and that’s because it’s much like Meaningful Use.
Ideally MACRA wouldn't be all that startling, but many clinicians simply do not conduct regular HIPAA security risk analyses, nor do they have an ongoing risk management program. That means these are significant changes for many of our providers.
Physicians will have multiple ways to gain financially based on how they score under MIPS, aggregated under the categories of quality, resource use, clinical practice improvement activities and the meaningful use of certified EHR technology.
Scoring will be everything (that’s the MIPS Composite Performance Score). Also, if you haven’t had a recent security risk analysis or a risk management plan that’s implemented, you won’t be doing so hot.
The flip side is, if your Medicare practice is fairly low volume, as in you receive less than $30,000 in Medicare payments or have less than 100 Medicare patients, this won’t apply because you’re not eligible to participate. But you’d still do well to step up security best practices and assure HIPAA compliance.
HIPAA has been the underpinning of how clinicians work since its enactment. Practices that have managed to slide by with minimal effort in relation to an actual privacy and security compliance program will no longer cut it. MACRA tightening the link between quality, efficiencies and security to payments will drive the next chapter of care and who’s there to provide it.
Why not start now? Take the opportunity to lay the groundwork to maximize your MIPS CPS as well as your practice revenue. Go ahead and get your HIPAA security risk analysis done now and put the risk mitigation and risk management plan together. Your practice and your bottom line will benefit.
Apgar & Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support health plans, medical practices, dental clinics and hospitals, as well as their business associates. We also help businesses prepare for ISO, SOC II and HITRUST certifications. Call 877-376-1981 for assistance.
Product and gadget creators get in a tight spot when IoT (the Internet of Things) security takes a back seat. It sounds harmless: “Let’s get to market then release security updates.” Getting market share vs taking care of security seems like a matter of course. Until someone uses that security gap to shut down a power plant.
Security by design is more of a concept than a reality. – Chris Apgar, CISSP
So take a step back and prepare. Because even if you can’t prevent IoT attacks – and you can’t stop them all – you can be prepared. Not being so is indefensible. A few critical steps:
- Have your go-to vendor(s) contact info readily at-hand in case of an attack. The information should be part of your security incident response plan.
- Test – before the attack – security incident response, disaster recovery and business continuity plans. Make corrections and test again.
- Train your security incident response team on what to do when an attack happens. Repeat the training regularly.
- Make it difficult for hackers: encrypt data on mobile devices, on portable media and in the EHR.
A quick, effective response to an IoT attack can mitigate damage. But it takes preparation, that is, sound risk management: training, sharing information with critical staff, and taking security incident response seriously. As I stated in a recent article about IoT attacks, “A risk management program is neither a one-time event nor static. Risks are constantly changing as new attack methods are being developed.”
One more point: Spread the training love. Training is too often overlooked. Talk about the clicks that bring down an organization in moments, like phishing. And try for something beyond the same old PowerPoint: use scenario-based training, for example, and look at all the ways everyday actions can halt business in its tracks. Otherwise people tune out.
If you’re not sure where to start, the guidance from the Department of Homeland Security (DHS) and the recommendations from the National Institute of Standards and Technology (NIST) are very helpful when trying to figure out all the risks that can come with IoT device implementation. You can also give us a call: 877-376-1981.
Apgar and Associates, LLC helps you on your compliance journey, including conducting a security risk analysis, creating risk mitigation and risk management plans, and training workforce.
This article was first published as an e-letter. To subscribe, go here.
For some time now, we’ve been blogging about increases in cybercrime as well as what you can do about it. The Workgroup for Electronic Data Interchange (WEDI) has published a cybercrime issue brief that explores some of healthcare’s common vulnerabilities typically exploited by cybercriminals today. WEDI also recommends best practices you can apply to help mitigate these vulnerabilities. It’s a worthwhile read.
[Download the PDF: The Rampant Growth of Cybercrime in Healthcare]
A few startling points and excerpts from the brief:
- “Data breaches cost the healthcare industry approximately $6.2 billion each year, with the average breach incurring damages of $2.2 million and compromising 3,128 records per incident.”
- That’s a very significant set of statistics. Despite this, “only 40 percent of healthcare organizations express concern about cyberattacks or report that their cybersecurity budget has increased in response to threats.”
The cybercrime issue brief also reviews common threats to healthcare organizations, such as spyware, malware (e.g. ransomware, rootkits and worms), “hacktivist” activity, and the latest phishing methods such as spear phishing and whaling.
Chris Apgar, CISSP is a former WEDI Board Member, a longtime member of its HIE Workgroup, and the founder of Apgar and Associates, LLC. The privacy and security compliance consulting firm helps organizations with information security risk analysis, creating risk mitigation and risk management plans, and more. For more information: 877-376-1981.
That was the title of an early January eblast to our subscribers where we talked about insider risk and audit controls. Then OCR sent out an email about a recent $5.5 million settlement with Memorial Healthcare Systems (MHS) about PHI being “impermissibly accessed” and “impermissibly disclosed” to doctors’ staff.
The email serves as an expensive yet imperative reminder of how important audit controls are to protecting PHI. MHS didn’t follow the HIPAA Security Rule’s proper access controls, didn’t address risks it had identified as part of risk analyses conducted from 2007 to 2012 and has paid the price. Unfortunately, those whose PHI was shared with far more people than necessary still lose, because the information can’t be unseen.
It begs the question: Why do so many people get access to ePHI who clearly don’t need that access? As we’ve talked about in a previous blog article, “Who has access to your healthcare data?” the insider risk is all too real.
It’s worth repeating that training won’t stop bad people from doing bad things. However, often the privacy breach is due to inadequate monitoring of health information access, especially when you’ve noted that as a risk yet have done nothing about it. Someone with no malicious intent but no legitimate reason to access ePHI can still wreak unintentional havoc.
6 Essentials for ePHI Access & Monitoring
- Train everyone. While it’s not a cure-all, the need for regular (at least semi-annual) privacy and security training cannot be overstated.
- Don’t hesitate to do a thorough screening of every employee who could potentially have access to or cause risk to ePHI.
- For those who will have access, be sure that their access is appropriate to their “need to know.” Maybe it’s time to get more stringent.
- Conduct regular, timely audits of PHI access logs. Many organizations audit but far too infrequently. Step it up to reduce breach risk.
- Review employee access to PHI on a regular basis to make sure someone who has left your organization no longer has access to your patients’ PHI.
- Review and possibly revise your current audit control protocols.
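One way to turn the “audit PHI access logs” and “review employee access” steps above into a repeatable check. This is an added example, not Apgar & Associates’ tooling or any EHR vendor’s audit feature; the log layout, the HR roster, the role-to-action need-to-know matrix and the daily-volume threshold are all constructed for illustration, and a real review would pull these from the EHR audit trail and the HR system.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample ePHI access-log lines (CSV). The field layout is an
# assumption for this example; real EHR audit logs differ by vendor.
SAMPLE_LOG = """\
timestamp,user,action,patient_id
2017-02-01T08:02:11,dr_lee,view,P1001
2017-02-01T08:05:40,dr_lee,update,P1001
2017-02-01T09:10:03,nurse_kim,view,P1002
2017-02-01T09:12:55,billing_ray,view_billing,P1001
2017-02-01T10:30:00,front_desk_ann,view,P1003
2017-02-01T11:00:00,ex_tech_bob,view,P1004
2017-02-01T12:00:00,ghost_user,view,P1005
2017-02-02T13:00:00,nurse_kim,view,P1006
2017-02-02T13:01:00,nurse_kim,view,P1007
2017-02-02T13:02:00,nurse_kim,view,P1008
2017-02-02T13:03:00,nurse_kim,view,P1009
"""

# Constructed HR roster: user -> (role, still employed?). Any account that
# appears in the log but not here is unknown to HR and gets flagged.
ROSTER = {
    "dr_lee": ("physician", True),
    "nurse_kim": ("nurse", True),
    "billing_ray": ("billing", True),
    "front_desk_ann": ("front_desk", True),
    "ex_tech_bob": ("lab_tech", False),  # left the organization; account never disabled
}

# Constructed need-to-know matrix: role -> actions that role legitimately performs.
NEED_TO_KNOW = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
    "front_desk": {"schedule"},
    "lab_tech": {"view"},
}

# Constructed threshold: more distinct patients than this in one day is an
# indicator worth a human review, not proof of snooping.
DAILY_PATIENT_THRESHOLD = 3


def parse_log(text):
    """Parse the CSV access log into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, roster=ROSTER, need_to_know=NEED_TO_KNOW,
          threshold=DAILY_PATIENT_THRESHOLD):
    """Return a list of findings, each a dict with a 'reason' plus log fields.

    Checks performed:
      unknown_user        - account not on the HR roster
      terminated_user     - account belongs to someone who has left
      out_of_role_action  - action outside the role's need-to-know
      high_volume_access  - distinct patients per user per day above threshold
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    for rec in records:
        user = rec["user"]
        if user not in roster:
            findings.append({"reason": "unknown_user", **rec})
            continue
        role, active = roster[user]
        if not active:
            findings.append({"reason": "terminated_user", **rec})
            continue
        if rec["action"] not in need_to_know.get(role, set()):
            findings.append({"reason": "out_of_role_action", **rec})
        day = rec["timestamp"][:10]  # ISO date prefix
        patients_per_user_day[(user, day)].add(rec["patient_id"])
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > threshold:
            findings.append({"reason": "high_volume_access", "user": user,
                             "timestamp": day, "action": "",
                             "patient_id": ",".join(sorted(patients))})
    return findings


def summarize(findings):
    """Count findings by reason, for the audit report header."""
    return dict(Counter(f["reason"] for f in findings))


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    print(summarize(results))
    for f in results:
        print(f["reason"], f["user"], f["timestamp"], f["action"], f["patient_id"])
```

Run on the constructed log this flags the former employee whose account was never disabled, an account HR has no record of, a front-desk user viewing clinical records outside their role, and one nurse touching four different patients in a few minutes on the second day. The last is only an indicator; the point of the threshold is to shrink the log to a reviewable list, which is what makes frequent audits practical.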
What are your action steps? If you’re not sure, or if you want to see if your prevention measures are where they need to be, give us a call at 877-376-1981. We’ll discuss best next steps for your ePHI protection planning.
In the interim, we suggest you download the Common Sense Guide to Mitigating Insider Threats, 4th Edition, from US-CERT (U.S. Computer Emergency Readiness Team).
All indicators are that 2017 will continue to see healthcare data come under attack as its value on the black market holds. That means that healthcare organizations can expect to remain prime targets for malicious cyberattacks.
It doesn’t help that many healthcare organizations struggle with challenges that include outdated information systems and cybersecurity gaps, as well as the fact that medical device manufacturers haven’t traditionally focused on device security. While healthcare organizations are diligently working to close gaps on their side, in both cyber and workforce security, the OCIA (Office of Cyber and Infrastructure Analysis) has released a product that may help.
Healthcare & Public Health Sector Cyber dependencies
This fairly extensive product addresses everything from the sector background to cyber incidents affecting medical devices to the path forward. It’s the culmination of a collaborative effort with the Department of Homeland Security (DHS), National Protection & Programs Directorate, National Cybersecurity & Communications Integration Center, DHS Office of Intelligence & Analysis, and the HHS’s office of the Assistant Secretary for Preparedness & Response.
You can download the 13-page PDF here.
Apgar and Associates helps you with questions and concerns about your privacy and security compliance program, including updates and training, at 877-376-1981.