We’ve been working with a number of clients lately who are trying to wrap their arms – and IT policies – around cloud computing and file sharing. You may remember last year when OHSU was fined $2.7 million for “widespread HIPAA vulnerabilities.” Well, part of those vulnerabilities came about because of improper use of cloud-based file sharing services.
Healthcare organizations or not, use of cloud computing to store or share sensitive information comes with risks. OCR regularly reminds covered entities and their business associates of the potential risks, as well as how to use cloud services and remain in compliance.
Often, human error is at the root of the breaches. All electronically based protections, firewalls, anti-malware programs and so forth may be in order, but one person accessing information without authorization skews everything. Flawed setup of services is another risk, and one usually not detected until it’s too late.
We like to start with the security risk analysis to detect any potential service misconfiguration or unnecessary access of sensitive data. The security risk analysis, when combined with IT vulnerability scans, penetration tests and mock phishing exercises, helps organizations identify and address security gaps like missed security patches and software that’s out of date, as well as detect the most likely potential for human error. (Of course, the security risk analysis is also a HIPAA Rules requirement – but you knew that.)
Check that you’re in compliance with OCR Guidance on cloud computing, particularly around storing ePHI in the cloud, the proper policies and procedures, and the appropriate Business Associate Agreements.
Remember: Cloud computing and file sharing aren’t prohibited by OCR, but you must have appropriate measures in place to secure sensitive data and assure compliance. If you’re not sure whether your use of the services is secure, or your security risk analysis is up to date, then stop and call us!
Our HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. We work across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well. You can reach Apgar & Associates at 877-376-1981.
Although the HHS HIPAA Breach Reporting Tool (HBRT) has been out since 2009, the revised and updated web tool is head and shoulders above the original. You can look for information on reported data breaches in your industry sector, what kinds of data breaches took place and their status with HHS / OCR.
The tool is also educational, letting you see what actions OCR investigations initiated to resolve the vulnerabilities that let the breach happen in the first place. The hope is that the industry will use this information to help strengthen organizational security.
HBRT’s new features include:
- Breaches reported in last 24 hours
- Breaches currently under investigation
- Archive of breach resolution
- Better navigation to get to more breach information
- Consumer Help links if you think your privacy’s been breached
According to HHS, the updated and enhanced HBRT tool will continue to expand and improve. The HBRT encourages transparency to the general public and between organizations covered by HIPAA requirements. Its use helps emphasize how the privacy and security of our sensitive health information must remain at the forefront of covered entity and business associate operations.
Apgar and Associates, LLC helps you on your compliance journey, including helping you implement and improve your privacy, information security and cybersecurity programs. Let’s begin with a security risk analysis to see where your risks lie. Call 503-384-2538 to get started.
First published as an eblast, July 2017.
Recently, I was asked to share my thoughts on cloud computing. Industry experts have varying perspectives, and I encourage you to read all of our insights as published in the post “Ask the Thought Leaders: What’s the Future of Cloud Data Integration?” Here’s my contribution, as published:
“In 10 to 15 years, it is likely that cloud computing will have moved beyond what we call server-based computing. We’re already there with services offered by Amazon and Microsoft; applications and processes can be run without the need to be concerned about servers that need to be configured and maintained. We’re looking at a world where unstructured and structured data reside in a virtual world where it’s feasible to create what I would call virtual artificial intelligence where thoughts may be turned into code or a process to interrogate vast amounts of data and perform precise functions such as what’s the best approach for advanced disease management and how to isolate genes that may be altered to combat cancer and chronic diseases. We’re looking at an environment where computing is at such an advanced state that data manipulation and advanced technological advances will occur at such a rapid pace that it is impossible to believe today.
This all sounds like science fiction, but we’re already moving that direction at a rapid pace and it may turn out that my predictions are much more conservative than the reality of cloud computing in a decade. Now personal privacy and information security will be a concern as those vast amounts of data become even more of a tool to direct consumer engagement. We may be facing the potential of losing a fair amount of the privacy we have left.”
(segment from article by Nick Hastreiter published July 17, 2017 at http://www.futureofeverything.io/)
In MACRA (the Medicare Access and CHIP Reauthorization Act), it looks as though CMS is taking HIPAA compliance to the next level. The agency makes the security risk analysis a lynchpin in one of the primary MIPS measures. MIPS, the new Merit-based Incentive Payment System, incentivizes quality, improvement and advancing care information performance.
If clinicians / physicians are eligible to participate in MIPS, they must conduct a security risk analysis and implement a risk management program or see a decrease in Medicare payment. Some of this may sound familiar, and that’s because it’s much like Meaningful Use.
While ideally MACRA wouldn’t be all that startling, many clinicians simply do not conduct regular HIPAA security risk analyses, nor do they have an ongoing risk management program. Which means these are significant changes for many of our providers.
Physicians will have multiple ways to gain financially based on how they score under MIPS, aggregated under the categories of quality, resource use, clinical practice improvement activities and the meaningful use of certified EHR technology.
Scoring will be everything (that’s the MIPS Composite Performance Score). Also, if you haven’t had a recent security risk analysis or a risk management plan that’s implemented, you won’t be doing so hot.
The flip side is, if your Medicare practice is fairly low volume, as in you receive less than $30,000 in Medicare payments or have fewer than 100 Medicare patients, this won’t apply because you’re not eligible to participate. But you’d still do well to step up security best practices and assure HIPAA compliance.
HIPAA has been the underpinning of how clinicians work since its enactment. Practices that have managed to slide by with minimal effort in relation to an actual privacy and security compliance program will no longer cut it. MACRA tightening the link between quality, efficiencies and security to payments will drive the next chapter of care and who’s there to provide it.
Why not start now? Take the opportunity to lay the groundwork to maximize your MIPS CPS as well as your practice revenue. Go ahead and get your HIPAA security risk analysis done now and put the risk mitigation and risk management plan together. Your practice and your bottom line will benefit.
Apgar & Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support health plans, medical practices, dental clinics and hospitals, as well as their business associates. We also help businesses prepare for ISO, SOC II and HITRUST certifications. Call 877-376-1981 for assistance.
Product and gadget creators get in a tight spot when IoT (the Internet of Things) security takes a back seat. It sounds harmless: “Let’s get to market then release security updates.” Getting market share vs taking care of security seems like a matter of course. Until someone uses that security gap to shut down a power plant.
Security by design is more of a concept than a reality. – Chris Apgar, CISSP
So take a step back and prepare. Because even if you can’t prevent IoT attacks – and you can’t stop them all – you can be prepared. Not being so is indefensible. A few critical steps:
- Have your go-to vendor(s) contact info readily at hand in case of an attack. The information should be part of your security incident response plan.
- Test – before the attack – security incident response, disaster recovery and business continuity plans. Make corrections and test again.
- Train your security incident response team on what to do when an attack happens. Repeat the training regularly.
- Make it difficult for hackers: encrypt. On mobile devices, portable media, in the EHR.
A quick, effective response to an IoT attack can mitigate damage. But it takes preparation, aka sound risk management: training, sharing information with critical staff, taking security incident response seriously. As I stated in a recent article about IoT attacks, “A risk management program is neither a one-time event nor static. Risks are constantly changing as new attack methods are being developed.”
One more point: Spread the training love. Training is too often overlooked. Talk about the clicks that bring down an organization in moments, like phishing. And try for something beyond the same old PowerPoint: perhaps use scenario-based training, and look at all the ways everyday actions can halt business in its tracks. Otherwise people tune out.
If you’re not sure where to start, the guidance from the Department of Homeland Security (DHS) and the recommendations from the National Institute of Standards and Technology (NIST) are very helpful when trying to figure out all the risks that can come with IoT device implementation. You can also give us a call: 877-376-1981.
Apgar and Associates, LLC helps you on your compliance journey, including conducting a security risk analysis, creating risk mitigation and risk management plans, and training workforce.
This article first published as an eletter.