HIPAA

EHR Conference Speaker Emphasizes Importance of Protecting Patients’ Information

Posted in Electronic health records, Electronic Medical Records, Health IT, HIPAA on May 2nd, 2014 by MMS

By Vicki Ritterband

Ali Pabrai

Encryption. Encryption. Encryption.

Those are the “three” most important activities doctors should do to protect the security of their patients’ electronic protected health information (ePHI), says cybersecurity expert Ali Pabrai, a presenter at MMS’s recent conference, Electronic Health Records Next Chapter: Best Practices, Checklists and Guidelines.

Encryption is the conversion of data into a form that cannot be understood unless the reader has a key or password to unscramble the information. All sorts of electronic transmissions should be encrypted—including texts and emails—no matter what the device, said Pabrai. If data is encrypted, even if you have a security breach, it is protected.
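The paragraph above states the defender’s case for encryption in one line: if the stored data is ciphertext, a stolen disk or intercepted message yields nothing readable without the key. The program below is an added illustration of that point and is not code from the MMS post or from Pabrai’s presentation. It uses Go’s standard-library AES-256-GCM to seal a constructed, fictitious patient record, then shows three things a practice should expect from encryption at rest: the identifying strings are absent from what an attacker would copy, the right key recovers the record, and a wrong key or a tampered byte is rejected rather than decrypted into garbage. Key handling is the assumption here: a real deployment keeps the key in a key-management system or hardware module, never on the same disk as the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample record for the demonstration; not real patient data.
const sampleRecord = "MRN=000123;Name=Jane Doe;DOB=1970-01-01;Dx=hypertension"

// newKey returns a random 256-bit AES key. Assumption: in production the key
// is generated and held by a key-management system, never stored beside the
// ciphertext it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per record is mandatory for GCM; reusing one breaks it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open verifies and decrypts data produced by seal. A wrong key or any
// modification of the stored bytes fails GCM's authentication check, so the
// caller receives an error instead of silently corrupted data.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksPHI reports whether an identifying string is still visible in the
// bytes an attacker would copy off a stolen disk. With encryption at rest it
// must not be.
func leaksPHI(stored []byte, marker string) bool {
	return bytes.Contains(stored, []byte(marker))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := seal(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored on disk:", hex.EncodeToString(sealed))
	fmt.Println("patient name visible in stored bytes:", leaksPHI(sealed, "Jane Doe"))

	pt, err := open(key, sealed)
	fmt.Printf("correct key -> %q (err=%v)\n", pt, err)

	wrongKey, _ := newKey()
	_, err = open(wrongKey, sealed)
	fmt.Println("wrong key   -> error:", err)

	sealed[len(sealed)-1] ^= 0x01 // simulate one corrupted or altered byte
	_, err = open(key, sealed)
	fmt.Println("tampered    -> error:", err)
}
```

The last two cases are why an authenticated mode such as GCM, rather than bare AES, is the right default: a breach that alters records is caught at read time, not discovered months later as the article warns.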

“Unfortunately, application vendors in the healthcare industry have been lethargic about embedding encryption capabilities,” said Pabrai. “That makes it difficult for a practice or a healthcare organization to implement encryption.”

As more and more health information moves between the cloud and mobile devices, organizations will increasingly need to focus their security efforts on those two areas, according to Pabrai. Healthcare data fetches a high price on the black market because it is so rich in identity information.

Cyber security attacks on all types of businesses are occurring at a breathtaking pace: the average organization experiences 1,400 attacks per week, and of those attacks, approximately two accomplish their purpose, said Pabrai. HIPAA fines for information security breaches can run into the hundreds of thousands and even millions of dollars. “Physician practices are more vulnerable to HIPAA fines than ever before,” said Pabrai. Often, organizations don’t know their systems have been broken into until months after the thieves have left the premises.

So what’s a practice to do? Here are the seven steps Pabrai suggests physicians take to ensure that their patients’ electronic protected health information (ePHI) is secure and complies with HIPAA regulations:

  • Assign someone in your practice to be the security or compliance officer. Make sure they have access to the appropriate resources to do their job.
  • Conduct risk analyses regularly, ideally on an annual basis.
  • Develop a security strategy and policies and document them. If HHS’s Office for Civil Rights investigates a security breach, the first thing they will ask is to look at your policies, said Pabrai.
  • Remediate when necessary: address any deficiencies in your protection strategy.
  • Secure third parties: make sure your business associates are protecting your patients’ ePHI to the same degree you are.
  • Train your staff so they comply with your cyber security rules and regulations.
  • Evaluate your performance.

For an overview of what’s required from healthcare providers to comply with various aspects of the HIPAA Privacy and Security rules, the U.S. Department of Health & Human Services offers six free, CME-eligible online educational programs.

More information about the event and links to faculty presentations are available online.

Free white paper for MMS members: “MMS Guide to Health Information Technology”

Why Your Windows XP Computer Could Become a HIPAA Security Risk

Posted in Health IT, HIPAA, practice management on April 3rd, 2014 by MMS

photo by stevendepolo via flickr.com

Is your practice using computers that run Microsoft Windows XP? If so, you could be exposing your practice to security risks in the near future.

After April 8, Microsoft will stop supporting Windows XP, its venerable but aged operating system. This means that Microsoft will no longer send you regular software updates to correct new security holes and software bugs.

Will your XP computers suddenly become non-compliant? Not simply because Microsoft is withdrawing technical support. But without regular software patches, your computers may be increasingly vulnerable to the hackers and trolls who scour the internet. Usually they’re seeking credit card and bank account information, but if your system has security holes, they could access your patients’ protected health information more easily.

Will your computers continue to run on XP? If they’re functioning today, they probably will continue to function for a while. But many computer consultants are advising their clients to assess their risk and determine how they will modernize their systems.

Can I upgrade myself? Many computer users have tried upgrading to Windows 7 or 8 on their existing machines, but some have reported the process to be difficult, and sometimes a failure altogether. Many older machines simply don’t have the processing power or memory to run the newer versions of Windows. Sometimes the best solution is to get new hardware. Microsoft does offer brave, intrepid do-it-yourselfers free data-transfer software.

Our advice? Talk to your computer vendor or consultant, and develop an upgrade plan. Granted, Microsoft derives commercial benefit from this decision, but security-sensitive users are left with little choice. You don’t necessarily have to upgrade today, but it’s not wise to delay the process indefinitely.