So far, the statistics on major health data breaches for 2013 look encouraging. And the stats for 2012 showed substantial improvement vs. 2011. But could we see a surge in breach reports after organizations begin using updated federal guidance about how to assess whether to report a breach? Only time will tell.

First, let’s take a look at the latest breach statistics. We’ve been crunching the numbers monthly since the Department of Health and Human Services’ Office for Civil Rights began posting its “wall of shame” on its website. That tally, mandated by the HITECH Act, includes breaches affecting 500 or more individuals that have been confirmed by federal investigators since late September 2009, when the original breach notification rule kicked in.

” What’s incredible is that the problem of lost or stolen unencrypted devices and media shows no sign of fading away. ”
Related Content

Let’s start with the big picture. As of May 21, the ongoing tally lists 600 breaches affecting more than 22 million people. More than half of breaches have involved lost or stolen unencrypted computer devices or media. And more than 20 percent have involved a business associate of some sort.

The wall of shame now shows more than 140 breaches occurred in 2012, affecting a total of almost 2.6 million individuals. Only six breaches affected at least 100,000; those incidents impacted a combined total of 1.7 million individuals.

The 2012 figures represent a significant improvement from 2011, when there were about 160 breaches affecting roughly 11 million individuals – including eight incidents impacting an astounding combined total of about 10 million.

Although federal officials continually add incidents – sometimes dating back a year or more – to the tally, it’s clear that the breach numbers look a lot better for 2012 than 2011. And that’s good news, indeed. But what about 2013?

So far, the tally lists about 29 breaches affecting a total of more than 120,000 individuals this year. That’s right, no whopper breaches are on the list – at least not yet. But it’s still way too early to jump to any conclusions about how the breach numbers will look for this year.

What’s incredible, however, is that the problem of lost or stolen unencrypted devices and media shows no sign of fading away. For 2013, almost 60 percent of incidents stemmed from this cause. Last year, the percentage was about the same. And the lack of improvement in this arena is mind boggling.
Hopeful Signs

Our recent Healthcare Information Security Today survey offers hope that healthcare organizations are taking the right steps to address this issue. The top two breach prevention action items for this year are stepping up training on privacy and security issues and encrypting mobile devices and removable media.

If encrypted devices are lost or stolen, the information they contain is far less likely to be breached. As a result, such losses or thefts don’t have to be reported to authorities.

Another important breach prevention strategy, but one that is not always practical, is to ban the storage of patient information on portable devices. Roughly half of the organizations we surveyed prohibit storage of patient data on mobile devices.

But training is also an essential breach prevention step. Folks need constant reminders; let’s face it, we’re all forgetful. Staff members needs to be reminded not to leave their laptops in plain view inside their parked cars. They need to be reminded to make sure any patient data on their computers is encrypted. They need to be told again and again that that they must use only secure e-mail for transmitting sensitive data. Annual training is insufficient.
Notification Guidance

But even if breach prevention efforts improve, we could soon see an increase in the number of major breaches reported to federal authorities. That’s because the HIPAA Omnibus Rule spells out objective guidance for how to assess whether a security incident is a reportable breach. The vague “harm standard” language in the original breach notification rule was far too tough to interpret. The new guidance outlines how to do a more precise risk assessment to size up the threat to patient data. And that guidance was long overdue.

Will the new breach notification guidance, in fact, lead to more breaches making their way to the federal wall of shame? That’s the expectation of many regulatory experts. We’ll have to wait and see. The omnibus rule won’t be enforced until September, and organizations can use the old – or the new – notification guidance until then.

My fingers are crossed that the trend toward far fewer gigantic breaches that we saw in 2012 will carry over into this year. And as federal officials continue to ramp up HIPAA enforcement and publicize hefty fines for violations, that will go a long way, indeed, toward motivating healthcare organizations of all sizes to ramp up breach prevention efforts.

Follow Howard Anderson on Twitter: @HealthInfoSec

The post Health Breach Tally: Cause for Optimism? appeared first on SPHER.

Pocatello, ID  |  May 23rd, 2013

ISU operates 29 outpatient clinics and is required to provide health information technology systems security at those clinics. Between four and eight of the ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred, HHS officials say.

The post ISU hands over $400K for HIPAA violation appeared first on SPHER.

8,300 Patients Notified

SHREVEPORT, LA | May 17, 2013

The post LSU database gaffe leads to HIPAA breach appeared first on SPHER.

Background

Congress had long grumbled that HIPAA enforcement had no teeth, so within the HITECH Act they mandated that the OCR develop an audit program for all CEs and BAs, of all sizes.

The OCR began this program in 2011 with 20 audits, and found that some covered entities had done very little to fulfill the HIPAA privacy, security,  and breach requirements. No surprise perhaps!

In 2012 the OCR did 95 more audits and found the same thing, even though  the healthcare industry had seen the results of the 2011 audits. Perhaps the missing ingredients surrounding the OCR audits were the audits themselves. How were they being conducted?

Good News – Published Protocols

The good news is that in the summer of 2012 the OCR published the audit protocols that the OCR  through KPMG, are using to audit the healthcare industry. The protocols were updated in September 2012. There are a total of 169 protocols – 78 for HIPAA security, 81 for HIPAA privacy, and 10 for HIPAA breach.

You can find the protocols here.

Susan McAndrew, JD, leader of all things HIPAA – HITECH at the Office for Civil Rights has been out talking at conferences about both the audits and the Omnibus rules since 2009, saying that HIPAA CEs and BAs  should have a robust HIPAA Privacy and Security compliance program, including:

• employee training.
• vigilant implementation of policies and procedures.
• a prompt action plan to respond to incidents and breaches.
• regular internal audits.

You might remember that these bullets are 4 of the 7 parts that the Department of Health and Human Services (HHS), Office of Inspector General (OIG) had recommended for a healthcare compliance program beginning in 1999.

So why do we think all of this is good news?  Because now all CEs and BAs are in a position to know how to prepare for an OCR audit, and have another motivating factor to overcome organizational challenges that they may be dealing with, such as a limited budget or lack of an organizational mandate.

The combination of the OCR audits, the potential large financial penalties and lawsuits and bad press for a breach of protected health information along with CE attestation for Meaningful Use measures, including information security risk analysis, we believe that the healthcare industry is finally sensing a higher financial risk for non-compliance vs. the cost to comply.

For example, a recent industry survey found that the cost is an average of $200 per individual if you have a breach.  This alone is $100.000 if you have a violation of no more than 500 individuals.  Add to this the millions in fines that OCR is now handing out, plus the cost of mitigation.  So, the loss of a laptop may cost many large CEs $2 million, even if they self report.

The OCR Audit Letter

The first thing that arrives when you are audited is a letter from OCR and its contractor, KPMG, which includes a  two (2)-page list of requested documentation. The obvious requests are for policies and procedures. In addition there are requests for documentation that shows evidence of operational compliance with policies and procedures, such as ‘HITECH breach notification process, entity-level risk assessment documentation and capabilities’. Some documentation in the protocol list may need to be created from scratch based on actual processes. So it will take time to get it all together.

You can attain a copy of the 2-page document request free for download here. (Refer to the OCR Audit Document Request section).

Interesting Points

Here are some interesting points regarding the OCR audits. First, the mandate for the audits is within a law only, the HITECH Act. Second, the audits are not part of the HIPAA general administrative requirements that outline HIPAA enforcement, preemption of state law, compliance and enforcement, imposition of civil money penalties, and procedures for hearing.

However, there is an interconnection between the OCR audits and HIPAA enforcement in that if major HIPAA compliance gaps are identified during an audit OCR will do a further investigation as outlined in the HIPAA enforcement regulation.

Doing nothing can cost a lot!

While it is true that CEs and BAs are never 100% vulnerability free with HIPAA-HITECH compliance especially due to the need for change management,  doing little to nothing can no longer be perceived as a low risk / low cost decision. In other words, the cost of doing nothing is potentially and dramatically much higher than the cost of implementing a culture of compliance (aka-the opposite of willful neglect).  And if you have a good culture of compliance within your organization you should have less risk for security incidents or breach violations.

To implement a culture of compliance, CEs and BAs need to monitor HIPAA compliance continuously and mitigate gaps, especially the high and medium risk gaps. The key word is continuously which means that the process never ends.

Here are some of the elements that lead to a culture of compliance:

• Implementing written policies, procedures and standards of conduct.
• Designating a compliance officer and a compliance committee.
• Designating privacy and security officers.
• Conducting effective and on-going training and education of all of the HIPAA privacy, security, and breach requirements.
• Enforcing the HIPAA security, breach and privacy standards and implementation specifications through well-publicized disciplinary guidelines and developing policies and procedures that address sanctioning the workforce.
• Conducting periodic assessments, audits and mitigation.
• Responding promptly to detected offenses, developing corrective action, and reporting to OCR.
• Document, document, and then document.

2013 – More to come!

In 2013 the OCR may begin auditing BAs in addition to  CEs. Plus, the OCR has promised to review the 2012 audits against its audit protocols and update the protocols accordingly. We can expect to see a continual increase in the number of audits conducted each year going forward which increases the likelihood that your organization will eventually be audited.

Conclusion

The time to prepare for an OCR audit is now, if not yesterday. We recommend that CEs and BAs conduct internal audits based on the published OCR protocols and mitigate the gaps found. CEs and BAs may be surprised to see how difficult it is to show documented evidence of due diligence for compliance with their policies and procedures. Processes that support policies may be in place, but gathering documented evidence of the processes can be time consuming. So begin now. Two weeks is not enough time to prepare. And CEs and BAs should consider hiring an independent third party for guidance and to assess their audit readiness.

About the Authors

Gerry Blass has over 35 years of experience in healthcare IT and compliance. Gerry provides IT and compliance consulting services and software called ComplyAssistant that automates the management and documentation of healthcare compliance activities. Gerry is the President & CEO of Blass Consulting and Compliance LLC.

Susan A Miller, JD has 40 years of professional leadership experience spanning teaching, biochemistry research and law. Since 2002, Susan has provided independent consultation and legal services to numerous healthcare entities including NIST and HHS.  She has co-authored two OCR audit protocol prep-books, HIPAA Security Audit Prep Book, and HIPAA Breach & Privacy Audit Prep Book. They are published at http://www.malverngroup.com/New_Publications.html.

Blass and Miller are co-founders of HIPAA 411, a linked-in group.

The post OCR HIPAA Audits – We Now Know the Protocols appeared first on SPHER.

The post Half of healthcare orgs aren’t sure they can detect all patient data privacy & security breaches appeared first on SPHER.

The second annual Healthcare Information Security Today survey revealed six emerging healthcare security trends. It hit on all of the key healthcare security pain points for professionals and showed how organizations are dealing with new HIPAA rules and what they’re doing policy and technology-wise to improve their patient data security methods.

Participants in the survey gave responses during the fall of 2012 and hold titles that range from director of IT security to chief information officer, but all 200 respondents have a heavy hand in securing their organization’s health data.

1. Data breach prevention

Organizations believe training is the key to avoiding health data breaches, as 73 percent of respondents said they planned on ramping up internal privacy and security training.

Some other noteworthy data breach numbers included:

- 40 percent of respondents saying that they experienced misdirected fax or incidental postal mailing breaches in the past year, as opposed to only 8 percent suffering hacker attacks.

- Only 6 percent of respondents referred to their organization’s capabilities to prevent internal security threats as “excellent.”

- 60 percent of organizations say their training and awareness rank as needing improvement-to-adequate.

2. Data encryption still lagging

The encryption section explained that while organizations seem to be aware of the need to implement encryption, finding the best ways to deploy these technical safeguards seems to elude many of them. One surprising statistic was only 45 percent saying their organization encrypts mobile storage media and only 47 percent encrypt data being sent across their virtual private network (VPN). These numbers will have to continue to improve if healthcare organizations are going to keep up with enterprise and bank security innovation.

3. Risk assessment education need improvement

About one-third of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year and the majority of those (62 percent) of those organizations were spurred by the HITECH EHR Incentive Program. And while 83 percent of organizations updated their security policies in the past year, a mere 53 percent have enhanced security education as result of their risk assessments.

4. Data security priorities

The three highest-ranked priorities for healthcare security professionals were refining regulatory compliance efforts (55 percent), bettering security awareness/education (45 percent) and spotting data breaches (34 percent).

5. BYOD emerging as popular option

Not exactly a shocking development here, as 58 percent said they allow clinical staff to BYOD and about half use an automatic timeout technology or use remote wipe to safeguard the devices. But only 46 percent encrypt them, which should be a concern as BYOD numbers increase.

Remote access is another area of interest to security pros:

6. Cloud security still a worry

Because many organizations view security policy and HIPAA enforcement as barriers, only 64 percent store health data in the cloud and only 14 percent of those who do have high confidence in maintaining secure data. Out of all these categories, the cloud bears the most watching because implementing these technologies will continue to make more and more fiscal sense and technical safeguards for cloud data have improved more than most organizations realize. But with the new HIPAA omnibus rule in effect, there will be more pressure on cloud vendors (business associates) to prove they’ll sign a business associate agreement (BAA) and truly keep the data safe.

The post Survey reveals healthcare data security priorities appeared first on SPHER.

The post Utah health data breach: A lesson in the myriad benefits of prevention appeared first on SPHER.

(A Perspective on healthcare data breaches)  A common refrain among those outside the healthcare industry is that healthcare has a ways to go in catching up with the enterprise in security technology. While this is largely true, Verizon’s 2012 Data Breach Investigations Report revealed that healthcare is far from the most-afflicted industry when it comes to data breaches. A mere 7 percent of the industry groups represented in the study came from healthcare/social assistance. Instead, accommodation and food services led the way with 54 percent of total data breaches in 2012.

Though healthcare didn’t play a big part in the results, it’s important to look at other industries’ data breach struggles. The results didn’t deviate much from Verizon’s 2011 report, with the exception of new hacking technologies as hacking was involved in 52 percent of the 2012 report’s 621 confirmed data breaches and 47,000 reported security incidents. Another 40 percent used malware, 35 percent were physical attacks and 29 percent involved phishing.

Figure 3: Data Breaches: Including Healthcare

Threat agents

The report specifies three primary categories of threat agents, external, internal and partner.

- External threats originate from sources outside of the organization and its network of partners. Examples include former employees, lone hackers, organized criminal groups, and government entities, External agents also include environmental events such as floods, earthquakes and power disruptions.

- Internal threats are those originating from within the organization. This encompasses company executives, employees, independent contractors, interns, etc…, as well as internal infrastructure. Insiders are trusted and privileged (some more than others).

- Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

Figure:  Healthcare Data Breaches – Threat agents over time

Malware

Common malware functions are logging keystrokes (and other forms of user input), sending data to external locations, and backdoors. None of these functionalities are mutually exclusive and it’s common for a single piece of malware to feature several components.

Figure:  Healthcare Data Breaches – Malware

New hacking methods are also a factor:

The post Perspective on healthcare data breaches: Verizon report appeared first on SPHER.

The expert panel projects that 65 percent of primary care physicians in large group practices, 45 percent of primary care physicians in small group practices, and 44 percent of all other specialists could achieve the meaningful use of certified EHR technology by 2015. The expert panel also predicts that meaningful use rates could increase to 80 percent, 65 percent, and 66 percent in 2019 for these three groups, respectively. The information from this study is particularly valuable due to a high degree of uncertainty in a new policy environment and could help inform and evaluate CMS and ONC programs.

Click here or on the link above to view the entire report.

The post EXPERT PANEL PROJECTS GROWTH IN IN THE ADOPTION AND MEANINGFUL USE OF ELECTRONIC HEALTH RECORDS (EHRs) appeared first on SPHER.

The privacy and security provisions of the HIPAA Omnibus Rule and the HITECH Act electronic health record incentive program “dovetail together quite nicely,” says Joy Pritts, chief privacy officer at the HHS Office of the National Coordinator for Health IT.

The “meaningful use” EHR incentive program “doesn’t make providers do anything differently than they’re already required to do under the HIPAA Security Rule,” Pritts notes. But the program’s rules highlight the importance of certain HIPAA compliance issues, especially the need for a risk assessment, she stresses.

Pritts also points out in an interview with HealthcareInfoSecurity (transcript below) that the EHR software certification rule for Stage 2 of the HITECH incentive program, which begins in 2014, requires that “if an end-use device maintains protected health information after that device has signed off, it must be encrypted. … That’s one of the things that’s really a move forward because that’s where we’re having a lot of breaches right now … devices that are lost and stolen.”

Business Associates

The HIPAA Omnibus Rule “really expands the type of organizations and people that are directly responsible for protecting privacy and security of health information,” Pritts notes.

“All of the contractors [business associates] of health plans and healthcare providers who are covered by HIPAA are now going to be directly responsible for following all the security rules and many of the use and disclosure rules under the [HIPAA] privacy rule,” she says. “What this means is if there’s a breach at the business associate level, then HHS will be able to enforce directly against the party that’s responsible for it. That’s a great improvement over how things are now.”

In the interview, Pritts also:

• Says that the rule for Stage 3 of the HITECH EHR incentive program likely will include guidelines for robust authentication of providers remotely accessing records;
• Emphasizes that although the HIPAA Omnibus Rule requires providing patients with an electronic copy of their records, the patient can opt to receive their records without encryption or other security measures;
• Discusses how the upcoming voluntary ONC guidelines for health information exchange will include tips on giving patients the opportunity to make a “meaningful choice” on whether to have their data exchanged.

Pritts joined ONC, a unit of the Department of Health and Human Services, in 2010 as the office’s first chief privacy officer. In that role, Pritts provides advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC’s privacy and security programs under HITECH. Pritts also works closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O’Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute, Georgetown University.

HITECH and Omnibus

HOWARD ANDERSON: I want to talk about how the HIPAA Omnibus Rule helps reinforce some of the privacy and security requirements of the HITECH Act electronic health record meaningful use incentive program, or vice-versa. How do they help each other?

JOY PRITTS: They really dovetail together quite nicely. One of the things that the [HIPAA Omnibus] rule does is it really expands the type of organizations and people that are directly responsible for protecting privacy and security of health information. All of the contractors [business associates] of health plans and healthcare providers who are covered by HIPAA are now going to be directly responsible for following all the security rules and many of the use and disclosure rules under the [HIPAA] privacy rule. What this means is if there’s a breach at the business associate level, then HHS will be able to enforce directly against the party that’s responsible for it. That’s a great improvement over how things are now.

When you look at the breaches that have been reported to HHS to date, more and more of them are coming at the business associate level, and that shouldn’t be surprising, given the way that things are evolving.

It segues very nicely with the [HITECH] meaningful use criteria. Meaningful use doesn’t make providers do anything differently than they’re already required to do under the HIPAA Security Rule. It is shining the light on some of the requirements in the security rule that providers may or may not have been aware of. For example, the security risk assessment is something that people should have been doing for many years, but time and again you see in these surveys where a good portion of providers still are not conducting a security risk assessment years after this was a requirement. We’ve reached a great opportunity that when people are starting to adopt clinical health information technology, they recognize, “I need to do this, and I probably should have been doing it with my billing data already.” But it’s a fine moment for getting people involved with this activity so that they know that they need to be doing it going forward.

Key Security Steps

ANDERSON: What are some of the key steps organizations should be taking now to prepare to meet the privacy and security requirements of Stage 2 of the meaningful use program under HITECH? Are these the same steps that should be taken to comply with HIPAA Omnibus or different?

PRITTS: There are some additional things that they should be aware of. For example, you have to use EHR technology that’s been certified for the meaningful use program. One of the key components of meaningful use and the certification criteria is that if an end-user device maintains protected health information after that device has signed off from an EHR, it must be encrypted. For example, if [someone] is using a laptop to access an electronic health record and it keeps that information, that device has to be encrypted. That’s one of the things that’s really a move forward, because that’s where we’re having a lot of breaches right now – with devices that are lost and stolen. This should really help because that’s going to make it much easier for the provider. They might not know about it, but in the background, if they’re buying certified EHR technology, they should feel comfortable that there should be some encryption already baked in which will make their life a little easier.

HITECH Stage 3

ANDERSON: What do you think are some of the key privacy and security requirements that might be added for Stage 3? What’s left that needs to be added?

PRITTS: We’ve heard from the policy committee that they’re very interested in exploring the level of authentication that providers need to have in order to be able to access an EHR system, particularly from a remote place. That’s an area that has been explored in the request for comments.

ANDERSON: So more details about authentication could be more prominent in Stage 3?

PRITTS: It’s one of the recommendations that we received as to if the technology would need to enable that and that providers would need to use it. Particularly, what they’re focusing on is moving toward two-factor authentication. That’s where the recommendations have been headed.

ANDERSON: That’s primarily for clinicians, not necessarily for patients, right?

PRITTS: Oh, yes. That’s primarily for clinicians because that’s how MU is set up. The meaningful use criteria focus on how the physicians are accessing the system. You raise an interesting issue about when providers in particular have to secure information when they send it to a patient. There’s a lot of information in the introductory section to the Omnibus Rule about how OCR views that issue. It’s a very interesting area because it’s a tradeoff between security and a patient’s right to access their own information. The bottom line is that if a patient is notified that sending information may not be secure, via e-mail for example, and the patient still wants to get it that way, then the provider is pretty much off the hook if they send it to the patient that way.

Health Information Exchange

ANDERSON: ONC is developing voluntary guidelines for health information exchange. What do you see as the most important steps to ensure information remains secure and the data remains private when it’s exchanged?

PRITTS: We look at the governance guidelines as a way for these organizations to start really building a network of trust. One of the ways of doing that is to make sure that everybody understands what their practices actually are – not what they’re legally allowed to do but what their practices actually are with respect to the information. Notice is one of the components of them.

Another piece of this is, depending on what kind of architectural model is being used, the policy committee has felt very strongly about patients having meaningful choice as to whether they participate in certain types of exchange, and that’s another key element – to make sure that there’s been buy-in by the patients in the system. That’s an essential element of trust, that the patients that you’re serving actually know what you’re doing and are comfortable with it.

The post Pairing HIPAA and HITECH Compliance appeared first on SPHER.