Art Gross, President and CEO of HIPAA Secure Now!, participated in an American Osteopathic Association (AOA) webinar on 2015 HIPAA Audits and How to Avoid HIPAA Related Breaches. The recorded webinar is below.
There are a large number of potential attack vectors on any network, and medical devices on a healthcare network are certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given medical device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.
So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:
- Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
- The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
- All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
- Software patches and updates are essential to the continued safe and effective performance of medical devices.
Many device manufacturers are way behind on cybersecurity issues. As an example, many devices are still running on Windows XP today, even though we are one year past the XP support deadline. Manufacturers are often loath to update their software for a new operating system. In other situations, device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate risks around obsolete operating systems, they are unnecessary and costly. Manufacturers should be supporting their products in a commercially reasonable manner.
Why would anyone be interested in hacking into a medical device? Of course there are those who would argue that anything that can be hacked will be hacked, “just because”. While it is possible that hacking could also occur to disrupt the operations of the device, the more likely reason is that getting onto a medical device represents a backdoor into a network with a treasure trove of PHI that can be sold for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements, because manufacturers maintain separate, backdoor access for maintenance reasons. Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware of, or unable to remediate, backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network connected medical devices and analyze the access/credentials that a device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.
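As an added illustration of the SRA step described above (not code from the original post or from HIPAA Secure Now!), here is a small Python triage of a device inventory that applies the points raised: an unsupported operating system such as Windows XP, a vendor maintenance account whose default credentials were never changed, unreviewed third-party remote access, and stale patching. It also reconciles the inventory against hosts actually seen on the device network so that un-inventoried devices surface. Every device name, address, date and threshold is constructed for the example.

```python
"""SRA triage of a networked-medical-device inventory (constructed data)."""
from datetime import date

# Constructed inventory: what the facility believes is on its device VLAN.
INVENTORY = [
    {"name": "blood-gas-analyzer-1", "ip": "10.20.1.15", "os": "Windows XP",
     "vendor_remote_access": True, "vendor_creds_changed": False,
     "phi": True, "last_patch": "2013-06-01"},
    {"name": "pacs-server", "ip": "10.20.1.20", "os": "Windows Server 2012",
     "vendor_remote_access": True, "vendor_creds_changed": True,
     "phi": True, "last_patch": "2015-05-01"},
    {"name": "xray-console", "ip": "10.20.1.31", "os": "Windows 7",
     "vendor_remote_access": False, "vendor_creds_changed": True,
     "phi": True, "last_patch": "2014-11-15"},
]
# Constructed snapshot of hosts actually observed on the same VLAN
# (for example from DHCP leases or a switch ARP table).
OBSERVED_HOSTS = {"10.20.1.15", "10.20.1.20", "10.20.1.31", "10.20.1.44"}

UNSUPPORTED_OS = {"Windows XP"}   # vendor support ended April 2014
PATCH_STALE_DAYS = 180            # assumed policy threshold
ASSESSMENT_DATE = date(2015, 6, 1)


def assess_device(dev, today=ASSESSMENT_DATE):
    """Return (risk_level, findings) for one inventoried device."""
    findings = []
    if dev["os"] in UNSUPPORTED_OS:
        findings.append("unsupported OS: no security patches available")
    if dev["vendor_remote_access"] and not dev["vendor_creds_changed"]:
        findings.append("vendor maintenance account still uses default credentials")
    elif dev["vendor_remote_access"]:
        findings.append("vendor remote access: review, restrict and log sessions")
    patch_age = (today - date.fromisoformat(dev["last_patch"])).days
    if patch_age > PATCH_STALE_DAYS:
        findings.append(f"last patch applied {patch_age} days ago")

    # A device holding PHI with an unpatchable OS or an unchanged vendor
    # backdoor is the "weak link": treat it as high regardless of other factors.
    critical = dev["phi"] and (dev["os"] in UNSUPPORTED_OS
                               or (dev["vendor_remote_access"]
                                   and not dev["vendor_creds_changed"]))
    level = "high" if critical else ("medium" if findings else "low")
    return level, findings


def uninventoried_hosts(inventory, observed):
    """Hosts seen on the network that no inventory record accounts for."""
    known = {d["ip"] for d in inventory}
    return sorted(observed - known)


def sra_report(inventory=INVENTORY, observed=OBSERVED_HOSTS):
    """Per-device risk levels plus the un-inventoried hosts the SRA must chase."""
    devices = {d["name"]: assess_device(d) for d in inventory}
    return {"devices": devices,
            "uninventoried": uninventoried_hosts(inventory, observed)}


if __name__ == "__main__":
    report = sra_report()
    for name, (level, findings) in report["devices"].items():
        print(f"{name}: {level}")
        for f in findings:
            print(f"  - {f}")
    print("not in inventory:", report["uninventoried"])
```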
Now that the 2015 HIPAA Audits have begun, organizations are reevaluating their HIPAA compliance posture. This is a good thing, because an organization will have very little time to respond to pre-audit and audit inquiries from the Office of Civil Rights (OCR).
On the other hand, some organizations are evaluating the risk of being selected and might conclude that the risk is low. These organizations might decide that the low risk is not worth the effort to ensure HIPAA compliance. The risk of being selected by the IRS to audit your tax return is very low but most people and organizations file their taxes. Why is this the case? People fear the IRS. They fear the hassle associated with an IRS audit, they fear the penalty associated with an IRS audit and they fear the consequences of failing an IRS audit.
Right now people don’t really fear OCR or HIPAA audits. I am pretty confident that people didn’t fear the IRS audits when they first started. It took a few years and some very high profile cases, including putting people in jail, to get people to worry about IRS audits and ensuring that they are properly filing their tax returns. It is not hard to see an analogy with the start of the HIPAA audits. The question that organizations need to ask themselves is:
Do I want to be a high profile example if my organization is selected for a HIPAA audit?
There is no denying that the chance of being selected for a HIPAA audit is low. But a random audit is only one of the ways that OCR could investigate an organization. Let’s take a look at some of the other ways that an organization can come under the HIPAA microscope.
If an organization has a data breach (a lost laptop, or a hacker stealing protected health information (PHI)), OCR may decide to investigate the incident. If OCR starts an investigation, they will want to see what safeguards the organization had in place prior to the data breach. It is almost guaranteed that OCR will want to see the following:
- The most recent HIPAA Security Risk Assessment (SRA) and documented work plan to address any issues discovered in the SRA
- Evidence of documented HIPAA Security and Privacy Policies and Procedures (including evidence that the organization has implemented and is following the Policies)
- Evidence that employees have received periodic HIPAA Security and Privacy training (this should be ongoing training that occurs at least once a year)
- Evidence of a security incident response plan
Business Associate Data Breaches
A data breach by a Business Associate may cause OCR to investigate the Covered Entity. If a billing company or IT support organization has a data breach there is a good chance that OCR will investigate both the Business Associate as well as the Covered Entity. The question that organizations need to ask themselves is:
Besides signing a Business Associate Agreement, do I have any proof that my Business Associate is protecting PHI that we disclose to them?
Another way that OCR may open an investigation into an organization’s HIPAA compliance is if a patient or former patient files a complaint. The patient may feel that their privacy or the security of their data has been breached and can file a complaint with OCR. OCR evaluates each of the complaints that have been filed and decides if they will investigate the organization.
Employees or former employees may feel that their employer is not protecting PHI and could file a complaint against the organization.
Organizations that are participating or have participated in the CMS Meaningful Use (MU) Incentive Program can be audited by CMS or the Office of Inspector General (OIG). A common reason for failing a MU audit is the lack of a Security Risk Assessment (SRA), or the lack of a thorough SRA and a documented work plan to address any issues discovered in the SRA.
With over 100 million patient record breaches in the last few years it should come as no surprise that the government is increasing HIPAA enforcement. We have an epidemic of patient record breaches and the need to protect this very sensitive information is apparent. Organizations can no longer ignore HIPAA. Proper safeguards and increased security are needed to protect PHI. It is a lot easier and cheaper to proactively implement HIPAA requirements than it is to respond when OCR comes knocking on your door.
HIPAA Secure Now! Appoints Jonathan Krasner to Head Business Development, Grow MSP Partner Base, Help Partners Succeed
Krasner brings 25 years of IT and seven years of Healthcare IT, HIPAA and Meaningful Use experience to HIPAA Secure Now!
Morristown, NJ (PRWEB) June 04, 2015
HIPAA Secure Now!, a HIPAA compliance service provider, has named Jonathan Krasner to the position of Director of Business Development.
Krasner was hired to expand the company’s MSP (managed service provider) partner program and nurture those relationships. Krasner will help partners grow their businesses and increase sales of HIPAA Secure Now’s award-winning risk assessment, policies and procedures, and employee training program to their medical practice clients.
Krasner brings 25 years of IT and seven years of Healthcare IT, HIPAA and Meaningful Use experience to HIPAA Secure Now!, with positions held in account management, business development, strategic planning and consultative selling.
Most recently Krasner was director of sales at BEI Networks, a successful MSP in the Washington D.C. area, where he brought on more than 50 healthcare provider clients. He also sold HIPAA Secure Now!’s privacy and security services to help them maintain HIPAA compliance.
“Jonathan understands physicians’ businesses and especially the challenges they face meeting HIPAA requirements in the world of electronic health records,” Gross said. “He proved his knowledge by landing more than 20 accounts in the first four months of selling HIPAA Secure Now!, including performing risk analyses for clients. Jonathan brings focused HIT, HIPAA and direct MSP experience to our company.”
HIPAA Secure Now! reached a milestone of 200 partners as of May 2015. As the company continues to recruit MSPs to join its member program, Krasner will make sure each partner is successful by showing them how to differentiate their companies and compete in the marketplace. He will train partners in selling HIPAA Secure Now! to generate more business and to upsell to existing clients by offering HIPAA risk analysis and add-on IT services, such as encryption.
“At BEI our customers were always asking for HIPAA compliance services. After trying out multiple products, HIPAA Secure Now! finally met our criteria. It was affordable, timesaving, easy to use and didn’t require the client to be HIPAA experts.
“What HIPAA Secure Now! offers is a new concept – a complete set of compliance services that are done well for the masses. And it’s the right time for the product, with the increase in audits and patient data breaches.”
About HIPAA Secure Now!
HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009. The company’s all-in-one solution provides risk assessment, which also satisfies Meaningful Use requirements, as well as privacy and security policies and procedures, and training. HIPAA Secure Now! moves customers toward HIPAA compliance quickly and easily, and protects them in the event of an audit. Customers complete the entire process in two to three hours, and regularly comment that it is painless and has made HIPAA compliance very easy. For more information visit http://www.HIPAASecureNow.com.
There has been a lot of talk about the next round of HIPAA Audits. While the rollout of the audits has been delayed a few times, it now looks like they are about to start. The clear sign is that the pre-audit survey has been approved by the Office of Management and Budget (OMB). Below is information that has been submitted for approval regarding the pre-audit survey:
Information that we know
The amount of organizations that will receive the pre-audit survey: 500
Estimated amount of time required to complete the pre-audit survey: 30 minutes
What questions will be asked: Here is a link to the pre-audit survey (PDF)
While we don’t know the exact date of when the audits will start, we do know that they are much closer and could begin any day.
Starbucks has a big problem. Don’t worry, they will still sell you their $5 cup of coffee. The problem they are dealing with is the repercussions of a data breach. The breach is connected with Starbucks’ mobile app. The Starbucks mobile app makes it incredibly easy to buy a cup of coffee. Customers love the convenience and it helps to sell millions of cups of coffee. Here is a look at the details of the data breach:
Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.
It should be noted that this breach did not affect millions of customers like the Home Depot or Target data breaches. And in some ways the breach may not be totally Starbucks’ fault: the breach may have been possible because customers use weak passwords that are easy to guess, although the full details of how and why the breach occurred have not been released yet.
The real issue here is that Starbucks is experiencing very real damage to their reputation. Yesterday two colleagues emailed me about the Starbucks breach, I was tagged on three Facebook posts regarding the breach, and my Twitter feed was loaded with details of the breach. It can be said the breach is “going viral”.
One of the news articles that was sent to me contained quotes from breach victims:
Obando, who works in a Houston high school’s technology department, said he disabled the app.
“I think it’s too easy to dip into someone’s bank account,” she said. “The Starbucks app’s security measures need to be updated.”
Overton has since removed the Starbucks app from her phone as well.
If Starbucks’ customers decide to remove the app from their phones because they no longer trust the security measures that are in place, this will have a real impact on Starbucks. They have spent millions on building and marketing the application. The perceived benefits of the application that customers have will be lost.
Many clients of ours are worried about regulatory (HIPAA) or industry (PCI) fines they may receive if they have a data breach. The real concern should not be on fines but on what the impact to their reputation will be, what the impact on their revenue will be and what the impact on their customers / clients / patients will be.
If you look around you will see the overwhelming amount of mobile devices that are in use today including laptops, smartphones and tablets. Many organizations allow employees to use their own smartphones or laptops to access the organization’s email, network and data. Clients are starting to understand the risk of these devices and many have asked us the following question:
What does HIPAA say we should do to protect employee owned devices?
It is a good question and one that shows the well placed concern about all of these devices and the data that is accessed or stored on them. Clients are always looking for guidance and advice, especially when it comes to taking the complex HIPAA regulations and distilling them down to understandable, actionable items.
Here is the bad news – HIPAA doesn’t say anything about these devices!
Back to the future – 2003
The first thing to realize is that the HIPAA Security Rule was written in 2003. Yep, 2003 which was 4 years before the first iPhone was released. Laptops started around $1,300 and were much heavier than they are today. A tablet was a stack of paper that was used for writing.
Doing a quick search of the HIPAA Security Rule Final Text reveals a few interesting things:
- The word “Smartphone” is not found in the Security Rule
- The phrase “Mobile Device” is not found in the Security Rule
- The word “Email” is not found in the Security Rule
- The word “Texting” is not found in the Security Rule
- The word “Laptop” is mentioned once in the Security Rule and only in reference to what a “Workstation” means
Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting how do organizations know what is required to protect these devices? While there may not be specific guidance, the HIPAA Security Rule is clear that the required Security Risk Assessment needs to take an inventory of where protected health information (PHI) is accessed or stored AND “reasonable safeguards” need to be implemented to protect the data. Basically it says that if there is data on these devices then the data needs to be protected.
Let’s go back to employee owned devices. These devices are usually referred to as Bring Your Own Device or BYOD. A lot of organizations let employees use their own devices because it is cheaper than having to purchase laptops or smartphones for employees. Employees like BYOD as well because they can use the same personal device for business and not have to have both a personal and business laptop or smartphone.
While BYOD seems good for everyone, there is a common misconception: if an employee loses a personally owned device with PHI, the organization would not be responsible for the potential data breach.
This misconception is very widespread. Unfortunately, if an organization’s PHI is on a device and the device is lost, stolen or breached regardless of who owns the device, the organization is responsible for the data breach. Employee owned devices do not relieve an organization of its responsibility to protect the data.
Organizations need to put in place BYOD Policies that put clear guidelines around how personally owned devices should be used and the safeguards that should be in place to protect any data on the devices. BYOD Policies should include:
- Who is permitted to use a personally owned device and what authorization is required?
- What devices are permitted and what are not permitted?
- What data is allowed to be accessed or stored on the devices?
- Whether encryption is a requirement (it should be!)
- What happens if the device is lost or stolen?
- What steps should be taken before an employee disposes of the device including wiping any PHI that is on the device (think about an employee upgrading a smartphone and selling the old phone on eBay)?
- What rights the organization has to wipe the data from the device if it is lost or stolen? A key issue here is that personal data may be wiped or deleted along with the organization’s data.
- What happens to the data on the device if the employee is terminated?
The trend towards BYOD and personally owned devices is not reversing anytime soon. More and more personally owned devices will be in use in the coming years and more and more sensitive data will be on these devices. Organizations face a real challenge protecting personally owned devices. Having clear policies is the first step to managing personally owned devices and minimizing the risk of a data breach due to a personally owned device.
The Office of the National Coordinator for Health Information Technology has just released a valuable resource called:
Here is a look at the information included in the guide:
Understand a HIPAA / Meaningful Use
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
to better understand the HIPAA Risk Assessment process
The U.S. Health and Human Services Department’s Office of Inspector General (OIG) will begin auditing individual providers to determine if they met Meaningful Use requirements.
Currently the Centers for Medicare & Medicaid Services (CMS) is auditing providers through contractor Figliozzi & Co. The CMS audits look to see if providers met the Meaningful Use measures for a 1 year period (attestation period). The OIG audits will look at certain measures but over a three year period.
According to a story over at FierceEMR, the OIG audits will look at:
- Whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money
- How well CMS oversees the Meaningful Use payments being made
- CMS oversight of hospitals’ security controls over networked medical devices that are integrated with EHR systems
- Whether covered entities and business associates, such as cloud services and other “downstream service providers,” adequately secure electronic patient protected health information created or maintained by certified EHR technology. The OIG specifically states that hospitals must conduct security risk analyses
- The extent to which hospitals have EHR contingency plans, as required by HIPAA’s security rule
If providers fail the OIG audit they may need to return multiple years of Meaningful Use incentive funds.
However, if OIG determines that a provider has received incentive payments to which it is not entitled, the provider will have to repay it, Gottlieb says. Several Massachusetts hospitals will need to repay their incentives as a result of the Massachusetts audit.
We are already seeing many clients being audited for Meaningful Use through the CMS audits. The OIG audits will add more pressure and scrutiny to Meaningful Use incentive funds that providers have received. Just remember, what the government gives out, the government can take away.
Today started like every other day until I opened an email from a client. Below is an excerpt of the email:
I won the audit.
Many thanks to you.
I have been giving out your website and phone # to everyone I know.
I cannot thank you enough.
We help a lot of clients with Meaningful Use audits and it is always good to hear when they passed their audit. And when you get an email like this, it is a great way to start your morning.