Archive for December, 2013

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.

 

Modernizing your systems and keeping up to date is a daunting task in the healthcare industry. However, upgrades, replacements, or modernization of systems is the best option to improve data security and ensure optimal provision of healthcare services.

Informatics

Informatics is a broad term that includes a myriad of focus areas to meet the evolving needs of technology. There are various fields of study being offered such as social informatics, cheminformatics, security informatics, bioinformatics, and health informatics to name only a few. Degrees are available including a Bachelor of Science in Informatics where a student can study basic concepts of software architecture, a Master of Science in Informatics, and a Ph.D. in Informatics. The internet provides descriptions of many universities offering informatics such as Vanderbilt University School of Nursing, Chamberlain College of Nursing, the University of Michigan, and many more.

In healthcare those in the field of informatics are referred to as clinical informatics. Many clinical informatics are physicians, nurses, and other health care staff who received augmented training in the application of technology to investigate issues in their field. In addition, they are able to interpret, analyze and substantively use electronic health record technology to provide efficiency along with safety in their clinical practice. Knowledge of workflow and project management comes into play as well.

The HIMSS14 Sneak Peek, is a great starting place for those interested or curious about this evolving field. Parker (2013) the Chief Nursing Informatics Officer for Rubbermaid Healthcare, stated her reasons for attending including obtaining her required continuing education as well as the social aspect of networking. Researching new ideas is the main focus why Rabinowitz (2013), Director of Federal Markets, Socrata will attend HIMSS14. He said healthcare data can make the largest contribution in five areas: improving standards of living, improving quality of care, improving provider access, improving value, and improving access to innovation. Rabinowitz (2013) is an advocate for evidence based medicine and innovation.

HIMSS14 will be held in Orlando, Florida with the Nursing Informatics Symposium starting on Saturday, February 22nd, 2014. However, the actual start date begins Monday, February 24th. For more information please visit: http://www.himssconference.org/

Sponsored by: RISC Management, www.RISCsecurity.com

References

Parker, C.D.(2013). HIMSS14’s value to clinicians: It’s more than a shopping trip. Retrieved from http://www.himss.org/News/NewsDetail.aspx?ItemNumber=26241

Rabinowitz, S. (2013). Using health data in innovative ways. Retrieved from http://www.himss.org/News/NewsDetail.aspx?ItemNumber=26242&navItemNumber=17425

by CJ Michael

One of the most difficult systems to manage is change. Every organization undergoes change in their applications or operating environment; it is difficult to stay relevant in your industry without keeping up-to-date. One of the most convincing reasons to implement a formal process to document and approve changes is that it really only takes one oversight to create chaos in your organization and unintentionally expose information security problems.

Change control can be defined as “a formal process used to ensure that changes to an application or system are conducted in a systematic, controlled, and coordinated manner.”1 The benefits of having a system for implementing changes in the organization are numerous and include reducing unauthorized changes and/or downtime, improving communication, maintaining system integrity, and preventing unnecessary security exposures. These benefits can translate into better sales, improved margins, and a more productive workforce. In determining the processes to follow for tracking and approving changes, an organization-wide decision must be made with risk management in mind. Consider any current processes in place and their effectiveness or what change tracking system is most compatible with existing infrastructure. Remember that the goal of a project like this is to improve processes, not make them more difficult or complex!

Change control is a “standard method and set of procedures for handling changes within the IT environment to help minimize risk to the business” and is a part of the more comprehensive discipline of change management. When employing a change management system, your organization should consider including all or most of the following steps for effective change management. This is a pattern recommended by Michelle Bigelow, contributor to Implementing Information Security in Healthcare: Building a Security Program.

  • A change is requested
  • The change is reviewed
  • The change is either approved for testing or denied
  • An approved change request is tested
  • The change is documented
  • The change is scheduled
  • Information about the change is communicated to all affected parties
  • The change is implemented
  • The change is evaluated
  • Technical vulnerabilities are assessed
  • The change control database is updated

This is a very high-level process for managing changes within your organization. There are many other potential steps that are necessary depending on the importance of the system or regularity of the changes or updates. Unfortunately for many organizations, a lack of controls and documentation around change management is adding to risk exposure on a daily basis. If this type of program is something that your organization needs, please contact RISC Management for assistance. Remember that with any security program decision, the first step is always a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program