Archive for the ‘Risk Analysis/Risk Management’ Category

The Office for Civil Rights (OCR) has assessed the largest settlement amount to date against Advocate Health Care Network . The OCR fined Advocate $ 5.55 Million for multiple potential violations of the HIPAA Security Rule.

The investigations that eventually led to the fine were initiated in 2013 after three successive self-reported data breaches by Advocate. Two of the three were related to a Business Associate of Advocate. OCR stated, “This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

The press release and a link to the settlement agreement can be found here. Note that the link to the source document, the settlement agreement itself, stopped functioning a few hours after the press release went out. Please see: http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html 

This settlement reinforces the importance of including all of an organization’s PHI in its risk analysis process, and a review and inclusion of all Business Associates and Business Associate Agreements.

March 16, 2016

From the HHS Press Office
media@hhs.gov

$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

 North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at:http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Risk Management

Risk Management is the practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce or curb the risk.

What Is A Risk Analysis? A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information that your organization may collect, store, process, transmit, or share with others.

After an organization has identified all of the risks to the confidential information that it collects, stores, processes, or transmits, a determination of “What to do with those risk elements?” must be made.

  • Risk Analysis is the First Step
  • Document and Analyze
  • An organization has only four choices to address all risks that are identified

Choices to address all risk elements

Accepting Risk

An organization has the choice to accept identified risk. However, that decision must be made with thorough and comprehensive knowledge of the potential damage or liability that acceptance implies. The acceptance of risk must be made by executive management, and be based upon all of the available information. Executive Management must make this determination clear, and security policies should be updated to reflect the determination.

Transferring Risk

An organization has the choice to transfer the risky behavior or the risk liability to another party. An example of transferring risk might be obtaining data breach insurance so as to reduce the liability in the event a risk is exploited. Another option is to transfer the risky activity to another party. An example of this might be outsourcing all credit card transactions to a third party that accepts the payment for a percentage of the charged amount.

​Eliminating Risk

​Another option includes the complete elimination of a risky activity. If risk cannot be reduced sufficiently so that it is acceptable to executive management, and it is not reasonable to transfer that risk to a third party, then an organization may decide to eliminate the risk entirely. In these cases an organization makes an executive decision that the revenue opportunity is not sufficient to justify the residual risk after mitigation strategies are applied.

​Reducing Risk

​By far the most popular option is risk reduction. Risk reduction is accomplished by many methods. An organization predominantly employs multiple strategies including those above and implementation of reduction strategies and controls.

Organizations might deploy techniques and controls to reduce risk. Controls typically fall into categories such as:

  • Administrative
  • Physical
  • Technical

Controls typically include policies, procedures, practices, processes, technology, logs, checklists, and the like. RISC Management employ experts with extensive experience in these techniques.

RISC Management and Consulting, LLC can assist your organization in identifying, documenting, addressing, and eliminating risk to all your sensitive information. Contact us today to find out how!

This past week, Sutter Health released a statement stating that they are notifying 2,582 patients that personal information was included in billing documents a former employee emailed to their personal account without authorization. For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included.

Despite the incident occurring on April 23, 2013, the breach was only discovered “during a thorough review of the former employee’s email activity and computer access.” The internal investigation began on August 27, 2015, more than two years after the incident. What stands out in this instance was the inability for Sutter Health to discover, mitigate, and remediate this incident within a reasonable timeframe. When it comes to HIPAA, breaches must be reported to HHS and the individuals affected without unreasonable delay and in no case later than 60 days following discovery of a breach or when it reasonably should have been known that a breach occurred.

The last point is key and clearly indicates the need for tools that allow organizations to better understand when PHI or other types of sensitive data leave their network. The best option to track and stop data from leaving your network is a Data Loss Prevention (DLP) solution. In this incident, the third large data breach involving Sutter Health, they have found “no evidence that any of the patient information was used or disclosed to others.” Since the data was sent to a personal email account, it is unlikely, truly impossible, that Sutter Health can determine with 100% certainty that the patient information was not disclosed inappropriately and this is reflected in their offering affected individuals one year of free credit monitoring.

In some other breach cases, however, data is available to forensically determine with certainty what happened after a breach occurred, and sometimes long after a breach occurred. If this is the case, then the information existed when the breach actually occurred. The takeaway in those instances is that logs or other forensic data were not reviewed proactively to catch the breach sooner.  In a digital information world with bigger and bigger data hurtling down the road faster and faster, no one seems to be watching the gauges for trouble!

With the many tools available and the ease with which an employee can move data outside of an organization, a DLP solution is a necessity. Not only would your organization be able to watch sensitive information flowing into, throughout, and out of your network without impacting performance, you can lock down many of those outlets for data leakage. In addition to performing a HIPAA Risk Analysis and publishing policies and procedures, DLP can help your organization maintain compliance with regulations such as HIPAA, Red Flags Rule, PCI, and other state and Federal privacy regulations. As the costs for remediating a breach rise, DLP becomes a more prudent decision that can offer real value as well as peace of mind.

If you are interested in learning more about DLP or other related services, contact RISC Management and Consulting, LLC at 800.648.4358 or visit www.RISCsecurity.com.

 

References

http://news.sutterhealth.org/2015/09/11/sutter-health-informs-patients-of-unauthorized-document-handling-by-former-billing-unit-employee/

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

Challenges of Meaningful Use

Meaningful Use (MU) is the adoption of a certified Electronic Health Record (EHR) technology with a focus on improving quality, safety, efficiency, and reducing health disparities in the clinical/hospital setting. The idea is to increase patient engagement to improve care coordination while maintaining the privacy and security of the patient’s Protected Health Information (PHI).

According to Milan (July 27, 2015) “After a day spent hearing from health IT experts about information blocking practices, Republican Sen. Lamar Alexander, chair of the Senate Health, Education, Labor & Pensions Committee, said Thursday afternoon that he’s asked HHS to consider a delay of Stage 3 meaningful use”. The Department of Health and Human Services (HHS) is the U.S. government’s main agency for enhancing and protecting the health and well-being of all Americans.

Here are some quotes from Senator Lamar Alexander:

“Let’s not impose on physicians and hospitals a system that doesn’t work…”

“We want something physicians buy into, rather than something they dread…”

It is important to update and improve our current way of keeping health records as well as a more appropriate way to share health information with other providers. The quality of the EHR tool becomes the most desirable trait it seems. Remembering HIPAA where the importance of assessing all of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Protected Health Information (PHI) is required. However, each medical provider is unique in their operational environment with their own set of variables and must be factored in to the equation.

Another important piece of information according to McCarthy (July 22, 2015):

“Stage 3 of meaningful use for EHR implementation requires providers to send electronic summaries for 50 percent of patients they refer to others, receive summaries for 40 percent of patients that are referred to them and reconcile past patient data with current reports for 80 percent of such patients. If other providers do not send electronic summaries, however, the provider who was supposed to receive them will fail to meet the second and third requirements.”

Probst (2014) mentioned from an interview that Intermountain Healthcare is Stage 2 Certified in 2014 but will not be attesting at this time.

The Agency for Healthcare Research and Quality (AHRQ, March 26, 2015) provided some research data on barriers to meeting the stage 3 criteria for Meaningful Use:

  • Lack of provider and practice staff time – 69%
  • Complexity of required workflow changes – 68%
  • Difficulty with electronic exchange of information – 65%
  • Direct Financial Costs – 54%
  • EHR design and functions do not easily support care coordination – 51%

Readiness to meet criteria results:

  • Only 11% of those who participated in the research are able to meet all of the criteria

AHRQ’s mission is to “bring about evidence to improve health care quality and safety, increase accessibility, equitability and affordability within the HHS and other partners. Their objective is to ensure that the evidence is understood and employed.

Stages of MU

For more information on Stages of Meaningful Use Click the link above

These are only some views on the subject of Meaningful Use, but there are many standards, policies, ideas that are available from other organizations that might be helpful.

Our work here at RISC Management has enabled us to view firsthand the privacy and security challenges of Meaningful Use, and of course HIPAA and HITECH. These are significant challenges that the Providers must meet, but they are reasonable and attainable.

OFFICIAL RISC Logo

For more information on Risk Analysis Click the link above

References

Agency for Healthcare Research and Quality. (March 26, 2015). Informing stage 3 meaningful use requirements through evidence: Webinar. Retrieved from https://www.youtube.com/watch?v=nQrMKcq0VAM

McCarthy, Jack. (July 22, 2015). Stage 3 meaningful use ignores market realities. Retrieved from http://www.healthcareitnews.com/news/brookings-meaningful-use-stage-3-ignores-market-realities

Meaningful Use. (2015) Definition. Retrieved from http://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives

Miliard, Mike. (July 23, 2015). Senate suggests stage 3 MU delay. Retrieved from http://www.healthcareitnews.com/news/senate-call-stage-3-mu-delay?mkt_tok=3RkMMJWWfF9wsRohuKTPZKXonjHpfsX57e8uUKOylMI%2F0ER3fOvrPUfGjI4GRMVkI%2BSLDwEYGJlv6SgFQ7LHMbpszbgPUhM%3D

Probst (2014). CIO on MU stage 2: Certified but not attesting. Retrieved from http://bcove.me/kt82385m

Promote the National Cyber Security Awareness Month (NCSAM). Get involved and do your part! This is a job for everyone, make an effort to care! The theme for this year is “Our Shared Responsibility”. NCSAM will be observed in October, but make it part of your practice to start today.

Top 5 Reported Cyber Scams

 

 

Staff can do

 

For more information on keeping current on cybersecurity, vulnerabilities, data loss prevention, managing risks, and workforce members training, Contact RISC Management and Consulting, LLC at 800.648.4358 or visit www.RISCsecurity.com

To learn more about Cyber Security visit: https://www.staysafeonline.org/ncsam/landing-page/