Data Breach, Education, HIPAA / HITECH Enforcement, Tip of the Week, Trends & Technology

Part Three of the Practical Security Series: Solution



Solutions for cyber security

Note: Number nine pertains to Mobile Device protection, and a strong password is the best tip. For more information

  1. Use Strong Passwords and Change Them Regularly – Visit Microsoft Safety and Security Center to see if your password is strong enough:
  2. Install and Maintain Anti-Virus Software
  3. Use a Firewall
  4. Control Access to Protected Health Information
  5. Control Physical Access
  6. Limit Network Access
  7. Plan for the Unexpected
  8. Maintain Good Computer Habits
  9. Protect Mobile Devices
  10. Establish a Security Culture

Protect Mobile Devices

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media— have opened a world of opportunities to un-tether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

  • Because of their mobility, these devices are easy to lose and vulnerable to theft.
  • Mobile devices are more likely than stationary ones to be exposed to electro-magnetic interference (EMI), especially from other medical devices, such as MRI machines. This interference can corrupt the information stored on a mobile device.
  • Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.
  • Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1 . Many handheld devices can be configured with password protection and this should be enabled when available. Additional steps must be taken to protect PHI on the handheld, including extra precaution over the physical control of the device, if password protection is not provided.
  • Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). PHI transmitted unencrypted across public networks (e.g. the Internet, public Wi-Fi services) can be done where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt the removable media like the microSD card in your phone.

If it is absolutely necessary to take a laptop out of a secure area when the laptop contains patient data, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, it is hard to envision a reason that all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to ignore the benefits such as safe harbor from federal and state data breach laws.

Policies specifying the circumstances under which devices may be removed from the facility are very important and all due care must be taken in developing and enforcing these. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be considered in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.

Sponsored by: RISC

Contact us today for all your compliance needs:

References (2014). What makes a smartphone smart? Retrieved from

Bloomberg Business Week. (2013). How Samsung became the world’s no. 1 smartphone maker. Retrieved from CyberSecurity: 10 Best practices for the small health care environment. Retrieved from

Hill, M. (2010). 5 Terrifying ways your own gadgets can be used to spy on you. Retrieved from

Home Box Office, Inc. (2014). The Wire. Retrieved from

Microsoft. (2014). Safety and security center: Create strong passwords. Retrieved from

Tech Media Network. (2014). Top Ten Reviews: 2014 Best smartphone reviews and comparisons. Retrieved from

U.S. Department of Health & Human Services. (2014). Health Information Privacy: Guidance materials for consumers. Retrieved from

U.S. Department of Justice. (2013). Privacy and civil liberties: Electronic Communications Privacy Act of 1986. Retrieved from

Education, Tip of the Week, Trends & Technology, Upcoming Events

Informatics Data Security and HIMSS14

Modernizing your systems and keeping up to date is a daunting task in the healthcare industry. However, upgrades, replacements, or modernization of systems is the best option to improve data security and ensure optimal provision of healthcare services.


Informatics is a broad term that includes a myriad of focus areas to meet the evolving needs of technology. There are various fields of study being offered such as social informatics, cheminformatics, security informatics, bioinformatics, and health informatics to name only a few. Degrees are available including a Bachelor of Science in Informatics where a student can study basic concepts of software architecture, a Master of Science in Informatics, and a Ph.D. in Informatics. The internet provides descriptions of many universities offering informatics such as Vanderbilt University School of Nursing, Chamberlain College of Nursing, the University of Michigan, and many more.

In healthcare those in the field of informatics are referred to as clinical informatics. Many clinical informatics are physicians, nurses, and other health care staff who received augmented training in the application of technology to investigate issues in their field. In addition, they are able to interpret, analyze and substantively use electronic health record technology to provide efficiency along with safety in their clinical practice. Knowledge of workflow and project management comes into play as well.

The HIMSS14 Sneak Peek, is a great starting place for those interested or curious about this evolving field. Parker (2013) the Chief Nursing Informatics Officer for Rubbermaid Healthcare, stated her reasons for attending including obtaining her required continuing education as well as the social aspect of networking. Researching new ideas is the main focus why Rabinowitz (2013), Director of Federal Markets, Socrata will attend HIMSS14. He said healthcare data can make the largest contribution in five areas: improving standards of living, improving quality of care, improving provider access, improving value, and improving access to innovation. Rabinowitz (2013) is an advocate for evidence based medicine and innovation.

HIMSS14 will be held in Orlando, Florida with the Nursing Informatics Symposium starting on Saturday, February 22nd, 2014. However, the actual start date begins Monday, February 24th. For more information please visit:

Sponsored by: RISC Management,


Parker, C.D.(2013). HIMSS14’s value to clinicians: It’s more than a shopping trip. Retrieved from

Rabinowitz, S. (2013). Using health data in innovative ways. Retrieved from

Data Breach, Education, HIPAA / HITECH Enforcement, Social Media

Social Media’s Effect on HIPAA Privacy and Security

ImageRISC Management was recently featured as a guest blogger on Online Tech’s website discussing social media and its effect on HIPAA Privacy and Security. The full article can be found by clicking on the following link.

Data Breach, Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Social Media

Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice.
The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a data breach of health information affecting 441 patients.

Mobile devices collage
The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients had been stolen in June 2010.
Field workers for the hospice use laptops containing patient information as a regular component of their workflow. In an investigation by the Department of Human Services’ Office for Civil Rights, it was revealed the hospice had not conducted a risk analysis to safeguard the electronic patient information and didn’t have policies or procedures to address mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.
The HIPAA Security Rule and HITECH Act Data Breach requirements mandate the existence policies and the reporting of inappropriate or unauthorized access to PHI or ePHI called breaches. The Health Information Technology for Economic and Clinical Health Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information of 500 individuals or more to the government and the media within 60 days after the discovery of the breach, or when the breach should have been discovered. Smaller breaches affecting less than 500 individuals must be reported to the secretary of Health and Human Services on an annual basis.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” RISC Management’s stance on encryption is that implementation has become easy enough, and cost has been reduced enough, that choosing not to implement encryption is difficult to justify. With the exception of “legacy systems” that were developed long before data encryption was readily available, there are few relational database platforms or operating systems that don’t support encryption today. And even for those systems, there are third party applications and technology that can implement encryption in such a manner that it both provides safe harbor, and, does not require the rewriting of legacy applications.
The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.
The Department of Health and Human Services provides tips to physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work here (visit
RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.

Data Breach, News Events

How a Stolen Computer Could Cost You Millions

When a thief broke into “Breaking Bad” star Bryan Cranston’s car earlier this year and took his iPad and a script from the show’s coming season, the media seized on the potential secrets that had been leaked.

For health care providers, secret leaking can have far more serious consequences than making the news on “Entertainment Tonight” or bad TV ratings; violating patients’ rights to privacy can mean literally millions of dollars in fines.

A Massachusetts medical care provider was ordered last fall to pay the federal government $1.5 million to settle potential violations of the Privacy and Security Rules of 1996’s Health Insurance Portability and Accountability Act (HIPAA).

The case began when a laptop with unencrypted, protected health information – including prescriptions and clinical data – was stolen.

In announcing the settlement, the Department of Health and Human Services stated that Massachusetts medical care provider had “failed to take necessary steps to comply with requirements of the HIPAA Privacy and Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that [the firm] created, maintained and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”

Proper security protocols can ensure your firm protects the privacy of your patients and stays on the good side of the Department of Health and Human Services.

Have questions or concerns? RISC Management and Consulting can help. Contact us today.