
Part Three of the Practical Security Series: Solution

Solutions for cyber security

Note: Number nine pertains to mobile device protection, and a strong password is the best tip. For more information, see http://www.healthit.gov/providers-professionals/cybersecurity

  1. Use Strong Passwords and Change Them Regularly – Visit Microsoft Safety and Security Center to see if your password is strong enough: https://www.microsoft.com/security/pc-security/password-checker.aspx
  2. Install and Maintain Anti-Virus Software
  3. Use a Firewall
  4. Control Access to Protected Health Information
  5. Control Physical Access
  6. Limit Network Access
  7. Plan for the Unexpected
  8. Maintain Good Computer Habits
  9. Protect Mobile Devices
  10. Establish a Security Culture

Protect Mobile Devices

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media—have opened a world of opportunities to untether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

  • Because of their mobility, these devices are easy to lose and vulnerable to theft.
  • Mobile devices are more likely than stationary ones to be exposed to electromagnetic interference (EMI), especially from other medical devices, such as MRI machines. This interference can corrupt the information stored on a mobile device.
  • Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.
  • Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1. Many handheld devices can be configured with password protection, and this should be enabled when available. If password protection is not provided, additional steps must be taken to protect PHI on the handheld, including extra precaution over the physical control of the device.
  • Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). Transmitting PHI unencrypted across public networks (e.g. the Internet, public Wi-Fi services) is permissible only where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt the removable media like the microSD card in your phone.

If it is absolutely necessary to take a laptop out of a secure area when the laptop contains patient data, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, that it is hard to envision a reason that all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to forgo benefits such as safe harbor under federal and state data breach laws.
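As a defender's check for the laptop and removable-media guidance above, here is an added example (not code from the original post, from RISC Management, or from HealthIT.gov): a Python script that reads the block-device tree Linux `lsblk -J` prints and flags every mounted filesystem that is not backed by a dm-crypt (LUKS) layer, calling out removable media such as thumb drives separately. The embedded JSON is a constructed sample; the device names, mount points, and the `BOOT_MOUNTPOINTS` exclusion are assumptions, and the script assumes util-linux's `NAME`, `TYPE`, `RM` and `MOUNTPOINT` field names.

```python
"""Audit whether mounted filesystems on a Linux laptop sit on an encrypted
block layer, using the JSON tree printed by
``lsblk -J -o NAME,TYPE,RM,MOUNTPOINT``. Added example; the sample below is
constructed and does not describe any real machine."""
import json
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,RM,MOUNTPOINT`:
# sda2 is a LUKS container whose mapped device (cryptroot) holds the root
# filesystem, sda1 is an unencrypted EFI system partition, and sdb is a
# removable thumb drive mounted with no encryption layer at all.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "rm": false, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "rm": false, "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "rm": false, "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "rm": false, "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "rm": true, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "rm": true, "mountpoint": "/media/usb"}
     ]}
  ]
}
"""

# Assumed exclusion: boot partitions hold no PHI and are unencrypted by design.
BOOT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def _is_removable(node):
    # Newer util-linux emits JSON booleans; older releases emit "0"/"1" strings.
    return str(node.get("rm")).lower() in ("1", "true")


def _walk(node, encrypted, removable, out):
    """Depth-first walk carrying two inherited flags down the tree: whether any
    ancestor is a dm-crypt layer, and whether any ancestor is removable."""
    encrypted = encrypted or node.get("type") == "crypt"
    removable = removable or _is_removable(node)
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out.append({
            "device": node["name"],
            "mountpoint": mountpoint,
            "encrypted": encrypted,
            "removable": removable,
        })
    for child in node.get("children", []):
        _walk(child, encrypted, removable, out)


def audit_mounts(lsblk_json):
    """Return one record per mounted filesystem with its encryption status."""
    tree = json.loads(lsblk_json)
    records = []
    for dev in tree["blockdevices"]:
        _walk(dev, False, False, records)
    return records


def unencrypted_findings(records):
    """Mounted filesystems that could hold data but have no encryption layer.
    Boot partitions are skipped; removable media get their own finding type,
    since the guidance treats unencrypted thumb drives as unacceptable."""
    findings = []
    for r in records:
        if r["encrypted"] or r["mountpoint"] in BOOT_MOUNTPOINTS:
            continue
        kind = "removable media unencrypted" if r["removable"] else "fixed disk unencrypted"
        findings.append((r["device"], r["mountpoint"], kind))
    return findings


def live_lsblk_json():
    """Capture the real tree from the running system (Linux with util-linux)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,RM,MOUNTPOINT"], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_LSBLK_JSON for live_lsblk_json() to audit the local machine.
    for device, mountpoint, kind in unencrypted_findings(audit_mounts(SAMPLE_LSBLK_JSON)):
        print(f"{kind}: {device} mounted at {mountpoint}")
```

On the constructed sample the script reports only the thumb drive, because the root filesystem inherits encryption from its LUKS parent and the EFI partition is excluded. The same walk generalizes to LVM-on-LUKS layouts, since any `crypt` ancestor anywhere in the chain marks its descendants encrypted.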

Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing them. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be weighed in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.

Sponsored by: RISC Management, www.RISCsecurity.com

Contact us today for all your compliance needs: Sales@RISCsecurity.com

References

About.com. (2014). What makes a smartphone smart? Retrieved from http://cellphones.about.com/od/smartphonebasics/a/what_is_smart.htm

Bloomberg Business Week. (2013). How Samsung became the world’s no. 1 smartphone maker. Retrieved from http://www.businessweek.com/articles/2013-03-28/how-samsung-became-the-worlds-no-dot-1-smartphone-maker

HealthIT.gov. (2014). CyberSecurity: 10 Best practices for the small health care environment. Retrieved from http://www.healthit.gov/providers-professionals/cybersecurity

Hill, M. (2010). 5 Terrifying ways your own gadgets can be used to spy on you. Retrieved from http://www.cracked.com/article_18532_5-terrifying-ways-your-own-gadgets-can-be-used-to-spy-you.html

Home Box Office, Inc. (2014). The Wire. Retrieved from http://www.hbo.com/the-wire#/

Microsoft. (2014). Safety and security center: Create strong passwords. Retrieved from https://www.microsoft.com/security/pc-security/password-checker.aspx

Tech Media Network. (2014). Top Ten Reviews: 2014 Best smartphone reviews and comparisons. Retrieved from http://cell-phones.toptenreviews.com/smartphones/

U.S. Department of Health & Human Services. (2014). Health Information Privacy: Guidance materials for consumers. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

U.S. Department of Justice. (2013). Privacy and civil liberties: Electronic Communications Privacy Act of 1986. Retrieved from https://it.ojp.gov/default.aspx?area=privacy&page=1285


HIMSS14 Closing Remarks

February 27, 2014 Orlando, Florida

It’s all about aligning “the right information with the right people at the right time,” said HIMSS Executive Vice President Carla Smith in her closing message to attendees of the HIMSS14 Annual Conference & Exhibition. The meeting assembled some 38,000 healthcare professionals and 1,200 exhibitors in Orlando for a week focused on patient safety, care quality, access, affordability, privacy, and security.

[Image: HIMSS14 collage]

At HIMSS14 we were educated on the savings from the financial and business end of healthcare, prevention and patient education, electronic information and data sharing, treatment efficiency while providing quality care and safety, and lastly improving the satisfaction of patients, providers, and staff.

In one educational session, a case study was presented from a large, multi-location Federally Qualified Health Center (FQHC) where minors and adults were treated for STDs. The organization had a Business Associate Agreement (BAA) in place with the grant funder and data collector. Computers were then stolen from the grant-funding organization, and it was never determined whether patient data was accessed. It is important to note that, once again, the stolen computers were not encrypted, a risk analysis had not been performed (as we have seen before), and a contingency plan for notification was not in place. The key findings could almost be copied from several previous breach events.

I remember thinking about what Chris Heuman, the Practice Leader of RISC Management and Consulting, tells our clients: “Know why, what and how; meaning understand why you need to protect information, such as regulations, what is required to protect that information, and how to implement and manage those protections.” It is very important to recognize where the HIPAA Privacy and Security Rule and the HITECH Act play a role in safeguarding the confidentiality, integrity, and accessibility of the patient’s protected health information. RISC worked to express that taking care of a patient’s health includes ensuring the privacy and security of their health, personal, and financial information as well. The last thing an individual needs to endure when recovering from or managing a condition is identity theft.

The breach referenced above serves to remind the industry that even the basics have not been addressed across the continuum. Foundational security program elements are still being ignored or abbreviated. It is important to have policies and supporting procedures in place that state the intent of the organization to prevent costly data breaches. Priorities should be approved by management, strategies put in place to implement industry best practice, and subject matter experts in compliance consulted. Always begin by performing a risk analysis and providing workforce training.

  • Develop, approve, publish and train on HIPAA Privacy and Security policies and supporting procedures
  • Say what you are going to do, and do what you said you were going to do
  • Know the role of the Privacy and Security Officers and how they differ
  • Complete a comprehensive Risk Analysis
  • Have a data breach notification policy, develop and test a procedure, and ensure members of the response team are trained
  • Train all members of your workforce, consistently and constantly

The best part of the last day of HIMSS14 was the keynote speaker, Erik Weihenmayer. Weihenmayer is a world-class blind adventurer. He is the embodiment of overcoming adversity and leads an exhilarating and fulfilling life. He was the first and only blind person who made it to the top of Mount Everest in 2008. In this there is a lesson for all of us: with the right drive and desire, training, preparation, and follow-through, we can accomplish what we set out to do regardless of perceived obstacles.

Sponsored by: RISC Management, www.RISCsecurity.com