Online Tech is liveblogging from the Michigan HIMSS 2012 Fall conference, HITECH Status in Michigan: Navigating the Future of Electronic Health Records at the Crown Plaza Hotel Detroit-Novi. Stay informed with our updates throughout the conference!
If you’re attending, don’t miss Online Tech President and COO Mike Klein’s presentation, Security and Compliance for Processing Facilities, at 10:30AM ET with Gail Einhaus, Compliance, Education and Privacy Officer of Trinity Health.
9:00AM – Keynote Presentation: HITECH: Evolving to the Next Stage
Mary Griskewicz, MS & HIMSS fellow, Senior Director Healthcare Information Systems, will kick off the MI HIMSS conference momentarily!
Some memorable quotes:
Mary’s challenge for those in healthcare: how will YOU bring meaning to #MU Meaningful Use? How will what you do today help patients, reduce costs, or improve care?
When you realize a small hospital can have over 100 different info systems, it’s no wonder #MU2 stresses “exchange” and “interoperability”.
Think internet connectivity isn’t holding healthcare back? Some clinicians still need 1G. – Mary Griskewicz, FHIMSS
We don’t need to invest in infrastructure? “Most countries in Africa have better internet connectivity than the rural US.” – Mary Griskewicz.
Michigan: until our physicians can answer what % of their patients received their flu shot, we have a LOT more #MU & #MU2 work ahead of us.
10:00 AM – Mike Klein discussing Security & Compliance for Processing Facilities
Security and Compliance for Data Center Facilities:
Which audit should you look for? SSAE 16 is taking the place of SAS 70 as a new standard with the addition of attestation.
Mike is discussing the differences between the audits on offer, and the main differences in the components each audit covers. It’s important to ask your data center operator for its audit report. Sign a non-disclosure agreement, then ask for the SSAE 16 report to get the most information about what the operator is going to do to secure your data.
PCI DSS is very prescriptive and includes some unnecessary costs and complexity. It requires an independent audit. However, HIPAA is specific to PHI (protected health information), and is not as prescriptive. It is much more about people, and the training that you follow. That includes how you manage a breach. It also includes physical, technical and administrative safeguards.
CE (Covered Entity) vs. BA (Business Associate) Responsibilities
Do BAs (business associates) understand HITECH? Some do and some don’t. We [Online Tech] will never open a data file; opening a file is a fireable offense. It’s important to know who owns what when it comes to data. Other business associate and covered entity responsibilities that are important to clarify include the timeline for breach notification, advance preparation, and breach insurance.
Beware of data centers that claim to be ‘HIPAA Certified’…you can’t do it. You can be ‘HIPAA compliant,’ which means that they’re going to help with audits or breaches. ‘HIPAA certified’ doesn’t necessarily mean that they’ve been audited, so be sure to ask for their audit report.
Compliance is a culture, not just a checkbox. Being process-oriented and being transparent with your clients are values of a compliant culture.
HITECH Impact Admin Safeguards include:
Risk analysis and management
HIPAA training (training for every employee)
Disaster Recovery (we provide this for all customers, colo to cloud)
Solid Business Associate Agreement (there are a lot of things that can’t go into a BAA)
Technical Safeguards include:
Antivirus (will not sign BAA unless the CE has anti-virus)
Data Encryption (different in HIPAA and PCI. Not required for HIPAA. Highly recommended for mobile devices)
Physical Safeguards include:
Facility Security
Offsite backup and DR (we require that HIPAA folks have DR in order to sign BAA)
Proper Data Destruction and Disposal (what happens when we turn down these servers? If you lose your drives, how do you guarantee that the data has been destroyed?)
Show me the HIPAA report. If someone’s not going to show you the report, you should be asking the tough questions.
Win-Win culture:
Compliance, Trust, Process-Oriented, Transparency, Embraces Independent Input. Culture is extremely important to make sure that you’re getting all the tools at your fingertips so you can be sure you know what’s going to happen with your data.
Most people are just looking for their checkmark, but it’s not their business like it is for us. It’s key to understand the technology. You may or may not want some of those safeguards, but you need to be knowledgeable of what they are so you can make an informed decision.
Business Associate HIPAA Compliance – Impact on the Business Associate and Covered Entity:
Speakers: Joe Dylewski of Health Care Management and Meredith Phillips
Joe: Defining the ‘certain functions or activities’ safeguards: people are seeing them as vague language. HITECH: Health Information Technology for Economic Recovery and Reinvestment Act was developed to educate and enforce HIPAA and meaningful use.
The idea of security was out there, but there was no one to enforce it, before HITECH.
A few changes include:
Physician attestation for meaningful use
Office for Civil Rights is now auditing for meaningful use
Improved enforcement
HIPAA ignorance no longer tolerated.
BAs (business associates) now have the same responsibilities as CEs (covered entities) they service
When it came to breaches with 500+ people affected, not only did they have to report it, but the media had to be notified as well.
BAs were involved in 58% of breaches. From the CE’s perspective:
Increased effort and decreased risk.
When a breach happens, even if a BA is involved, the CE is still responsible. It’s necessary to have a BAA (business associate agreement) in place if you’re working with a BA.
The CE needs to have done some sort of due diligence: conducting a risk assessment, then seeing that the BA is working toward compliance, and, as the last step, having proof of HIPAA compliance.
Common Qs:
Is the CE responsible for their BA’s HIPAA compliance, and vice versa? No
Is the CE responsible for engaging in relationships with HIPAA compliant BAs? Yes
If the BA claims HIPAA compliance, does this imply that the CE is HIPAA compliant? No – the CE has their own responsibility to be compliant.
Protected Health Information is being touched by potentially:
EMR
DR site
Physician Practice
IT services of practice
Document Destruction of practice
Data center
Health System
Lab
These all need to be compliant.
What constitutes compliance?
Policies
Privacy/security
Proof (most important, to be able to show that the policies and securities are in place, and being able to show how you execute that)
Who enforces HIPAA compliance?
US Dept. of Health and Human Services
Office for Civil Rights
Individual state’s Office of The Attorney General
Speaker: Meredith R. Phillips, CHC, CHPC, Chief Privacy Officer of the Henry Ford Health System
Data Breach Responses Involving Business Associates
The HFHS Landscape:
Founded in 1915 and has:
4 acute care facilities
1200 member medical group
Health plan serving 640,000 members
Home health, retail pharmacy, optical care, Hospice, Occupational Health, Extended care divisions
In 2011:
Awarded the Malcolm Baldrige National Quality Award (a big part of that was being transparent about the struggles they’ve had within their system)
Around 31,000 workforce members
3.3 million outpatient visits
around 550 BAs
Now everything is streamlined, standardized, and centralized.
Vendor Compliance: the group that manages BAAs to make sure HFHS doesn’t agree to vendor terms it isn’t comfortable with. They take part in notification in the event of a breach. They created a manual process for conducting breach risk assessments and applied it to previous breaches to vet the approach, and created a plan to notify all known BAs about the HITECH implications. Your exposure is not going to come from someone breaking into the network. Exposure is going to come from someone making a spreadsheet, and then saving it on a device that gets lost or stolen.
They created an HFHS-branded data breach response program so that workers could get more information and understand what the program does and what the protocol is in the event of a breach. That way people can react appropriately. They decided it was the hospital’s responsibility to educate each BA on what its responsibility is in order to protect patient data.
Lessons Learned:
BAs don’t always understand the requirements, and you are the ‘protector’ of the data
Ensure incident response plan is communicated effectively to BAs
Document any education or risk assessments that you provide or conduct on your BAs
Ensure your BAA gives you the ability to terminate the relationship, with no penalty to you, in the event of a breach or a failed risk assessment.
Things to Consider:
Assess your organization’s culture to determine the best approach for BA breach response
Risk tolerance assessment
Rapid response teams
Branding opportunities
Communication strategy
Breach response partners
Continuous education
Elimination of immediate risk (the low hanging fruit. Get encrypted flash drives, for example.)
Implement the following formalized programs:
BA educational program
BA risk assessment program
IT Security – Indirect Threats to Patient Data
Adam Goslin, Chief Operations Officer with High Bit Security
IT security trends:
Medical community targeted
Increase in small-scale breaches (different from the past, when big businesses were the targets. Now, bigger businesses have raised their security bar, so attackers have moved to smaller businesses where security is still lagging)
Lost/stolen devices (phones, laptops, tablets)
Social networking exposure (causing problems by exposing data more easily and frequently)
Data encryption (not the end-all solution)
Data breach notification regulations
Mobile threats (with the upswing in mobile devices comes an upswing in mobile device insecurities and vulnerabilities)
Critical infrastructure attacks
Consumers leave/avoid after security attack
Recent medical security events:
9.12.12 CSO for Alaska Dept. of Health fined $1.7M
8.31.12 Cancer Care Group 55,000 records exposed
7.25.12 15% of FDA medical device recalls raise security and privacy concerns
6.15.12 Memorial Sloan-Kettering Cancer Center gives patient data away via PowerPoint presentation
Targeted attacks
Specific institutions or companies.
Insider threats (disgruntled employees, for example)
Hacktivism
Defacing web pages
Denial of Service attacks
Outing of private information (passwords and credit card lists)
The head of Interpol stated:
May 2012 – Cost of cybercrime is larger than the combined costs of cocaine, marijuana, and heroin trafficking.
The US government is building a ‘hacking monitoring facility.’
Breach costs presently average $194 per record (this includes detection, escalation, notification, resolution and after-the-fact response). At 2,000 records, you’re already up to $388,000. There are huge costs associated with a breach.
Why is it so difficult to maintain security?
Security covers a huge range of devices and channels, from websites to mobile apps to special medical equipment.
Security is a specialty. Developers and administrators may be good at what they do, but they may not be the best security advisors, because that’s not their specialty.
Two questions to ask about your security:
Where are my security holes today? Found via testing.
How do I create an environment that is as secure as possible? This is a big, and very difficult, question to answer.
75% of total data loss happened at, or was targeted toward, medical facilities and businesses.
Malware and Worms:
These pieces of software arrive via email, the web, and USB drives.
Malware: usually working to get protected data, display adware, or stop operations.
Worms: malware that replicates itself.
Phishing works to get data by posing as something it’s not (an example would be an email that looks like it’s from Facebook, but when you click the link, it takes you to a malicious site).
Botnets: computers that are controlled by a different server. Your computer becomes something of a puppet used to carry out a malicious attack.