Viewing entries in
HIPPA
In healthcare, there is absolutely no escape from the mandatory utilization of technology. From the simple task of setting an appointment to billing and procedure codes, everything requires an intensive use of protocols that can be implemented only through the use of technology. HHS mandates these processes across the board, from a doctor who is operating solo to the largest hospitals. All HIPAA covered entities must adhere to rules and standards set forth in ANSI 5010 starting Jan. 2012 and ICD-10 starting Oct. 2015. Needless to say, all providers need help using the technology that is designed to bring efficiency and accuracy to the health care system.
Let's discuss why doctor's offices and clinics need managed IT services.
- You're a Medical Professional: As a doctor you don't have the knowledge to repair your own networks in case there is a failure. Your support staff is trained to make appointments and take blood pressure, draw blood along with several other medical-related responsibilities. They don't fix computers for a living.
- The prohibitive cost of an in-house IT team: Hiring an IT staff even as part-time employees can be very costly, and even full-time staff may not provide all your support needs. System failures can be very unpredictable and technology can be a 24/7 concern. IT support based solely on your own payroll is not typically a practical choice for doctors or clinics.
- Data security: This is a very serious issue in health care. Medical records of patients must be protected according to HIPAA requirements. Laws governing health care provides stiff penalties and fines in the case of a breach in patient's private information. You need to make sure that your networks are impenetrable. There are even requirements now to prove that you've had a qualified professional attempt to hack your systems on a routine basis. Managed Service Providers (MSPs) specialize in technologies that will safeguard your data. There are also software maintenance and upgrade issues to be addressed. Outdated software and hardware can expose your systems to hackers. An in-house IT team may be too busy to keep up with the changes, thus making your data vulnerable.
- Monitoring: The best way to avoid critical breakdowns and security breaches is 24/7 monitoring. This is the surefire way to avoid and control security breaches, viruses and hacker attacks, but it isn't something a small firm can do on its own. It requires the presence of 24/7 labor plus investment in exceptionally sophisticated software and hardware. This sort of investment is not practical for smaller firms.
- Government regulations: Now there are new government regulations in place that all health care providers must comply with. The purpose is to speed up the billing process and promote more accurate diagnostic records, all while protecting patient privacy.
- ICD-10 and ANSI 5010: The World Health Organization has updated the international system of coding diseases. It is called ICD-10, with implementation mandated by Oct. 1st 2015. Implementation of ICD-10 requires the use of the new billing system called ANSI 5010, which was to take effect on Jan. 1st 2012. These regulations are designed to improve the information flow between systems so the providers will get paid faster and the patient's conditions will be diagnosed more precisely.
- Electronic Health Records (EHR): The government now mandates that all the patient's health records be maintained electronically. Also, this mandate provides for the patient's right to know who has accessed their medical records and when. The patient portals that are gaining popularity will be another task to manage.
So what does all this mean for health care providers in terms of managing their networks? More data volumes, more software packages, and more privacy headaches.
At the end of the day, you have to decide what your priorities are as a health care provider. It should be to provide the best care to your patients without having to worry about your infrastructure. As a MSP, we can ensure your focus remains on healthcare.
SERVICE PATIENTS, NOT TECHNOLOGY: ACHIEVING HIPAA COMPLIANCE & HIGH LEVEL DATA SECURITY IN THE CLOUD
Prioritizing Security & Privacy in Healthcare Sector
Physician offices, hospitals and health insurers take practical steps each day to protect private patient health information (PHI) and comply with HIPAA regulations. Anyone interacting with patients and regularly accessing or discussing confidential medical records is obligated to adhere to certain requirements to uphold privacy and security. For example, employees must be mindful of what is said aloud pertaining to an individual patient. Doors must be closed when patient conditions, treatments and procedures are discussed in person or over the phone. Staff should never leave voice mails with specifics about patient health conditions or test results.
Even simple acts like summoning patients from the waiting room must be carried out with patient discretion in mind. Failure to do this can result in a reported HIPAA breach that can be accompanied by potentially heavy monetary fines and often-irreparable reputation damage. The industry’s need to prioritize the integrity of patient data is even more pronounced in this time of flux within the healthcare sector.
Transitioning to the Electronic Age
Healthcare service providers today are in the process of converting all paper medical records to electronic health records (EHRs) or electronic medical records (EMRs) to meet the meaningful use requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA incentivizes the healthcare sector to accelerate the adoption of enterprisewide electronic medical data by 2015 or face possible penalties.
We are entering a period in our history where volumes of confidential patient health information (PHI) will be stored, shared, and accessed electronically for the very first time ever. There has never been a more critical time for healthcare service providers to ensure that patient rights are protected, confidential information is safeguarded, and this transition from the immovable locked file cabinets to today’s electronic-system is completely HIPAA compliant and secure.
How HIPAA Breaches Most Commonly Happen
The U.S. Department of Health’s Office of Civil Rights found that there have been 21 million HIPAA security breaches since 2009. These breaches have resulted in an average of 2,769 records being lost or stolen per breach.
Among them:
48% were stolen medical files
48% were stolen billing and insurance records
20% were stolen prescription details
13% were stolen monthly statements
24% were stolen patient billing/ payment details
19% were stolen payment details
During this period, 66 percent of the reported large-scale HIPPA violations were due to the physical loss or theft of electronic equipment or storage media such as a laptop or flash drive that held unencrypted PHI. Another 8 percent of the large-scale HIPAA breach incidents were the result of hacking and cybercrime.
Physical Thef
Based on the above findings alone, one can come to the obvious conclusion that storing such unencrypted data on a physical hard drive or any portable storage media device elevates the risk of an HIPAA breach. Therefore, eliminating the need to store or transfer this data on equipment such as laptops or flash drives should significantly minimize the risk of many of the HIPAA violations reported today.
Cybercrime
Cybercrime is a growing threat within the healthcare sector since the industry has been slow to adopt new technology.
The aging technology commonly used by healthcare service providers is rife with software and security flaws making it susceptible to data breaches resulting from hacking and other cyber attacks.
Data thieves view private medical records as a high valued commodity - a gateway to identity theft. Safeguarding this data is challenging. With the shift to electronic records, data thieves have upped their game, finding new ways to gain unauthorized access to patient data by exposing vulnerabilities.
Defending against cybercrime requires constant monitoring for intrusion attempts and security upgrades. In this era where the volume of stored data is increasing, new cyber threats seemingly surface everyday, and there is continuous demand to comply with regulations; healthcare service providers securing their own infrastructure will inevitably become overburdened and more vulnerable to attacks and HIPAA breaches.
The Case for Moving Data to the Cloud
Although many healthcare service providers have shown a reluctance to abandon their in-house IT infrastructure and security measures, on-premise data center attacks are proving to be more prevalent, costly, and difficult to rebound from. Healthcare providers who have resisted the cloud due to privacy and security concerns could be making a grave mistake. Increasing evidence suggests that the cloud can actually enhance data security. It does this while also freeing up manpower and budget dollars that can be better allocated toward the principle objective of improving patient care.
Decreased Instances of HIPAA Breaches Due to Physical Thef
In a cloud-based infrastructure, only the PHI that the user has accessed via their web browser resides on their computer. All other data is hosted virtually on a secure cloud-based server from a guarded physical storage facility.
Decreased Instances of HIPAA Breaches Due to Hacking
Another advantage of the cloud is that encryption requirements are better enforced, regardless of whether data is in transit or at rest. Even in the event of unauthorized access to data, the encryption key would also have to be obtained or else the data is secure and unreadable to the intruder. While data encryption is also possible when data is physically stored at an on-premises data center, it is much more difficult to facilitate.
Reduced Investment to Defend Against HIPAA Breaches
If a HIPAA breach does occur, security audits, certifications, and assessments are necessary to defend against civil or criminal prosecution. They demonstrate that the best effort was made to comply with the security requirements of HIPAA and improve your defense. They also come at a significant cost that is more affordable to cloud providers than a healthcare service provider with a private data center.
Leveling the Playing Field with Major Healthcare Institutions
Shared Accountability with Business Associates When it comes to the physical and technical safeguards required by the HIPAA Security Rule, most cloud service providers implement physical security measures exceeding those practical for most small-to-medium-sized businesses. Safeguards to ensure data confidentiality and integrity are also implemented - such as advanced authentication, encryption, automated session timeouts and audibility logging – all less likely to be utilized in an on-premise data center environment.
Shared Accountability with Business Associates
A “Business Associate” is defined by HIPAA as any entity outside of your practice or organization who either performs services on your behalf or requires the use or disclosure of public health information to complete tasks they’ve been contracted to execute. Until recently, some ambiguous language in the act left it up to interpretation whether or not cloud-service providers were to be classified as business associates. Although most cloud-service providers accepted accountability and signed a business associate agreement, some refused and argued that the act’s definition, citing “routine regular access”, didn’t apply to them since they primarily stored encrypted PHI to which they neither held the key to, nor routinely accessed.
This prompted many skeptics in the industry to doubt if cloud-service providers had the processes and protocols in place to protect PHI and bear their share of accountability in the event of a HIPAA breach in the cloud.
The new HIPAA Omnibus Final Rule has clarified that any cloud data operator who maintains PHI is to be classified as a business associate. This means liability and compliance is extended to cloud data operators with a signed business associate agreement. Cloud operators are accountable, and subject to monetary fines or related fees, for any failure to protect patient data security and privacy if they sign a business associate agreement. Healthcare service providers are advised to refuse to work with anyone who still refuses to sign a business associate agreement.
Proactive Remote Monitoring
Leading cloud-service providers offer an around-the-clock remote monitoring service that maximizes uptime while monitoring each node in the cloud infrastructure, each access point, and the data center platform as a whole. This is an extremely important function that detects and addresses potential issues before they become serious breach incidents. Metrics are collected and alerts are triggered whenever faulty conditions such as a data backup failure or an authorized attempt to access data are detected.
What to Ask Your Cloud-Service Provider
As you can see, as it becomes obvious that the cloud is establishing a foothold in the industry as the data management system of choice for many healthcare service providers, cloud security continues to evolve for the better. However, you must still choose a cloud-service provider wisely and ensure that patient data is secure at all levels of workflow. We’ve compiled a list of several things you should ask your cloud-service provider regarding EHRs and PHI data.
1. Who has access to this data and the systems supporting it? - Any cloudservice provider should be able to tell you who has access to the physical storage facility, the hardware, operating systems and data.
2. Is there an audit trail and can unauthorized access to patient data be easily verified? – Is there an auditing mechanism in place tracking all PHIrelated system activities, warnings and failures? Any unusual system activity such as suspected unauthorized access should be easily detectable.
3. Is the data password-protected and accessible to only those authorized? – Are users prompted to enter a unique username and password with each log on? Do active logged-in sessions time out after periods of inactivity?
4. Is the data encrypted? Is it only viewable to those with proper authentication or accessing it through an application? – Is SSL-based encryption performed at the application level when healthcare sites and the data center communicate? This ensures endto-end protection from the service access point to the data center and prevents any unauthorized network provider employee from accessing the data. Data also can’t be read while in transit to an end user’s viewing software over the Internet.
5. What kinds of backup processes are in place to ensure business continuity? – How often is data backed up and what is the method of backup to reduce data loss? Are copies made on removable media and stored off-site if a disaster impacts the data center? Are the two copies continuously synchronized? What authentication processes are in place to ensure data integrity?
6. How are the threats of viruses and Trojans handled? – Is there anti-virus software running every time files and disks are scanned or accessed? Is the anti-virus software frequently updated with the latest virus signature databases?
7. What Kind of Physical Security Exists at the Data Center? – Is security at the data center manned 24-hours with appropriate identification required and recorded with each visit? Are security cameras, motion detectors or alarms present throughout the facility?
Conclusion
The necessary investment to buy and maintain physical equipment, hardware and software, and supply personnel with the continuous training they need to deliver top-level data security is unaffordable and overtaxes the resources of smaller healthcare entities. Converting to cloud-based services enable practices and companies of any size to achieve industry-leading HIPAA compliant data security while benefiting from a slew of cost-efficient benefits that liberate them from security problems – bringing them back to caring for patients, not patient technology. If you’re interested in a cloud-service provider who follows the administrative simplifications referenced under HIPAA, and can satisfactorily assure the safeguarding of electronic patient health information, contact us today.
2013 was the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associated (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.
But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.
Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are three helpful steps:
Risk Assessments Are Absolutely Necessary
While risk assessments are critical to protecting patient health information.These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, flood, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.
Proactively Monitor for Cybercrime
It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through a MSP can help scan, pinpoint, and remediate such attacks.
Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the duration of time in which your service level must be restored to avoid dire consequences. Your RPO is the maximum age of the recoverable files in storage to resume normal operations. A MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.
Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.