The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they they said all along that they will do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthly list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
Create a plan on protecting PHI.
Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
Identify public facing extranet portals and web applications that can allow access to PHI.
Identify databases that hold PHI.
Execute the plan
Implement data encryption where practical.
For databases, implement a database security product to monitor database requests and protect from intrusion.
For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.
In the coming months healthcare IT administrators will see many products come to market that claim to solve the compliance issues of safeguarding unsecured protected health information (PHI). A bit of caution and understanding of the issues is required here:
- Whole disk encryption is clearly needed for mobile devices
- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.
- Additional levels of data protection is needed to protected the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.
- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.
- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?
So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location. Whole disk encryption will not help you in this situation.
It’s important for any encryption solution to not only encrypt the hard drive but also to encrypted files on the hard drive so that they remain encrypted while the computer is on.
On Wednesday, December 30th, the U.S Department of Health and Human Services (HHS) released its Interim Final Rule on Meaningful use. This rule is applicable to covered entities who chose to participate in the Medicare and Medicaid EHR Incentive Programs. Essentially, healthcare providers must prove that they are using the EHRs and meet HHS’s standards of meaningful use in order to receive reimbursement for implementing the EHR system.
Stages
Stage 1 (starting in 2011): Focused on electronically capturing health information, implementing clinical decision support tools to facilitate disease and medication management, and reporting clinical quality measures and public health information. Note that in this stage electronic protected health information (PHI) is being captured and stored, and as a result, must be secured. It is this specific information that must be protected from security breaches.
Stage 2 (starting in 2013):Focused on using captured information to improve care, electronic transmission of diagnostic test results, and computerized provider order entry (CPOE).
Stage 3 (starting in 2015): Focused on decision support and improvements in quality and safety.
Role of Security & Privacy in Meaningful Use
In general, HHS has specifically included encryption as a requirement for a Certified EHR system (only Certified EHR systems are eligible for cost reimbursement). The inclusion of encryption in meaningful use is indicative of the Federal government’s recognition that encryption is a critical technology in securing protected health information (PHI).
Certified EHRs must be able to provide the patient an electronic copy of their health information upon their request. This information must be provided within 96 hours from the time the provider obtains the information, such as lab results, for example. This patient information must secured with at least a symmetric 128 bit fixed-block cipher algorithm capable of using 128, 192, or 256 bit encryption key.
Certified EHRs must protect electronic health information by implementing controls and encyption, such as:
- Assigning a unique user name for each user
- Encrypt and decrypt health information for backups, removable media, etc.
- Event recording such as deletion of records
- Audit review log
- Systems to ensure health information has not been altered using a hash algorithm
- Record disclosures made for treatment
- Ensure identity management is in place
Systems outside of Certified EHRs
As a matter of policy HHS has decided NOT to dictate standards on privacy and security in the context of meaninful use for systems other than Certified EHRs. In other words, they acknowledge that there are other systems that are part of the electronic health IT ecosystem, such as backup systems, hard drives, removable media, domain name systems (DNS), time servers (NNTP), etc. They acknowledge that these systems should be protected. However, for the purposes of the scope of the ruling they decided not to dictate standards or requirements beyond those for the actual EHR system.
HHS took the time to reiterate that using a Certified EHR “does not change existing HIPAA Privacy Rule or Security Rule requirements, guarantee compliance with those requirements, or absolve an eligible professional, eligible hospital, or other health care provider who adopts Certified EHR Technology from having to comply with any applicable provision of the HIPAA Privacy or Security Rules.
This essentially means that you must still consider the security of systems outside the Certified EHR system and, if necessary, secure these systems. Implementing a Certified EHR system does not absolve your organization from the HIPAA Privacy and Security Rules. They go on further to say:
“While the capabilities provided by Certified EHR Technology may assist an eligible professional or eligible hospital in improving their technical safeguards in order to meet some or all of the HIPAA Security Rule’s requirements or influence their risk analysis, the use of Certified EHR Technology alone does not equate to compliance with the HIPAA Privacy or Security Rules.
Make sure you look at out healthcare IT system holistically. Implementing a Certified EHR is only part of the overall security equation in your organization.
Today HHS came through with its promise to issue the interim final rule to define “meaningful use”. This is an important rule and will essentially spell out the terms and conditions of the forthcoming reimbursements for implementation of electronic health records.
A call is scheduled for 5:15pm on 12/30 to discuss the IFR.
"As for enforcement, Congress promised in ARRA "periodic audits" to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren't sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010."
Sounds like 2009 was the year of the healthcare law revisions. 2010 looks like it may be the year of enforcement.
Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.
Seems like it’s been a tough week for Verizon to try and prove their point about how encryption is unimportant to securing protected health information (PHI).
..
According to ModernHealthcare.com Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”
In addition, Tippett says current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”
..
But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption (and all of them could have protected patient information had encryption been installed):
US Army loses hard drive with 60,000 with social security numbers and other personal information.
A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.
And all this within 2 weeks! The fact is that data in use, like data at rest, and data in motion needs to be encrypted if it contains protected health information.
Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.
“The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification
Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
Although disk encryption could not have prevented the drive from being lost it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under HIPAA/ARRA/HITECH Act took effect in September, 2009, but will be start being enforced until February, 2010.
“On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule pertaining to the enforcement provisions of the HI-TECH Act. The final rule serves to conform HIPAA’s enforcement regulations to the revisions to the HIPAA statutes made by the HI-TECH Act.”
…
This is the government’s way of saying “we’re made a rule, and we are now going to enforce it”. The enforcement ruling is an indicative of the federal government’s interest in protecting the privacy and identity of patients. As patient records get converted from paper to electronic security has become a very important part of the healthcare IT ecosystem.
..
Bricker and Echler, LLC go on further to say “The HI-TECH Act significantly increased the penalty amounts for HIPAA violations, as reflected in the final rule. Covered entities should understand the financial risks associated with HIPAA non-compliance and the changes to the available affirmative defenses. It is critical to have an effective HIPAA compliance program to avoid HIPAA violations and to identify and correct HIPAA violations in a timely manner, which can shield the organization from substantial financial penalties”
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.comwww.arra13402.com
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=3a0266f6-3270-43a7-9d5d-72d3000b6dd6)
- Encrypt and decrypt health information for backups, removable media, etc.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=6e87899c-e6e7-4f3a-9683-3d2ac9ec511b)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=edf1062b-fc9f-4ed9-9b7f-d82f9a2a66ba)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=ddb01d91-1efe-4f93-ba81-d409929f5e90)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=ceeb7a49-78eb-4910-bb8f-dc57a91f3616)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=0f8109dd-4181-4d3b-a3fb-759163ab8308)
