The HIPAA Audit Program

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

According to the OCR, the number of audits done in this phase will be relatively small. This  smaller number of audits reflects the OCR’s primary goal of better understanding the compliance efforts of covered entities and their business associates. The audit results will hopefully provide information to help them to determine what support is necessary for successful compliance.

This could be good news for companies that experience an audit; while the OCR maintains the option to initiate a compliance review in the case of egregious compliance issues, it will probably not be focusing primarily on enforcement actions.

HIPAA’s Privacy Requirements vs. the Spread of Social Media

How to maintain patients’ privacy in the face of widespread social media use is an ongoing challenge. With privacy rules that were originally written in 2000, then updated only once in 2009, it’s no wonder that HIPAA is lagging behind the rapid pace of technological change.

Although current regulations don’t completely cover the changing technological landscape, there are some common sense steps businesses can take to protect themselves. A good practice is to carefully remove all identifiers from PHI if it must be shared without the patient’s prior consent.

But be warned: modern search engines mean that surprisingly small amounts of information can unexpectedly be enough to identify patients. This means even a seemingly vague post on a site like Facebook could contain enough information to identify a patient, leading to liability concerns for the poster and their employer. Examples in the past few years include a Rhode Island physician who lost her privileges to work in the Emergency Room and faced a monetary fine for posting information online about a trauma patient. According to a Boston Globe article, “… [the] posting did not include the patient’s name, but… enough that others in the community could identify the patient.”

Your company will need to have clear, well-planned policies regarding social media use and will need to be certain that all employees have been made aware of these policies.

If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations.

[action full_width=’no’ content_in_grid=’yes’ type=’normal’ icon=’fa-ticket’ icon_size=” icon_color=” custom_icon=” background_color=” border_color=” show_button=’yes’ button_text=’REGISTER HERE’ button_link=’http://events.constantcontact.com/register/event?llr=hxcf8qcab&oeidk=a07ecnjnfc31de5b02d’ button_target=’_blank’ button_text_color=” button_hover_text_color=” button_background_color=’blue’ button_hover_background_color=” button_border_color=” button_hover_border_color=”]

PLEASE REGISTER FOR OUR EVENT HERE (YOU MAY BRING 2 GUESTS)

[/action]

Additional information on HIPAA:

• For a detailed look at dealing with Protected Health Information online, read The Hospitalist’s article on avoiding data breaches and HIPAA violations when posting online.
• For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
• To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”

U.S. hospitals have been faced with an alarming surge in ransomware attacks this year. In these attacks, hospitals find themselves without access to critical patient information. In addition to seriously threatening patient safety, hospitals themselves are also harmed. Necessary interruptions to services while recovering from the attacks damage organizations’ reputations, and financial costs can include ransoms along with costs associated with liability.

Ransomware attacks are a growing threat. Organizations need to focus on necessary steps to protect their data and to stay current on new security requirements arising to meet this threat.

In the first part of this two-part series, we’ll look at what ransomware is, and what makes hospitals and healthcare organizations particularly vulnerable to ransomware attacks. In the second part, we’ll take a look at solutions all organizations (not just hospitals) can employ to mitigate the risk from these attacks, and also discuss possible future changes to security requirements that may develop in response to the increase of ransomware related cybercrime.

What is ransomware?

In their January 2016 brief, “Hacking Healthcare IT in 2016,” the Institute for Critical Infrastructure Technology refers to  ransomware as “the primary threat to organizations in 2016.” Ransomware is a specific type of malware that works by preventing or limiting users from accessing their systems or data, often by encrypting the data. This kind of malware requires payment of a ransom in order to regain access to systems or data. Of course, even after a ransom is paid, there is no guarantee that access will actually be returned or that data will be undamaged. Some examples of ransomware include Locky, CryptoLocker, and CTB Locker.

Why are healthcare organizations so vulnerable to ransomware attacks?

Within just the past few months, hospitals that have reported attacks include Hollywood Presbyterian Medical Center in Los Angeles, Methodist Hospital in Kentucky, and MedStar Health’s ten hospitals and over 250 outpatient clinics in Maryland and Washington D.C. Officials suspect that additional attacks may have gone unreported by organizations choosing to deal with such matters internally rather than risking the damage to their reputations that publicly acknowledging vulnerabilities can bring.

What makes hospitals such tempting targets for cyber criminals? One reason is that hospitals rely on having fast access to accurate and up-to-date information in order to provide care for patients. This means they are more likely to pay a ransom than other organizations might be, as they are trying to avoid harm to their patients (up to and including death) and of course, lawsuits.

Another less obvious reason is that hospitals have until present been focused primarily on educating their employees mainly in HIPAA compliance, and much less on cybersecurity. This leaves hospitals employees especially likely to fall victim to social engineering attacks such as phishing, which can give ransomware attackers the entry they need.

The older software used by some hospitals can also provide a tempting point of entry for ransomware attackers. For example, a recent alert from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team warns that certain systems used to automate the tracking and dispensing of medical supplies contain numerous security vulnerabilities.

Additional Links:
TrendMicro – History of ransomware.
Wired.com – Why hospitals are the perfert target for ransomware.
DataBreachToday.com – Security flaws in legacy medical supply systems.