The HIPAA Privacy rule was aimed to protect the privacy of individually identifiable health information. Along with this the OCR also brought out the HIPAA Security Rule, which sets national standards for the security of electronic protected health information. The HIPAA Breach Notification Rule requires covered entities and business associates to notify following a breach of unsecured protected health information and the confidentiality provisions of the Patient Safety Rule that protect identifiable information used to analyse patient safety events and improve patient safety.

HIPAA is a set of complex federal rules and regulations that govern how medical institutions and their business associates treat private health information. With penalties for HIPAA violations being substantially high, legal experts are analysing the impact of Connecticut Supreme Court’s ruling whether plaintiffs can sue a healthcare provider for negligence if HIPAA regulations have been violated by not protecting the privacy of patients. As per the HIPAA Security Rule, OCR has set national standards for the security of protected health information (PHI) that is created, stored, transmitted, or received electronically.

However, as methods to ensure the confidentiality, integrity, and availability of ePHI data, the HIPAA Security Rule requires medical practitioners, covered entities, business associates and consumers to implement a series of administrative, physical, and technical safeguards when working with ePHI data. The Connecticut case of Emily Byrne vs. Avery Centre for Obstetrics and Gynaecology which involved a patient who sued a healthcare clinic that released her medical records to a third party without her authorization, falls into one of 10 types of HIPAA violation. Failure to comply with HIPAA requirements leads to civil and criminal penalties that applies to both covered entities and individuals.

The covered entities and business associates should therefore take adequate steps to ensure that the patient data is safe from any sort of data breach. The HIPAA/HITECH Security and Compliance management solution, Aegify, is a continuous security monitoring and compliance management solution that is built on a framework approach and allows covered entities and business associates to gain control and improve compliance levels across HIPAA, HITECH, PCI, SOX, ISO, COBIT including country-specific regulations. Its built-in vulnerability scanning technology makes security and compliance monitoring simple and effective and is designed to facilitate both large hospitals as well as small and medium healthcare establishments and their business associates to continuously monitor security of PHI against any data breaches.

The post Don’t let ePHI make your business another Connecticut case of HIPAA Negligence appeared first on Aegify.

Experts believe that the HIPAA violations seen during the past year will be overshadowed by those coming in the next 12 months. The Office for Civil Rights has so far levied nine fines since June 2013, totaling over $10 million. This total also includes the record fine of $4.8 million announced against New York- Presbyterian Hospital and Columbia University in May.

Forbes lists out some of the major costs that may follow a healthcare data breach incident:

1. Technical, legal, and administrative remediation costs
2. Fines levied by OCR for HIPAA violations
3. Costs associated with Identity Theft Protection or Credit Monitoring for affected patients
4. Paying for defending against patient and shareholder lawsuits and settlements
5. The unimaginable cost of potential insurance fraud stemming from millions of exposed Social Security Numbers

For example, the Blue Cross Blue Shield of Tennessee estimated the total cost of breach at $17 million two years ago for compromise of 1 million patient records. This cost included $7 million for improving internal security and $1.5 million settlement with OCR. However, there were no patient or shareholder lawsuits in this case.

In the Community Health Systems breach however, the biggest potential cost is associated with the compromise of 4.5 million Social Security Numbers which could be used for medical insurance fraud. According to experts, hackers used the computer bug Heartbleed in this case, to access the systems. As per reports from Reuters, FBI has issued a ‘flash’ alert last week, warning entities that hackers are targeting healthcare organizations.

With Digital Signature and electronic data capture rapidly replacing manual, paper-based processes in medical practice, next-generation solutions are quickly emerging to help physicians and healthcare organizations to move ahead and optimize their workflows. The fact however is that with increasing volumes of electronic data, the risk of them being breached also increases. This is why healthcare organizations should adopt comprehensive data security solutions such as Aegify Security Posture Management, Aegify SecureGRC, or Aegify Risk Management to enable optimal use of technology while also ensuring that the risks associated with it are curbed.

The post Community Health Systems to Pay Huge Price for Breach appeared first on Aegify.

While these 10 breaches have been listed on the ‘Wall of Shame’ website, one common cause has been identified in all these breaches – theft/loss of unencrypted computing devices or storage media. It has been noted that lack of encryption has accounted for nearly half of all major breaches in the federal tally. Although the importance of encryption has been stressed by experts time and again, a considerable number of healthcare entities and their associates are yet to encrypt their data.

Security experts believe that while encryption is one of the fundamental steps to be taken by every healthcare organization, lack of encryption is not the only security deficiency that worries them. Unencrypted data is often just a sign of deeper security deficiencies that need to be addressed. Experts also believe that failing to encrypt is a bad management decision and not just a security mistake,such as not identifying where data resides or what security risks surround the data.

Several healthcare entities also fail to manage user access efficiently. All this points to the fact that these entities are not practicing security fundamentals, and that they are making fragmented efforts without formally integrating security essentials and aligning them with risk functions in the organization. The lack of an effective risk assessment process and frequent failure to identify internal and external threats and vulnerabilities can also be attributed to the absence of security fundamentals.

What have these security breaches taught us?

There are a few valuable lessons to learn from every information security breach that has been reported so far:

• Every breach is completely avoidable if basic security practices are in place
• Most breaches are not high-end sophisticated attacks but merely result from lapses of judgment and sound application of security measures
• Simple deviations from good security practices can have major consequences for the business
• Encryption of data is of primary importance, and can come a long way in mitigating risks to information
• Business associates have been responsible for some of the largest breach incidents, and are directly liable for HIPAA compliance just like all covered entities. Hence ensuring that data processed by business associates and subcontractors is well-protected, is critical.

What should healthcare entities do?

• Define security policies and standards clearly, and ensure they are being executed as intended
• Establish well-defined ownership and accountability for all security practices, improve poor practices and drive improvements where gaps are identified
• Train employees adequately and help them understand the need to protect the privacy of patients’ health information
• Adopt a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC that can considerably simplify security processes and compliance, while mitigating risks and adequately protecting health data.

The post Health Breach Tally Hits a New Milestone appeared first on Aegify.

Patient medical records are a popular target for cybercriminals, and although healthcare IT is evolving, there are often security loopholes that are typically not found until a major compromise takes place. Integrating cyber security into everyday business operations is vital to lessen the chances of a major data breach. Most often, with no system in place to monitor the internal network in real-time, attackers get many opportunities to compromise and exploit the network at their leisure. Often, when mission-driven hackers initiate an attack, they leverage legitimate existing network resources, like user credentials, for the next phases of the attack. And though there is no evidence or reports of identity theft or personal information compromise in this case, breach prevention isa very crucial goal for every healthcare entity.

Lack of continuous security monitoring makes it difficult to detect an attack, says Dan Berger, CEO of Redspin, and incidents such as the Montana Breach, where hackers gained access to a health department server, reiterate this fact. Although DPHHS has taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, unfortunately, it may not be enough! Every healthcare entity requires a comprehensive, documented, verifiable, and effective information security program to ward off security incidents. Security policies per-se, though essential, do not suffice! Right technologies to automate security procedures make policies realizable combined with training.

Adopting a comprehensive security and compliance solution like Aegify SecureGRC that provides complete security to the data in an organization helps make continuous security, risk, and compliance management much simpler. Try out the community edition before using the standard, professional and ultimate editions of Aegify to get a feel of what Aegify offers.

The post Data Breach Incidents Rising!! This Time it’s the Information of 1.3 Million Individuals in Montana that’s At Risk! appeared first on Aegify.

In a settlement that stemmed from a 2009 complaint filed from a retiring physician, it was found that Parkview took custody of medical records of nearly 5,000 to 8,000 patients, packed into 71 boxes. The complaint alleged that Parkview Health employees left these boxes unattended on the driveway, accessible to unauthorized persons at a close distance to a high traffic shopping venue. The medical records were therefore simply stolen! Considering that OCR has been warning about cracking down on strict HIPAA enforcement, Parkview had to pay a hefty sum of $800,000.

As there are still a lot of paper based PHI in practice, effective policies and protections against improper disposal are crucial. Although this incident occurred five years ago, it is an expensive reminder for every healthcare organization workforce member to think about how they handle the patient information in particular. Christina Heide, acting deputy director of health information privacy at OCR, reiterates that it is imperative, HIPAA covered entities and their business associates protect patient information records at all times, even during normal routines such as their transfer and disposal, since healthcare entities and business associates are directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Incidents like the Parkview violations remind us that protecting health information needs a careful and comprehensive rethinking of the myriad ways that health care data can get lost. Workforce awareness and training are some essentials in averting paper-based breaches, according to Kate Borten, president of security and privacy consulting firm, The Marblehead Group. But what is more important, is for you to think out of the box to define, assess and manage the risks involved in existing processes, find established ways of securing patient health information as such regulatory violations cost significant amount of money in settlements!

To prevent similar issues arising in the future, Parkview Health implemented a comprehensive electronic health record system that is more secure than a paper record system. Information security and compliance would get much simpler, if you could explore comprehensive security solutions such as Aegify Security Posture Management (for continuous security monitoring), or Aegify Risk Manager (for assessing and understanding the business risks), or Aegify SecureGRC (to remain continuously compliant the requirements of the law). With built-in policies, procedures, best practices, and a rich knowledgebase on security, risk, and compliance, supporting multiple regulatory / standard requirements, Aegify framework can greatly simplify your security, risk and compliance processes.

The post Imagine leaving boxes full of medical records on the drive way! It happened and it cost $ 800,000. Can you prevent it? appeared first on Aegify.

The penalties issued to non-compliant healthcare entities till date clearly reveal the seriousness of OCR’s HIPAA enforcement efforts. Jerome B. Meites, OCR chief regional counsel for the Chicago area, believes that the office aims to put out a strong message through high-impact cases. The penalties for HIPAA violations over the past year are most likely to “pale in comparison” to the next 12 months, a U.S. Department of Health and Human Services attorney recently told an American Bar Association conference.

The OCR Focus

According to the OCR, the investigations are to have a limited focus, with fewer onsite visits when HIPAA audits resume this fall. Meites further stated that the OCR is yet to decide on the organizations that are to be selected from a list of 1,200 candidates (comprising of 800 healthcare providers, health plans or clearinghouses–and 400 of their business associates).

Stay Prepared

Ever since federal reporting was mandated in September 2009, the records of nearly 31.7 million people have been exposed. Clearly, the need of the hour is to be fully compliant with HIPAA rules at all times! Considering that the number of breaches on the U.S. Department of Health and Human Services’ “wall of shame” topped 1,000 this month, with almost 34 breaches in June – every health care organization needs to essentially “Stay Prepared”. Furthermore, given the potentially dire consequences of HIPAA violations, it is highly imperative for every healthcare enterprise to assess its HIPAA compliance status and check its readiness for the audit.

A step in the right direction

Besides implementing best practices and conducting risk analysis on an ongoing basis, it is time to take a step in the right direction. Adopting a solution like Aegify Security Posture Management, Aegify SecureGRC and Aegify Risk Manager can prove beneficial if you wish to give your entity a security advantage. With built-in vulnerability scanning technology, security and compliance monitoring become simple and effective. This platform can keep breaches away and help avoid HIPAA penalties with a comprehensive information security and HIPAA compliance framework.

The post Whopping HIPAA Fines in the Offing – Stay Prepared appeared first on Aegify.

HIPAA expert, Reza Chapman, deems it necessary for healthcare organizations and their business associates, to take the necessary crucial steps to prepare for the potential breach investigations and HIPAA compliance audits. Chapman, a senior manager in the healthcare advisory services practice at consulting firm EY (formerly Ernst & Young), says in an interview with Information Security Media Group, that the OCR is not only warning covered entities and business associates about ongoing enforcement, but is also effectively responding to the [HHS] Office of Inspector General that the OCR did not do enough to enforce the rules last year.

It is evident that all healthcare entities and their business associates need to step up their measures, more than ever, and be ready for intense regulatory scrutiny. Covered entities and business associates need to accelerate compliance and security measures, and make certain they leave no avenue for any breach. Although the primary focus should be on updating security and privacy policies, and procedures to meet the HIPAA requirements, it is also vital for healthcare organizations to ensure they have a breach response and notification plan in place. While preparing for the upcoming audits, Chapman emphasizes, that it is essential for organizations to take necessary measures to lower their risk of expensive enforcement actions. Going further Chapman reiterates that,

• All organizations looking to stay away from the scrutiny of OCR, must essentially carry out a thorough risk analysis, and implement "positive steps to remediate the findings".
• Entities must "demonstrate a culture of compliance that shows privacy and security are not new concepts to the organization".
• Besides ensuring that all policies and procedures are scrupulously documented, it is also essential to evaluate potential breaches, and report them quickly.

All healthcare organizations involved in an active HIPAA investigation by OCR, need to fully cooperate with the agency. Organizations that take evasive or combative stances are likely to be penalized the most. Healthcare organizations can greatly benefit by adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA regulations and be ready to effectively handle the upcoming audit.

The post Surviving OCR Breach Investigations & Audits with Tips from HIPAA Expert appeared first on Aegify.

Officials have confirmed that the stolen computers contained sensitive data including Social Security Numbers, billing information, demographic data, dates of birth and other protected health information such as medical diagnoses.

Making a statement on March 6th, Vice President and Head of Healthcare Compliance at Sutherland Global Services, Karen J. Pugh said that the organization regrets the inconvenience caused and is reviewing policies and procedures concerning information security, while also providing additional training to the workforce.

Since the compromised information includes Social Security Numbers, Sutherland is offering credit monitoring services to the patients involved.

Encryption- The Key Security Mantra

Time and again the Department of Health and Human Services’ Office for Civil Rights has been emphasizing the importance of encrypting data to protect patient information. Even in the past month, Susan McAndrew, Deputy Director for Health Information Privacy at OCR reinforced the importance of encryption while speaking at HIMSS14, where she particularly emphasized the need to encrypt each and every device that leaves the office. However, breach incidents like this one continue to occur, revealing that several healthcare entities and their business associates are yet to take the need for encryption seriously.

It is worthy of noting that theft currently accounts for a major share of HIPAA privacy and security breaches, representing 48 percent of all breaches reported. Till date, covered entities and business associates have settled $18.6 million in penalties for HIPAA violation, out of which, $3.7 million has been settled last year alone. And these numbers do not include the state and private legal settlements.

The disturbing fact is that protected health information of about 30 million individuals has been compromised due to HIPAA privacy and security breaches till date. And this number only seems to be growing. With HIPAA audits all set to begin this year, healthcare providers and their business associates have to take serious steps to protect health information. Comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC can ensure data encryption, periodic risk assessments, and help them steer clear of security incidents.

The post Latest HIPAA Breach Brings Bad News to 169k Individuals appeared first on Aegify.

The Three Focus Areas

According to Rodriguez, the three areas of focus for enforcement actions will be:

1. Major deficiencies or breakdowns in security. Often, a data breach is the catalyst for an investigation, but the security breakdown that is identified by OCR has little to do with the cause of the breach that triggered the investigation.
2. Egregious disclosures of patient information. This is with reference to cases where the exposure of PHI was totally unwarranted, and had nothing to do with the ‘quantity’ of patient records involved.
3. Failure to provide access. The HIPAA Omnibus rule allows patients to have access to information in their electronic medical record. Quoting the Cignet case where access was not provided, and no cooperation was extended to OCR during its investigation, Rodriguez described it as the ‘sleeper’ category for enforcement.

Following this, Rodriguez stated that OCR has a new portal where complaints will be captured, and that around 18,000 complaints are expected on this portal annually. He also said that the majority of these complaints will be potential HIPAA violations.

Advice and Guidance

Rodriguez provided valuable advice to covered entities and business associates about complying with the omnibus rule and avoiding breach incidents. Emphasizing the importance for every organization to know where PHI is stored and what the most significant vulnerabilities are, he reiterated that the key to compliance begins with a thorough security risk analysis which can identify the weakest link that may be the one causing an entire organization to face scrutiny.

Speaking about the value of encryption, Rodriguez said that there is a widespread misperception that encryption is not a cost-effective solution to avoiding unauthorized disclosure of PHI, but in reality encryption is of great value for any covered entity or business associate.

Permanent Audit Program

Delving into the learnings of the recently concluded pilot audit program, Rodriguez also gave some perspective into what would be the key focus of the permanent audit program. Reiterating the importance of the role played by security risk analysis, he said that one of the key findings of the pilot audit was that failure to conduct risk analysis increases the chances of a breach.

Rodriguez also said that he would like the permanent audit program to address a larger population of entities, and that in order to accomplish this, OCR is in the process of adding permanent staff to complement outside auditors. Another noteworthy point is that OCR will continue to use civil monetary penalties as a tool in their enforcement actions going forward.

Key Takeaways

Rodriguez’s talk clearly expressed themes that have been constantly emphasized by OCR. He stressed the need for a security risk analysis, and its value as the cornerstone of a positive HIPAA compliance posture. He also highlighted the value of encryption technology for maintaining an appropriate security posture.

With ‘meaningful use‘ driving more healthcare entities to adopt electronic health record (EHR) systems, there may be an increase in the number of complaints arising from challenges that patients will have in gaining access to their health records. So entities should address these challenges even as they adopt EHR systems.

OCR is likely to carry out rigorous enforcement actions under the permanent audit program, which will cast a wider net to identify many more entities lacking in security and privacy controls and compliance. At this juncture, healthcare organizations can greatly benefit by adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA rules and to effectively handle the upcoming audit.

The post Rodriguez’s Thoughts & Guidance on HIPAA Enforcement appeared first on Aegify.