Healthcare Data Security

Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise.

In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.”

GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.”

Every year, each federal agency is required to have its information security program and practices reviewed by its inspector general, or by an external auditor, to determine the effectiveness of the program and practices. In 2016, 24 federal agencies were inspected, but only 7 of those agencies were determined to have effective information security programs.

Critical security weaknesses were discovered during those audits that could lead to a system compromise and the exposure and theft of sensitive data. Security weaknesses were found at 24 federal agencies, including the Department of Health and Human Services, Department of Veteran Affairs, and Internal Revenue Service.

Most of the agencies were discovered to have weaknesses in five control areas, including access controls, segregation of duties, configuration management controls, contingency planning, and agency-wide security management.

The Food and Drug Administration (FDA) was found to have “A significant number of security control weaknesses that jeopardize the confidentiality, integrity, and availability of its information systems and industry and public health data.”

“The National Aeronautical and Space Administration, Nuclear Regulatory Commission, Office of Personnel Management, and the Department of Veteran Affairs had not always effectively implemented access controls over selected high-impact systems.”

“The Internal Revenue Service had weaknesses in information security controls that limited its effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”

All 24 agencies had weaknesses in their access controls, and 223 configuration management weaknesses were identified at 23 of the 24 agencies. More than half of the agencies did not segregate incompatible duties to prevent unauthorized actions or unauthorized access to assets or records. There were 623 security management weaknesses across the 24 agencies, and 20 of the 24 agencies had weaknesses in implementing a security training program.

No new recommendations were made in the report, as previous audits have highlighted the vulnerabilities and hundreds of recommendations have previously been made by inspectors general to address those vulnerabilities.

GAO points out that “Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies’ progress on those recommendations.”

The post Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies appeared first on HIPAA Journal.

Privacy and Security Awareness Lacking in 70% of Employees

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training.

For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study.

Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk.

Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30%, a good sign that some employees have responded to training and are taking more care at work. Worryingly, while the percentage of novices fell from 72% last year to 51% in 2017, the percentage of individuals classed as a risk increased from 16% in 2016 to 19% this year.

Tom Pendergast, chief strategist for security, privacy, and compliance at MediaPro, explained that in the risk category there are two areas that have been consistently poor over the past two years: physical security and safe remote working/mobile computing. In the latter category, one of the biggest risks was connecting to insecure Wi-Fi networks. The percentage of respondents who admitted doing this jumped from 45% last year to 62.3% this year. Overall, 19% of respondents admitted to risky practices when working remotely.

The overall scores across six of the eight categories being tested improved year over year, with notable improvements in identifying malware and phishing threats, reporting incidents, working remotely, identifying personal information, and cloud computing.

The two areas where there was a decline were physical security, such as allowing individuals into a facility without checking identification, and social media security, such as posting personal and sensitive company information on social media accounts.

Perhaps the biggest risk faced by organizations today is phishing. Phishing emails are the primary method of delivering malware and ransomware and obtaining sensitive information such as login credentials.

Respondents were tested on their phishing awareness and were presented with four emails, which they were asked to rate as legitimate or phishy. 8% of respondents were unable to identify the phishing emails correctly. Out of the phishing emails tested, the email offering a stock tip from a well-known investor fooled the highest number of respondents. 92% of respondents were able to identify a phishing email with a potentially malicious attachment, up from 75% last year.


NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37), the first time the Risk Management Framework has been updated in the seven years since it was first published.

NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made.

The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that organizations often fail to communicate issues effectively with the C-suite.

One of the main aims of the update is to provide closer linkage and communication between risk management processes at the system and organization level and those of the C-Suite. More C-suite involvement will help to ensure that the Risk Management Framework is more effective when it is implemented.

The update will help to institutionalize critical enterprise-wide risk management preparatory activities enabling more cost-effective execution of the Framework at the system and operational level. NIST has also unified security and privacy concepts into the Framework to help organizations develop a more integrated approach to risk management.

The discussion draft of the updated NIST Risk Management Framework is open for comments until November 3, 2017. NIST said, “This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0.” Public comments will be accepted when the public draft of the guidance is issued in November 2017.

NIST hopes to release the final draft of the updated Risk Management Framework for Information Systems and Organizations in January 2018, and the final publication in March 2018.


National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month, a month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens.

National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners.

Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure.

DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month:

National Cyber Security Awareness Month Summary

  • Week 1: Simple Steps to Online Safety (Oct. 2-6)
  • Week 2: Cybersecurity at Work (Oct. 9-13)
  • Week 3: Today’s Predictions for Tomorrow’s Internet (Oct. 16-20)
  • Week 4: Careers in Cybersecurity (Oct. 23-27)
  • Week 5: Cybersecurity and Critical Infrastructure (Oct. 30-31)

Week 1 focuses on basic cybersecurity and cyber hygiene – simple steps that can be taken to greatly improve resilience to cyberattacks.

These basic cybersecurity measures are likely to have already been adopted by the majority of businesses, but these simple controls can all too easily be overlooked. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal is littered with reports of security incidents that have resulted from the failures to get the basics of cybersecurity right. Week 1 is the perfect time to conduct a review of these basic cybersecurity measures to ensure they have all been adopted.

This year has already seen several major data breaches reported, including the massive breach at Equifax that impacted 143 million Americans. In May, WannaCry ransomware attacks spread to more than 150 countries, and the NotPetya wiper attacks in June caused extensive damage. FedEx and Maersk have both announced that the attacks could end up costing $300 million.

All three of those cyberattacks occurred as a result of the failure to implement patches promptly. Then there is the recently announced Deloitte data breach. That security breach has been linked to the failure to implement two-factor authentication, another basic cybersecurity measure.

Stop. Think. Connect

During the first week of National Cyber Security Awareness Month, the NCSA will be promoting its “STOP. THINK. CONNECT.” security awareness campaign, which was developed with assistance from the Anti-Phishing Working Group in 2010. The campaign makes available more than 140 online resources that can be used by U.S. citizens to keep themselves secure and by businesses to improve security awareness of the workforce.

Week 2 will focus on cybersecurity in the workplace, highlighting steps that can be taken by businesses to develop a culture of cybersecurity in the workplace. DHS and NCSA will also be encouraging businesses to adopt the National Institute of Standards and Technology Cybersecurity Framework.

Week 3 will focus on protecting personal information in the context of the smart device revolution, highlighting the importance of secure storage, transmission, and handling of data collected by IoT devices.

Week 4 will focus on encouraging students to consider a career in cybersecurity. By 2019, there is expected to be around 2 million unfilled cybersecurity positions in the United States. Advice will be offered about how to switch careers and embark upon a career in cybersecurity.

National Cyber Security Awareness Month finishes with two days of efforts to improve the resiliency of critical infrastructure to cyberattacks.

OCR Encourages HIPAA-Covered Entities to Go Back to Basics

Late last week in its monthly cybersecurity newsletter, OCR sent a reminder to HIPAA-covered entities about the importance of securing health data, saying, “The security of electronic health information is more critical than ever, and it is the responsibility of all in the regulated community to ensure the confidentiality, integrity, and availability of electronic protected health information.” These basic security measures are essential for HIPAA compliance.

OCR suggests HIPAA-covered entities should go back to basics during National Cyber Security Awareness Month and use the tips and advice being issued to ensure all the i’s have been dotted and the t’s crossed.

OCR suggests a good place to start is conducting a review to make sure:

  • Strong passwords have been set – consisting of passphrases or passwords of at least 10 characters, including lower and upper-case letters, numerals, and special characters.
  • Regular training is provided – to improve phishing awareness, reporting of potential attacks, and covering other important cybersecurity issues.
  • Multi-factor authentication is used – so that in the event that a password is obtained or guessed, it will not result in an account being compromised. MFA is strongly recommended for remote access, privileged accounts, and accounts containing sensitive information.
  • Patch management policies have been reviewed – to ensure that software updates and patches are always applied promptly, on all systems and devices, to fix critical security vulnerabilities.
  • Devices are locked – all devices should be physically secured when they are not in use.
  • Portable device controls are developed – to prohibit the plugging in of personal portable devices into secure computers or networks without first having the devices scanned to make sure they do not contain malware.
  • Policies are developed on reporting threats – educate the workforce on the importance of reporting potential threats immediately to ensure action can be taken to mitigate risk.


Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant?

Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files.

Microsoft Supports HIPAA Compliance

There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules.

That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.

Provided the BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

Microsoft explains that all appropriate security controls are included in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.

Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption, and SSL/TLS connections are established using 2048-bit keys.

There is More to HIPAA Compliance Than Using ‘HIPAA-Compliant’ Services

However, just because Microsoft will sign a BAA, it does not mean OneDrive is HIPAA compliant. There is more to compliance than using a specific software product or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance depends on the actions of users. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Prior to the use of any cloud service, a HIPAA-covered entity must conduct a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are mitigated.

Access policies must be developed and security settings configured correctly. Strong passwords should be used, external file sharing should be disabled, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information. When PHI is shared, the minimum necessary standard applies. Logging should be enabled to ensure organizations have visibility into what users are doing with respect to PHI, and when employees no longer require access to OneDrive, such as when they leave the organization, access should be terminated immediately.
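The configuration checks listed above can be audited from an administrator's shell. The script below is an added example, not Microsoft's or HIPAA Journal's code: it reads the tenant's OneDrive for Business sharing, network-restriction and audit-log settings, reports deviations from the controls above, and shows how a departing employee's access is cut off. It assumes the SharePoint Online Management Shell, ExchangeOnlineManagement and AzureAD PowerShell modules are installed and that the caller holds the matching admin roles; the tenant name, IP ranges and user address are placeholders.

```powershell
# Added example: audit OneDrive for Business tenant settings against the
# controls in the text (external sharing off, trusted networks only,
# logging on, prompt deprovisioning). Placeholder values are marked.

$TenantName      = 'contoso'                          # placeholder tenant name
$AllowedNetworks = '203.0.113.0/24,198.51.100.0/24'   # placeholder (TEST-NET ranges)

function Get-OneDriveComplianceFindings {
    param([string]$AllowList)

    $tenant   = Get-SPOTenant
    $findings = @()

    # Control 1: external file sharing should be disabled tenant-wide.
    if ($tenant.SharingCapability -ne 'Disabled') {
        $findings += "External sharing is '$($tenant.SharingCapability)'; expected 'Disabled'."
    }

    # Control 2: access limited to trusted (whitelisted) network ranges.
    if (-not $tenant.IPAddressEnforcement -or
        [string]::IsNullOrWhiteSpace($tenant.IPAddressAllowList)) {
        $findings += 'IP address enforcement is off or the allow list is empty.'
    }
    elseif ($tenant.IPAddressAllowList -ne $AllowList) {
        $findings += "IP allow list is '$($tenant.IPAddressAllowList)'; expected '$AllowList'."
    }

    # Control 3: unified audit logging on, so file activity on PHI is visible.
    $audit = Get-AdminAuditLogConfig
    if (-not $audit.UnifiedAuditLogIngestionEnabled) {
        $findings += 'Unified audit log ingestion is disabled.'
    }

    return $findings
}

function Set-OneDriveBaseline {
    # Apply the corrected settings once the findings have been reviewed.
    param([string]$AllowList)
    Set-SPOTenant -SharingCapability Disabled
    Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList $AllowList
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

function Get-RecentOneDriveFileActivity {
    # Visibility check: pull the last week of SharePoint/OneDrive file operations.
    param([int]$Days = 7)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType SharePointFileOperation -ResultSize 500
}

function Disable-DepartedUser {
    # Block sign-in and revoke refresh tokens so cached sessions stop working too.
    param([string]$UserPrincipalName)
    Set-AzureADUser -ObjectId $UserPrincipalName -AccountEnabled $false
    Revoke-AzureADUserAllRefreshToken -ObjectId $UserPrincipalName
}

# Connect to the three services and run the audit.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline
Connect-AzureAD

$findings = Get-OneDriveComplianceFindings -AllowList $AllowedNetworks
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }

# After review, remediate and verify logging is producing records:
# Set-OneDriveBaseline -AllowList $AllowedNetworks
# Get-RecentOneDriveFileActivity | Select-Object CreationDate, UserIds, Operations
# Disable-DepartedUser -UserPrincipalName 'former.employee@contoso.com'   # placeholder
```

The IP allow list is compared as an exact string here; a tenant that stores the same ranges in a different order will be flagged, which is the safer failure for a compliance check.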

So, is OneDrive HIPAA compliant? Yes and no. OneDrive can be used without violating HIPAA Rules and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance is down to the covered entity and how the service is configured and used.


Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance. Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules.

The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients.

Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules, and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements, and 2017 has continued where 2016 left off.

The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase of its HIPAA compliance audit program, and dental offices may still be selected for an audit.

During the first phase of compliance audits in 2011/2012, at least one dental office was audited. That round of audits revealed multiple areas of noncompliance with HIPAA Rules, although OCR chose not to issue any financial penalties. Instead non-compliance was addressed by issuing technical guidance. Now, five years on, covered entities have had plenty of time to implement their compliance programs. Financial settlements can be expected if HIPAA violations are discovered by OCR auditors.

Last year, the threat of HIPAA compliance audits for dental offices prompted Dr. Andrew Brown, chair of the ADA Council on Dental Practice, to issue a stern warning to dental offices on HIPAA compliance, urging them to take HIPAA compliance seriously. Brown said, “There are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”

If your dental office has not been selected to demonstrate compliance with HIPAA Rules already, that does not mean an investigation will not be conducted. OCR has only conducted the first round of its phase 2 HIPAA audit program. The second round will involve on-site visits, which are expected to start in early 2018.

OCR also investigates all covered entities that experience a breach of more than 500 records. There has been an increase in cyberattacks on healthcare organizations in recent years, and dental offices could all too easily come under attack.

Laptop computers containing ePHI can easily be lost or stolen, employees may snoop on records or steal sensitive information, errors can easily be made configuring software, and unaddressed vulnerabilities can easily be exploited. This year, the hacking group TheDarkOverlord exploited a vulnerability and gained access to the records of Aesthetic Dentistry of New York City and stole data – a reportable breach under HIPAA Rules.

If a data breach is experienced, OCR will need to be provided with evidence that HIPAA Rules have been followed. Complaints about privacy violations and other potential HIPAA failures can be submitted via the HHS website, and can easily lead to HIPAA investigations.

It would be a serious error to think that OCR will not investigate small practices. OCR has made it clear that all covered entities, regardless of their size, must comply with HIPAA Rules. It is not only large healthcare organizations that may have to pay a financial penalty for non-compliance with HIPAA Rules, as Dr. Beck could confirm.

The threat of data breaches is greater than ever before, and OCR is taking a harder line on healthcare organizations that fail to comply with HIPAA Rules and keep electronic protected health information secure. Dental offices should therefore take HIPAA compliance seriously and ensure HIPAA Rules are being followed.


HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.

Even when a cloud computing platform provider has HIPAA certification, or claims its service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis (see 45 CFR § 164.308(a)(1)(ii)(A)) has been performed.

A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service (45 CFR § 164.308(a)(1)(ii)(B)). Any risks identified must be managed and reduced to a reasonable and appropriate level.

It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.

Cloud Service Providers are HIPAA Business Associates

A HIPAA business associate is any person or entity who performs functions on behalf of a covered entity, or offers services to a covered entity that involve access being provided to protected health information (PHI).

The HIPAA definition of business associate was modified by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing platforms.

Consequently, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform provider. The BAA must be obtained from the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, even if the key to unlock the encryption is not given to the platform provider. The only exception would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.

The BAA is a contract between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of HIPAA Rules that apply to the platform provider. Details of the contents of a HIPAA-compliant BAA can be obtained from the HHS.

Cloud computing platform providers and cloud data storage companies that have access to PHI can be fined for failing to comply with HIPAA Rules, even if the service provider does not view any data uploaded to the platform. Not all cloud service providers will therefore be willing to sign a BAA.

A BAA Will Not Make a Covered Entity HIPAA Compliant

Simply obtaining a BAA for a cloud computing platform will not ensure a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated, even with a BAA in place. This is because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance will depend on how the platform is used.

For example, Microsoft will sign a BAA for its Azure platform; but it is the responsibility of the covered entity to use the platform in a HIPAA-compliant manner. If a covered entity misconfigures or fails to apply appropriate access controls, it would be the covered entity that is in violation of HIPAA Rules, not Microsoft. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Penalties for Cloud-Related HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that have failed to obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.

St. Elizabeth’s Medical Center in Brighton, Mass agreed to settle its case with OCR in 2015 for $218,400 for potential violations of the HIPAA Security Rule after PHI was uploaded to a document sharing service, without first assessing the risks of using that service.

Phoenix Cardiac Surgery also agreed to settle a case with OCR for failing to obtain a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service in conjunction with PHI. The case was settled for $100,000.

In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.

HIPAA Compliant Cloud Computing Platforms

Both Amazon’s AWS and Microsoft’s Azure platforms can be used by HIPAA-covered entities. Both have all the necessary privacy and security protections in place to satisfy HIPAA requirements, and Amazon and Microsoft will sign BAAs with healthcare providers and agree to comply with HIPAA Rules.

AWS has long been the leading cloud service provider, although Microsoft appears to be catching up. If you are unsure of the best cloud computing platform provider to use, you can find out more information in this comparison of Azure and AWS.

Cloud storage companies that support HIPAA compliance and can be used by HIPAA-covered entities for storing ePHI (after a BAA has been obtained) include Box, Carbonite, Dropbox, Google Drive, and Microsoft OneDrive.


HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management.

Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord.

Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever changing cyber threats.

HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the workshops specifically focused on small healthcare providers.

The initiative runs alongside HITRUST’s Community Extension Program that was launched earlier this year, with the workshops taking place in the two hours prior to the HITRUST Community Extension Program events, which are taking place in 50 cities across the United States.

HITRUST explained, “Many clinics, physician offices, and other small providers are looking for local, community-based resources to help guide them through the journey of establishing governance and risk management programs to avoid a cyber-related breach or event that would disrupt their organization and expose the confidential information of their patients or members.” One of the aims of the workshops is to make good cyber hygiene manageable for small healthcare providers.

These workshops will provide the information small healthcare providers need to make significant improvements to their cybersecurity posture and help them meet the requirements of the HIPAA Security Rule.

While many topics will be covered in the workshops, they will be primarily focused on teaching the fundamentals of good cyber hygiene, explaining the need for cyber and HIPAA risk assessments, and covering cost-effective technologies that can be implemented to improve cybersecurity.

“Trying to determine the best way to secure my practice from cyber threats was a significant – and at times, overwhelming – undertaking,” said Dr. J. Stefan Walker, a practicing physician in a small practice in Corpus Christi, TX. “Many existing cybersecurity resources and education programs are geared toward larger health care organizations and are not practical for a practice with only a handful of employees.” These workshops will help small healthcare organizations by providing relevant, useful, and practical advice specific to practices of their size.

The first workshop is being hosted by Children’s Health in Dallas, TX and will take place on October 9. Details of further events will be posted on the HITRUST website.

The post HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance appeared first on HIPAA Journal.

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security?

The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients.

Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data, and a patient’s health data is not always stored by a single healthcare provider – instead, a patient’s full health history is fragmented and spread across multiple providers’ systems.

Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA covered entities and their business associates to implement technical safeguards to ensure the confidentiality, integrity, and availability of protected health information. However, each entity implements its own security controls.

The more entities have access to health data, the greater the potential for errors to be made that result in the data being exposed. As the Department of Health and Human Services’ Office for Civil Rights Breach portal clearly shows, HIPAA-covered entities and their business associates are not always as careful as they should be when storing and transmitting data, and even when they are, it is often not possible to prevent breaches. However, using blockchain for medical records could dramatically improve data security.

Blockchain, as the name suggests, is a chain of data blocks which contain details of transactions, each of which is encrypted to ensure privacy. Rather than store data in a single location, blockchain keeps data in an encrypted ledger, which is distributed across synchronized, replicated databases. Each block is linked to the previous block by a unique public key with access to data carefully controlled.

As has been shown with the massive Anthem and Equifax data breaches, single entities cannot be trusted to hold vast quantities of data and keep it secure in a centralized system. Storing data in a decentralized system could be a viable alternative.

With blockchain, each data block in the chain can be encrypted using public key cryptography which can be unlocked with the use of a private key or password, which could be held by a patient.

If blockchain is used for health data, rather than multiple healthcare providers storing their own copies of a patient’s data, the patient would grant each provider access to their data and provide them with a key.

Without access to the key, the data stored in the blockchain would be inaccessible. It would not be possible to hack a single block of data, at least not without simultaneously hacking all the others in the chain’s chronology. It would also not be possible for changes to be made to the data blocks and for those changes to be hidden.

With a cryptocurrency such as Bitcoin, blockchain is used for transactions – the buying and selling of the currency. With health records, the transactions would be consultations with physicians, X-ray images or blood test results, prescriptions, or surgical procedures. Each time data is added, it would need to be validated by a trusted entity who has been given an access key. Once validated, it would be added as a block in the chain in chronological order, with the blockchain comprising a patient’s entire medical history.
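The append-only, chronological chain described above, reduced to the one property the article relies on (a change to any stored block cannot be hidden), as an added illustration that is not part of the original article and not code from any real blockchain or health-record system. It assumes SHA-256 hash linking, constructed validator names and sample events, and stores the events in plaintext purely to keep the example short; in the design the article describes, each record would be ciphertext and access keys would be managed separately.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass
class Block:
    index: int
    prev_hash: str      # hash of the preceding block: the link in the chain
    validator: str      # trusted entity that validated the entry (constructed names)
    record: dict        # the event; in the page's design this would be ciphertext
    hash: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps({"index": self.index, "prev_hash": self.prev_hash,
                              "validator": self.validator, "record": self.record},
                             sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

class RecordChain:
    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, "genesis", {"event": "chain created"})
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, validator: str, record: dict) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.hash, validator, record)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> tuple:
        """Return (ok, first_bad_index): an altered block no longer matches its
        stored hash, and re-hashing it breaks the next block's prev_hash link."""
        for i, b in enumerate(self.blocks):
            if b.hash != b.compute_hash():
                return False, i
            if i > 0 and b.prev_hash != self.blocks[i - 1].hash:
                return False, i
        return True, -1

def demo() -> tuple:
    # Constructed two-event history, then one stored result is altered in place.
    chain = RecordChain()
    chain.append("clinic-a", {"event": "consultation", "note": "annual exam"})
    chain.append("lab-b", {"event": "blood test", "result": "normal"})
    before, _ = chain.verify()
    chain.blocks[2].record["result"] = "abnormal"   # tamper with a stored entry
    after, bad = chain.verify()
    return before, after, bad                       # -> (True, False, 2)
```

The check only detects tampering when it is run against a copy the tamperer could not also rewrite, which is why the article stresses replicated, synchronized ledgers rather than a single stored chain.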

The use of blockchain for medical records could prove highly beneficial for providers and patients, not only for keeping medical records secure, but also for pulling together fragmented medical records stored by multiple healthcare providers.

This would allow full medical records to be easily shared between providers. Medical records would not need to be transmitted electronically between providers; new providers would simply need to be told where the information can be accessed and given the access key.

Blockchain has potential to make it far easier for patients to access their healthcare records. Rather than submitting a request for copies of their health data with several different healthcare providers, one request could be submitted and their full healthcare record could be accessed. Currently, that process can be complicated, time-consuming, and potentially costly for the patient, since each provider is permitted under HIPAA to charge a fee for providing copies of data.

When data is provided through patient portals, the process of piecing together health records can be even more complicated, as is sharing the information. Blockchain could also help sort out the issues that exist with multiple patient identifiers.

Blockchain clearly works for financial transactions, but what about blockchain and medical records? Could it work in practice? Trials using blockchain and medical data have shown very promising results. One trial conducted by MIT Media Lab and Beth Israel Deaconess Medical Center has shown blockchain to work well for tracking test results, treatments, and prescriptions for inpatients and outpatients over 6 months. In that trial, data exchange between two institutions was simulated using two different databases at Beth Israel. Plans are now underway to expand the pilot.

There are still issues that must be resolved. Blockchain is not anonymous but pseudonymous. There is also the problem of how to keep certain records private, such as psychotherapy notes, to prevent patients from accessing that information.

It would also be necessary for blockchain to be extensively tested with health data, and healthcare organizations would need to be convinced to adopt blockchain medical records systems. Encouragingly, earlier this year, IBM conducted a survey of 200 healthcare organizations, and 16% said they expected to have a commercial blockchain solution in place this year.
