Healthcare Information Technology

iPhone Users Can View Their Health Records Through the Apple Health App

Patients are being encouraged to obtain copies of their health records and to take a more active role in their own healthcare. Many hospitals are now providing patients with access to some of their health records through patient portals. Apple has now taken ease of access one step further. The company’s Health app has been updated to include a section that allows users to view their medical records directly on their iPhones.

The Health app will show allergies, test results, diagnoses, procedures, immunizations, medications, and other health information that is typically available through patient portals. When new information is added to a patient's record, the app notifies the user.

The Health Records feature is part of iOS 11.3 and is based on Fast Healthcare Interoperability Resources (FHIR), a standard for exchanging electronic health information. Data is encrypted in transit to the user's iPhone to prevent unauthorized access, and the records are protected on the device by the user's iPhone passcode to keep them confidential.

Participating hospitals and clinics will be able to use the system to push out health records directly to patients who have installed the app on their iPhones. The beta version of the updated app is currently being tested at 12 hospitals, including those run by Johns Hopkins Medicine, Cedars-Sinai, Geisinger Health System, and Penn Medicine. After the app has been fully tested, other healthcare providers will be signed up.

“We’ve worked closely with the health community to create an experience everyone has wanted for years — to view medical records easily and securely right on your iPhone. By empowering customers to see their overall health, we hope to help consumers better understand their health and help them lead healthier lives,” said Apple COO Jeff Williams.

“Putting the patient at the center of their care by enabling them to direct and control their own health records has been a focus for us at Cedars-Sinai for some time,” said Darren Dworkin, Chief Information Officer at Cedars-Sinai. “We are thrilled to see Apple taking the lead in this space by enabling access for consumers to their medical information on their iPhones. Apple is uniquely positioned to help scale adoption because they have both a secure and trusted platform and have adopted the latest industry open standards at a time when the industry is well positioned to respond.”

“Streamlining information sharing between patients and their caregivers can go a long way towards making the patient experience a positive one,” said Stephanie Reel, Chief Information Officer at Johns Hopkins Medicine. “This is why we are excited about working with Apple to make accessing secure medical records from an iPhone as simple for a patient as checking email.”

Hospitals currently participating in the Health Records app are:

  • Johns Hopkins Medicine – Baltimore, Maryland
  • Cedars-Sinai – Los Angeles, California
  • Penn Medicine – Philadelphia, Pennsylvania
  • Geisinger Health System – Danville, Pennsylvania
  • UC San Diego Health – San Diego, California
  • UNC Health Care – Chapel Hill, North Carolina
  • Rush University Medical Center – Chicago, Illinois
  • Dignity Health – Arizona, California and Nevada
  • Ochsner Health System – Jefferson Parish, Louisiana
  • MedStar Health – Washington, D.C., Maryland and Virginia
  • OhioHealth – Columbus, Ohio
  • Cerner Health e Clinic – Kansas City, Missouri

The post iPhone Users Can View Their Health Records Through the Apple Health App appeared first on HIPAA Journal.

Amazon Seeks HIPAA Expert for New Healthcare Venture

Amazon has posted a new job vacancy for a HIPAA Compliance Lead, confirming the retail giant is making a move into the healthcare sector.

The HIPAA Compliance Lead will be responsible for creating a HIPAA compliance program that ensures Amazon's technology and business processes meet the terms of its business associate agreements (BAAs), and for managing all aspects of that program.

The new recruit should have at least 5 years of HIPAA experience in an enterprise, experience with the FDA and the 510(k) premarket notification process, 7+ years' experience in an information technology setting including exposure to software development/auditing, a thorough understanding of HIPAA/HITECH and OIG compliance standards, and experience with business intelligence and analytics tools. Applicants must also understand HIPAA privacy and security requirements and how those requirements map to ISO 27001, SOC 1/2/3, and NIST SP 800-53.

Amazon already offers its cloud platform – Amazon Web Services (AWS) – to healthcare organizations, with AWS supporting HIPAA compliance and Amazon prepared to sign a business associate agreement with healthcare organizations.

However, the new position is not related to AWS. The HIPAA compliance expert Amazon seeks will be working on “a new initiative” according to the job listing, which has fueled speculation about new products and services for the healthcare industry.

Over the past year there has been much speculation about Amazon moving into the pharmacy business, with the retailer able to use its resources to speed drug delivery. Goldman Sachs predicted Amazon would likely move into this area last summer, either by making certain pharmaceutical products available through its online store or by creating a separate Amazon online pharmacy.

There has also been speculation about Amazon developing a HIPAA-compliant version of Alexa specifically for the healthcare industry. In April 2017, the Alexa Diabetes Challenge was launched by Merck, with developers challenged to come up with new ways for Alexa – and Lex, the service on which Alexa is based – to be used to improve the lives of patients with diabetes. There are many potential uses for Alexa in healthcare, including transcribing patient notes. Currently, however, Alexa is not covered by Amazon's business associate agreement and so cannot be used with any PHI.

Amazon could also launch a new telemedicine platform. Last year, Amazon set up a new tech lab named 1492 which is focused on hardware and software projects related to healthcare. One of the projects being explored by the lab is a hardware/software solution that would make accessing health records much easier for physicians and patients.

While Amazon’s new products and services for healthcare are currently a mystery, it is clear that Amazon sees healthcare as a major area of future growth and the new recruit will be instrumental in helping bring those products/services to market.


Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

Fortunately, the mega data breaches of 2015 were not repeated in 2017, and the decline in very large breaches continued.

In 2016, there were three breaches that each impacted more than one million individuals, and 14 breaches of more than 100,000 records.

In 2017, only one reported data breach impacted more than 500,000 people, and eight breaches impacted 100,000 or more individuals. For comparison, the breaches reported in 2016 affected 14,679,461 individuals in total, considerably fewer than the 112,107,579 affected in 2015.

The final figures for 2017 cannot yet be calculated, as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rule allows covered entities up to 60 days from discovery to report breaches affecting 500 or more individuals, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records, roughly a 78% reduction year on year (the 2016 total was about 4.5 times higher).

While it is certainly good news that the severity of breaches has fallen, that only tells part of the story. Breaches of hundreds of thousands of records have become rarer, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016, and there were 78 healthcare data breaches of more than 10,000 records in 2017.

The bad news is that there has been a significant rise in the number of healthcare data breaches in 2017. As of January 4, 2018, 342 healthcare data breaches for 2017 were listed on the OCR breach portal, and more incidents are likely to be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

[Figure: reported healthcare data breaches in 2017]

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The 20 largest healthcare data breaches of 2017 are listed below.

Position | Breached Entity | Entity Type | Records Exposed | Cause of Breach
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Airway Oxygen, Inc. | Healthcare Provider | 500,000 | Hacking/IT Incident
3 | Women's Health Care Group of PA, LLC | Healthcare Provider | 300,000 | Hacking/IT Incident
4 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
5 | Pacific Alliance Medical Center | Healthcare Provider | 266,123 | Hacking/IT Incident
6 | Peachtree Neurological Clinic, P.C. | Healthcare Provider | 176,295 | Hacking/IT Incident
7 | Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident
8 | McLaren Medical Group, Mid-Michigan Physicians Imaging Center | Healthcare Provider | 106,008 | Hacking/IT Incident
9 | Harrisburg Gastroenterology Ltd | Healthcare Provider | 93,323 | Hacking/IT Incident
10 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
11 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
12 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
13 | Salina Family Healthcare Center | Healthcare Provider | 77,337 | Hacking/IT Incident
14 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
15 | Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident
16 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
17 | Enterprise Services LLC | Business Associate | 56,075 | Unauthorized Access/Disclosure
18 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
19 | Network Health | Health Plan | 51,232 | Hacking/IT Incident
20 | Oklahoma Department of Human Services | Health Plan | 47,000 | Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017: hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the 20 largest healthcare data breaches of 2017.

In 2016, hacking incidents accounted for only 11 of the top 20 data breaches, and for 12 of the top 20 in 2015. The share of hacking incidents therefore appears to be rising.

[Figure: healthcare data breaches in 2017 (hacking)]

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

[Figure: healthcare data breaches of 2017 (unauthorized access/disclosures)]

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

[Figure: healthcare data breaches of 2017 (loss/theft)]

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it does ensure that healthcare organizations achieve at least a minimum standard for data security, which would prevent many of the breaches reported each year.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, had strong passwords been chosen, and had cloud storage services and databases been configured correctly. Many other breaches resulted from employees leaving unencrypted laptops in risky locations, in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently enough. As a result, employees continue to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce that training regularly. Only then can organizations reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it is possible to stop the year-on-year rise in data breaches. Until healthcare organizations get those basics right and comply with HIPAA Rules, however, healthcare data breaches are likely to continue to rise.


CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms how widespread texting has become. Of the 788 healthcare professionals surveyed, 45% of pharmacists and 35% of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed: 8% only when a secure platform was used, and 3% under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE) or via handwritten orders. The CMS explained that, "An order if entered via CPOE, with an immediate download into the provider's electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record."

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging platforms meet HIPAA requirements for privacy and security, the ban remains in place over concerns about how orders sent by text message are entered into the EHR. CPOE is still the preferred method of entry to ensure accuracy.


70% of Healthcare Organizations Have Adopted Off-Premises Computing

A recent survey of 144 U.S.-based healthcare organizations has shown that the majority have already adopted off-premises computing for applications and IT infrastructure.

The popularity of off-premises solutions is growing steadily. The KLAS Research study revealed 70% of healthcare organizations have moved at least some of their applications and IT infrastructure to the cloud. Out of the organizations that have, almost 60% are using a cloud or hosting environment for EHR applications.

69% of healthcare organizations said they would consider utilizing off-premises cloud solutions, or are actively expanding the use of those solutions.

Cerner is the leader in off-premises computing for EHR applications, although Epic is attracting considerable interest, with many of its customers considering switching from its on-premises solutions to its data center.

One of the fastest growing areas is Infrastructure-as-a-Service (IaaS), as it enables healthcare organizations to use off-premises infrastructure rather than having to build a data center.

Amazon is the market leader and the most commonly considered provider for IaaS and PaaS, with Microsoft a close second. Microsoft is the most commonly considered provider across all off-premises options, and is also the vendor most often chosen by organizations that are just venturing into cloud computing, which typically start with Office 365 before exploring other Microsoft cloud-based products.

The biggest driver pushing healthcare organizations to the cloud is the opportunity to reduce costs, both capital outlay and operational costs. Many healthcare organizations that have started transitioning to the cloud have done so to free up capital otherwise spent on on-premises hardware and infrastructure, allowing them to invest in other areas.

51% of organizations are considering the cloud to reduce costs, 40% said the cloud was being researched to address resource constraints, 29% saw the cloud as a way to enhance services and capabilities, while 11% said the cloud could help them improve their system performance. Only 9% saw the cloud as a way to improve security.

It is security and privacy of off-premises solutions that is causing the most concern. 31% of provider organizations said they are concerned about cloud computing, especially security vulnerabilities that could place the privacy of data at risk.

Out of the organizations that are considering using the cloud, most are considering using the cloud for backups, email archives, storage, file sharing, and non-clinical applications. Most healthcare organizations were apprehensive about moving sensitive protected health information to the cloud.

One area that has seen significant growth is use of the cloud for enterprise resource planning (ERP) or human capital management (HCM) applications. 17% of surveyed companies had already moved ERP and/or HCM applications to the cloud with almost three quarters doing so through a hosted deployment model.

KLAS believes more healthcare organizations will choose to switch to the cloud in the future as more options become available. KLAS reports that most software vendors have started developing cloud-based solutions in addition to their on-premises solutions, and many healthcare organizations are likely to make the switch.


Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA compliant? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.

In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, the tools must be subject to a risk analysis and determined to meet the security standards demanded by HIPAA.

Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance.

It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.

How secure is GoToMeeting? Is GoToMeeting HIPAA compliant?

Is GoToMeeting HIPAA Compliant?

In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.

According to LogMeIn's published security information, GoToMeeting encrypts session data end to end: chat, video, audio, and control data are encrypted in transit with 128-bit AES, and all transmitted data is authenticated with HMAC-SHA-1 message authentication codes, so that tampering in transit is detected. AES with a 128-bit key is among the encryption algorithms currently approved by NIST.

Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained allowing activity relating to PHI to be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.

Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.

Each user that wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, which can be set by the meeting organizer.

GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”

While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.

So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.

However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”


How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations?

How to Make Your Email HIPAA Compliant

Whether you need to take additional steps depends on how you plan to use email with ePHI. HIPAA does not strictly require encryption of email that never leaves your own network: the Security Rule's encryption specification is "addressable", so a covered entity may decide, on the basis of its documented risk analysis, that messages that stay behind its firewall do not need to be encrypted. Encryption becomes necessary once emails are sent beyond your firewall. In either case, access controls on email accounts are required, as it is important to ensure that only authorized individuals can access accounts that contain ePHI.

If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant.

There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant there are several things to consider:

Ensure you have end-to-end encryption for email

Email is a quick and easy way to communicate electronically, but it is not secure by default. Most mail servers encrypt messages in transit only opportunistically (STARTTLS), which an attacker on the path can downgrade, and every relay decrypts the message and may store it in the clear. To make your email HIPAA compliant you should ensure you have end-to-end encryption: the message is encrypted on the sender's side and can be decrypted only by the intended recipient, so it remains ciphertext both in transit and while stored on intermediate servers. Access controls then ensure that only the intended recipient and the sender can read the messages.

Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails, not only those that contain ePHI. This will reduce the potential for human error.

The type of encryption used is also important. The Data Encryption Standard (DES) was once considered secure, but NIST withdrew it in 2005, and Triple DES has since been deprecated. You should consult NIST for advice on suitable encryption standards: HHS guidance points to NIST SP 800-52 (TLS) and SP 800-77 (IPsec VPNs) for data in transit and SP 800-111 for data at rest. Currently AES with 128-, 192-, or 256-bit keys is recommended.

For many HIPAA-covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA compliant email service provider is strongly recommended.

Research potential HIPAA compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers.

Enter into a HIPAA-compliant business associate agreement with your email provider

If you use a third-party email provider, you should obtain a business associate agreement prior to using the service for sending ePHI. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.

If an email service provider is not prepared to enter into a business associate agreement, you should look elsewhere. There are several email service providers who are prepared to sign a BAA to allow them to work with HIPAA-covered entities and their business associates.

Ensure your email is configured correctly

Even when a BAA is obtained, there are still risks associated with email and it is possible to fail to configure the email service correctly and violate HIPAA Rules. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant.

Google’s G Suite includes email and is covered by Google’s business associate agreement. Through G Suite, email can be made HIPAA compliant provided the service is used with a business domain. Even so, care must be taken configuring the service: Google encrypts mail in transit and at rest on its servers, but that is not end-to-end encryption, so the available transport and message encryption settings must be reviewed and enforced for any mail that may carry ePHI.

Note that G Suite is not the same as Gmail. Gmail is not intended for business use and cannot be made HIPAA compliant. Google does not sign a BAA for its free services, only for its paid services.

Develop policies on the use of email and train your staff

Once you have implemented your HIPAA compliant email service, it is important to train staff on the correct use of email with respect to ePHI. Several data breaches have occurred as a result of errors by healthcare staff: the accidental sending of ePHI via unencrypted email, and the sending of ePHI to individuals not authorized to view the information. It is important to ensure that all staff are aware of their responsibilities under HIPAA and are trained on the use of the email service.

Retain emails for as long as HIPAA and state law require

HIPAA does not set a single retention period for all email. What it does require (45 CFR § 164.316(b)(2)) is that covered entities and business associates retain the documentation the Rules call for (policies, procedures, risk analyses, business associate agreements, and similar records) for six years from the date of creation or the date it was last in effect, whichever is later. Emails fall under that requirement to the extent they form part of such documentation, and emails that belong to a patient's designated record set are subject to the medical record retention periods set by state law, which are often longer. Even for small to medium-sized healthcare organizations, storing six years of emails, including attachments, for all members of staff requires considerable storage space. Consider using a secure, encrypted email archiving service rather than email backups. Not only will this free up storage space, but because an email archive is indexed, searching for a message is quick and easy. If emails need to be produced for legal discovery or for a compliance audit, they can be retrieved quickly.

As with an email service provider, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classed as a business associate. A BAA would need to be entered into with that service provider and reasonable assurances obtained that they will abide by HIPAA Rules.

Obtain consent from patients before communicating with them via email

HIPAA-covered entities should note that while it may be convenient to send emails containing ePHI to patients, HHS guidance permits this only where reasonable safeguards are applied, even if a HIPAA compliant email provider is used. Before sending ePHI to a patient by email, confirm that the patient wants to communicate this way, advise them of the risks to the confidentiality of information sent via email (particularly if they ask for unencrypted email), and document their choice; a written acknowledgement is the simplest way to do so. If the patient is prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.

Seek legal advice on HIPAA compliance and email

If you are unsure of the requirements of HIPAA with respect to email, it is strongly recommended that you speak with a healthcare attorney that specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.

The post How to Make Your Email HIPAA Compliant appeared first on HIPAA Journal.

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard.

The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cyber Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security.

For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network.

The report, Agari Industry DMARC Adoption Report for Healthcare, shows that while an enforcing DMARC policy can all but eliminate phishing attacks that directly spoof an organization's own domains (it offers no protection against lookalike domains), only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC.

Only 21% of healthcare organizations have published a DMARC record at all, and those have a monitoring-only policy (p=none), which makes receiving mail servers report unauthenticated messages to the domain owner but still deliver them; those organizations are not blocking phishing emails. Only 2% have an enforcing policy (p=quarantine or p=reject) that protects patients from phishing attacks spoofing their domains. NH-ISAC reports that only 30% of its members have adopted DMARC.
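The monitoring-versus-enforcing distinction the survey draws comes down to the p= tag of the DMARC record and to whether a message's authenticated identifiers align with the domain in its From header. The following added example (it is not code from the report, Agari, or HIPAA Journal) classifies DMARC records into the survey's categories and evaluates one message against a policy. The domain names, the DMARC records, the tiny public-suffix subset and the spoofed-message scenario are all constructed for illustration; a real receiver would fetch the record from the TXT entry at _dmarc.<domain> and use the full Public Suffix List.

```python
"""Added example: classify DMARC policies and evaluate DMARC alignment for one message.

Receivers normally fetch the policy from the TXT record at _dmarc.<domain>; here the
records are supplied inline (constructed sample data) so the logic runs offline.
"""

# Constructed subset of the public-suffix list. A production evaluator must use the
# full Public Suffix List, otherwise organizational-domain matching is wrong.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "co.uk", "org.uk"}

# Constructed sample records standing in for the survey's three categories.
SAMPLE_RECORDS = {
    "hospital.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital.example",
    "clinic.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@clinic.example",
    "pharma.example": None,  # no _dmarc record published at all
}


def parse_dmarc(txt):
    """Return the record's tag dict, or None if it is not a valid DMARC record."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must start with v=DMARC1 and carry a p tag.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def classify_policy(txt):
    """Map a record to the survey's categories: monitoring only vs. actually blocking."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing-or-invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring-only"  # receivers send reports to rua= but still deliver spoofs
    if policy in ("quarantine", "reject"):
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            return "missing-or-invalid"
        return "enforcing" if pct == 100 else "partially-enforcing"
    return "missing-or-invalid"


def organizational_domain(domain):
    """Longest public suffix plus one label, e.g. mail.hospital.example -> hospital.example."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(from_domain, record_txt, spf_domain=None, dkim_domains=()):
    """Return (dmarc_result, disposition) for a message whose RFC5322.From is from_domain.

    spf_domain   : domain SPF *passed* for (MAIL FROM, or HELO if MAIL FROM is empty), or None
    dkim_domains : d= values of DKIM signatures that verified
    Assumes the record was published at from_domain's organizational domain; pct is ignored.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return ("none", "none")  # no usable policy: the receiver falls back to its own rules
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r").lower())
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r").lower()) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["p"].lower()
    if "sp" in tags and from_domain.lower() != organizational_domain(from_domain):
        policy = tags["sp"].lower()  # subdomain policy applies to mail from subdomains
    if policy == "none":
        return ("fail", "none")  # authentication failed, but p=none means deliver anyway
    return ("fail", policy)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify_policy(record)}")
    # A spoofed billing notice: the From header claims the healthcare domain, SPF passed only
    # for the attacker's bulk-mail domain, and nothing was DKIM-signed by that domain.
    for domain in ("hospital.example", "clinic.example"):
        print(domain, evaluate(domain, SAMPLE_RECORDS[domain], spf_domain="bulk-sender.example"))
```

Run stand-alone, the spoofed message fails DMARC for both sample domains, but the outcome differs: hospital.example's p=none policy yields a disposition of "none" (the phish is delivered and merely reported), while clinic.example's p=reject policy yields "reject". That difference is exactly the gap between the 21% and the 2% in the survey.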

The impersonation of domains is a common tactic employed by phishers to fool victims into believing emails have been sent by trusted organizations. The healthcare industry is at the highest risk of being targeted by fraudulent email, according to the report. Over the past six months, 92% of healthcare domains have been targeted by phishers and scammers using fraudulent email, and 57% of all email purporting to come from healthcare organizations is fraudulent or unauthenticated.

DMARC has been widely adopted in other industries, although healthcare lags behind. The same was true of federal agencies, which had been slow to implement the email security standard. Last month, the U.S. Department of Homeland Security addressed this by issuing Binding Operational Directive 18-01, which requires all federal agencies to publish a DMARC record (at minimum p=none) within 90 days and to move to p=reject within one year.

The healthcare industry is being urged to do the same. NH-ISAC is already encouraging its members to adopt DMARC, while the GCA has launched a ‘90-Days to DMARC’ challenge, which commences on December 1. Under the challenge, GCA will be releasing guidance, conducting webinars, and making resources available to help healthcare organizations plan, implement, analyze, and adjust DMARC.

“GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC,” said Phil Reitinger, President and CEO of GCA.

Jim Routh, CSO, Aetna, said “The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members.”

“Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications,” said Patrick Peterson, founder and executive chairman of Agari.

The post Survey Reveals Poor State of Email Security in Healthcare appeared first on HIPAA Journal.

Electronic Records and HIPAA Compliance

Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe.

Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of electronic health records containing electronic protected health information (ePHI) are being created every day and then used, transmitted, and stored.

Maintaining the confidentiality, integrity, and availability of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside the organization’s network and ePHI stored in the cloud.

Start by Conducting a Risk Analysis

One of the primary issues with electronic records and HIPAA compliance is that the technical, physical, and administrative safeguards of the HIPAA Security Rule were published in 2003, three years before Amazon’s cloud-based web services were launched and four years before the first Apple iPhone was released. At the time, mHealth devices and apps such as Fitbit were still many years in the future.

Therefore, in order to identify issues relating to electronic records and HIPAA compliance in a modern healthcare environment, Security Officers must conduct an accurate assessment of potential risks and vulnerabilities. The nature of risks typically falls into three categories:

  • Unauthorized disclosure, modification, or deletion of ePHI (both malicious and accidental).
  • IT disruptions due to man-made or natural disasters.
  • Business Associates and the failure to conduct due diligence.

Each category covers a wide range of potential breaches of ePHI, and addressing everything related to electronic records and HIPAA compliance is a substantial task. Some Covered Entities have inventoried and analyzed the use and disclosure of all PHI (not just ePHI) as part of their efforts to comply with the HIPAA Privacy Rule, and this data can be invaluable for the risk analysis.

Assess Your Current Security Measures

Once the risks have been identified and documented, the next step is to assess the organization’s current security measures. Both technical and non-technical security measures have to be assessed in order to determine whether the measures required by the HIPAA Security Rule are already in place and, if so, whether they are configured and used as intended.

This assessment feeds the risk analysis: pairing each identified threat and vulnerability with the likelihood and impact of its exploitation gives a risk level, from which Security Officers can establish which risks need to be addressed immediately and what additional security measures and policies need to be implemented later. It is not advisable to make too many changes to work practices at the same time, so the risk analysis also serves to set priorities.

HHS has Issued Guidance on Cloud Computing

As part of its “special topics for HIPAA professionals” series, the US Department of Health & Human Services (HHS) has issued guidance for Covered Entities and Business Associates on cloud computing. This area of electronic records and HIPAA compliance is evolving all the time and, as with the HIPAA Security Rule, HHS does not endorse specific technologies to safeguard ePHI.

The same rules apply for electronic records and HIPAA compliance as if a medical professional were sharing PHI in paper format. Covered Entities are expected to conduct due diligence on the Business Associate (in this case the cloud service provider), a Business Associate Agreement must be in place, and the Business Associate is responsible for notifying the Covered Entity of any breach of ePHI. Note that under the HHS guidance a cloud provider is a Business Associate even when it stores only encrypted ePHI and never holds the decryption key.

Further Information about Electronic Records and HIPAA Compliance

For further information about electronic records and HIPAA compliance, it is recommended Security Officers download and review our “HIPAA Compliance Guide”. In the Guide, we elaborate on the information provided above, and include a section relating to “Secure Communications and HIPAA Compliance” which should assist all Security Officers with their risk assessments.

The post Electronic Records and HIPAA Compliance appeared first on HIPAA Journal.