Healthcare Information Technology

L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals

Members covered by the L.A. Care Health Plan in Los Angeles are now benefiting from improved health information sharing with healthcare providers following the launch of a new health information exchange platform.

L.A. Care Health Plan (formerly known as Local Initiative Health Authority of Los Angeles County) is a public entity providing an accountable care program and other health plans (such as L.A. Care Covered, L.A. Care’s Healthy Kids and PASC-SEIU Homecare Workers Health Care Plan) for Los Angeles residents. Through its 6 health care plans, L.A. Care Health Plan provides coverage for more than 2 million individuals including some of the most vulnerable populations in the County, and is now the largest publicly operated health plan in the United States.

Last year, the health plan piloted the eConnect information exchange platform supplied by Safety Net Connect. eConnect lets hospitals send real-time alerts on admissions, discharges, and transfers to the health plan using HL7 Admit-Discharge-Transfer (ADT) messages.
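What such an ADT alert carries, parsed and validated the way a receiving system should do it before acting on the event, as an added Go example. This is not Safety Net Connect's or L.A. Care's code; the HL7 v2 message, facility names and patient details are constructed, and the set of accepted trigger events is an assumption for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample ADT^A01 (admit) message. Not a real feed; the patient,
// facilities and control ID are fictional. Segments are CR-separated per HL7 v2.
const sampleADT = "MSH|^~\\&|HOSP_ADT|GENHOSP|ECONNECT|LACARE|20161201083000||ADT^A01|MSG000123|P|2.3\r" +
	"EVN|A01|20161201083000\r" +
	"PID|1||123456^^^GENHOSP^MR||DOE^JANE||19800101|F\r" +
	"PV1|1|I|ICU^101^A|||||||||||||||V20161201"

// ADTEvent is the subset of an ADT message that an admission/discharge/transfer alert needs.
type ADTEvent struct {
	MessageType  string // "ADT"
	TriggerEvent string // "A01" admit, "A02" transfer, "A03" discharge, ...
	ControlID    string // MSH-10, used to de-duplicate alerts
	PatientID    string // PID-3, first component
	PatientClass string // PV1-2, e.g. "I" inpatient
	Location     string // PV1-3 assigned location
}

// Trigger events this receiver is willing to act on (assumption for the example).
var eventNames = map[string]string{"A01": "admit", "A02": "transfer", "A03": "discharge", "A04": "register", "A08": "update"}

// ParseADT validates structure and message type before any field is trusted.
func ParseADT(raw string) (*ADTEvent, error) {
	segments := strings.Split(strings.TrimRight(raw, "\r\n"), "\r")
	if len(segments) == 0 || !strings.HasPrefix(segments[0], "MSH|") {
		return nil, errors.New("message must start with an MSH segment")
	}
	ev := &ADTEvent{}
	for _, seg := range segments {
		fields := strings.Split(seg, "|")
		switch fields[0] {
		case "MSH":
			// MSH-1 is the field separator itself, so MSH-n lives at index n-1.
			if len(fields) < 12 {
				return nil, errors.New("MSH segment too short")
			}
			mt := strings.Split(fields[8], "^") // MSH-9: message type ^ trigger event
			if len(mt) < 2 {
				return nil, errors.New("MSH-9 must be type^event")
			}
			ev.MessageType, ev.TriggerEvent, ev.ControlID = mt[0], mt[1], fields[9]
		case "PID":
			if len(fields) > 3 {
				ev.PatientID = strings.SplitN(fields[3], "^", 2)[0]
			}
		case "PV1":
			if len(fields) > 3 {
				ev.PatientClass = fields[2]
				ev.Location = fields[3]
			}
		}
	}
	if ev.MessageType != "ADT" {
		return nil, fmt.Errorf("not an ADT message: %q", ev.MessageType)
	}
	if _, ok := eventNames[ev.TriggerEvent]; !ok {
		return nil, fmt.Errorf("unsupported trigger event %q", ev.TriggerEvent)
	}
	if ev.PatientID == "" {
		return nil, errors.New("PID-3 patient identifier missing")
	}
	return ev, nil
}

// Alert renders the notification a care coordinator would receive for a validated event.
func Alert(ev *ADTEvent) string {
	return fmt.Sprintf("%s: patient %s (class %s) at %s [msg %s]",
		eventNames[ev.TriggerEvent], ev.PatientID, ev.PatientClass, ev.Location, ev.ControlID)
}

func main() {
	ev, err := ParseADT(sampleADT)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(Alert(ev))
}
```

The MSH offset is the classic HL7 v2 parsing mistake: because MSH-1 is the `|` separator, the message type sits at index 8 of the split segment, not 9. Rejecting unknown trigger events and messages without a patient identifier keeps a malformed or mis-routed feed from generating alerts that look legitimate.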

The pilot was a success and in August 2015, L.A. Care Health Plan started rolling out the platform to high-volume hospitals throughout L.A. County. Now, just over a year later, L.A. Care Health Plan has announced that 21 hospitals are signed up and using the platform to obtain real-time data on health plan members.

Keith Matsutsuyu, CEO of Safety Net Connect said “Timely access to actionable data is the essential goal of most any health information technology, but a lack of interoperability between systems and organizations often makes that goal challenging, if not impossible.”

The platform will help with the coordination of patient care by providing efficient access to actionable data; in particular, the system will help with post-discharge management. It is hoped that hospitals signed up to use the platform will be able to solve many of the challenges associated with patient admissions, transfers, and discharges.

According to L.A. Care CEO John Baackes, the eConnect system “helps overcome connectivity barriers between the hospitals’ systems,” and will help to ensure that all health plan members benefit from better care co-ordination.

Hospitals in the County appreciate the value of the information exchange platform and the benefits it offers. Baackes said “Engaging twenty-one institutions in just over a year is a true testament to the value of this kind of data in improving outcomes for our hospital providers.”

The post L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals appeared first on HIPAA Journal.

Patients Holding Back Health Information Over Fears of Data Privacy

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book polled 12,090 adult consumers nationally to assess patients’ confidence in health IT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in the privacy and security measures put in place by healthcare providers appears to be at an all-time low. Black Book reports that in the last quarter of 2016, 87% of patients were unwilling to share all of their health information with their providers, and 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they are collecting via personal wearable devices is important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians that responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that they are becoming overwhelmed by data.


New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

  • The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”
  • Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.
  • Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.
  • Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.
  • The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.
  • The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.
  • The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”
  • Limits on the sharing of health data, to prevent organizations from passing data to third parties for advertising, marketing, or the promotion of other services, or to other entities, without the knowledge or consent of consumers.


FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure vulnerabilities can be addressed before they are exploited by hackers.

The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure.

The FDA has previously warned device manufacturers and healthcare providers about medical device security risks. In 2015, it warned of a vulnerability in Hospira infusion pumps that could potentially be exploited by an attacker with network access to alter drug doses and harm patients.

Earlier this year, short-selling firm Muddy Waters issued a report alleging a number of security vulnerabilities in certain St. Jude Medical devices. The FDA is currently investigating those claims; St. Jude Medical denies that the vulnerabilities exist. Johnson & Johnson has also disclosed a flaw in one of its insulin pumps that could potentially be exploited by hackers.

Final FDA Cybersecurity Guidance for Medical Device Manufacturers

The new 30-page guidance document encourages medical device manufacturers to implement a system for monitoring their devices and associated software for security vulnerabilities that could be used to take control of the devices, obtain sensitive data, or launch attacks on healthcare networks.

The guidance has been a year in the making and follows the release of cybersecurity guidelines for device manufacturers in October 2014. The previous document makes recommendations for incorporating better cybersecurity protections into medical devices before they come to market.

The latest guidance is concerned with the continued protection of medical devices after they have come to market. The document suggests steps that should be taken by manufacturers of the devices to make it easier for vulnerabilities to be identified and reported by security researchers. The FDA suggests device manufacturers should develop channels of communications to allow vulnerabilities to be reported back to them by white hat hackers.

The FDA also recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share cybersecurity threat information, including how they have responded to threats and made their devices more secure.

Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, helped develop the guidelines. She explained in a recent blog post that “Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.” She also explained that device manufacturers need to develop “a structured and comprehensive program to manage cybersecurity risks.”

The guidance can be used to develop and implement policies and procedures to better protect medical devices once they have come to market. Schwartz also strongly recommends that device manufacturers apply the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

The new guidance, Postmarket Management of Cybersecurity in Medical Devices, is available from the FDA.


ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA).

The ISA is a catalog of standards and implementation specifications that healthcare organizations can use to address specific interoperability needs; it is intended to serve as a single reference point for the industry when selecting standards for those needs.

The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that support interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used.

The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online platform to enable stakeholders to “fully engage with and shape the ISA on an ongoing basis.”

The ISA is a living resource and will be updated periodically to cover a broader range of health IT interoperability needs. This year’s updates add interoperability needs relating to public health, research, personal health devices, nutritional health, social determinants of health, and nursing.

Since there may be more than one standard for any specific interoperability need, discussion will take place via the ISA public comment process. The new web version will make this process more transparent and threaded discussions will be viewable which should help to promote further dialogue.

Following the publication of the draft ISA in August this year, ONC has made a number of updates after taking on board the feedback received from the public and the Health IT Standards Committee.

ONC has dropped ‘best available’ as a concept in the ISA, to ensure that stakeholders do not read it as meaning the listed standards and implementation specifications are ‘the best’, when each may have limitations or may not have been widely adopted. Dropping the label also makes it easier to distinguish which standards may be better suited to a given organization’s needs.

The scope of the 2017 ISA has been expanded to include public health and health research interoperability and covers electronic health information that is created by healthcare providers and subsequently used for purposes for which interoperability is required. However, the ISA falls short of including interoperability standards for administrative and payment oriented HIPAA transactions, which are covered by the standards maintained by the Centers for Medicare & Medicaid Services (CMS).

The Final 2017 ISA is split into the following categories:

  • Section I – Vocabulary/Code Sets/Terminology Standards and Implementation Specifications (i.e., “semantics”).
  • Section II – Content/Structure Standards and Implementation Specifications (i.e., “syntax”).
  • Section III – Standards and Implementation Specifications for Services (i.e., the infrastructure components deployed and used to address specific interoperability needs).
  • Section IV – Models and Profiles.
  • Section V – Questions and Requests for Stakeholder Feedback.


Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility.

Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients.

The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks.

Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available online.

Poor security controls on any IoT device could result in it being added to a botnet or used as a launchpad for other attacks. However, security and surveillance camera weaknesses are the most concerning, according to a new report by cloud security firm Zscaler.

Zscaler recently conducted a review of security controls on a number of popular home and enterprise security cameras and identified multiple weaknesses that could be exploited by hackers.

The Flir FX wireless HD monitoring camera, for instance, was found to communicate in plaintext and did not use authentication tokens. Additionally, its firmware updates were not digitally signed, so an attacker could push custom-crafted firmware to the device and take full control of the camera. The Foscam IP surveillance camera similarly transmitted user data, including passwords, in plaintext over HTTP; the passwords were even included in the URL, where they also end up in proxy logs, server logs, and browser histories.
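The check that the Flir finding above says was missing, as an added Go example that is not from Zscaler's report or any vendor's firmware: the vendor signs the SHA-256 digest of the image with an offline Ed25519 key, and the device refuses to flash anything whose signature does not verify under the public key it shipped with. The image bytes, key pair, and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update package: the raw image plus a detached
// Ed25519 signature over SHA-256(image), produced with the vendor's offline signing key.
type FirmwareImage struct {
	Image     []byte
	Signature []byte
}

// SignFirmware runs on the vendor's build system; the private key never ships on the device.
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwareImage {
	digest := sha256.Sum256(image)
	return FirmwareImage{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// installUnsigned is the weak behaviour the report describes: whatever arrives gets flashed.
func installUnsigned(fw FirmwareImage) ([]byte, error) {
	return fw.Image, nil
}

// InstallVerified accepts an image only if its signature verifies under the public key
// burned into the device at manufacture, so a modified or attacker-built image is refused.
func InstallVerified(pub ed25519.PublicKey, fw FirmwareImage) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize || len(fw.Signature) != ed25519.SignatureSize {
		return nil, errors.New("firmware rejected: malformed key or signature")
	}
	digest := sha256.Sum256(fw.Image)
	if !ed25519.Verify(pub, digest[:], fw.Signature) {
		return nil, errors.New("firmware rejected: signature does not verify")
	}
	return fw.Image, nil
}

// Demo signs a constructed image, builds a tampered copy that still carries the genuine
// signature, and reports whether each installer accepted it. The three booleans are:
// unsigned installer took the tampered image, verified installer took the genuine image,
// verified installer took the tampered image.
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	image := []byte("camera-fw-v2.1.0: constructed sample image, not real firmware")
	genuine := SignFirmware(priv, image)
	tampered := FirmwareImage{
		Image:     append(append([]byte{}, image...), []byte(" + attacker payload")...),
		Signature: genuine.Signature,
	}
	_, errU := installUnsigned(tampered)
	_, errG := InstallVerified(pub, genuine)
	_, errT := InstallVerified(pub, tampered)
	return errU == nil, errG == nil, errT == nil, nil
}

func main() {
	u, g, t, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("unsigned installer accepted tampered image: %v\n", u)
	fmt.Printf("verified installer accepted genuine image:  %v\n", g)
	fmt.Printf("verified installer accepted tampered image: %v\n", t)
}
```

On a real device the public key would sit in read-only storage or be measured by a boot ROM, and the update path would verify before writing to flash rather than after; a plaintext transport is then still a privacy problem for camera traffic, but no longer a route to running attacker code.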

The vulnerabilities were not present in isolated devices, but appeared to be much more of a general problem with a multitude of security cameras and other IoT devices found to have serious vulnerabilities.

Security researchers at SEC Consult recently discovered two backdoors in more than 80 models of professional surveillance cameras manufactured by Sony. The devices had hard-coded credentials in a web interface that would enable hackers to remotely enable the Telnet service on the devices. A hard-coded password was also used for the root account that would enable hackers to take full control of the devices via Telnet.

The backdoors were believed to have been installed by Sony for development purposes rather than being introduced by other parties, although flaws such as these could all too easily be exploited. After being notified of the flaws, Sony released a firmware upgrade for the devices last week.

According to SEC Consult, “An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet, or to just simply spy on you.”

Zscaler has warned organizations to restrict access to IoT devices and, as far as possible, to improve security controls to protect the devices from attack. Zscaler recommends blocking external ports, replacing default credentials with strong passwords, and connecting the devices only to isolated networks so that, if one is compromised, the damage is contained.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a warning to healthcare organizations about the risks that can be introduced from IoT devices. OCR recommends following US-CERT advice to secure the devices.


OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks flood systems with traffic and requests until they can no longer respond or crash. Recent attacks have taken large sections of the Internet offline, crashed email systems, and put other computer equipment out of action.

DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action.

DDoS attacks do not just prevent these systems from being accessed; they can also leave equipment out of action, and the cost of recovery can be considerable.

The scale of the recent attacks has been astonishing. Whereas last year DDoS attacks of the order of 300 Gbps were something of a rarity, this year attacks well in excess of 600 Gbps have been seen, and one French hosting company registered an attack of 1 Tbps.

The attackers behind the recent DDoS attacks have taken advantage of poor security controls on IoT (Internet of Things) devices such as the failure to change default passwords. The devices have been used to create huge botnets – devices infected with malicious software that are used to flood systems with traffic.

The recent attacks have primarily used surveillance cameras and DVRs; however, any IoT device could be compromised and used for the attacks.

Hospitals now have many IoT devices connected to their networks, which could all potentially be compromised and added to botnets and used for attacks on other organizations, or for attacks on other systems used by hospitals.

The attacks are likely to continue. Further, as more IoT devices with weak security controls are installed, the scale of the attacks is likely to increase. Healthcare organizations have been attacked in the past and further attacks are likely.

This week, the Department of Health and Human Services’ Office for Civil Rights contacted healthcare organizations to raise awareness of the threat and urged them to take action to protect their systems from attack and to prevent their IoT devices from being added to botnets.

There are a number of actions that healthcare organizations can take to protect their devices – and their networks – from DoS and DDoS attacks.

Organizations should perform scans of their networks for vulnerable IoT devices, continuously scan for compromised devices, apply security patches promptly to address known vulnerabilities and change all default passwords on every IoT device. Default passwords are easily guessed or can be found online.
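One way to run the continuous scan for compromised devices recommended above, as an added Go example that is not from OCR or US-CERT: it reads NetFlow-style records and flags two behaviours of a Mirai-style bot, telnet probes fanned out across many hosts (how the malware propagates) and an outsized packet volume to a single destination (the device taking part in a flood). The log lines, thresholds, and field names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed NetFlow-style records, one per line (not real traffic). 10.20.5.14 plays
// a camera that has been enrolled in a Mirai-like botnet; 10.20.5.20 is a healthy device.
const sampleFlows = `
2016-11-28T10:00:01Z src=10.20.5.14 dst=203.0.113.7 dport=23 pkts=1
2016-11-28T10:00:01Z src=10.20.5.14 dst=203.0.113.8 dport=23 pkts=1
2016-11-28T10:00:01Z src=10.20.5.14 dst=203.0.113.9 dport=23 pkts=1
2016-11-28T10:00:02Z src=10.20.5.14 dst=203.0.113.10 dport=23 pkts=1
2016-11-28T10:00:02Z src=10.20.5.14 dst=203.0.113.11 dport=23 pkts=1
2016-11-28T10:00:02Z src=10.20.5.14 dst=203.0.113.12 dport=2323 pkts=1
2016-11-28T10:05:00Z src=10.20.5.14 dst=198.51.100.9 dport=80 pkts=48000
2016-11-28T10:00:03Z src=10.20.5.20 dst=10.20.1.5 dport=443 pkts=40
2016-11-28T10:00:04Z src=10.20.5.20 dst=10.20.1.6 dport=23 pkts=3
2016-11-28T10:00:05Z this line is malformed and is skipped
`

type Flow struct {
	Src, Dst string
	DPort    int
	Pkts     int
}

// parseFlow reads key=value tokens; a record missing any of the four fields is dropped.
func parseFlow(line string) (Flow, bool) {
	var f Flow
	seen := 0
	for _, tok := range strings.Fields(line) {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "src":
			f.Src = kv[1]
			seen++
		case "dst":
			f.Dst = kv[1]
			seen++
		case "dport", "pkts":
			n, err := strconv.Atoi(kv[1])
			if err != nil {
				return f, false
			}
			if kv[0] == "dport" {
				f.DPort = n
			} else {
				f.Pkts = n
			}
			seen++
		}
	}
	return f, seen == 4
}

type Finding struct {
	Host   string
	Reason string
}

// DetectCompromised flags a source that (a) probes telnet (23/2323) on at least
// scanThreshold distinct hosts, or (b) sends at least floodPkts packets to one destination.
func DetectCompromised(lines []string, scanThreshold, floodPkts int) []Finding {
	telnetTargets := map[string]map[string]bool{}
	pktsPerPair := map[[2]string]int{}
	for _, line := range lines {
		f, ok := parseFlow(line)
		if !ok {
			continue
		}
		if f.DPort == 23 || f.DPort == 2323 {
			if telnetTargets[f.Src] == nil {
				telnetTargets[f.Src] = map[string]bool{}
			}
			telnetTargets[f.Src][f.Dst] = true
		}
		pktsPerPair[[2]string{f.Src, f.Dst}] += f.Pkts
	}
	var out []Finding
	for src, dsts := range telnetTargets {
		if len(dsts) >= scanThreshold {
			out = append(out, Finding{src, fmt.Sprintf("telnet probes to %d distinct hosts (Mirai-style propagation)", len(dsts))})
		}
	}
	for pair, pkts := range pktsPerPair {
		if pkts >= floodPkts {
			out = append(out, Finding{pair[0], fmt.Sprintf("%d packets to %s (possible DDoS participation)", pkts, pair[1])})
		}
	}
	// Map iteration order is random; sort so results are stable.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

// Analyze runs the detector over the constructed sample with thresholds chosen for it.
func Analyze() []Finding {
	return DetectCompromised(strings.Split(strings.TrimSpace(sampleFlows), "\n"), 5, 10000)
}

func main() {
	for _, f := range Analyze() {
		fmt.Printf("%s: %s\n", f.Host, f.Reason)
	}
}
```

The single telnet connection from the healthy device stays below the fan-out threshold, so it is not flagged; in production the thresholds would be tuned per device class and the flows taken from a switch or firewall export rather than an embedded string. A device that trips either rule is a candidate for isolation and a credential and firmware review, which is the follow-up the patching and default-password advice above calls for.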

OCR recommends following US-CERT’s guidance on the prevention of DDoS attacks.
