Peace of Mind With HIPAA Compliance Software – HIPAA Journal
What Is The Best Healthcare Compliance Software?
The best healthcare compliance software is a comprehensive management tool that helps chief compliance officers oversee compliance efforts across all of their organization’s facilities by proactively managing risks, streamlining workflows, improving collaboration, and demonstrating the achievement of compliance objectives to stakeholders.
What Are The Benefits Of Healthcare Compliance Software?
For the chief compliance officer of an organization, the benefits of using healthcare compliance software are:
1. Streamlined Workflow: Compliance software automates many administrative tasks related to compliance management, such as tracking compliance activities, scheduling self-audits, and managing documentation. This saves time and reduces manual effort.
2. Increased Visibility: Compliance software provides real-time visibility into compliance activities, allowing the chief compliance officer to monitor progress, track key metrics, and identify areas that require attention. This increased visibility enhances the CCO’s ability to effectively oversee compliance efforts across the organization, reducing the likelihood of compliance failures.
3. Enhanced Reporting Capabilities: Regulatory compliance software offers customized reporting and analytics, allowing the chief compliance officer to generate detailed reports on compliance activities, performance metrics, and audit findings. These reports help communicate compliance efforts to senior management, regulators, and other stakeholders effectively, and showcase a commitment to compliance excellence.
4. Centralized Documentation Management: Healthcare compliance management software provides a centralized repository for storing and managing compliance-related documents, such as policies, procedures, training materials, and audit reports. This centralization ensures that all relevant documentation is organized, up-to-date, and easily accessible when needed.
5. Improved Collaboration: Compliance software facilitates collaboration and communication among compliance team members, stakeholders, and other departments within the organization. This improves coordination and alignment on compliance initiatives, enhancing the chief compliance officer’s ability to drive compliance culture and initiatives across the organization.
6. Reduced Failure Risk: By automating compliance processes, providing real-time visibility into compliance activities, and facilitating proactive risk management, the best healthcare compliance software helps compliance officers minimize compliance risk and mitigate potential compliance failures.
What To Consider When Purchasing Healthcare Compliance Software?
By following our buyer’s guide framework, you can make a thorough assessment of the best healthcare compliance software options and select the most suitable solution to support your organization’s compliance objectives. There are three aspects to consider when purchasing healthcare compliance software which are discussed in detail below:
1. Essential Functionality
2. Software Specifications
3. Business Considerations
1. What Essential Functionality Is Required For Healthcare Compliance Software?
The best healthcare compliance software solution should include functionality to identify and manage risk, report and track incidents, educate employees, manage vendors, and it should include sophisticated reporting that demonstrates in real-time that all compliance objectives are being met across all the organization’s facilities.
Any solution worth consideration needs to be a flexible all-in-one compliance system that follows a recognized framework like the OIG-HHS Seven Fundamental Elements Of An Effective Compliance Program. Because all organizations are different, it should offer both a prebuilt approach and fully customizable options.
The following essential functionality will allow you to confidently address your organization’s compliance requirements:
1. Risk Assessment
- Risk assessment tools
- Risk scoring
- Gap identification
- Remediation planning
2. Policies & Procedures
- Templated and customizable policies and procedures
- Policy and procedure management
- Central storage of policies and procedures
3. Employee Training
- Train, track and manage HIPAA compliance training for employees
- Up-to-date HIPAA compliance training modules
- Personalized, individual employee training certificates
4. Vendor Management
- Identify and track business associates
- Customizable business associate agreement templates
- Store and track business associate agreements
5. Incident Response
- Anonymous incident reporting for employees
- Breach incident reporting
- Breach management tools
6. Reporting
- Customizable reporting templates, including reports to demonstrate compliance to stakeholders or regulators
- Centralized documentation storage
- Audit logging and reports
What other features should you consider for your HIPAA compliance solution?
Consider if you also need OSHA (Dental or Medical) and SOC 2 compliance, and if so, ensure your chosen software can provide this as an all-in-one healthcare compliance solution.
2. What Are The Software Specifications To Consider For HIPAA Compliance Solutions?
Software specifications are aspects of a solution, such as usability or scalability, that are not about specific functionality but describe the broader qualities of the software. Specifications will help inform your decision when comparing HIPAA compliance software solutions.
1. Ease Of Use
- Assess the software’s overall user experience, including the user interface and navigation around the solution.
- Does it have an intuitive interface that includes guided workflows for conducting compliance activities? This is vital to make it easier for individuals without deep compliance expertise to navigate the compliance process.
- How user-friendly are the training modules that employees will be required to take as part of the organization’s compliance?

2. Scalability & Flexibility
- Can the software accommodate your organization’s current scale, for example, to manage multiple locations?
- Can it scale up and adapt to your organization’s evolving future needs?
3. Integration Capabilities
- How will the software integrate with your existing IT infrastructure and the other third-party applications used within your organization?
- Cloud-based solutions are the easiest to implement, and have the advantage that ongoing infrastructure maintenance is the responsibility of the software vendor. Bear in mind that a cloud vendor that stores protected health information on your behalf (for example, in breach incident reports uploaded to the platform) is a business associate under HIPAA, so a signed business associate agreement must be in place before any PHI is entered into the system.
4. Future Proofing
- How will the software vendor address regulatory changes and updates to ensure ongoing compliance in a timely manner?
3. What Are The Business Considerations When Choosing HIPAA Compliance Software?
You may find that when evaluating functionality and specifications, a favored vendor emerges and you feel ready to award them the business right away. It is highly recommended that you don’t allow yourself to be pressured into a fast decision before fully examining the commercial and business considerations.
1. Vendor Reputation
- Is the software endorsed by any medical associations?
- Do they have current case studies and testimonials from other healthcare organizations that have successfully implemented the software?
- It is always a good idea to request references, i.e., to speak directly with existing customers about their experiences with both the software and the vendor.
2. Vendor Training & Support
- Does the vendor offer live support to guide you through the setup of their HIPAA compliance software solution?
- Is there a separate cost for this, or is it included in the price?
- After setup, what ongoing support is offered, and is this included in the vendor’s annual charges?
3. Costs
- Look for a transparent breakdown of pricing structures, including initial setup costs, licensing fees, and any additional charges for support or updates.
- Is there a one-time purchase cost or is it a subscription-based model? Subscriptions have become the most common way to purchase cloud-based software.
- If cost is an issue and the solutions on your shortlist appear similar, create a price comparison table that takes all factors into account, such as extra costs for training or support, for example whether HIPAA training is included or charged separately.
- Does the vendor offer discounts? For example, they may offer a group discount for an association you are already a member of. It’s always worth asking, as this can often be 15% or more off the annual list price.
4. Free Trial Or Money Back Guarantee
- A full demonstration may be enough to help you make your decision, but a short trial period can be helpful if you have any doubts. It also allows you to ask your colleagues to take a look before a final decision is made.
- Not all software is suitable for a free trial because of the setup effort required from both the vendor and the customer. In this scenario you could ask for a guarantee that, if you are not satisfied, you have the option to back out of the agreement within a certain period, such as 30 days.
5. Software Licence Period
- What is the commitment period you are signing up for? Is it month-by-month or year-by-year? Is there a minimum period, such as three or five years? Read the small print on any agreement.
- The advantage of shorter periods is that the onus is on the software vendor to keep you happy, because they won’t want you to cancel. Alternatively, if you are willing to sign up for a longer period, the annual costs may be reduced.
Free Buyer’s Guide
We have compiled a free buyer’s guide to choosing HIPAA compliance software that includes a checklist for the three aspects discussed in this article. This can be downloaded by filling in the form on this page.
The post What Is The Best Healthcare Compliance Software? appeared first on HIPAA Journal.
OSHA Publishes 2023 Injury and Illness Data
The Occupational Safety and Health Administration (OSHA) has published injury and illness data for 2023, collected under the Improve Tracking of Workplace Injuries and Illnesses final rule that OSHA issued in July 2023. The final rule requires certain establishments with 100 or more employees to electronically submit data from their OSHA Forms 300 and 301 to OSHA once a year. The data are collected through OSHA’s Injury Tracking Application (ITA). The deadline for submitting injury and illness data for 2023 was March 2, 2024; establishments that missed the deadline are still required to submit their data.
Aside from certain low-risk industries, many employers with more than 10 employees are required to maintain records of serious workplace injuries and illnesses. Records must be maintained at the worksite for 5 years, and a summary of the injuries and illnesses recorded over the previous year must be posted each February through April. Copies of the records must be provided to current and former employees or their representatives on request. Fatalities must be reported to OSHA within 8 hours, and severe injuries involving amputation, loss of an eye, or hospitalization must be reported within 24 hours.
Throughout 2023, OSHA conducted outreach through webinars, social media, and educational videos to ensure that establishments were aware of their obligations. OSHA is actively enforcing compliance with the reporting requirements by identifying establishments that have failed to submit the required data.
Submitting data to OSHA on injuries, illnesses, and fatalities in the workplace allows OSHA to identify the safety and health problems that workers face and determine the extent of workplace illnesses and injuries. Accurate and detailed data are vital to OSHA’s mission to prevent and control workplace hazards, injuries, and illnesses. OSHA reviews the data and intervenes through strategic outreach and enforcement to reduce worker injuries and illnesses. The data improves research into the occurrence, prevention, and control of workplace hazards, injuries, and illness types, and provides the public with information about the risk of injuries and illnesses in specific sectors. Workers and employers can also use the data to make more informed decisions about safety and health in their workplaces.
The published data for 2023 includes illness and injury data collected from more than 375,000 establishments via their submitted OSHA Form 300A Summary of Work-Related Injuries and Illnesses, data on individual injuries and illnesses collected from employers with 100 or more employees in high-hazard industries, and partial data collected via 850,000 Form 300 Log of Work-Related Injuries and Illnesses and Form 301 Injury and Illness Incident Report records.
NY Attorney General Finds Northwell Health Deceptively Advertised COVID-19 Testing Sites
New York Attorney General Letitia James has announced a settlement with New York’s largest health network, Northwell Health, to resolve allegations that it deceptively advertised its emergency departments as COVID-19 testing sites during the COVID-19 public health emergency. Northwell Health claimed in advertisements that three emergency departments in New York City and Long Island were COVID-19 testing sites; however, when patients visited to be tested, they were billed for emergency room visits.
The Office of the Attorney General (OAG) investigated Northwell Health after complaints were received from patients who claimed they had been overcharged for testing. OAG investigated and found that Lenox Hill Hospital, Lenox Health Greenwich, and Huntington Hospital had signs advertising their emergency departments as COVID-19 testing sites between March 2020 and March 2021. Hundreds of patients visited the emergency departments solely to be tested for COVID-19 but were billed standard emergency department charges. In the case of Huntington Hospital, even patients who used the drive-in testing facility were charged for emergency room visits. OAG determined that Northwell Health collected $81,761.46 in out-of-pocket payments from 559 New Yorkers for COVID-19 tests and related services, and patients visiting the emergency department for other reasons were also charged for COVID-19 tests.
OAG found that the actions of Northwell Health violated New York Executive Law § 63(12) and General Business Law §§ 349 and 350. Under the terms of the settlement, Northwell Health has issued more than $400,000 in refunds to 2,048 patients and will pay a civil monetary penalty of $650,000 to the state. “During a time of great stress at the height of the pandemic, Northwell Health caused more worry and frustration for New Yorkers who were sent emergency room bills for simply taking a COVID-19 test,” said Attorney General James. “Today we are putting money back in New Yorkers’ pockets after Northwell Health misled them. New York patients should not get surprise fees, and I encourage anyone who thinks they’ve been taken advantage of through deceptive advertising to file a complaint with my office.”
Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center
Cyberattacks have been reported by the University of Tennessee Health Science Center, SysInformation Healthcare Services (EqualizeRCM/1st Credentialing), and Jackson Medical Center. Moveable Feast has discovered the improper disposal of documents containing PHI.
University of Tennessee Health Science Center – Ransomware Attack
The University of Tennessee Health Science Center (UT-HSC) said a cyberattack on one of its vendors has resulted in the exposure and possible theft of the protected health information of 19,353 patients who received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).
UT-HSC contracted with a company called KMJ Health Solutions, which provided patient handoff software used to support OB/GYN patients and ensure they receive the appropriate care when they are transferred to another healthcare provider. UT-HSC was notified by KMJ on or around November 29, 2023, about a security incident discovered while investigating a server outage. KMJ erased and reformatted the server, which destroyed much of the forensic evidence on it, and then hired a cybersecurity firm to investigate the incident; the firm was unable to make a definitive determination about whether there had been unauthorized access. On January 18, 2024, KMJ’s hosting provider, Liquid Web, found evidence of a ransomware attack but could not determine whether the attackers downloaded a copy of the data stored in the eDocList.
The potentially affected individuals had received OB/GYN services at ROH between November 2014 and November 2023. The information potentially compromised included first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow up care.
KMJ has implemented new technical safeguards including vulnerability scans, penetration testing, and configuration reviews. Due to the nature of the exposed data, UT-HSC does not believe there is any significant risk of identity theft or harm to credit; however, the affected individuals have been advised to be on the lookout for any letters, emails, or phone calls, and other communications from unknown individuals wanting to discuss any of the services received from ROH.
SysInformation Healthcare Services (EqualizeRCM/1st Credentialing) – Cyberattack
SysInformation Healthcare Services (SysInformation), an Austin, TX-based provider of revenue cycle support to medical billing companies and hospitals that does business as EqualizeRCM and 1st Credentialing, has experienced a cyberattack that caused a network outage. SysInformation said suspicious activity was detected within its network in June 2023. IT systems were secured, and third-party forensics experts were engaged to investigate the incident. The investigation revealed unauthorized access to its network between June 3, 2023, and June 18, 2023, and certain files had been exfiltrated.
SysInformation said an extensive review was conducted to determine the types of information involved and the individuals affected, and notification letters were mailed to the affected individuals on April 17, 2024. The types of data involved varied from individual to individual and may have included one or more of the following: name, government identification number, date of birth, driver’s license number, employer identification number, electronic signature, financial account information, health insurance information, medical history/treatment information, login information, mother’s maiden name, government-issued identification number, passport information, Social Security number, and/or tax identification number.
Complimentary credit monitoring services have been offered to the affected individuals, security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future. The breach has been reported to regulators; however, it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Jackson Medical Center – Cyberattack
Jackson Medical Center in Alabama has notified 509 patients about the exposure of some of their protected health information in a cyberattack that disrupted some of its IT systems. The attack was detected on February 22, 2024, and third-party forensics experts were engaged to investigate the incident and confirmed that an unauthorized third party had access to its network between February 17, 2024, and February 22, 2024. During that time, files were accessed or removed from its network.
A review of the affected files confirmed on March 8, 2024, that they contained patients’ protected health information including names and one or more of the following: contact information, dates of birth, driver’s license or state identification numbers, diagnoses, treatment information, and/or health insurance information. Notification letters have been mailed to the affected individuals and complimentary identity monitoring services have been offered to patients whose Social Security numbers, driver’s license numbers, or state identification numbers were potentially involved. Jackson Medical Center said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.
Moveable Feast – Improper Disposal of Documents
Moveable Feast, a Baltimore, MD-based non-profit that provides care to individuals living with HIV/AIDS and other life-threatening illnesses, has discovered that documents containing sensitive data were disposed of incorrectly. Moveable Feast’s policies require sensitive documents to be placed in shredding bins, but some were inadvertently disposed of in regular recycling bins. The HIPAA violation was discovered when a recycling bin awaiting curb pickup was blown over, scattering its contents.
Staff collected most of the documents, but some pages could not be retrieved. The missing pages contained the information of 568 individuals such as their client number, name, gender, race, and age, and for a subset of Moveable Feast clients, the last 4 digits of their Social Security numbers. Notification letters have been sent to all affected individuals and 12 months of credit monitoring services have been made available at no cost. Staff members have also been retrained on handling sensitive information.
CISA & Partners Share New Threat Intelligence on Akira Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have issued a joint cybersecurity advisory about the Akira ransomware operation, which has impacted more than 250 organizations and collected around $42 million in ransom payments. The group’s operators are highly skilled and have been linked to the infamous Conti ransomware operation.
Akira is a relatively new ransomware group that emerged in March 2023 and mostly targets small- to medium-sized businesses, with ransom demands ranging from around $200,000 to millions of dollars. The group has attacked many verticals including finance, real estate, manufacturing, and healthcare. Attacks on healthcare targets prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue a Sector Alert about Akira ransomware in September 2023. The latest cybersecurity advisory from CISA and its partners shares information on the latest tactics, techniques, and procedures (TTPs) used by the group, updated indicators of compromise (IoCs), and recommended mitigations for network defenders.
Akira has been observed gaining initial access to victims’ networks through Virtual Private Network (VPN) services that lack multifactor authentication, primarily by exploiting the Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269 (an information disclosure flaw in Cisco ASA and FTD software and an unauthorized-access flaw in their remote access VPN feature, respectively). The group also targets external-facing services such as Remote Desktop Protocol (RDP), abuses valid credentials, and conducts spear phishing attacks.
When a corporate network has been breached, the group moves laterally, attempts to obtain Windows domain credentials, and then deploys ransomware to encrypt files. The group engages in double extortion, stealing sensitive data from victims and demanding payment both to prevent the stolen data from being leaked and for the keys to decrypt files. Initially the group only attacked Windows systems, but it has since developed a Linux encryptor and now also targets VMware ESXi virtual machines. The group uses Kerberoasting and Mimikatz to obtain credentials, LaZagne to harvest stored credentials in support of privilege escalation, PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, and FileZilla, WinRAR, WinSCP, and RClone for data exfiltration.
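Kerberoasting, one of the credential-access techniques listed above, leaves a recognizable footprint in domain controller Security logs: a single user account requesting service tickets for many distinct service principal names (SPNs) in a short time, typically with the RC4-HMAC ticket encryption type (0x17), because RC4 tickets are the cheapest to crack offline. The following Python detector is an added example written for this article, not code from the advisory or from any of the issuing agencies. It runs over constructed event 4769 records (the field names mirror the event’s data fields; the accounts, SPNs and timestamps are made up) and flags accounts that cross a distinct-SPN threshold inside a sliding time window, while skipping krbtgt requests, failed requests and, by default, computer accounts.

```python
"""Heuristic Kerberoasting detection over Windows Security event 4769 records.

Event 4769 ("A Kerberos service ticket was requested") is logged on domain
controllers.  Kerberoasting shows up as a burst of successful ticket requests
from one user account for many distinct SPNs, usually with ticket encryption
type 0x17 (RC4-HMAC), since RC4 tickets are the cheapest to crack offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).  Keys mirror the 4769 data
# fields TargetUserName, ServiceName, TicketEncryptionType and Status.
SAMPLE_4769 = [
    # Normal user, AES256 (0x12) tickets to two services: benign.
    {"time": "2024-04-18T09:00:01", "account": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local", "enc_type": "0x12", "status": "0x0"},
    {"time": "2024-04-18T09:02:40", "account": "jdoe@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "enc_type": "0x12", "status": "0x0"},
    # Legacy application with a single RC4 SPN: noisy, but not a roast.
    {"time": "2024-04-18T09:05:00", "account": "legacy-app@CORP.LOCAL",
     "service": "MSSQLSvc/oldsql.corp.local", "enc_type": "0x17", "status": "0x0"},
    # Computer account requesting RC4 tickets: excluded by default.
    *[{"time": f"2024-04-18T09:06:{i:02d}", "account": "WS01$@CORP.LOCAL",
       "service": f"HOST/srv{i}.corp.local", "enc_type": "0x17", "status": "0x0"}
      for i in range(5)],
    # Suspected Kerberoasting: one user, six distinct SPNs, RC4, 25 seconds.
    *[{"time": f"2024-04-18T09:10:{5 * i:02d}", "account": "mallory@CORP.LOCAL",
       "service": spn, "enc_type": "0x17", "status": "0x0"}
      for i, spn in enumerate([
          "MSSQLSvc/db01.corp.local", "MSSQLSvc/db02.corp.local",
          "HTTP/intranet.corp.local", "HTTP/reports.corp.local",
          "exchangeMDB/mail01.corp.local", "sap/erp01.corp.local"])],
    # Same user: a krbtgt request and a failed request, both ignored.
    {"time": "2024-04-18T09:10:30", "account": "mallory@CORP.LOCAL",
     "service": "krbtgt", "enc_type": "0x17", "status": "0x0"},
    {"time": "2024-04-18T09:10:31", "account": "mallory@CORP.LOCAL",
     "service": "MSSQLSvc/db03.corp.local", "enc_type": "0x17", "status": "0x1b"},
]

RC4_HMAC = "0x17"


def _is_candidate(ev, include_computer_accounts):
    """Keep only successful RC4 service-ticket requests for real service SPNs."""
    if ev["enc_type"].lower() != RC4_HMAC or ev["status"] != "0x0":
        return False
    if ev["service"].split("/")[0].lower() == "krbtgt":
        return False  # TGT-related requests are not Kerberoasting
    user = ev["account"].split("@")[0]
    if user.endswith("$") and not include_computer_accounts:
        return False  # machine accounts are excluded by default to cut noise
    return True


def detect_kerberoasting(events, min_distinct_services=5,
                         window=timedelta(minutes=5),
                         include_computer_accounts=False):
    """Return {account: sorted SPN list} for accounts that obtained RC4 service
    tickets for at least `min_distinct_services` distinct SPNs within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if _is_candidate(ev, include_computer_accounts):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"].lower()))

    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # Sliding window: for each request at t0, count the distinct SPNs
        # requested in [t0, t0 + window]; the list is sorted, so only later
        # entries need to be examined.
        for i, (t0, _) in enumerate(reqs):
            in_window = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct_services:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 SPNs")
        for spn in spns:
            print("   ", spn)
```

Tune the threshold and window to the environment. A domain that still has legacy services requiring RC4 will produce isolated RC4 requests like the legacy-app record above, which the distinct-SPN threshold filters out; an AES-only domain can drop the encryption-type filter and rely on the burst pattern alone, and a hunt for roasting of machine-account SPNs can set include_computer_accounts to True.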
The cybersecurity advisory includes several recommended mitigations to prevent and reduce the impact of Akira ransomware attacks. Among the most important are applying patches for known exploited vulnerabilities, especially CVE-2020-3259 and CVE-2023-20269, enforcing phishing-resistant multifactor authentication across the organization, in particular for VPNs, webmail, and accounts linked to critical systems, and keeping all software up to date.
Palo Alto Networks Updates Mitigations as Exploitation of 0Day Firewall Vulnerability Grows
Exploitation of a recently disclosed zero-day vulnerability affecting Palo Alto Networks firewalls has grown since proof-of-concept exploits were released, and a previously recommended mitigation is ineffective at preventing exploitation of the flaw.
The vulnerability, tracked as CVE-2024-3400, is a command injection flaw in versions 10.2, 11.0, and 11.1 of the PAN-OS operating system that powers Palo Alto Networks firewalls. The vulnerability is thought to have been exploited since March 26, 2024, initially in a nation-state-affiliated campaign tracked as Operation MidnightEclipse; Palo Alto Networks has since detected an additional 20 IP addresses attempting to exploit the flaw.
The vulnerability affects the GlobalProtect gateway or portal VPN feature on certain PAN-OS devices, and can be exploited by an unauthenticated attacker to execute arbitrary code with root privileges. The vulnerability has a maximum CVSS v3 severity score of 10. According to security researchers at Rapid7, the vulnerability is being exploited as part of an exploit chain, along with a second vulnerability that has yet to have a CVE assigned. The second vulnerability is a file creation vulnerability in the GlobalProtect web server.
Initially, Palo Alto Networks said PAN-OS firewalls were vulnerable to attack only if a GlobalProtect gateway and device telemetry were both enabled, and its initial security advisory, released on Friday, recommended disabling device telemetry as a secondary mitigation. Palo Alto Networks has since confirmed that this mitigation is not effective: firewalls do not need device telemetry enabled to be exposed to attack, so disabling telemetry should not be relied upon and the hotfix must be applied.
According to the Shadowserver Foundation, around 156,000 Palo Alto Networks devices are exposed to the Internet, although it is unclear how many of those devices have been patched. To remediate the vulnerability, customers should ensure a hotfix is applied; Rapid7 has confirmed that the hotfixes released by Palo Alto Networks are effective at preventing exploitation of CVE-2024-3400. Because the flaw was exploited in the wild before the hotfixes were available, patching does not undo a compromise that has already occurred, so devices that were exposed before the hotfix was applied should also be checked for signs of intrusion.
The hotfixes are PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later versions. On Thursday and Friday, Palo Alto Networks released hotfixes for other commonly deployed maintenance releases, as detailed in an updated Sector Alert from the Health Sector Cybersecurity Coordination Center (HC3).
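Whether a given firewall is fixed depends on its release branch and hotfix number, and the question has to be answered for every device in an inventory. The following Python check is an added example written for this article, not a Palo Alto Networks tool. It parses the PAN-OS version format (major.minor.maintenance with an optional -hN hotfix suffix) and classifies a version against the three hotfix floors named above. It knows only those three hotfixes, so an earlier maintenance release that carries some hotfix (for example, a hypothetical 10.2.8-h3) is reported as unknown rather than assumed fixed, and the device telemetry setting is deliberately ignored, since disabling it is not a mitigation. The inventory entries at the bottom are constructed for the demonstration.

```python
"""Classify PAN-OS versions against the CVE-2024-3400 hotfix floors.

PAN-OS versions look like "11.1.2-h3": major.minor.maintenance with an
optional "-h<N>" hotfix suffix.  A version is fixed when it is at or above
the hotfix released for its release branch, or is any later release.
"""
import re

# Hotfix floors named in the article for the three affected branches.  Palo
# Alto Networks also shipped hotfixes for other maintenance releases in these
# branches; they are not listed here, so such versions are reported as
# "unknown" rather than guessed at.
HOTFIX_FLOOR = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Parse "11.1.2-h3" -> (11, 1, 2, 3).  A missing hotfix suffix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess_cve_2024_3400(version, globalprotect_enabled=True):
    """Return one of:
      "not_affected"            branch is not 10.2 / 11.0 / 11.1
      "patched"                 at or above the hotfix floor for the branch
      "not_exposed"             affected, unpatched, but no GlobalProtect
                                gateway or portal configured (still patch it)
      "vulnerable"              no hotfix at all, or a hotfix below the floor
                                on the same maintenance release
      "unknown_check_advisory"  earlier maintenance release carrying some
                                hotfix not listed here; consult the advisory
    Device telemetry is deliberately not an input: disabling it does not
    mitigate the flaw.
    """
    v = parse_panos_version(version)
    branch = v[:2]
    if branch not in HOTFIX_FLOOR:
        return "not_affected"
    floor = HOTFIX_FLOOR[branch]
    if v >= floor:                 # tuple comparison: later maintenance
        return "patched"           # releases compare above the floor
    if not globalprotect_enabled:
        return "not_exposed"
    if v[2] == floor[2] or v[3] == 0:
        return "vulnerable"
    return "unknown_check_advisory"


def triage_inventory(inventory):
    """Map hostname -> status for a list of {hostname, version, globalprotect}."""
    return {dev["hostname"]: assess_cve_2024_3400(dev["version"],
                                                  dev["globalprotect"])
            for dev in inventory}


# Constructed inventory for the demonstration (hypothetical hostnames).
SAMPLE_INVENTORY = [
    {"hostname": "fw-edge-1", "version": "11.1.2-h2", "globalprotect": True},
    {"hostname": "fw-edge-2", "version": "11.1.2-h3", "globalprotect": True},
    {"hostname": "fw-dc-1", "version": "10.2.8-h3", "globalprotect": True},
    {"hostname": "fw-lab", "version": "10.1.11", "globalprotect": True},
    {"hostname": "fw-internal", "version": "11.0.3", "globalprotect": False},
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Feed the check with versions pulled from the devices themselves rather than from a CMDB, since a hotfix installed in a hurry is exactly the kind of change that asset records miss.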