Archive for the ‘Electronic Medical Records’ Category

ransomwareRansomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, Security expert Symantec reported 600,000 ransomware attacks a month, and expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and making updates to their software to close vulnerabilities as they find them. But if you do not have the latest software, you still have those vulnerabilites.
  3. Use a good security software package that is more than just anti-virus.
  4. Often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History backup changed files every hour, but only if you have an external hard drive and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury when doctors and nurses can no longer access the patients records or get access to diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said the paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and was fully functioning until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, and in general meaning you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and do throw away the last change effort.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others.

Comments solicited.

Keep your sense of humor.



Read Full Post »

I recently wrote about some of the impacts that government regulations around the Affordable Care Act are having on small medical practices. One of those differences has to do with coding. These codes are established by the World Health Organization, part of the United Nations, in a medical classification list called the International Statistical Classification of Diseases and Related Health Problems, usually just called “ICD.” This is really two lists: a list of diagnosis codes and a separate list of procedure codes.

The current set, ICD-9, has about 13,000 diagnosis codes and 3,000 procedure codes. The 30-year old ICD-9 suffers from several problems: it lacks detail, uses generic terms, is based on outdated technology,and has limited capability to add new codes.

The new set, ICD-10, addresses those problems. It provides for up to 68,000 diagnosis codes and 87,000 procedure codes.

In a recent one-week nation-wide test involving over 127,000 claims from 2,600 health care providers, suppliers, billing companies and clearinghouses, only 89% of the claims were accepted without issues. This test involved claims from only about 5% of potential claim submitters, and only included those who agreed to be part of the test and had been working on this conversion for years. After October 1, 2015, claims that do not use ICD-10 or have issues with the ICD-10 codes will not be processed, and claims not processed will not be paid. The official position: physicians are urged to set up a line of credit to mitigate any cash flow interruptions that may occur.

As you can imagine, there are some fairly unusual codes. One that has made the NPR circuit is V91.07: burn due to water-skis on fire. But NPR did not get the story correct. V91.07 is an invalid code; you must use one of the three subservient codes to describe the diagnosis in greater detail:

  • V91.07XA – initial encounter
  • V91.07XD – subsequent encounter
  • V91.07XS — sequela

A “sequela” is a chronic condition that is a complication of an initial event.

Before you scoff at this diagnosis, check out these guys.

For some reason, there are different sets of ICD-10 for different countries, so for those of us who travel to foreign countries, there is likely to be some confusion with your insurance provider and local healthcare facility if you are injured or sick outside your home country.

Many organizations have already been working on this conversion for a few years. There are also lots of companies out there to help medical staffs make the transition. For example, Find-A-Code has search solutions for small practices ($300/year) and larger facilities ($950/year).

Like a lot of things in the Affordable Care Act, the end result of the convesion will be beneficial to patients. Getting there will be a really interesting ride, and will contibute to the loss of small medical practices with potentially a significant negative impact in rural areas.

The real concern will be the significant number of coding errors during the transition. Each diagnosis coding error can lead to health workers adminstering the wrong procedures, especially as patients are shifted between doctors and other care providers in larger medical organizations.

The last word:

Considering the large number of people who have access to your health care information, and the number of breaches in personal health care data, you should be concerned over misuse of your data. Certainly the government will have access. Expect companies, perhaps legally, to offer your health care information to your current or potential employer, and certainly to your insurance providers.

Read carefully the fine print around any job or insurance application you submit. You may be granting them access to all of your medical data as well as your financial data as part of a “background check.” HIPAA actually treats much of your medical information as a valid part of your employment record. This includes anything related to drug testing, Family and Medical Leave Act, Americans with Disabilities Act, Occupational Safety and Health Administration, workers’ compensation records, sick leave or return to work documents, and anything related to a drug or alcohol free workplace.

There are legal restrictions on what a company can access or ask for, but if you say “yes” in a job application all bets are off.

Comments solicited.

Keep your sense of humor.


Read Full Post »

2014 has been a very bad year for data security. Many of these attacks have made the news, starting with Target and ending with Sony. Unfortunately, the majority of data breaches never make the mainstream media. If you ever think that data security is improving, check out Hackmageddon.com. They put out a fortnightly report on worldwide cyber attacks. The November 16-30 report, for example, lists 36 attacks in just those 14 days. To me, some of the more interesting attacks:

  • ISIS social media is hacked, replacing a threatening message from the group’s leader with a song along with a logo similar to that of the Egyptian military.
  • The US State Department is forced to shut down its unclassified email system.
  • The entire City of Detroit database was encrypted, and the hackers demand a ransom of 2000 bitcoins (about US$800,000). The database is still down.
  • The hacker group Anonymous had a busy fortnight: they deface the City of Ottawa web site, take down websites of the Supreme Court of Canada, Ottawa Police, several police organizations in Italy, and the City of Cleveland.
  • The Syrian Electronic Army redirects the Internet traffic of a customer identity management platform to its servers. Among the many sites affected are CNBC, the Canadian Broadcasting Corp, and the Boston Globe.

Do not expect 2015 to be any safer. Websense Security Labs recently published their 2015 Security Predictions. They list eight areas of increased concern in 2015.

  1. Healthcare will see a substantial increase of data stealing attack campaigns. Attackers are after the medical records and patient data. These records contain personal information including links to insurance and financial accounts that can be used in additional attacks and fraud. I have recently posted about this issue in general and how the shift to electronic medial records is actually increasing the risk. Websense expects these attacks will rise in frequency and success in 2015.
  2. The “Internet of Things” refers to the increasing connection of almost anything to the Internet: you are probably aware of your car; your house including appliances and security devices; individual and government security cameras; and electric and other utility meters. The real danger is not your personal gadgets, but the devices that control our electrical grid, oilrigs, dams, water supplies, traffic lights, and manufacturing lines. Websence expects increased attacks from multiple sources on these devices. For your business, this is the next attack opportunity phase after your BYOD (bring your own device) initiatives.
  3. Credit card attacks will continue, but as the value per card decreases due to increased security by the card processors, Websense expects these cybercriminals to expand the information they steal, and aggregate that information for individuals from related sources like loyalty programs and medical information. Then they can sell complete personal identity dossiers.
  4. Your smart phone and tablet will be attacked, but not for stealing the data that is on the phone, but rather to gather information for later credential stealing and authentication attacks to all of the data you have access to in the Cloud. As more and more of us use the mobile device as part of our authentication process when we access the Cloud, Websense expects attacks involving malware that intercepts the authentication elements turning your device into a man-in-the-middle attack, perhaps even enabling the cloning of your mobile device. The result: the cybercriminals will have the same access to the personal and corporate data that you do.
  5. Newly discovered vulnerabilities in old code. We have recently seen examples such as Heartbleed that take advantage of vulnerabilities in open source code.   There are probably hundreds of similar vulnerabilities, and many are probably already known to hackers. There are probably thousands of vulnerabilities in proprietary code such as Windows and the huge supply of legacy code still in use, some of it decades old and written in an entirely different security landscape in a pre-Internet era. Little of that code has been properly checked from a security perspective. Websense expects at least one major breach of confidential company data based on “undiscovered” old code vulnerabilities.
  6. Email threats will evolve to a new level of sophistication.   Websense expects a general decline in the amount of spam, but the new spam will increasingly get through your corporate or ISP spam filters and reach your mailbox. These new messages may not contain a link or even some form of obviously spam message, but are actually the first reconnaissance step in a continuing attack.
  7. As your company increases its use of Cloud and social media tools, like Google Docs, these approved cooperative tools will become part of the attack structure. Cybercriminals will migrate their command and control infrastructure into these approved channels thus escaping detection by your company’s network monitors. Websense expects these compromised approved site to hide data-security attacks.
  8. New players will join in the current Cyber War. Unlike existing measures designed to limit access to strategic weapons (like the nuclear non-proliferation treaties), there is nothing to limit the ability of countries, rebel groups, and others with nationalistic interests to engage in cyber war. Even potential future international treaties, which may have an effect on some countries, will have no effect on organizations like ISIS or rogue countries like North Korea. Because it is relatively inexpensive to organize a cyber-terrorism or cyber-warfare organization, it does not require a large First World country to support such activity. Websense expects one or more cyber-warfare attacks from countries with high forecasted economic growth in order to protect and advance their growing influence.

All in all, it appears that 2015 will be a very interesting time in cybersecurity.

The last word:

When your company is attacked, are you ready? Can you afford not to be ready?

At an absolute minimum, keep your operating systems and malware software up to date. Microsoft’s December Patch Tuesday contained seven security updates including three critical security patches ending a year of far too many serious flaws in Microsoft software.

Are you still running Windows XP? If so, make a New Year’s resolution to get completely off XP by the end of 2015. It is far too dangerous to keep running it.

Comments solicited.

Keep your sense of humor.


Read Full Post »

The entire Health Care industry is impacted by existing legislation requiring the adoption of electronic medical records (EMR). This adoption is absolutely necessary in order to improve patient care, reduce medical accidents, and in the end reduce total cost to provide care. The Cloud is a key enabler, allowing insurance companies, pharmacies, doctors and hospitals to share information about a patient allowing for quicker and more accurate treatment. Getting there can be a very expensive pain, especially for those organizations with only paper-based patient records. These companies are not just moving their existing IT to the Cloud, they are moving to an automated computer-managed environment, actions that most older companies took decades ago, and a phase newer companies never went through at all. Most small rural medical practices fit into the “paper-based” category. In many rural areas, small medical practices with an aging physician are the norm. For them, the move to EMR to meet the current ObamaCare requirements can be a heavy and long-term burden.

These doctors are faced with four choices:

  1. Bite the bullet, and spend tens of thousands of dollars and at least a year to comply. While EMR is a federal mandate, the government provides no financial assistance in the conversation.
  2. Ignore the law and carry on as they have for, in some cases, several decades. In this case the government punishes the doctor by withholding part of their Medicare pay. Most small practices are running fairly close to the edge financially due to ever-increasing malpractice insurance rates, the need for more expensive equipment, and declining insurance payments to the practice.
  3. Merge into a larger regional organization. The larger organization probably has implemented a compliant EMR and will help the small practice migrate. The doctor loses a lot of control over the hours they work, possibly work location, and even patient selection. They become an employee of a large bureaucracy.
  4. Retire.

The Medicare reimbursement penalties are significant. Lose 1% for not having a qualified EMR. Lose another 1.5% for failing to enroll in PQRS, a federally mandated program the collects quality data.

For many doctors, especially those over 50, the last option is the one they are selecting, forcing many rural patients to find a new doctor, often many miles away from where they live and work.

To further complicate the migration to EMR, the government is changing, again, the classification codes used to identify diagnoses and diseases within an EMR and in exchanging data with insurers and government organizations. ICD-10 is required by every medical practice in the US by October 1, 2015. This changes how doctors and other medical staff code everything about patient care. Again, when the conversion is complete nationwide it should improve health care significantly, but the path is not easy and not free to the medical organizations. Several state medical associates and the National Physicians’ Council for Healthcare Policy have urged Congress to delay implementation of ICD-10 for two years. At the same time, other groups are pressing for no more delays citing the cost in time, effort and money as they try to meet disjointed deadlines for multiple federal mandates.

The last word:

The impact on you, your family and your business will depend on where you live and your financial situation. One impact we will all face is, at least over the next few years, is the increased cost of medical care and thus for medical insurance while everyone involved in the medical industry tries to keep up with constantly changing government regulations.

All of this confusion also negatively impacts the security of health care data, making us all more vulnerable.

Comments solicited.

Keep your sense of humor.


Read Full Post »

Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records.   Of course the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server that actually contains the database. This server contains the software that manages all access to the data: no one can access the data without eventually getting to the database server.
  • The application tier that controls the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patients chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, where the doctor is authenticated if necessary, then sends that request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, who formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The purpose of this requirement is to limit access to the application and data tiers to only those specific devices that have a valid need to access those tiers. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators that require access directly to the application and data tier servers. These are the people who are responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access into those servers.

This solution described there uses the Unisys Stealth Solution. Stealth uses state-of-the-art encryption, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, then the Stealth-protected device is completely invisible; the Stealth-protected device simply will not respond to anything from that device.


The picture represents each tier by a single server and shows one database and application administrator. As stated before, there are usually multiple of each. The red lines show the communications paths protected by Stealth. The black line represents clear-text traffic coming from the organizations internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or SSL. There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots represent devices in the Application COI, and the yellow dots represent devices in the DB Administrator COI. Only the database Administrator and the application tier server can access the data tier server. Only the data tier server, application administrator, and presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers would be completely ignored.

Since the individual administrator’s COI is determined at log on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, he now has the DB ADMIN COI and can access the data tier server.

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end-users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system. Stealth then automatically permits or prevents the individual from accessing the database or application servers.

If you do not have a tiered implementation or have collapsed the tiers onto a single server, and therefore allow end users to directly access the server containing the database then this mechanism does not help. Then again, not much would be able to help in this situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable they rarely lead to fines or the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.


Read Full Post »

Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. A decade ago dozens of hospitals in my area are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or figure out how to run a business with multiple billing systems and keeping patients records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worse that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even in the desired end state of complete integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost million of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, you would be better to think instead that you don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.


Read Full Post »

I have mostly been concerned with data breaches that impact financial information, like the recent Target and Neiman Marcus events.  But health care breaches are also expensive, also costing about $200 per lost record and the potentially more serious impacts due to lost patients and even doctors due to the damage to the organization’s reputation.

In October 2013 AHMC Healthcare lost the medical records of 729,000 patients – they literally just walked out of the office.  These records contained patient names, Medicare data, diagnosis, plus insurance and payment information.  State and Federal governments are cracking down on these breaches, with stiffer notification rules and serious penalties:  $150,000 from Adult & Pediatric Dermatology in December 2013, $1.2 million from Affinity Health Plan in August, and $1.7 million from Wellpoint in July.

There are two Federal laws that apply to health care records, HIPAA and HITECH; plus the safety of health care information is included in the privacy laws of 46 US States plus the District of Columbia.

HIPAA is the “The Health Insurance Portability and Accountability Act” of 1996.  It includes rules about privacy, security and breach notification.

HITECH is the “Health Information Technology for Economic and Clinical Health Act” of 2009.  It seeks to improve US health care through the increased use of IT, including Electronic Health Records (EHR or EMR) systems.  It also includes rules about privacy and security of medical records.

Since most healthcare companies also handle patient financial information, they may also be required to be PCI-DSS (Payment Card Industry Data Security Standard) compliant.  You might think they can just worry about one type of compliance because they are both about protecting people’s personal data.  You would be wrong.  There are significant differences in requirements.

The biggest difference is that PCI-DSS compliance is defined by a commercial group of companies including American Express and Discover, VISA, and MasterCard.  While some States have criminal penalties for willful violation of their privacy laws, almost all penalties for violations are in terms of fines, the cost of dealing with a breach, and lost reputation.   These fines can run into the millions of dollars paid to the credit card companies, and could result in the company losing the right to process credit cards which can be a fatal blow.  The company must notify their customers who may have been compromised.  The large breaches end up in the news, but the smaller ones usually don’t.

PCI requirements are very technical, identifying specific IT activities and defining at least the attributes of solutions in twelve major areas.

HIPAA is Federal law monitored by the US Department of Health and Human Services (HHS).  In addition to fines paid to HHS, HIPAA establishes criminal penalties including vacations in a federal prison.  HIPAA requires that in addition to notifying potentially impacted patients, they must also issue press releases through media outlets.

HIPAA is focused on policies, training and processes.  It requires that all of your business partners and vendors, including Cloud Service Providers, be covered by a BAA (Business Associate Agreement) and that they must be HIPAA compliant.  Your company plus each of your business partners must complete a risk assessment and management plan for addressing each of the HIPAA safeguards.

HITECH, also under HHS, establishes four levels of penalties based on the culpability of the organization, with financial penalties up to $1.5 million dollars.  However, you can avoid financial penalties under HITECH if you correct the problem within 30 days and the violation was not due to your willful neglect.

I wonder who pays the fines when the Affordable Care Act website, including its back-end processing that links to Social Security and the health care providers, violates HIPAA, HITECH or PCI-DSS rules?

The last word:

What to do?

  • Make sure your company and your partners are HIPAA and HITECH compliant. Work with your partners like billing and EMR providers to make sure they are compliant, including with PCI where appropriate.
  • Get a copy of each partner’s HIPAA risk assessment and management plan, and keep them with yours in preparation for a possible HHS audit, usually conducted by KPMG.  Also get a copy of your partner’s latest audit report and confirm that HIPAA compliance is based on the OCR Audit Protocols.
  • If you are also dealing with patient financial information (e.g., hold credit card numbers), get your partner’s latest PCI audit report and that their compliance is based on the PCI-DSS.
  • Make sure your employees and contractors are well trained on your processes and the law, and monitored for violations.
  • Make sure your IT department is following the appropriate best practices.  Use the PCI technical requirements as a framework for HIPAA compliance.

A health care security breach can impact your business, even put you out of business.  While you are focused on your patients’ health, also focus on protecting their privacy and your reputation.

Comments solicited.

Keep your sense of humor.



Read Full Post »

Older Posts »