However, social media can also hurt organizations, and while the cases tend to be somewhat cut-and-dry, “you posted a patient’s personal information on Facebook, so you are fired” it’s the organizational response which I find most interesting.

Searches on the internet can find many organization’s social media policies posted online (I don’t understand this; but that’s for another day). Perusing these policies you get the gamut from ‘gentle guidance’ to Orwellian 1984-esque policies. So why such a spectrum? Organizational culture aside, they are mostly indicative to where breaches have occurred. While I understand that healthcare breaches are (starting to be) a big thing, I believe the over-handed policies go too far and will never make the changes they strive for.

Some of these policies read like they are taking away an employee’s right to express themselves via any social media outlet without the oversight and approval of management, even if it’s their own personal account written during non-business hours. This is also usually followed up with web filtering to remove the ability to gain access to Facebook, Twitter, or other popular social media sites (sorry again MySpace). Ironically enough, I’ve seen this happen and then the company emails all employees saying to “like” the company’s Facebook page and/or follow their Twitter feed.

This tactic will never work for a few main reasons. Human are social and companies can’t filter all channels to social media, even during business hours (i.e., smartphones). Remember when Egypt attempted to block Twitter during the protests? Short of the having the ‘Thought Police’ and ‘Ministry of Love’, people will always share their thoughts, some more than others. With the many technological advances it’s become easier and easier, now people can take a photo and upload it to their medium of choice in seconds.

This can lead to some fairly significant issues for organizations, especially healthcare. So how does an entity prevent these breaches? By setting expectations with reasonable limitations. What I mean by this is educate everyone what is acceptable and what is not. Telling employees that they can’t say anything bad about their job isn’t going to work. Telling them that they can’t use copyrighted materials (logos) or act as a company agent on a personal blog is acceptable. Informing them of libel and how far is too far is key for when employees become disgruntled (hopefully this never happens to you). Understanding that filtering social media sites is not going to be a control that prevents material from getting online and that it will be a time management control at best (assuming smartphones aren’t prevalent).

The successful policy both defines the acceptable boundaries of personal social media as it relates to the organization and educating employees on what to self-scrutinize before posting; pictures from work with a patient walking in the background, posts that may read like an organization-sanctioned post, etc. This ensures that the “what” comes across but also the “why.” This balanced approach is at least easier for organizations that don’t yet have their own Thought Police.

With the announcement that KPMG really is going to start performing HIPAA Privacy Audits in the New Year, we’ve had numerous conversations with healthcare providers around getting their privacy and security programs up to scratch. 

It’s a well-known secret in the healthcare industry that HIPAA compliance does not receive the attention (or the funding) that it should.  There are of course exceptions and I should note that most security and privacy professionals in the healthcare industry take their jobs very seriously and honestly do consider the protection of patient data to be their number one priority.  But, it’s often difficult to do your job if you don’t have the funding or resources needed to do it properly.

The federal government hasn’t helped – creating a mandatory requirement, but not putting in place any mechanism for testing compliance with that requirement rapidly creates a sense of non-urgency.  What’s the point of REALLY making sure that we’re HIPAA compliant if no one’s going to check?  It costs a lot of money, it’s annoying to doctors, it’s not even the slightest bit sexy, and it’s going to impact options to the organization.

And, if none of your competitors are limiting themselves and spending extra money on ensuring HIPAA compliance, a healthcare executive is going to see true HIPAA compliance as a competitive disadvantage.  Now it looks like everything is going to have to change.  Don’t believe me?  Think the audits are going to be ‘no big deal?’  Let’s draw a parallel with another compliance requirement – PCI DSS.

For those of you not familiar with PCI, you should be – you probably have to comply with this as well.  In any case, it’s the data security standard inflicted on merchants and service providers (companies that facilitate credit card payments) by the large credit card brands (VISA, MasterCard, etc.)  Anyone that takes (or processes) a credit card for payment needs to be PCI compliant.

Although the card brands catch a lot of flak for ‘inflicting’ PCI on the world, the truth of the matter is, something needed to be done.  Credit card data was not being protected and it was costing the card brands a LOT of money in fraudulent charges and impacting consumer credit ratings.  If they hadn’t created their own standard the government most likely would have.

When PCI was first rolled out to the community there were a lot of merchants that thought it was no big deal, but they didn’t plan on three things:

1. The card brands were perfectly willing to let non-compliant merchants make ‘examples’ of themselves (link, link)
2. The legal community quickly learned what ‘PCI-compliant’ meant and how not being PCI-compliant could be used in things like multi-million dollar class-action lawsuits
3. The PCI standard gave consumers a benchmark against which to judge the merchant’s brand.

These points have been effective because the card brands maintain a unified front when it comes to PCI (they all agree to the codified requirements as the baseline required by merchants to transact credit cards securely) and because they have a mandatory audit mechanism in place that gives them the power to take action if the merchant or service provider isn’t complying with PCI.

I think that we have the same dynamic going on now with HIPAA.

1. KPMG is going to be looking to justify their million dollar contract with the government – they will find issues with compliance during their audits.
2. The legal community is already very aware of privacy breaches in healthcare and what that means for things like multi-million (and multi-BILLION) dollar class-action lawsuits (link, link, link)
3. Everyone now has a benchmark against which to judge how much a healthcare provider cares about their patients’ data

I think that it’s time to figure out a plan on how to really address HIPAA – both in the short-run (i.e. achieving an initial compliant state) and long-run (maintaining compliance moving forward.)  If you aren’t familiar with the recent announcement involving the upcoming audits here’s a link on the HHS site which includes a sample of the letter that will be sent out to organizations.  Also note – the first round of audits is going to focus on Covered Entities, but future rounds will also include Business Associates.

For some additional information on how to put together a workable approach to really achieving HIPAA compliance please see material on the NetSPI blog and NetSPI services pages.  Also – NetSPI will be putting together whitepapers, additional blog posts, and (possibly) a webinar on this topic over the next couple of months.  Please check back here for more information, make a comment, or send me an email (link below) if you would like to discuss.

The problem is that individuals have found that they can recover the silver found within the film. While it isn’t a lot of silver (roughly 2% of the film’s weight) a few hundred pounds could make it a lucrative venture. That’s why it’s not surprising that thieves have begun stealing them. Let’s be honest here, when was the last time you checked the credentials of the crew coming to take away what you would consider to be garbage?

The issue here isn’t that these films will be used for identity theft purposes, it’s that you are now forced to go through breach notification procedures at your cost… for what is technically considered refuse! Three organizations in Pennsylvania already had to go through this as they’d fallen victim to thieves stealing the films from unsecured areas, and in one instance posing as a radiological film destruction company.

What can you do? Start securing X-rays and make sure they aren’t accessible to unauthorized parties, regardless whether the file is useful or scheduled for destruction. Many organizations store the X-rays near the equipment in semi-open rooms. If the rooms aren’t used 24×7 then you should either secure the room when not in use using your normal physical security system (key, badges, dragons, etc.) and monitoring equipment. If you don’t want to go to such extreme measures (I hear dragons eat a lot) then you may consider digitizing your x-rays and then securely dispose of the physical copies. Otherwise you may want to start recovering the silver yourself to help pay for the breach notification efforts you might find yourself facing.

Further reading:

http://www.ehow.com/how_4501375_extract-silver.html

http://www.ehow.com/facts_7786835_xray-silver-recovery.html

http://philadelphia.cbslocal.com/2011/10/17/thieves-seeking-quick-steal-x-ray-film-from-area-hospitals/

http://www.jeffersonhospital.org/Patients/scrap-x-ray-film-theft.aspx

Initially I thought of trying to showcase some of them in a silly reference; but I thought it might be too OPAQUE.

O – Overreacting is not going to get you through the event

P – Preparedness is key

A – Accept that it will happen to you

Q – Quit keeping old data

U – Understand the laws that impact your organization

E – Empathize with your customers/patients/employees – how are they going to react to your response?

In all seriousness; Q and A (no pun intended here) are both important and I wanted to point those two out.  

If you don’t need the data, as an organization you need to ask yourself, “what are we gaining by keeping this data?”  The liability is attached to every piece of information you retain regardless if you use it or not.  Having (and following) data retention policies will limit such a liability. 

Accepting that it is going to happen, now that’s a hard pill to swallow.;but similar to Emergency Preparedness techniques that many organizations routinely practice.  As they say, practice makes perfect even if you never have to use those techniques.  Organizations that routinely train for various circumstances are the ones best prepared to handle them.  If you accept that a data breach is going to happen, you’ll find yourself equipping and (more importantly) training for how to respond.  Whether you attach this to existing emergency practices or not is not as important as actually having a response.  Many organizations have suffered both from a Public Relations perspective and financially (fines) by their seemingly lack of response. 

In the end, training staff how to deal with data breaches because you accept that it will happen will yield positive results from a negative situation.  It’s amazing how people remember what to do during emergency situations; I still remember to get under my desk during an earthquake.

• Why is NetSPI not listed on their website? (Answer: We don’t need to be; we meet other requirements that make us qualified certifiers)
• Is NetSPI allowed to certify our application before you are listed on DEA’s website? (Answer: Yes)

According to 21 CFR 1311.300(a), there are two alternative processes for achieving the necessary qualifications:

1. “A third-party audit conducted by a person qualified to conduct a SysTrust, WebTrust or SAS 70 audit or a Certified Information System Auditor as stated in 21 CFR 1311.300(b), which comports with the requirements of paragraphs (c) and (d) of 21 CFR 1300.300” or
2. “A certification by a certifying organization whose certification process has been approved by DEA”

Therefore, the certification process emphasized within the clarification is simply one of the alternatives, and is in no way required or mandatory.  While the principal consultant involved with the EPCS Certification is a Certified Information System Auditor (CISA) in good standing, there should not be any issues with qualifications.  Experience with SysTrust, WebTrust, or the slightly outdated SAS-70 (in my opinion) are more a derivative of training provided by ISACA as part of CISA.

The bigger question would be whether having appropriate qualifications is the only measure by which you should select your certifying agent. This is where things like experience with certifying applications in other standards, experience in healthcare, and understanding of software development lifecycle can be significant differentiating factors.  Certainly, like with any other regulatory standard, there will be (perhaps already are) many low-cost, rubber-stamp firms that might get you the certification letter you are seeking.  They may let you replace application controls with policies and documentation, conduct the whole assessment by phone, and turn the whole certification process around in 24 hours.  However, obtaining the certification is only the first step in the long journey of maintaining DEA EPCS compliance.  If your client decides that your application does not meet requirements or is in violation of EPCS, you will have to investigate all such claims and if confirmed, announce to all of your customers that they can no longer use your application to prescribe or accept electronic prescriptions of controlled substances. (21 CFR 1311.302) 

While it may seem appealing to take a run at getting through the certification fast, trust me, taking this shortcut is not a good idea, and any perceived savings of time and money will likely come back to haunt you in the future.  Going for the low-cost auditor in this case may actually be the most expensive option.

Apart from the obvious benefits that such advancements have brought to healthcare, it also brings some responsibilities.  Since Mr. Radcliffe’s presentation there has been lots of discussion about the security of insulin pumps and what the manufacturer should do.  However I’d like to discuss the broader topic and maybe from a slightly different angle. 

Speaking generally about medical device security there is a lot of confusion about what can be done to ensure that privacy and security is maintained on, for all intents and purposes let’s call them “smart” devices.  Many individuals will say that FDA regulated devices cannot be altered in any way.  However; the FDA itself has published articles going back a couple of years now indicating that this is incorrect.  Aware of such misinterpretation a November 2009 post clearly reminds readers that “cybersecurity for medical devices and their associated communication networks is a shared responsibility between medical device manufacturers and medical device user facilities.” 

That’s a powerful statement and what some may think upon first read, unfair.  This doesn’t just say it is solely the responsibility of the device manufacturer but also to the organization that uses, distributes, and maintains them.  If a pump or other medical device that transmits information and/or receives instructions remotely (such as heart pumps) fails, the patient will most likely go back to the covered entity for a reason.  It doesn’t matter if it’s because the pump was damaged, altered maliciously, or just had a design flaw, both organizations will take a public relations hit. 

So what does this mean for covered entities?  Devices used and distributed by covered entities should have had security as part of the design process and allow for updates if necessary.  For example, if the device uses a Windows operating system, how will it receive updates and what department will be responsible for that?  

If you’d like to get more involved in this type of discussion check out the HIMSS Medical Device Security Work Group or the FDA Draft Guidance which is out for comments now.

Also, it’s important to keep in mind that a lot of physical theft reported by hospitals has nothing to do with someone actively seeking to steal PHI, and everything to do with someone losing a box of medical records in the warehouse or making their laptop easy for a thief to steal.  Comparing this to electronic hacking of EMR is simply like comparing apples and oranges, unless you can prove that all instances of physical theft were motivated by someone looking for the medical records. 

On the whole, I would suggest that we simply don’t have enough information to make a risk determination for storing EMR in the cloud or whether it’s a good idea.  All we have is the “Wall of Shame” from HHS  and the data that can be interpreted in many ways and support a variety of conclusions.  For example, since 12/15/09, there have been 292 total reported incidents, of which 58 involved a breach caused by a Business Associate (BA).  Also, the statistics showed that 50% of incidents reported by BAs involved a physical theft or loss of data, closely followed by “Unauthorized Access / Disclosure” category at 43%.   This means that approximately 20% of all breaches involved a third-party, and in reality the statistics for breaches caused by BAs are not much different than healthcare providers.  Applying an unfair twist to this statistic I could argue that a decision to not move data into the cloud would reduce chances of a breach by 20%, which would not be any less accurate than stating that the cloud will reduce the number of reported breaches.  The truth is that there is simply not enough historical data, and companies need to exercise great due-diligence when they decide to trust a third-party with sensitive data.

Short of a divining rod or a scrying pool, it’s difficult to know what the top pressures or concerns may be.  Luckily groups like the Managed Care Executive Group (MCEG) publish their Top 10 issues collected from healthcare leaders across the country. 

Not surprisingly many elements on the list discuss points of fiscal sustainability as it relates to funding from sources such as Medicare and Medicaid, and why wouldn’t it?  If an organization isn’t able to make money then the security posture won’t matter soon enough.

From a security perspective some interesting elements are found within number 7 – Health Information Exchanges.  It briefly hits on security where, “HIE’s, in many cases, are being launched under time pressures by relatively inexperienced and under-resourced groups, exposing a lot of data to misuse and/or errors.”  At number seven in the list of ten we finally get to potential PHI breach concerns.  Even so, it doesn’t outright mention HIPAA, HITECH, nor the Health and Human Services (HHS) Office of Civil Rights (OCR).

With the OCR increasing enforcement of HIPAA and HITECH regulations and recent fines and penalties this year totaling over $5 million ($4.3 and $1 respectively), this is a little surprising.  Many agree that the OCR is finding its footing in enforcement and their momentum is only going to increase.  I don’t know a lot of organizations that can pay such fines and the corresponding costs of immediate internal corrective actions (let alone the Public Relations costs) without too much concern.

How does this help the resource-strapped healthcare organization?  The actions that precipitated these fines weren’t ground-breaking hacks.  They were procedural issues that could have been addressed early and are all part of an environment that secures and protects patient privacy; the goal of HIPAA/HITECH and other requirements found in PCI.

Looking at the details of the OCR issues and knowing those top concerns may help reprioritize security.  Even those in a resource-strained company can benefit by using the recent OCR actions and by focusing initially on non-product based solutions that are no-to-low cost (such as policies and procedural changes, staff training, etc) and thus the foundational elements of a sound security posture.  Once those are solidified it makes it easier for those shelved security products to get dusted off and receive the green light. 

Resources:

Managed Care Executive Group – http://www.mceg.net

HHS Office of Civil Rights – http://www.hhs.gov/ocr/privacy/hipaa/news/index.html

Even the AMA agrees. While they don’t think most physicians will fall under the redefined categories of ‘creditor’ it does provide some Red Flag Rule Guidance, sample policy, and FAQ  on their website (AMA membership required). Every organization can benefit from an identity theft prevention program and healthcare is no exception. In fact the majority of privacy breach violations are prosecuted under HIPAA anyways.

With the loss of regulatory deadlines, the urgency to implement programs “formally known as Red Flag” seems to be faltering in some healthcare institutions. However the benefits of a successfully implemented identity theft program may limit losses and even gain consumer/patient confidence. With losses occurring due to bad debt and denial of payment false pretenses of identity theft (otherwise known as “I don’t want people to know it was me that was sent to the ED passed out”) a program can help successfully defend revenue recapture efforts. It also helps to curtail medical errors when individuals attempt to use another person’s medical records/insurance to obtain treatment or are merely drug seeking. 

Anyway it’s sliced an identity theft program will aid any organization and many healthcare organizations are continuing forward with their programs regardless of where they are in their implementation. While the FTC continues to offer guidance HITRUST may interest healthcare organizations directly with its Common Security Framework (CSF) that has continued to gain momentum in offering a validation tool to not just Red Flag but also HIPAA and other requirements. 

For those healthcare environments that have quantified the costs of resolving identity theft claims (both legitimate and not), they realize a little preventative medicine is worth it. I don’t need to remind those in healthcare that while that annual influenza shot may sting a little when you get it, it’s worth it in the long run.

Is letting someone know that a patient is not at a particular hospital at a specific time considered Protected Health Information (PHI)?  What about calling the hospital, asking for the room where Mr. Kravchenko is located and promptly being routed to my room?  Isn’t the simple fact of agreeing to route the call already considered PHI?  I realize that this may not be the biggest or most prominent HIPAA violation for most hospitals, requiring some familiarity with the patient in order to make the inquiry effective.  However, this also seems like this would allow for targeted inquiries into individual’s health records, all without having consent.  I can also see how interested but not authorized parties can start checking for attendance to substance abuse or psychological treatments simply by calling at the time when the patient is suspected to be there.

Obviously, HIPAA was not created to protect compulsive liars from being able to deceive their employers and it hard to feel bad for the person who would lie about being sick with a terminal disease.  However, this example does highlight the need for staff at hospitals and out-patient facilities to be trained on handling incoming inquiries, including deliveries of balloons and flowers.  This also means that hospitals may need to come up with a different / better way of handling incoming calls to patient rooms, and may even need to start using “passwords” before routing a call.  While many such incidents are anecdotal and often do not create a lot of sympathy for the “patient”, this does highlight just how easy it is for unauthorized disclosure of PHI to happen.