In less than a year—April 8, 2014 to be exact—Windows XP will no longer have Microsoft support, and in 2015, Microsoft Server 2003 follows suit. Hackers and other cyber criminals know this and will use it to their advantage. Because security updates will cease and Microsoft will no longer bail you out to fix issues, your medical data security will be vulnerable to viruses and electronic personal health information hacking.
This is a big red flag to upgrade Microsoft software in your hospital or practice. If you don’t, you will not be meeting Health Insurance Portability and Accountability Act (HIPAA) requirements. As per HIPAA Security Rule section 164.308(a)(5)(ii)(B), health care entities must have in place “procedures for guarding against, detecting, and reporting malicious software.” Failing to upgrade to a secure operating system means you are using “malicious software” and are in violation of the HIPAA Security Rule.
According to the Physicians Practice blog post “Growing HIPAA Threat–Ignore Windows XP at Your Own Peril,” “Addressing Windows XP and Server 2003 issues will not only make your practice more functional and secure, but it will satisfy HIPAA and meaningful use requirements. And it won’t make you the giant target for hackers, because they will find those systems still running Windows XP and Server 2003 much easier prey.”
May 23rd, 2013
If you think your health care organization is immune to financial penalties following a violation of the Health Insurance Portability and Accountability Act (HIPAA), think again. Today, with the use of mobile phones, laptops, and other portable storage devices—more than ever—you need policies and procedures to safeguard private patient information, no matter how it’s used or accessed.
As an example of how important it is to implement privacy and security policies and procedures, Robert A. Pelaia, Esq., CPC, CPCO, uses a recent (Jan. 2, 2013) HIPAA settlement case, which is the first case involving a breach affecting fewer than 500 individuals. The violation involved an Idaho hospice provider and the theft of an unencrypted laptop computer containing electronic protected health information (ePHI). The provider notified the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), as required under 45 C.F.R. section 164.408, about the 441 patients affected. OCR investigated the incident and found that “the provider didn’t conduct a risk analysis to safeguard ePHI and there were no policies or procedures in place in regards to mobile device security, which is a requirement under HIPAA Security Rule,” according to Pelaia. “For the settlement, the provider had to pay HHS $50,000 and begin a corrective action plan.”
In cases that Michael D. Miscoe, Esq., CPC, CASCC, CUC, CCPC, CPCO, CHCC, has handled, and based on his discussions with the OCR investigators handling them, “the sufficiency of the Privacy and Security Policies and procedures is more of a concern to them than the breach is—especially where the entity is without fault (i.e., theft of data or disclosure by a business associate).” For this reason, Miscoe says, “It’s important for your health care organization to conduct a detailed risk analysis addressing every method of accessing or using PHI in your organization. This is then followed by development and review of appropriate policies and procedures. Because policies and procedures must address all the ways in which your specific organization uses, accesses, and discloses ePHI and PHI, it is unlikely that ‘off-the-shelf’ products and consultant-generated products from a template will be sufficient.”
Miscoe recommends these tips to help protect and safeguard your PHI from potential security breaches:
- Policies and procedures should be drafted by legal counsel only after conducting a thorough risk analysis.
- Policies and procedures should be updated as methods of storage, access, or use of ePHI or PHI change. This is where having a Certified Professional Compliance Officer (CPCO™) is invaluable to ride herd on the policies and procedures and ensure they are current.
- Periodic (at least annually) formal review should occur to ensure that policies and procedures are being followed and accurately reflect how PHI is acquired, used, stored, and disclosed.
“Failure to take these steps, under the tier system of penalties in the Health Information Technology for Economic and Clinical Health (HITECH) Act,” Miscoe points out, “will likely mean the difference between a $100 fine and a $50K fine as in the case identified by Robert.”
January 14th, 2013
Alaska’s Department of Health & Human Services (DHSS), the state’s Medicaid agency, will pay $1.7 million to the U.S. Department of Health & Human Services (HHS) after reporting that a USB hard drive containing personal health information (PHI) was stolen from a state employee’s car. This is the first fine levied by the Office for Civil Rights (OCR) against a state agency.
June 29th, 2012
The Office for Civil Rights (OCR) released on June 26 a protocol for a Health Insurance Portability and Accountability Act (HIPAA) audit program that is already underway. Mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, the OCR piloted the program in November 2011 and will continue audits until the end of the year.
Greater numbers of health care providers adopting smartphones and tablets (such as the iPad) means greater concerns about the security of patient health information stored on such devices. And, as reported by Pamela Lewis Dolan of amednews, if a portable device gets lost (or worse, stolen), you can be fairly certain that whoever finds it will try to access the information contained within it.
Dolan’s article, “How to ensure a lost mobile device won’t cause a data breach” notes that data encryption is the best tool to guard against a data breach. Under the Health Insurance Portability and Accountability Act (HIPAA), encryption is strongly encouraged, and is required unless there’s a technology limitation or some other compelling reason encryption is not possible. Under federal law, the presence of encryption is a safe harbor that would negate a health care organization’s obligation to report a data breach.
Unfortunately, encryption of mobile devices poses technical difficulties, at least in the present; however, there are additional steps you can take to secure mobile devices. Dolan offers the following:
- Pick the right device: Some devices have built-in encryption for all or some data, while others require downloading apps to provide the service. Reading reviews at the app stores and getting advice from previous users and employees at the mobile phone companies will help you find the best solution.
- Use a passcode lock, and set the device to lock or remotely wipe the memory after several failed login attempts.
- Add a second layer of protection between the main menu of the phone and access to confidential files and apps. Many smartphone apps offer automated logins, which means that you can enter a website without having to provide a password. Enacting a required login to apps that carry sensitive information improves security.
- Before donating or selling a used device, restore the operating system to the factory settings. Without this step, you can never be sure the new owner won’t have access to data previously stored on the device.
- Talk to an attorney to help ensure that any privacy and security protections placed on your mobile devices are HIPAA-compliant.
Sidebar: The Office of the Chief Privacy Officer (OCPO) for the Office of the National Coordinator for Health Information Technology (ONC) recently launched a privacy and security mobile device project. The project builds on the existing U.S. Department of Health & Human Services (HHS) HIPAA Security Rule – Remote Use Guidance and is designed to identify privacy and security good practices for mobile devices.
Event videos and materials from the March 16 Mobile Devices Roundtable are available online.
March 29th, 2012