Missing Hard Drives Contain PHI of Nearly One Million Individuals

Cybersecurity, and the safeguarding of Protected Health Information (PHI) in particular, is a hot topic in the digital world. However, while awareness and new legislation are improving the state of digital information security, far less attention is given to the security of the hardware and physical media that store that information.

Hard Drive Theft

Centene, a prominent Medicare and Medicaid insurance provider, recently announced the loss of six hard drives containing private information on nearly 950,000 individuals. The lost data includes names, addresses, Social Security numbers and membership IDs. A statement from Centene on Jan. 26 said that the loss “resulted from an employee not following established procedures on storing IT hardware,” noting that the missing drives were a small part of its 26,000-unit IT inventory.

Is Encryption Necessary?

Centene’s data loss was a function of two things: a lack of encryption and poor inventory management.

Unfortunately, the answer to data security isn’t as simple as “encrypt everything with PHI.” Encryption has real costs: licensing, key management and recovery, and the extra authentication steps it puts in front of users. Under the HIPAA Security Rule, encryption of PHI is an “addressable” implementation specification rather than a “required” one. Addressable does not mean optional, though: the organization must assess whether encryption is reasonable and appropriate for the PHI in question, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. There is also a strong incentive that sits outside the Security Rule. Under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is not “unsecured PHI,” so the loss of an encrypted drive generally does not trigger breach notification at all, whereas the loss of a plaintext drive holding the same data does.

When encryption isn’t feasible, other security protocols must be used. Inventory governance is essential for protecting hardware containing PHI. However, the challenges of keeping a real-time IT inventory make the process easier said than done.

“An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn’t scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information,” said Tom Walsh, founder of security consulting firm tw-Security.

This presents a challenge to holders of PHI: how can the costs of encryption be balanced with inventory management for better overall security? According to Walsh, risk analyses coupled with precise inventory tracking will help organizations “channel limited security resources where they are needed most.”

Finding a Middle Ground

The question of hardware and PHI security is as complex as the challenges associated with cybersecurity. It’s clear that both inventory governance and correctly applied security protocols are necessary to keep PHI safe. The CEO of security consulting firm Redspin noted that: “…Healthcare organizations must be disciplined about tracking PHI throughout the organization and ensuring the appropriate safeguards are in place everywhere. Encryption adds cost and complexity, but a PHI breach can be far more costly.”

Given recent PHI breaches, we’re willing to bet that insurers like Centene would agree.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumers’ protected health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards to protect individuals’ medical records and other individually identifiable health information by limiting what covered entities may use and share without the patient’s authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Where Does Protection Come In?

There are many ways that both legitimate organizations and ill-intentioned actors can capture PHI and other private data and then sell it on the Internet black market without the consumer’s consent or knowledge.

What kinds of health-related information fall outside HIPAA’s privacy provisions? The rule binds covered entities (providers, health plans and clearinghouses) and their business associates, not the data itself, so the same fact about your health is unprotected when a search engine, a retailer or a social network collects it. The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard certain types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

4 Ways Fitbit and Facebook Can Compromise Your Medical Privacy

There’s a surge in the use of social networking and fitness-tracking devices like Fitbit to monitor and improve health and wellness, but some of these same advancements in health and fitness technology are raising alarming privacy issues. Here are four ways your efforts to share your fitness journey with the latest and greatest technology could have unintended consequences and compromise your privacy.

1. HIPAA Has Its Limits

The Health Insurance Portability and Accountability Act (affectionately known as HIPAA) effectively governs the privacy and security of health-related data collected by hospitals, healthcare providers and insurance companies. However, HIPAA’s policies and regulations for data security don’t apply to your private information when you choose to place it on other outlets.

When you fill out questionnaires or surveys at a gym, massage therapist’s office or health food store, you should understand that the data isn’t regulated the same way it is when it’s shared with your doctor or insurer.

2. You May Inadvertently Over-Share

For most people, accountability is a wonderful tool to use when working towards fitness goals. Through apps and social media, we can share our successes (such as a new record for a mile run) and find support in our downfalls (like the empty Ben & Jerry’s container in today’s trash). Fitbit offers its users a leaderboard that refreshes all day to show who’s burning the most calories, making the best food choices and getting the most sleep.

Making your triumphs and failures public may seem like a great way to stay motivated and meet your goals, but, as some Fitbit users learned in 2011, you may accidentally give TMI. Just as Fitbit shared the number of calories worked off on the treadmill or how many flights of stairs were scaled, the popular fitness device also recorded late-night physical activity statistics, including duration and calories burned, and published them on activity pages that were public by default, where search engines indexed them.

3. “Checking In” Allows Others to Check-Up on You

Checking in via Facebook or Foursquare is a popular social networking feature that lets users publicize where they’re eating lunch or what landmark they’re visiting. Believe it or not, broadcasting your every move and activity could affect your health insurance rates. Insurance companies are in the business of minimizing risk and turning a profit, so constantly checking in at bars or cigar shops could lead to a hike in your premiums if your insurer decided to check out your check-ins.

4. Facebook Is the New Insurance Company Questionnaire

When applying for new health insurance, you’ll likely be asked to fill out a detailed questionnaire regarding your general health, preexisting conditions and medical history. However, insurers are jumping on the social media bandwagon and doing their own research to determine the riskiness of would-be policy holders. The amount of private and personal information people willingly share on their social networking profiles is astounding. These profiles have become a valuable and insightful resource for insurance companies hoping to determine the actual lifestyle of an individual, which may vary from how one represents themselves on a health questionnaire.

Written by Dean Van Dyke

Why Electronic Health Records Face Significant Security Risks

The days of massive file stacks full of carefully coded health records are all but over. Today’s healthcare system is undergoing a somewhat rocky transition to more easily accessible electronic health records (EHRs) that put a wealth of patient healthcare history at physicians’ fingertips. There are so many positives to the digitization of health records that it’s easy to get swept up in the fervor.

Beyond the significant financial investments required of individual practitioners and major healthcare systems alike, upgrading to EHRs may pose significant risks to the privacy and security of patients’ private health information. What can be done to stop the data leaks and breaches that tarnish the reputation of electronic health records?

Counting the Costs

A recent report from POLITICO found that a full identity profile of a single patient could fetch up to $500 on the black market. With medical data at a premium, individual patients face a significant risk each time practitioners enter private data into an online database. The cost for consumers goes beyond financial disaster:

  • Unlike credit card fraud or banking breaches, there’s no one-stop-shop where affected individuals can report medical identity theft.
  • What happens if your record contains falsified information about previous treatments or even a fictitious diagnosis? Just thinking about the possible real-world repercussions of such breaches is enough to raise your blood pressure.

If you think healthcare identity theft isn’t a significant issue, consider this statistic from the Identity Theft Resource Center: in 2013, the healthcare sector racked up 43.8 percent of total security breaches, outpacing the business sector by nearly 10 percent. It turns out the reason for growth in healthcare breaches is likely economic; these days even a stolen Social Security number garners only about a buck on the black market, while a full medical record fetches hundreds of times that amount.

How Is Healthcare Security Performing?

In the wake of recent data breaches at Target, Neiman Marcus and other retailers, many large companies are beefing up their data security in an effort to escape the wrath of angry consumers, tipped off largely by investigative security journalist Brian Krebs. While that’s a positive development, the same encouraging changes don’t seem to be gaining traction in the healthcare industry, where profits should ideally take a backseat to patient care… and that should include care of private healthcare information, too.

Misplaced Priorities

Perhaps it all comes down to a few misplaced priorities:

  • Healthcare providers must ramp up their privacy standards, requiring significantly increased spending on security measures.
  • Leaving EHRs vulnerable to data breaches comes at a great cost to patients, many of whom are already dealing with stressful situations such as chronic diseases like cancer.
  • The Healthcare Information and Management Systems Society (HIMSS) reports that half of survey respondents in a recent security study spent less than three percent of their overall IT budgets on healthcare information security.

This statistic points to a serious spending shortfall, leaving patient health information vulnerable to breaches that carry great personal and financial costs. In order to safely modernize U.S. healthcare, providers will need to refocus and redouble their efforts at securing patient information to keep Americans both healthy and safe from identity breaches.

Written by Dean Van Dyke

20 HIPAA Breach Response Tips From Experts

Medical identity theft is undeniably one of the biggest challenges facing the healthcare industry today. The guidelines laid out by HIPAA provide an excellent frame of reference to help better protect patient data. When you are faced with a breach, however, what’s the best response? Here’s a look at 20 tips from the experts.

1. Locate Breach

The very first thing to do if you suspect a breach is to find it and establish its scope: which systems, accounts and data sets are involved, and since when. No other steps can be taken without knowing exactly what you’re up against.

2. Containment

After identifying the breach, the next step is containment. The goal here is the IT equivalent of stopping the bleeding, whether that means disabling compromised accounts or blocking access to infected machines.

3. Damage Control

Damage control begins as soon as the immediate threat is under control. Determine what was accessed, and investigate other potential vulnerabilities to gauge the extent of any collateral damage.

4. Restore Services

Your organization must continue functioning effectively, and this means getting critical systems up and running again as quickly as possible. Once you’re sure that you’ve accurately identified and contained the source of the breach, restore essential services. Before you rebuild or re-image an affected machine, capture a disk image and copy its logs off the box; a restoration that overwrites the evidence makes both the investigation and the regulator’s questions much harder to answer.

5. Internal Notification

Next, develop an internal report that notifies everyone from the ground up about what just happened. This is important for managing the rumor mill, but also contributes to the U.S. Department of Health and Human Services documentation requirements.

6. Be Honest

Don’t bother trying to combine sugarcoating and information dissemination. Just be honest and explain the facts behind the breach.

7. Change Passwords

Change all passwords and authorizations right away, and include service accounts, API keys, certificates and active sessions, not just user passwords. Do the rotation after the attacker’s entry point has been closed, or the new credentials can be captured exactly like the old ones. It’s hard to tell how much information a hacker had time to grab, so err on the side of caution.

8. Preserve Evidence

As you’re doing things like changing passwords and containing the breach, be sure to save evidence of both the breach itself and the corrective measures you’re taking for future reference.

9. Gather Documentation

The Office for Civil Rights (OCR) will require extensive documentation, including but not limited to: a copy of your most recent risk assessment, records of the corrective action taken to address the breach, proof of plans to prevent recurrence, and much more.

10. Report Immediately

The Breach Notification Rule requires notice without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, and “discovered” means the first day it was known or reasonably should have been known, not the day the investigation wrapped up. Although you technically have those 60 days to report the breach to HHS and the press, it’s better to go public sooner rather than later. This shows that you’re taking the issue seriously, which in turn bolsters confidence in your organization.

11. Inform HHS

Tell HHS about your breach. Remember, any incident that affects 500 or more individuals must be reported to the Office for Civil Rights without unreasonable delay and within the same 60-day window; breaches affecting fewer than 500 individuals are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered.

12. Contact Your Patients

All covered entities are required to inform potentially affected individuals that a breach has occurred. Again, this should be taken care of as quickly as is reasonable, for the same reasons mentioned above.

13. Tell the Media

As the saying goes, he who breaks the story controls the manner of its release. Acknowledging the breach openly with the media is much better PR than trying to cover anything up, and for a breach involving more than 500 residents of any one state or jurisdiction, notice to prominent media outlets serving that area is required in any case.

14. Remediate

Everyone makes mistakes, but those who make an effort to rectify those mistakes rebuild trust in their organization that much faster. Do the right thing by offering help where help is needed.

15. Offer Resources

As part of the remediation process, provide resources to patients who are concerned about their privacy. For example, you can create a dedicated 1-800 number help line for affected parties to easily get answers to the questions they have, or offer free credit monitoring for one month.

16. Discipline

If your data breach resulted from a clear internal violation of your existing policies, the responsible party has to suffer the appropriate consequences. Take the necessary steps to discipline where called for.

17. Review Policies

Any data breach is a good indicator that it’s time to review your processes and policies to prevent similar incidents in the future.

18. Uptrain

Further investigation of the breach could reveal that remedial training is required to ensure that all employees are in compliance with current data guidelines.

19. Promote Awareness

Most healthcare organizations have a great number of various policies and procedures that employees are expected to follow, and it’s possible that data security concerns could get lost in the shuffle. Encourage awareness of the importance of HIPAA compliance, and make it clear that ignorance is not an acceptable excuse for noncompliance.

20. Prevent

While all of these steps are important for handling a data breach with professionalism and grace, the truth is that prevention is still the best policy when it comes to keeping information secure. Going the extra mile now to limit the potential of dealing with fallout later on is well worth the extra effort.
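The deadlines in steps 10 through 13 are easy to miscount, especially the 500 threshold and the year-end treatment of small breaches, so here is the tiered logic as a small Python function. This is an added example, not code from iBridge or from HHS; it encodes the thresholds and 60-day limits as stated in the Breach Notification Rule (45 CFR 164.404, 164.406 and 164.408), and the dates it produces are the outer limits, not targets. The Centene figure in the usage line is the page’s own number, with the date of Centene’s statement standing in for a discovery date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Limits as stated in the Breach Notification Rule; the clock starts on the
# discovery date, not on the date the investigation concludes.
DAYS_AFTER_DISCOVERY = 60
HHS_IMMEDIATE_THRESHOLD = 500   # 164.408: "500 or more individuals"
MEDIA_THRESHOLD = 500           # 164.406: "more than 500 residents of a State"


@dataclass(frozen=True)
class NotificationDeadlines:
    individuals: date           # notice to each affected individual (164.404)
    hhs: date                   # report to HHS through the OCR breach portal (164.408)
    media: Optional[date]       # prominent media outlets, large breaches only (164.406)
    hhs_via_annual_log: bool    # True when HHS gets it in the end-of-year submission


def notification_deadlines(discovered: date, affected: int,
                           max_in_one_state: Optional[int] = None) -> NotificationDeadlines:
    """Outer-limit dates for a breach of unsecured PHI.

    discovered:       first day the breach was known, or would have been known
                      with reasonable diligence.
    affected:         total individuals whose PHI was involved.
    max_in_one_state: largest number of affected residents of any single state
                      or jurisdiction; media notice keys off this figure. Defaults
                      to `affected` for a breach confined to one state.
    """
    if affected < 1:
        raise ValueError("no affected individuals, so no notification duty")
    if max_in_one_state is None:
        max_in_one_state = affected

    outer = discovered + timedelta(days=DAYS_AFTER_DISCOVERY)

    if affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs, via_log = outer, False
    else:
        # Small breaches are logged and submitted within 60 days after the end
        # of the calendar year in which they were discovered.
        hhs = date(discovered.year, 12, 31) + timedelta(days=DAYS_AFTER_DISCOVERY)
        via_log = True

    # Note the asymmetry in the rule text: HHS is "500 or more", media is "more than 500".
    media = outer if max_in_one_state > MEDIA_THRESHOLD else None
    return NotificationDeadlines(outer, hhs, media, via_log)


if __name__ == "__main__":
    # Centene-sized breach: 950,000 individuals, with the 26 January 2016
    # statement date used as a stand-in for the discovery date.
    print(notification_deadlines(date(2016, 1, 26), 950_000))
```

The function deliberately refuses a zero count rather than returning empty deadlines: if your tooling can produce an "affected: 0" breach record, that is a data problem to surface, not a case to pass silently.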

Written by Dean Van Dyke

Ramped-Up HIPAA Audits: What They Mean to You

Over the last 12 months, more than $10 million has been recovered by the U.S. Department of Health and Human Services (HHS) in connection with alleged HIPAA violations. Yet the upcoming year is likely to bring on a few more game-changers: namely, a seriously ramped-up effort when it comes to audits. The HHS Office for Civil Rights (OCR) has decided it’s time to broadcast a definitive message throughout the industry by conducting new HIPAA audits among hundreds of organizations that have been identified as being at high risk. What will this mean for those in the healthcare industry?

HIPAA Sticking Points

The statistics gathered by the OCR are sobering:

  • The number of individuals impacted by smaller breaches increased over the last two years, more than tripling between 2010 and 2011 and rising again in 2012.
  • Breaches related to hacking have increased, although theft and loss still account for the majority of large breaches.
  • Most large breach incidents were traced back to business associates, which has led OCR to announce that business associates will be included in future audits.
  • The majority of small breaches resulted from unauthorized access or disclosures, such as incorrect billing, information sent to an outdated physical address, or otherwise misdirected communications.
  • More small breaches involved paper records than electronically stored health records.

According to current guidelines, HIPAA applies to anyone defined as either a covered entity or a business associate of a covered entity. This classification can cause confusion out of the gate for many organizations that remain unsure whether they’re actually bound by HIPAA requirements. (Here’s a helpful hint: when in doubt, assume that you need to follow the guidelines. It’s much easier to take extra precautions than suffer the consequences of being found in violation.)

Another sticking point when it comes to HIPAA is the widespread use of mobile devices outside the office. Personal smartphones and tablets used to access company data are responsible for a large number of complaints and data breaches, because they often lack the security controls applied to on-site equipment and aren’t always held to the same standards.

Protecting Yourself

When it comes to protecting your business against the ramifications of a data breach, the most important step you can take as a healthcare organization is to conduct an exhaustive risk assessment (as required by HIPAA) to examine existing policies and procedures in an effort to more accurately identify potential problems. From there, don’t hesitate to take steps to shore up weak spots and revise current practices as needed to safeguard sensitive information from a potential data breach… and to be able to show your work should OCR audit you.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

3 Tips for Healthcare Data Security

While IT security is challenging in any business, the healthcare industry carries its own unique set of obstacles and high standards. This is due to a number of different factors, ranging from the obvious (HIPAA and other regulatory guidelines) to the subtle (the best way to handle long-term data storage of medical records). Here are three tips that can help you improve your healthcare data security overall.

1. Risk Analysis Done Right

Arguably the most important item of documentation required as part of an Office for Civil Rights audit, a risk analysis shows the steps your organization has taken in terms of both technical and physical data security, as well as employee education efforts and other administrative factors. From uptraining and promoting awareness among staff to ensuring that satellite devices like company-issued laptops are just as secure off-site as on, every detail of your data security can be revealed by a risk analysis. With OCR going as far back as five years in its audits, showing just the most current version is no longer enough; they’re looking now at how your security strategy has evolved over the years, and whether you’re making ample efforts in the right directions.

2. Encrypt, Encrypt, Encrypt

Speaking of company-issued laptops, are yours encrypted? Physical theft and loss of unprotected devices remains the biggest problem currently facing healthcare data security. In fact, OCR data shows that the majority of HIPAA privacy and security breaches, 60 percent, are due to the theft or loss of unencrypted laptops and other devices. If this equipment were encrypted, unauthorized access to the data it contained would be severely limited or prevented entirely, and a lost encrypted device generally would not count as a breach of unsecured PHI in the first place. While the per-user cost of enabling encryption seems significant initially (sources estimate somewhere between $200 and $400), the financial impact of a data breach that occurs from a failure to encrypt is far higher. Full-disk encryption only helps, of course, if the device is powered off or locked when it goes missing and the passphrase or recovery key is not stored with it.
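A fleet check for the laptops just described, added here as an example that is not code from the original post. It assumes Linux laptops and the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`, in which a dm-crypt (LUKS) layer appears as a device of type `crypt` between the partition and the filesystem, so a mount point is encrypted exactly when a `crypt` device sits above it in the tree. The sample tree embedded below is constructed, not captured from a real machine, and the list of mount points worth checking is an assumption.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Assumed set of mount points that hold PHI on a workstation. /boot/efi is
# deliberately absent: the EFI system partition cannot be encrypted.
SENSITIVE_MOUNTS = ("/", "/home", "/var")


def _mountpoints(dev: dict) -> List[str]:
    """lsblk emits 'mountpoint' (older) or a 'mountpoints' list (util-linux >= 2.37)."""
    mps = dev.get("mountpoints") or [dev.get("mountpoint")]
    return [m for m in mps if m]


def encryption_status(tree: dict, mounts=SENSITIVE_MOUNTS) -> Dict[str, Optional[bool]]:
    """Map each mount point of interest to True (sits under a dm-crypt layer),
    False (plaintext block device) or None (not mounted on this host).

    `tree` is the parsed output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
    """
    status: Dict[str, Optional[bool]] = {m: None for m in mounts}

    def walk(dev: dict, under_crypt: bool) -> None:
        # Once a crypt device is seen, everything stacked on it (LVM, filesystems)
        # inherits the encryption.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            if mp in status:
                status[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return status


def unencrypted_mounts(tree: dict, mounts=SENSITIVE_MOUNTS) -> List[str]:
    """Mount points that are present on the host but backed by a plaintext device."""
    return [m for m, enc in encryption_status(tree, mounts).items() if enc is False]


# Constructed sample of lsblk -J output: LVM on LUKS on nvme0n1p2 (root and
# /home encrypted), plus a plaintext USB disk mounted at /var.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptlvm", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/var"}]}
]}
""")


def audit_this_host(mounts=SENSITIVE_MOUNTS) -> List[str]:
    """Run the real lsblk on the local machine and report plaintext PHI mounts."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(json.loads(out), mounts)


if __name__ == "__main__":
    print("sample host, plaintext mounts:", unencrypted_mounts(SAMPLE_LSBLK))
```

`audit_this_host()` is the function you would ship to endpoints; BitLocker and FileVault machines need their own check (`manage-bde -status` and `fdesetup status` respectively). Be clear about what this proves: that the encryption layer is present under the mount, not that the passphrase is strong or that the recovery key lives somewhere other than the laptop bag.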

3. Educate Your Employees

Of course, all the rules and policies in the world aren’t going to make a bit of difference if your employees remain unaware of them… or worse, decline to follow them. Employees have to be educated about the risks—not just of how a data breach could impact employees and patients, but also the importance of encryption, why safe browsing and computing habits matter, the difference between a strong and weak password and so on. IT security doesn’t happen in a vacuum; privacy and protection are dependent on every individual who interacts with sensitive data, and at every step of the workflow.

Call in the Experts

If you’re feeling generally overwhelmed by the big picture of healthcare IT security—or the multitude of just as important yet easily overlooked tiny safety details—you may want to look into working with a third party vendor who specializes in the field of ensuring IT security for healthcare organizations. From data analysis to implementing encryption and working to develop a comprehensive employee education program, an outside voice of expertise can provide a much-needed level of guidance to ensure that your organization and your patients are well-protected.

Are Small Hospitals More Vulnerable to Data Breaches?

Small hospitals and healthcare practices often think they’re not as vulnerable to hackers as their larger peers, and for seemingly logical reasons. In theory, they present less of a motivation for hackers (since the payoff wouldn’t be nearly as impressive), and their size probably makes them less well-known compared to a larger facility, too. Yet the reality is that what these healthcare providers read in the news is just the tip of the iceberg. There are a few reasons why smaller healthcare organizations may actually be a more enticing target than healthcare executives realize.

Size Relative to Security

When it comes to security, size should never be the deciding factor. That is, smaller facilities shouldn’t skimp on protection just because they have smaller databases or fewer patients. Unfortunately, this is exactly the misconception some healthcare executives hold: that protection really isn’t all that critical. Just as unfortunately, a lot of hackers know that this attitude is prevalent in small practices, which makes those smaller databases ripe for the plucking.

Another place where size is deceptive lies on the development side of the healthcare industry. Healthcare-related apps are convenient little things, thought of as generally hobby-based and innocuous. This combination of qualities means that security is often overlooked here, too, leading to many health and fitness apps that sorely lack in adequate protection of patient privacy.

Steps to Take

No matter how insignificant your healthcare practice may seem in comparison to larger, fancier or sleeker facilities, one man’s trash is another man’s treasure, as the saying goes. Just because you imagine that your limited information couldn’t possibly be valuable to hackers doesn’t mean that the jackpot isn’t just as satisfying if cybercriminals gain unauthorized access to your system…and that means your patients—and their privacy—remain very much at risk.

There are a few steps that can help limit these vulnerabilities:

  • Protect everything: Don’t let anything go unprotected, least of all medical records. Attackers aren’t only after payment information; a practice that keeps no credit card authorizations still holds identity and insurance data that is valuable on its own. Health data is its own gold mine.
  • Regular check-ups: If a breach does occur, early detection is what limits the damage. Something as simple as reviewing your access logs, so that unusual patterns such as one account pulling far more records than its role requires stand out, can greatly shorten an intruder’s window.
  • Don’t forget the small stuff: There really is no “too small” when it comes to hackers. From health-related apps to insulin pumps to the most remote rural practice, anything that stores, transmits or records medical information requires protection.
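The “regular check-ups” point above is easy to state and rarely shown. The following is an added example, not code from the original post or from any EHR vendor: it runs three simple anomaly rules over a handful of constructed access-log lines (the log format, the field names and the thresholds are all assumptions for the example). The rules are the ones a small practice can apply without a SIEM: a user touching an unusually large number of distinct patient records, access outside business hours, and many distinct records read within a short window, which is the signature of scripted bulk export rather than patient care.

```python
"""Three access-log checks over constructed EHR audit lines (added example)."""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple


class Access(NamedTuple):
    when: datetime
    user: str
    patient: str
    action: str


# Constructed sample log, not from any real system. Assumed line format:
# "<ISO timestamp> <user> <patient record id> <action>"
SAMPLE_LOG = """\
2015-03-02T08:55:11 nurse.a PT-1001 view
2015-03-02T09:12:40 nurse.a PT-1002 view
2015-03-02T10:30:02 nurse.a PT-1003 update
2015-03-02T11:02:13 dr.b PT-1001 view
2015-03-02T11:45:55 dr.b PT-1004 update
2015-03-02T14:20:09 nurse.a PT-1002 view
2015-03-02T16:03:27 nurse.a PT-1005 view
2015-03-02T23:10:01 billing.c PT-1001 view
2015-03-02T23:10:09 billing.c PT-1002 view
2015-03-02T23:10:17 billing.c PT-1003 view
2015-03-02T23:10:25 billing.c PT-1004 view
2015-03-02T23:10:33 billing.c PT-1005 view
2015-03-02T23:10:41 billing.c PT-1006 view
2015-03-02T23:10:49 billing.c PT-1007 view
2015-03-02T23:10:57 billing.c PT-1008 view
2015-03-02T23:11:05 billing.c PT-1009 view
2015-03-02T23:11:13 billing.c PT-1010 view
2015-03-02T23:11:21 billing.c PT-1011 view
2015-03-02T23:11:29 billing.c PT-1012 view
"""


def parse_log(text: str) -> List[Access]:
    """Parse the assumed whitespace-separated format; skip blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split()
        entries.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return entries


def distinct_patients_per_user(entries: List[Access]) -> Dict[str, int]:
    """How many different patient records each user touched."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.user].add(e.patient)
    return {u: len(p) for u, p in seen.items()}


def bulk_access(entries: List[Access], max_distinct: int = 10) -> List[str]:
    """Users who touched more distinct records than their role plausibly needs."""
    counts = distinct_patients_per_user(entries)
    return sorted(u for u, n in counts.items() if n > max_distinct)


def after_hours(entries: List[Access], start: time = time(7), end: time = time(19)) -> Dict[str, int]:
    """Per-user count of accesses outside the business-hours window [start, end)."""
    counts = defaultdict(int)
    for e in entries:
        if not (start <= e.when.time() < end):
            counts[e.user] += 1
    return dict(counts)


def rapid_sequential(entries: List[Access], window_seconds: int = 60, min_records: int = 5) -> List[str]:
    """Users who read min_records or more distinct patients within window_seconds."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e.user].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[hi].when - evs[lo].when).total_seconds() > window_seconds:
                lo += 1
            if len({e.patient for e in evs[lo:hi + 1]}) >= min_records:
                flagged.append(user)
                break
    return sorted(flagged)


def report(text: str) -> dict:
    """Run all three checks and return the findings in one structure."""
    entries = parse_log(text)
    return {
        "bulk_access": bulk_access(entries),
        "after_hours": after_hours(entries),
        "rapid_sequential": rapid_sequential(entries),
    }


if __name__ == "__main__":
    for rule, finding in report(SAMPLE_LOG).items():
        print(f"{rule}: {finding}")
```

In the constructed sample, the clinical users trip none of the rules while the billing account, which reads twelve records in about ninety seconds at eleven at night, trips all three. The thresholds are deliberately simple; in practice they would be set per role from a few weeks of normal logs, and any hit should be followed by asking the account owner what they were doing.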

If there’s only one takeaway here, let it be that developing awareness of the very real danger of medical identity theft—regardless of practice size—is of the utmost importance to protecting patient information. Take the right steps to protect your practice and your patients, and you’ll become a much less tempting target.

How Can Less Tech-Savvy Hospitals Move Forward with EHR?

In urban areas, it’s typical and even expected that larger healthcare organizations and hospitals are already using the latest medical breakthroughs and technological advances, including making (or having already made) the transition to electronic health records (EHR). Yet, rural practices are often stuck years behind their big city counterparts in a number of ways, and EHR adoption is no exception. How can smaller medical practices and hospitals catch up, let alone move forward?

Pipeline Problems

There are a lot of things people living in larger metropolitan areas take for granted, like 24-hour grocery stores or extensive public transportation. Smaller communities are faced with a number of unique challenges related to their relatively remote, isolated locations.

This dynamic is reflected in the healthcare industry as well. When it comes to making tech upgrades, the problems an urban hospital faces are most often related to issues like figuring out the best way to transform a large volume of paper records into digital format, or how to rearrange the budget to pay for the transition. In rural areas, though, complications occur at a much more fundamental level.

The question that smaller practices face isn’t necessarily how to schedule the time or how best to reprioritize the budget, but may instead be as basic as how to find a technician or vendor to perform the service at all. Facilities with only a couple dozen beds may have trouble even getting the latest medical equipment, and often lack the expert guidance needed to install and implement the hardware and software required to build and maintain effective electronic records management.

Lack of funding in general is another serious issue facing rural practices. On average, the nation’s 2,000 or so rural hospitals already run at an eight percent loss, so finding the investment needed to adopt EHR, often in the range of a million dollars, can feel impossible. Yet these changes need to be on track to meet the mandatory 2015 deadline, so an answer has to be found.

Joining Forces

The solution adopted by an increasing number of smaller practices involves a trade-off: giving up their independence in exchange for being absorbed into a larger nearby healthcare organization. Rural hospitals can align or merge with the nearest large metropolitan hospital system and receive the benefits of more generous financial backing, along with better access to the necessary technical support. Often the urban facilities are already using EHR, so making the upgrade is a fairly streamlined, and less financially strapped, process. While some small hospitals remain stubbornly independent and are determined to find funding on their own, others are benefiting in a big way from creatively joining forces with other healthcare providers.

Image via freedigitalphotos.net/2nix

Is Your Healthcare IT Security Stuck in The Stone Age?

It has been more than a decade since HIPAA’s Security Rule was introduced. In the intervening years, the field of healthcare IT security has evolved dramatically. However, not all practices and providers have gone along for the ride.
Are you part of an organization running a Flintstones-era healthcare infosec operation? If so, you may be playing fast and loose not only with patient welfare but also with federal regulations. With the impending implementation of ICD-10 and the ongoing shift to fully electronic medical records, chinks in your healthcare IT security armor may leave both your patients and your organization vulnerable to costly and compromising breaches.

Head in the Cloud?

Cloud computing has lifted physicians’ abilities to communicate, collaborate, and compare patient information into the stratosphere. Developments in cloud computing technology put staggering amounts of useful information in the hands of healthcare providers in both megacities and small municipalities.

But for all the benefits that come from this open access platform, there is also great risk involved. Managing data across multiple platforms and great distances exposes sensitive patient information to far more people and systems. If you haven’t made security a priority, you may inadvertently, and unknowingly, be exposing patient reports, EMRs and images to nefarious individuals or entities. Any outsourced firm your organization or practice contracts with to capture or store patient information is a business associate under HIPAA: make sure it has signed a business associate agreement and can show that its own security controls meet the Security Rule before it handles your data.

Security Alphabet Soup

When swimming in a sea of EHR/EMR, HIPAA, HITECH and many other acronyms, it’s easy to let information security fall to the bottom of your list of compliance priorities. However, the federal government is ramping up efforts to monitor and intervene in even the smallest of HIPAA breaches. In a world of rogue “hacktivists” and ever-changing security threats and standards, how can you be sure you’re doing everything possible to keep patient information secure? Here’s a hint: if you don’t know what “hacktivists” are, you may be in the middle of a Stone Age healthcare IT security situation.

In the new cyber economy, even small- to medium-sized businesses and practices face security threats more commonly associated with institutions on an enterprise-level scale. Putting healthcare IT security higher on your list of priorities shouldn’t even be up for debate.

Top Healthcare IT Security Threats

A few of the most vulnerable points for IT security include:

  • Providers and contractors with multiple untracked, unencrypted mobile devices – A lost or stolen phone or laptop exposes everything stored on it, and a fleet running many different operating system versions and patch levels is hard to keep free of malware.
  • The shift from desktop systems to cloud-based servers – Running multiple applications from one virtualized “desktop” saves hardware dollars but puts private health information behind a larger, internet-facing set of accounts and services, each of which can be attacked.
  • Social media exposure – It’s nearly impossible to restrict employee access to social media, but these networks are a steady source of phishing lures and malicious links that reach staff on the same devices they use for patient data.

Healthcare Security for the Modern Age

If you aren’t sure whether your healthcare security processes and procedures are up to date, they are most likely behind the times. Get smart with your healthcare IT security policies in order to ensure both federal compliance and patient privacy. Protecting your practice and patients from compromise is as much a part of your duty of care as improving physical health. To secure both patient data and your vital business information, make IT security a top priority. Doing so may require enlisting an outside contractor with the expertise to bring your healthcare IT security up to the standard the threats now demand.

Image via freedigitalphotos.net/ddpavumba