Meaningful Use Stage 2 – IT impact

The proposed meaningful use stage 2 requirements were posted yesterday. The requirements are over 450 pages so we are still going through them and trying to digest them. As of now, two major IT related items jump out at us.

The first IT related objective is focused on protecting and securing patient information. In stage 1, one of the objectives was to perform a HIPAA risk assessment on how patient information is being protected. This requirement is still in place but additional emphasis has been placed on the use of encryption.

Proposed Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.

The explanation of why the use of encryption is being emphasized is very interesting:

This measure is the same as in Stage 1 except that we specifically address the encryption/security of data that is stored in Certified EHR Technology (data at rest). Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure.

Although the use of encryption is not required, the emphasis on its use is clear. An organization that has not implemented encryption will find itself in the awkward position of having to explain why not.

The second IT related item is a change to the stage 1 requirements. In stage 1 the requirement was to provide patients with an electronic copy of their health information and discharge instructions. This requirement has been removed. The new requirement, in stage 2, would allow patients to view online, download and transmit their health information.

Proposed EP Objective: Provide patients the ability to view online, download, and transmit their health information within 4 business days of the information being available to the EP.
The goal of this objective is to allow patients easy access to their health information as soon as possible so that they can make informed decisions regarding their care or share their most recent clinical information with other health care providers and personal caregivers as they see fit.

This requirement signals the use of secure patient portals that will allow patients to log in and access their records.

Entegration, Inc. announces new client – RMA of New York


Entegration, Inc. announces new client
Reproductive Medicine Associates of New York


Morristown, NJ – Sep 29, 2011 – Entegration, Inc. (Entegration) is pleased to announce that Reproductive Medicine Associates of New York (RMA of New York) has signed on as a new client. RMA of New York is a full-service fertility center specializing in in vitro fertilization (IVF) since 2001. Entegration will provide IT services such as network support, electronic medical record (EMR) support, practice efficiencies and compliance services.

“Entegration brings an extensive knowledge of both IT services and support of fertility and IVF practices,” stated Dr. Alan Copperman of RMA of New York. “We are pleased to be able to leverage their skill set and knowledge as RMA of New York continues to grow.”

Entegration will provide IT services to the RMA of New York’s midtown Manhattan location as well as the Westchester and Long Island locations.

“RMA of New York is a large reproductive medical practice that relies on technology to provide a high level of patient satisfaction and care,” said Art Gross, Entegration President. “Our experience meeting the IT needs of reproductive medical practices will allow us to provide the highest level of support and to provide guidance and technology direction as RMA of New York continues to grow. We are very excited to work with such a premier organization.”

About Reproductive Medicine Associates of New York (RMA of New York)
RMA of New York is the Reproductive Endocrinology and Infertility division of Mount Sinai Medical Center in New York City and has been caring for patients in its midtown Manhattan location since 2001, with additional locations in Westchester and Long Island, New York. RMA of New York is a full-service fertility center, specializing in in vitro fertilization (IVF), egg donation, egg freezing, reproductive surgeries and male reproductive medicine. Highly individualized patient care is offered through seven reproductive endocrinologists, a urologist, a complementary care team and highly qualified staff. For more information, please call 212.756.5777 or visit www.rmany.com.

About Entegration, Inc.
Entegration offers a full range of Information Technology (IT) services to healthcare organizations. Entegration has focused on healthcare and medical practices since it was founded in 2000. Entegration provides its advanced knowledge and expertise to clients that range from startup medical practices to large established multi-physician, multi-location medical practices. Entegration provides HIPAA security services through its innovative HIPAA Secure Now! service. For more information visit www.entegration.net and www.hipaasecurenow.com.

###

Contact Information
Entegration, Inc
Diana Mazzarella (Operations Manager)
877-275-4545 x87
dianam@entegration.net
www.entegration.net

7.9 million records breached and counting

According to a report to Congress from the Department of Health and Human Services (HHS), almost 8 million records have been breached since 2009. That is a staggering number. What is worse is that the number of data breaches continues to increase.

Another way of looking at it is that we are only at the beginning of Stage 1 of Meaningful Use. That means many more medical practices and hospitals will be implementing EMRs in the next few years. At this rate the number of records that could be breached could reach 20 million or more.

There is a point where patients and consumers of healthcare services lose confidence in the system. I am not sure anyone knows when that tipping point will happen, but it is a real possibility. Unchecked, and without fundamental changes to how patient data is protected, we could be heading for that fate.

The question is what can be done to stop this epidemic of patient data breaches? HHS has announced that they will perform 150 HIPAA audits in the next year. Will this change healthcare providers’ mindset? Will this make them take HIPAA and patient data security more seriously? I don’t think anyone can answer this but it is a step in the right direction.

One thing is clear: without some fundamental change, the number of patient data breaches will continue to increase and trust in electronic medical records will be hurt. This goes in the exact opposite direction from where the government is pushing with Meaningful Use and incentives to implement EMRs.

Disaster Recovery planning can be high tech and low tech

It has been a turbulent week on the East Coast. We have had a rare magnitude 5.9 earthquake and have been hit by a Category 1 hurricane that left millions without power and caused major flooding. So naturally I have been thinking about Disaster Recovery. It really takes extreme cases like the past week to get people thinking about disasters and Disaster Recovery. But the truth is that disasters happen every day. There are fires and floods and explosions that impact businesses every day.

But since large, powerful, eye-opening events really get people thinking about disasters, I will seize the moment and use it to help get people started on Disaster Recovery planning. Disaster Recovery planning is not easy. The exercise is trying to plan for something you don’t know will happen, and you can’t anticipate every environmental, physical and human action. But before you get discouraged, you can start planning for things that you think might happen even if you don’t know the exact chain of events.

Categories of disasters

When I look at Disaster Recovery planning I like to split disasters into one of two categories. The first category is a temporary disruption in a business’ ability to access its server/network infrastructure. This could be the result of an extended power outage that shuts the servers down, or of a flood that makes it impossible for employees to travel to the office and also disrupts network communication and remote access, such as a failed T1, DSL or cable modem. Both of these scenarios leave a business and its employees temporarily without access to the network, data and applications. The second category is more serious and involves destruction of a business’ server/network infrastructure. This could be the result of a fire, flood, explosion, earthquake, etc. The business’ servers and network are permanently destroyed.

You will notice that splitting disasters into two categories allows for planning of multiple scenarios without having to know the exact cause of the disaster. It makes the Disaster Recovery planning much easier.

Data replication

One of the key parts of ensuring that you have a Disaster Recovery plan is to figure out how you are going to access critical data in the event that your servers/network are either temporarily or permanently inaccessible. In this post I go into detail on Disaster Recovery planning, which includes data replication and utilizing alternate locations to run duplicate infrastructure. The details of the post will give you good insight into some of the alternatives.

Communications

But another key part of Disaster Recovery planning is much less high tech. In fact it is probably very low tech and almost as important. In a disaster one of the worst outcomes is that a business’ employees may not be able to communicate with each other. Consider the usual channels:

  1. Email. If there is a widespread power outage and your business relies primarily on email to communicate, your email server may be down and email will not be an option.
  2. Home phones. As more and more people move away from landline phones (Verizon, AT&T, etc.) to voice over IP (VoIP) such as Vonage and phone service through cable companies, FiOS, etc., power outages cause people to lose their home phone service. When the power is out, Internet and phone are also out.
  3. Cell phones. As we rely on cell phones more and more for communications, we are very susceptible to a disruption in cell service. After the recent earthquake, millions rushed to their cell phones to make calls only to find that calls would not go through. Unfortunately the reality is that our cell phone infrastructure has major problems with extremely high call volumes, and in a disaster that is exactly the volume to expect.

So a business might face a scenario where email is down and employees can’t be reached via home or cell phones. Not being able to communicate with employees is a critical issue.

Let’s take a low tech approach to communications and see if some basic planning can help.  Prior to the recent hurricane, Entegration did some basic planning to ensure that all employees could communicate in the event of a disaster.  Here are some of the steps we took:

  1. Ensure that we had an up to date contact list with all home phone numbers, cell phone numbers and home addresses (yes, driving to a person’s house is a viable option if there is no other way to communicate with them).
  2. Every employee set up an alternate email address (via Gmail, Hotmail, Yahoo mail, etc.). We set up the address as first name + last name + company name, for example ArtGEntegration@hotmail.com. In the event our primary email server went down and we could not communicate via Exchange/Outlook or our smartphones, we could still communicate via alternate email providers. These email services are free and very easy to set up. And with smartphones, tablets and wireless network access, reaching these services is very straightforward even in the event of a power outage. We ensured that our contact list, as mentioned in step 1, had both the primary and secondary email address for each employee.
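The two steps above amount to a checklist, and a roster is only useful in a disaster if every record is actually complete. The script below is an added example, not Entegration’s own code: it checks that each employee record carries the fields the contact list calls for (home phone, cell phone, home address, primary and alternate email) and that the alternate address does not depend on the same mail domain as the primary one, since the alternate exists precisely to survive an Exchange outage. The company domain and the roster entries are constructed sample data.

```python
"""Disaster Recovery contact roster check.

Added example, not Entegration's own code. COMPANY_DOMAIN and the roster
entries below are constructed sample data.
"""
from dataclasses import dataclass

COMPANY_DOMAIN = "example-practice.com"  # assumption: the primary (Exchange) mail domain


@dataclass
class Employee:
    first: str
    last: str
    home_phone: str = ""
    cell_phone: str = ""
    home_address: str = ""
    primary_email: str = ""
    alternate_email: str = ""


def mail_domain(address):
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def suggested_alternate_local_part(first, last, company):
    """The naming pattern from the post: first name + last name + company name."""
    return f"{first}{last}{company}"


def roster_gaps(employees, company_domain=COMPANY_DOMAIN):
    """Map 'First Last' -> list of problems for every record that could leave
    someone unreachable in a disaster. Complete records are omitted."""
    gaps = {}
    for e in employees:
        problems = []
        required = (
            ("home phone", e.home_phone),
            ("cell phone", e.cell_phone),
            ("home address", e.home_address),
            ("primary email", e.primary_email),
            ("alternate email", e.alternate_email),
        )
        for label, value in required:
            if not value.strip():
                problems.append(f"missing {label}")
        # An alternate address on the company's own domain goes down with Exchange.
        alt = mail_domain(e.alternate_email)
        if alt and alt in {company_domain, mail_domain(e.primary_email)}:
            problems.append("alternate email depends on the primary mail domain")
        if problems:
            gaps[f"{e.first} {e.last}"] = problems
    return gaps


# Constructed sample roster: one complete record, two with gaps.
SAMPLE_ROSTER = [
    Employee("Art", "Gross", "973-555-0100", "973-555-0101", "1 Main St, Morristown NJ",
             "artg@example-practice.com", "ArtGrossExamplePractice@example-mail.com"),
    Employee("Jane", "Doe", "973-555-0102", "", "2 Main St, Morristown NJ",
             "janed@example-practice.com", "jane.backup@example-practice.com"),
    Employee("Sam", "Lee", "", "973-555-0103", "",
             "saml@example-practice.com", ""),
]

if __name__ == "__main__":
    for name, problems in roster_gaps(SAMPLE_ROSTER).items():
        print(name, "->", "; ".join(problems))
```

Run it against an export of the real contact list before a storm season rather than after the outage; the point of the domain check is that a "backup" address hosted on the same mail system is no backup at all.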

Social Networks

Other alternatives are to utilize social networks such as Facebook, Twitter, LinkedIn and Google+ to communicate. Adding social networks to the above options increases your chances of being able to communicate.

Summary

So hopefully this will get you thinking about Disaster Recovery planning.  In summary:

  1. Break disasters into categories (temporary and permanent disruptions of service).
  2. Focus on communication strategies that will enable all employees to communicate in the event of a disaster.
  3. Plan data replication and alternate locations to run critical business functions.

Image via Flickr posted by www.gisuser.com

Anyone can fall victim of a phishing attack

I woke up this morning to see that while I was sleeping I somehow managed to send out about 100 Twitter direct messages with a message saying:

“You look different in this photo. http://t.co/NglQQu1”

Needless to say, I didn’t actually send the direct messages and was a victim of a phishing scam.  I received the same message yesterday from a friend on Twitter and read it while I was on the phone. I clicked on the link and realized I wasn’t logged into Twitter (I use HootSuite).  So when prompted for my email and password I entered both.  The page looked identical to the real Twitter login page.  I was then greeted with a weird page.  I realized something was wrong but continued on my phone conversation.

When I woke up and saw all the Twitter messages on my phone I realized that my account was hacked and when I logged into Twitter yesterday it must have been a phishing attack that captured my email and password. I immediately changed my Twitter password.

If you received a message from me I want to apologize.

Yes I wrote about how to avoid being a victim of a phishing attack and I then become a victim myself. Ironic? Yes! Embarrassing? Yes!

I am just glad the damage was minimal and the phishing attack didn’t lead to something more serious.

Be safe out there. Phishing is real and anyone can be a victim. And with the implicit trust that comes with social networks, it is even easier to be a victim.

Details of the HIPAA audits

Health Info Security has published the transcript from an interview with Susan McAndrew of the Department of Health and Human Services’ Office for Civil Rights. The article is very good and should be read in its entirety. Below are some of the key points.

When asked if business associates as well as covered entities will be part of the 150 audits, McAndrew responded:

Eventually. I’m not sure whether business associates will be part of the initial selection process because they are a little more difficult to obtain information about. We don’t have a list or a registry yet of who is a business associate. We’re still strategizing as to how to collect information about business associates to make a meaningful selection, but we certainly are looking to KPMG to have protocols developed to give us the capability of auditing business associates.

It’s unclear at this point whether or not we will be able to conduct and test the business associate protocols. We are hopeful of being able to do so. The primary focus is going to be on the protocols for the covered entities and proving the audit results with regard to covered

It should be interesting to see how they collect the list of business associates. Will they require each covered entity to identify its own business associates?

When asked if the audits will be looking for general compliance or more specific issues of compliance McAndrew replied:

However, at least initially, because we’re very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance

That can be read as saying they will be looking at how closely an organization complies with the HIPAA regulations. High level items may include policies and procedures, when the last risk assessment was conducted, employee training, incident response procedures, etc.

When asked about onsite audits and if results will be publicly published, she responded:

The model that we’re testing is your typical onsite audit. … There will definitely be advanced notice to the entity. There will usually be advanced request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite. And then, as is typical following the onsite visit, the auditors, if they need to, will collect more information. They will complete their draft report. Typically the draft report is shared with the covered entity before it’s final, and the covered entity’s responses to the findings of the auditor would be incorporated as part of the final audit report.

We haven’t decided that (publishing results publicly) yet. Part of this whole endeavor is to have an evaluation component where we can be assured that the information that we are getting through this audit process is accurate and meaningful.

That said, whether we do it in summary form or publish the individual report similar to the way that the inspector general does with their audit materials still needs to be worked out. I think that we will be looking at that very closely as part of our evaluation criteria.

So audits will be onsite and the organization will have advance notice. Draft reports will be prepared prior to publication. It is not clear whether the results will be published for each audit or only a summary will be published. Will this turn into another wall of shame?

And finally, McAndrew gives organizations insight into how to prepare for the coming audits:

But this is certainly an opportunity for the covered entities to review their policies and procedures to make sure that they are complete and up-to-date. Also, the way that they are managing the information, whether it’s in computerized files or good old-fashioned paper records, make sure that they are fully documenting what’s being done with the information and how it’s being managed and safeguarded. The [HIPAA] security rule has its own requirements for risk analysis and risk management programs. …

Through the experience that we’ve been having with covered entities on breaches and incident response plans, [those plans] need to be up-to-date and flexible, as well as emergency backup systems. I think this is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities.

So she recommends:

  • Creating or reviewing the appropriate policies and procedures
  • Performing a risk assessment as well as running a risk management program (implementing the results of the risk assessment)
  • Creating incident response plans
  • Training employees and implementing an employee awareness program

Good advice for every organization!

Phishing should be one of your security concerns

I write a lot about network security, HIPAA and protecting patient data. I truly believe that these concerns should be at the top of every healthcare organization’s security list. But recently something has hit my radar that concerns me even more. Phishing has always been a problem but now it seems like an epidemic. Let’s take a closer look at Phishing. What is Phishing? Below is the Wikipedia definition:

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

A good example of a typical Phishing attack is for a person to get an email, apparently from their bank, stating that their account has been locked due to suspicious activity. The email states that the person needs to log into their account to reactivate it. In the email there is a link to a website that looks like the normal bank login. The person enters their login credentials. From there the login credentials are used to access the real bank account, and money is then transferred out of the account to another bank.

Unfortunately over the past month I have heard of actual successful Phishing attempts that have resulted in hundreds of thousands of dollars being stolen. Now you see why Phishing is at the top of my list of concerns, not only for my company but for my clients’ as well.

In the past Phishing attempts were easy to spot. The emails had spelling mistakes, the website didn’t look legitimate, etc. But that is not the case anymore. The emails are now almost impossible to spot as fake, and the websites look exactly like the real websites. It is getting harder and harder to spot Phishing attempts.

With the recent high profile hacking of large companies such as Epsilon and Sony, millions and millions of email addresses are now in the hands of people that are using them for Phishing attacks.

So what can an organization do to protect itself against Phishing attacks?

  1. Educate your employees – make them aware of Phishing attacks. Make sure anyone who has access to your organization’s financials, credit cards and online banking is very aware of what Phishing is and is on the lookout for Phishing attacks. Make sure they know that any time they think something may be suspicious, they should call the bank or company and verify the legitimacy of the request prior to providing any information online.
  2. Lower your bank’s wire transfer amount limit – many times a successful Phishing attack utilizes a wire transfer out of the victim’s bank into another bank. One way to protect against this is to lower the wire transfer amount limit on your account. If you don’t use wire transfers often then lower it to $5,000 or less or insist that you have to verbally approve each wire transfer. Each bank is different but it is worth the time to discuss your options with your bank.

In addition to loss of money due to wire transfers, other Phishing attempts try to collect credit card information and social networking credentials, such as IDs and passwords for sites like Facebook and LinkedIn. Now more than ever, it is very important to scrutinize each email that you receive and make sure that it is legitimate prior to providing any information that can be used to access your accounts.
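"Scrutinize each email" is easier when the scrutiny is written down. The script below is an added example, not code from this post: it pulls every link out of an HTML email body and flags the traits of the attack described above (a link whose visible text says the bank’s address but whose destination is a lookalike host, a URL shortener that hides the destination, a raw IP address, or a plain http link). The sample email, the examplebank.com domain, the brand keyword and the shortener list are all constructed or assumed; a real deployment would also consult the public suffix list instead of the two-label approximation used here.

```python
"""Phishing link triage for an incoming email body.

Added example, not code from the post. SAMPLE_EMAIL, TRUSTED, BRANDS and
SHORTENERS are constructed/assumed values.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: public URL shorteners whose destination a reader cannot see.
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude registrable-domain approximation (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(href, text, trusted_domains, brand_keywords):
    """Return the list of phishing indicators for one link (empty if none)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return findings
    if parts.scheme != "https":
        findings.append("not https")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    reg = registrable(host)
    if reg not in trusted_domains:
        for kw in brand_keywords:
            if kw in host:
                findings.append(f"brand name '{kw}' in untrusted host (lookalike)")
                break
    # Visible text that itself looks like a URL but points somewhere else.
    m = re.match(r"^(?:https?://)?([^/\s]+)", text)
    if m and "." in m.group(1) and registrable(m.group(1)) != reg:
        findings.append(f"visible text '{text}' does not match destination host {host}")
    return findings


def triage_email(html, trusted_domains, brand_keywords):
    """Map each suspicious href in the email to its indicators."""
    report = {}
    for href, text in extract_links(html):
        findings = link_findings(href, text, trusted_domains, brand_keywords)
        if findings:
            report[href] = findings
    return report


# Constructed sample: one lookalike, one shortener, one raw IP, one genuine link.
SAMPLE_EMAIL = """
<p>Your account has been locked due to suspicious activity.</p>
<p>Log in at <a href="http://examplebank.com.verify-login.example/account">www.examplebank.com</a></p>
<p><a href="http://t.co/xxxxxxx">You look different in this photo</a></p>
<p><a href="https://203.0.113.5/login">secure login</a></p>
<p><a href="https://www.examplebank.com/alerts">View your alerts</a></p>
"""
TRUSTED = {"examplebank.com"}
BRANDS = ("examplebank",)

if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL, TRUSTED, BRANDS).items():
        print(href)
        for f in findings:
            print("  -", f)
```

The genuine alerts link produces no findings, while the lookalike is caught three ways at once, which is the point: none of these indicators is proof by itself, but a link that trips several of them is exactly the one the post says to verify by phone before typing a password.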

Image: scottchan / FreeDigitalPhotos.net

Google+ is fast and furious

There has been a lot written about Google+.  Google’s new social platform seems to be a hit. Google+ mixes the best elements of both Facebook and Twitter and provides a platform that allows for both sharing of information as well as providing Facebook type comments and feedback.

So far the pace of information, sharing and user growth has been both fast and furious. I am enjoying the Google+ experience and seeing how a new social platform develops.

Are you on Google+?  If you are and want to connect use the Follow Me on Google+ box to the right of this post to add me to one of your circles.

See you on G+!

We are hiring! NYC Systems Administrator

We are looking for a good Systems Administrator for a New York City client. If you know someone that might be a good fit please pass the below posting to them.

Systems Engineer/Systems Administrator

ENTEGRATION, Inc., a leading provider of outsourcing, consulting, and systems integration providing IT consulting services to the medical industry, is seeking a motivated, energetic Systems Engineer/Systems Administrator to support a large client in New York City. We are looking for an individual with a proven track record of implementing and supporting industry standard solutions on Microsoft platforms. A successful candidate will have good interpersonal skills and be able to interface with high level management at our client to understand and design solutions to meet their requirements.

The Systems Engineer/Systems Administrator will work at our New York client on a full-time basis. They will work closely with our client’s management and employees to understand the client’s needs and support issues. The Systems Engineer/Systems Administrator will also work closely with other Entegration employees to ensure that standard solutions are implemented and to ensure that best practices are shared amongst all Entegration clients.

Duties and Responsibilities:
1. Interface with high levels of management at the client to understand, design, and propose technical solutions to meet their individual needs
2. Author project scopes for client proposals; participate in conference calls and meetings
3. Perform analysis, troubleshooting, diagnosis, and resolution of complex systems and network
4. Design, implement, upgrade, migrate, and maintain all Microsoft Windows server platforms
5. Responsible for design, installation, upgrade, and migration of all Microsoft server technologies, including Microsoft Active Directory and Microsoft Back Office products
6. Troubleshoot, and maintain messaging and collaboration services using Microsoft Exchange 2007 and 2010 server technologies
7. Work with ISPs to design and implement traditional T1/MPLS WANs
8. Implement and troubleshoot BlackBerry Enterprise Server platform (v.4 & v.5)
9. Install and configure Microsoft SQL Server (2000-2010) database platforms
10. Perform installation, configuration, and capacity planning for Citrix XenApp Server farms
11. Design, implement, and troubleshoot Symantec Backup Exec platform along with other disk-based backup methodologies
12. Participate in a rotational on call schedule

Qualifications:
1. Must possess 4+ years systems administration and/or engineering experience.
2. Candidates must possess a Bachelors degree in Computer Science, Information Technology or related field of study.
3. Candidates must demonstrate proven knowledge of computer networking either through formal instruction or practical work experience.
4. Candidates must possess excellent troubleshooting methodology and skills.
5. Candidates must possess strong written and oral communications, as well as strong analytical and problem solving skills.
6. Candidates must be able to demonstrate decision-making and project management skills.
7. Candidates must be able to work well under pressure, prioritize multiple issues at one time, and have a proven track record meeting strict deadlines.
8. Candidates must retain the highest level of professionalism at all times.
9. Ability to work a flexible schedule is required, may occasionally be required to work outside standard business hours.
10. Experience providing IT services to the healthcare industry highly desirable but not required.
11. Microsoft Certification (MCSE or MSTP) highly desirable but not required.

Required Technologies:
* Strong skills deploying, using, and troubleshooting Windows desktop operating systems including 2000, XP, Vista, & Windows 7
* Strong understanding of deploying and troubleshooting Windows Server operating systems including 2000, 2003 & 2008
* A strong understanding of Microsoft Active Directory, Group Policy, and File and Print services
* Strong understanding of Microsoft Exchange (2003–2010); advanced understanding of SMTP internet mail flow required
* Advanced installation & configuration of Microsoft SQL Server (2000-2008)
* Networking Protocols including DNS, DHCP, & TCP/IP
* Familiar with smart phone platforms, including BlackBerry, Android, iPhone, & Windows Mobile devices; BlackBerry (BES) server experience required
* Familiar with Enterprise Anti-Virus technologies (McAfee, Symantec, Sunbelt Vipre)
* A strong understanding of Terminal Services administration and troubleshooting
* Strong knowledge configuring, administering, and troubleshooting Citrix Presentation Server for remote access and thin client computing
* Experienced deploying workstations using Symantec Ghost or similar technology
* Candidate must be familiar with automated trouble ticketing systems
* Candidate must be familiar with automated systems monitoring tools
* Candidate must be experienced providing remote support through a variety of remote assistance technologies

Familiarity with the following technologies is highly desirable, but not required:
* Knowledge of Dell hardware
* Knowledge of iSCSI SAN infrastructure (EqualLogic or similar)
* VMware ESXi hypervisor datacenter experience
* Strong working knowledge of Dell & Cisco switch operating systems
* Working knowledge of AdTran & Cisco routing platforms
* Windows scripting
* Microsoft SharePoint Server 2007
* Websense – Internet Content Filtering
* ScriptLogic – automated logon scripting tool
* Knowledge of firewall technologies, including ACLs, PAT, NAT
* Knowledge of Cisco firewall operating systems including IPSEC tunneling protocols
* Advanced understanding of physically distributed (branch office) networks and connectivity options (Point-to-point T1, MPLS, VPN, etc)

Candidates must meet the basic requirements of this position in order to be considered.

About

ENTEGRATION, Inc. is a leading provider of outsourcing, consulting, and systems integration services. Since 2000, ENTEGRATION has worked with medical practices of various sizes, ranging from practices with 2-3 providers in a single office to 10 or more providers spread across several offices.

ENTEGRATION specializes in helping our clients implement electronic medical record (EMR) systems from start to finish, including the selection, planning, implementation and on-going support phases. Our focus on medical practices has allowed us to build specific services that today’s practices require, including HIPAA security, EMR hosting, EMR off-site backup, and numerous other services. Our clients depend on us to manage their networks and ensure that they are secure, efficient, and reliable. ENTEGRATION understands medical practices and how they run, allowing us to provide the highest level of service. We strive to be more than just a vendor to our clients; we aim to be a trusted technology advisor and valuable partner.

You can learn more about ENTEGRATION by visiting www.entegration.net.

ENTEGRATION, Inc. is an equal opportunity employer.

Diana Mazzarella
Entegration, Inc.
6 Dumont Place
Morristown, NJ 07960
Phone: (877) 275-4545 ext: 87

Microsoft’s Office 365 Cloud Service to offer HIPAA BAAs

Microsoft’s latest cloud based service called Office 365 was recently released. More than 200,000 organizations participated in the beta testing period. Office 365 provides the following:

Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync Online in an always-up-to-date cloud service, at a predictable monthly subscription.

In addition, Microsoft is trying to target the healthcare industry by offering Business Associate Agreements (BAA). Microsoft is one of the first large organizations to offer a HIPAA BAA for their cloud based service.

Due to the requirements of HIPAA, the Health & Life Sciences industry requires privacy, security, and confidentiality of patient data (“protected health information”). With this in mind, Microsoft will be among the first in the industry to offer a Business Associate Agreement (BAA) as an operationalized part of its solution to address requirements associated with hosting protected health information. Customers can obtain more information on BAA availability from their designated Microsoft account manager.

Offering a BAA will make it easier for healthcare organizations to utilize the Office 365 cloud service. By contrast, companies such as Google have not offered a BAA for their cloud based services. Microsoft has made a wise choice in offering the BAA, which will make it easier for organizations to implement Office 365 and stay compliant with HIPAA regulations.

Let’s hope more cloud based services step up and offer Business Associate Agreements to customers.