Archive for December, 2010

EMRs are like guns in the wrong hands

Putting a gun in an inexperienced person’s hands is a very bad idea.  Handguns can be very safe if safety precautions are taken.  Experienced gun owners take the right steps to ensure that the gun does not cause harm: not storing a loaded gun, using safety locks and keeping guns in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time.  They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices.  These organizations are used to protecting patients’ information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and taking other general precautions to protect paper-based records.

The switch to electronic medical records is a new adventure for some of these organizations.  They probably spent months evaluating, planning and implementing their new EMR.  The first weeks and months of an EMR implementation are usually a very harrowing experience.  New systems, new workflows, hardware and software issues all put a lot of stress and strain on an organization’s employees.  Doctors, nurses and the entire staff usually struggle in the beginning of an implementation.  In addition, the total amount of training that the EMR vendor provides averages 1-2 hours per employee (and that number may be high in some cases).  The training is usually focused on how to use the new EMR: how to log in, how to enter progress notes, how to e-prescribe, etc.  Little or no training is provided on how to protect patients’ information.

The topics of securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, performing a risk assessment and similar topics are usually not covered in EMR training.  Some may argue that the EMR vendor should address these topics, but that is for another discussion.  The reality is that you have an organization that is struggling to learn and use a new EMR and has little or no knowledge of computer and patient data protection.  Is it any wonder why we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperienced employees are very dangerous to the organization’s patients, just as dangerous as putting a gun in an inexperienced person’s hands.

Texting for business Yes or No?

Last night I received an emergency text on my phone from a client who had an HR issue and needed the Administrator account password changed.  I understand the use of texting in that case because several people at the client had access to his mailbox.  The use of texting appears safe and is away from prying eyes.  We sent each other a few texts back and forth and the issue was taken care of.

Another client uses texting to request information and support.  This client uses abbreviations and texting shorthand to communicate.  Maybe I am old-fashioned, but I just don’t want to communicate via text when it comes to business communications.  Don’t get me wrong, being the father of 2 teenage kids I totally get the text craze. I have even been known to text my kids when we are all in the same house.  But when it comes to business I just don’t want to use texting for communications.  One of the main reasons I don’t like texting is that I can’t really do anything with the text.  Many times I need to forward information to my staff.  When I receive a text it is not easy to forward (yes, I know I can copy and paste into an email, but those are just unnecessary steps).  And forwarding a message that is written in texting abbreviations is just unprofessional in my opinion.  In addition, texting, unlike email, does not provide a good audit trail.  With email I have a record of every email sent to me and that I have sent.  I don’t trust texting to keep a long-term record of my communications.

Texting has its place, but I don’t think it should be used for business communications.  What do you think?

A newbie’s guide to healthcare social media

As 2010 draws to a close, a lot of people are starting to focus on the New Year.  New Year’s always brings new resolutions and one of them for many healthcare professionals is to get involved in social media.  By social media I am referring to blogging, facebook, LinkedIn, Twitter, etc.  You may be thinking about social media for your medical practice or using it for your own personal professional reasons.

It feels a little awkward writing a guide to social media when I am still a newbie to this whole thing.  I started posting to the Entegration Blog barely 10 months ago.  And I just started using Twitter (@EntegrationBlog) 2 months ago.  So you can see I am clearly not an expert on the subject. With that said, I will offer up some advice from the perspective of a newbie.

OK, so you want to start using social media but are not quite sure where to begin.  Start with reading the AMA’s recently published guide to social media.

Sit and watch

The first thing I recommend you do is sit back and watch.  Find a few people to follow that you are interested in. I offer some recommendations below.  Read their blogs, analyze their writing style and read the comments that they get on their posts.  You will see that some topics trigger a lot of responses and other topics are ignored. Make mental notes about this activity. Also notice that some comments are negative and others are positive. Ask yourself what you would do if you posted a topic and received some negative feedback.

The next step is to sign-up on Twitter.  Create a Twitter account and start following people that interest you. Again, sit back and observe.  Twitter is a lot different than blogs.  It is not as easy to get your point across in 140 characters.  But yet some people use Twitter with skill and precision.  I believe it takes a while to figure Twitter out but once you do you will see it is a great resource for information.

Facebook is another resource that you want to observe.  I recommend that you read this post on the doctor-patient relationship and facebook.

Questions that you should ask yourself regarding facebook are:

  • Are you interested in setting up a facebook page for your practice?
  • Are you interested in setting up a personal facebook page?  If so, are you going to friend your patients or colleagues?

I decided early on that I would setup a facebook page that was purely for personal interaction.  I don’t friend clients, vendors or business associates.  I use my LinkedIn account for all business related interaction.  I find this works best for me.  In no way is this a recommendation.  You have to decide for yourself what works best for you.

Baby steps

Once you get comfortable observing how people are using blogs, Twitter, facebook and LinkedIn you are ready to take the next step. The next step is to find your “online voice”.  If you read a post on a blog that interests you, leave a comment.  Start to interact with the blogs that you are reading.  The first comment may be a little frightening.  I remember the first comment I left on a blog, I checked the spelling and grammar at least 10 times before hitting submit.  I also checked, over and over, to see if someone responded to my comment.  After the first comment the rest are easy.  As a blogger, I can tell you that getting comments and feedback is greatly welcomed.  Start interacting with the blogs that you read and start to get a feel for putting your thoughts and words out there for everyone to read.

Once you are comfortable with Twitter start to Tweet yourself.  If you read a blog or article that is interesting, Tweet about it.  Twitter is all about sharing information so go ahead and share.  You can also retweet other people’s posts and pass them along to the people that are following you.  At first you may not have anyone following you but eventually, as you tweet and retweet, people interested in your content will start to follow you.  You may have to follow a lot of people and tweet for a while before others are interested in you, but trust me, it will happen.

The same goes for facebook.  “Like” other medical practices or friend other colleagues (if you decide that you are comfortable with that).  Observe how they utilize facebook.  Interact with these resources or simply observe the interaction until you are comfortable. You will decide what you want and do not want to do on facebook, which is extremely important if you decide to start your own facebook page or personal account.

Get involved in LinkedIn discussion groups.  Add your comments to on-going discussions or start a new discussion.  You will see that LinkedIn is a great resource for online conversation and sharing of ideas.

Dive in

Once you get a good understanding of how social media works you may want to dive in. Some people choose to start their own blog to share their ideas.  Others use facebook, LinkedIn and Twitter to share ideas without blogging.  Some use all types of social media to get their message out.  There is no right or wrong answer.  Do what you are most comfortable with.

If you do decide to start a blog here are a few pointers:

  • Identify who your audience is.  Who do you want to read your blog?  Write to that audience every time you post a blog.
  • Don’t feel pressured to write a book each time you blog.  Keep it short and to the point.
  • Coming up with ideas is not easy.  If you don’t have a good idea don’t force it.
  • If you read someone else’s blog that you feel is interesting to both you and your audience share it. Summarize it or analyze it by adding your input to the blog.  Make sure you give credit to the author and provide a link or reference to the original post.

Once you start blogging make sure you share your blog posts via Twitter, LinkedIn and facebook.

I would like to point out that I have only mentioned blogging, Twitter, LinkedIn and facebook as sources of social media.  There are many other sources that you can utilize.  These are the only ones that I use and feel comfortable discussing, but do not limit yourself.

Final thoughts

Here are some final thoughts I have:

  • Utilizing social media is not easy.  It takes a lot of time and work.
  • At first you may feel like you are talking to yourself.  You will probably be correct.  It takes time to gain an audience.
  • Post interesting material and utilize the various methods of sharing information and you will see the results.
  • Enjoy yourself.  At first it may seem like additional work that you don’t have time for but hopefully you will start to enjoy it and look forward to blogging, twittering or facebooking.

Some people to follow:

  • Kevin Pho M.D. – self-proclaimed “Social media’s leading physician voice”.  His site provides excellent information and insight.
  • Bryan Vartabedian – aka Doctor_V.  His Twitter profile states “Dispatches from the frontline of social media and medicine”.  An excellent resource and someone who clearly gets the social media thing.
  • John Lynn – I find John’s stuff to be very interesting and informative.  He is on the front line in terms of EHR implementations, HIPAA and general healthcare IT related topics.  He writes several blogs and utilizes Twitter with a couple of different accounts.
  • Mary Pat Whaley – her goal is to “provide medical practice managers a place to find resources and information”.  She does a great job at achieving her goal.

More about the dangers of digital copiers

Most digital copiers have hard drives that retain an image of every document the copier handles.  As I have previously mentioned in this article, digital copiers may contain sensitive information.

In an effort to make the public aware of this danger, the FTC has released a paper that details the risks.

Some of the highlights of the paper include:

Commercial copiers have come a long way. Today’s generation of networked multifunction devices — known as “digital copiers” — are “smart” machines that are used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production.

Copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Their advice if you buy or lease a digital copier:

When you buy or lease a copier:

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

When you use the copier:

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

I applaud the FTC for publishing this paper.  It is obvious that digital copiers are a real risk to security and could cause security breaches.  The more the public is aware of the risk the more they can do to prevent it.

Stop using easy passwords

Recently Gawker Media had a security breach that exposed the email addresses and passwords of registered users who left comments on its sites.  Gawker Media runs several sites including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.  If you are a registered user of any of these sites, it is strongly suggested that you change your password on every website you are registered at (e.g. amazon.com, walmart.com, etc.).  Many people use the same password across several or all of the sites they register with. You can check to see if your password has been exposed by going to http://www.didigetgawkered.com/ and putting in your email address.

The Wall Street Journal has an interesting article on the top 50 passwords that people used at the Gawker Media sites.  The passwords are below.

The message here is if you are using any of the passwords in the above list, there is a good chance that someone can easily guess them.

There are two main takeaways from the Gawker Media security breach:

  1. Do not use the same email and password across websites.  Each website that you register at should have a unique password.  Said another way, the password you use at Amazon.com should be different from the password you use at Walmart.com.
  2. Make sure you use complex passwords.  Passwords should have a mix of letters, numbers and special characters.  A good complex password is one that you will remember but someone cannot easily guess.  I like to tell my clients that they should pick a sentence and then use the first character of the words that make up the sentence.  For example:  My son Chris is 10 years old – could make a password of: MsCi10y@.  That is a good complex password that mixes upper and lower case letters, numbers and special characters.  It is also pretty easy to remember (assuming you have a son Chris that is 10 years old).
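The sentence-to-password technique and the two takeaways above, worked through in code.  This is an added example written for this page, not code from the original post or from Gawker Media.  The common-password list is a small constructed sample of the kind of entries that appear on leaked-password rankings, not the Wall Street Journal's list, and the function keeps every word of the sentence (the post's own example drops the last word), so the same sentence yields MsCi10yo@ here.

```python
import re
import string

# Constructed sample of the kind of passwords that top leaked-password lists
# (assembled for this example; not the Wall Street Journal's Gawker ranking).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "iloveyou", "trustno1",
}


def mnemonic_password(sentence: str, symbol: str = "@") -> str:
    """Turn a sentence into a password from the first character of each word.

    Numeric words are kept whole so "10" survives as two digits, and `symbol`
    is appended to supply a special character. Assumption: unlike the post's
    example ("MsCi10y@"), every word is kept, so
    "My son Chris is 10 years old" becomes "MsCi10yo@".
    """
    words = re.findall(r"[A-Za-z0-9]+", sentence)
    if not words:
        raise ValueError("sentence contains no words")
    return "".join(w if w.isdigit() else w[0] for w in words) + symbol


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol appear in the password."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def check_password(password: str, min_len: int = 8, min_classes: int = 3) -> list:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def find_reuse(credentials: dict) -> dict:
    """Map each password used on more than one site to the sites sharing it.

    `credentials` is {site: password}. Anything returned is takeaway #1
    failing: a breach at one of those sites exposes the others.
    """
    sites_by_password = {}
    for site, password in credentials.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = mnemonic_password("My son Chris is 10 years old")
    print(pw, check_password(pw) or "OK")
    print("123456", check_password("123456"))
    # Constructed credential set: the same password on two shopping sites.
    print(find_reuse({"amazon.com": pw, "walmart.com": pw, "gawker.com": "qwerty"}))
```

One caveat the checker cannot catch: a sentence built from facts an acquaintance could know (a child's name and age) narrows the guess space for anyone who knows you, so prefer a sentence that is memorable to you but not guessable from your public life.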

Make sure you are careful with the passwords that you use, and make sure that you pass this information along to your employees.  They should be using unique and complex passwords for all the websites AND applications that they use.

Cyber blackmail a chilling scenario

By now almost everyone has heard or read about the security leaks exposed by WikiLeaks.  WikiLeaks has published hundreds of thousands of classified and confidential documents that were leaked from within the United States Government.  This has been extremely embarrassing to the United States, to say the least.  Now, in a turn of events, WikiLeaks has exposed confidential information on a US public company.  WikiLeaks has exposed a series of cables about the US pharmaceutical company Pfizer.  These leaks have been very embarrassing to Pfizer, just as they are to the US.

This got me thinking, and what I came up with is pretty chilling.  If these leaks can happen to the United States Government and to Pfizer, could it happen to smaller organizations?  I think the answer is clearly YES!  You might be saying to yourself that WikiLeaks isn’t coming after my healthcare organization or medical practice. You may be right, but let’s take a look at another scenario.

What if an employee of your healthcare organization decided to steal electronic protected health information (ePHI)?  Say they downloaded a report from your EMR and emailed the information to an external email account.  Or say they took the information and copied it onto a USB flash drive.  Would you even know that this has occurred?

And imagine that a week after your employee has accessed and stolen your patient information, you receive an email or letter from an unknown source letting you know they have your data.  They include a sample of some of the patient information to ensure that you are convinced they really have your data.  The amount of data they have could be 1,000 records (you pick the number – 5, 100, 10,000 records).  And what if the email or letter demanded $100,000 (you pick the number – $10,000, $250,000, $1,000,000) or they would sell it or release it on a public website?  As I said, it is a pretty chilling scenario.  But you may be saying to yourself that the scenario is far-fetched and couldn’t happen to your organization.  Don’t be so sure.

It is a well-known fact that ePHI is very valuable.  It can be used to commit various types of fraud.  Some examples can be found here, here and here.

An employee could be motivated by many different factors that would push them to steal from and blackmail an organization.  The scenario is not that far-fetched.  Now let’s look at some steps that you can take to minimize the risk of this scenario.

Believe it or not, your best prevention is to implement the safeguards defined in the HIPAA Security Rule.  Yep HIPAA can actually help you protect yourself against theft and blackmail.

The first step of this scenario was that an employee was stealing your data and you had no idea it occurred. Unfortunately I believe this is a reality in a lot of smaller healthcare organizations.  To prevent this from happening you need to implement Audit Controls.  Audit Controls as defined by HIPAA are:

STANDARD § 164.312(b) Audit Controls

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

IMPLEMENTATION SPECIFICATION § 164.308(a)(1)(ii)(D) Information System Activity Review (Required)

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Basically this says that every time someone accesses or attempts to access ePHI, you record who accessed it, when it was accessed and what was accessed.  This gives you a full record of every access and attempted access to your patient information.  In addition, the HIPAA Security Rule requires you to regularly review those audit records (Information System Activity Review).  During the review you might see that one account is accessing an unusually large number of patient records, that reports are being exported, or that repeated failed attempts to access ePHI are occurring.  Audit Controls give you the insight you need to know what is going on within your network and to your data.
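What an Information System Activity Review looks like when it is automated, as an added example (written for this page, not code from the original post or from any EMR vendor).  The audit trail, its pipe-delimited "timestamp|user|event|patient|outcome" format, the user names and the thresholds are all assumptions constructed for the example; a real EMR's audit export will have its own format and you would tune the thresholds to the practice's normal workload.  The review flags the two patterns the paragraph names: one account opening far more charts than a clinical workflow needs within a short window, and a burst of failed logins.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    when: datetime
    user: str
    event: str      # e.g. LOGIN, VIEW_CHART, EXPORT_REPORT (assumed names)
    patient: str    # patient identifier, or "-" when not applicable
    outcome: str    # SUCCESS or FAILURE


def parse_line(line: str) -> AuditEvent:
    """Parse one "timestamp|user|event|patient|outcome" line (format assumed)."""
    when, user, event, patient, outcome = line.strip().split("|")
    return AuditEvent(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                      user, event, patient, outcome)


def build_sample_log() -> list:
    """Constructed audit trail (not real data): two ordinary chart views, a
    burst of failed logins, and one account opening 30 charts late at night."""
    lines = [
        "2010-12-06 08:01:10|jsmith|VIEW_CHART|P1001|SUCCESS",
        "2010-12-06 08:03:42|jsmith|VIEW_CHART|P1002|SUCCESS",
    ]
    start = datetime(2010, 12, 6, 8, 5, 0)
    for i in range(6):
        t = start + timedelta(seconds=20 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}|tjones|LOGIN|-|FAILURE")
    start = datetime(2010, 12, 6, 21, 14, 0)
    for i in range(30):
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}|rbrown|VIEW_CHART|P{2000 + i}|SUCCESS")
    return lines


def peak_in_window(events: list, key, window: timedelta) -> int:
    """Largest number of distinct key(event) values that fall inside any span
    of length `window`; `events` must already be sorted by time."""
    counts = Counter()
    best = lo = 0
    for ev in events:
        counts[key(ev)] += 1
        while events[lo].when < ev.when - window:   # slide the window forward
            k = key(events[lo])
            counts[k] -= 1
            if counts[k] == 0:
                del counts[k]
            lo += 1
        best = max(best, len(counts))
    return best


def review_audit_log(lines: list, window: timedelta = timedelta(minutes=15),
                     max_patients: int = 20, max_failures: int = 5) -> list:
    """Return sorted (finding, user, count) tuples for accounts that touch more
    than `max_patients` distinct charts, or fail login more than
    `max_failures` times, inside any `window`. Thresholds are illustrative."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_user[ev.user].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        charts = [e for e in events if e.patient != "-" and e.outcome == "SUCCESS"]
        fails = [e for e in events if e.event == "LOGIN" and e.outcome == "FAILURE"]
        n_patients = peak_in_window(charts, lambda e: e.patient, window)
        n_fails = peak_in_window(fails, id, window)   # every failure counts once
        if n_patients > max_patients:
            findings.append(("BULK_ACCESS", user, n_patients))
        if n_fails > max_failures:
            findings.append(("FAILED_LOGINS", user, n_fails))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_audit_log(build_sample_log()):
        print(*finding)
```

Run against the constructed log this reports rbrown for 30 distinct charts in fifteen minutes and tjones for six failed logins; jsmith's two chart views stay below the threshold.  The value of the review is in running it on a schedule and reading the output, which is exactly what the Information System Activity Review specification asks for.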

Other safeguards that can help are Technical Access Controls and Access Authorization:

STANDARD § 164.312(a)(1) Access Control

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).”

The Security Rule defines access itself (§ 164.304) as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.

IMPLEMENTATION SPECIFICATION § 164.308(a)(4)(ii)(B) Access Authorization (Addressable)

“Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.”

Both Access Control and Access Authorization limit who has access to ePHI and put technical controls in place to ensure that only the appropriate people can reach it.  These safeguards might have prevented your employee from accessing and stealing your data in the first place.

Another safeguard that can help you would be employee education.

STANDARD § 164.308(a)(5) Security Awareness and Training

“Implement a security awareness and training program for all members of its workforce (including management).”

An implementation specification under Security Awareness and Training is Log-in Monitoring:

IMPLEMENTATION SPECIFICATION § 164.308(a)(5)(ii)(C) Log-in Monitoring (Addressable)

“Procedures for monitoring log-in attempts and reporting discrepancies.”

A security awareness program is important to help employees protect ePHI, but it is also very useful for letting them know that all activity is being monitored and audited.  Let them know that all log-ins are being tracked and that every access and attempted access is being recorded.  Sometimes a good offense is the best defense: if employees know that access is monitored and recorded, it may deter them from accessing data inappropriately or stealing it.

Hopefully the scenario that I described never happens to your organization.  But being hopeful doesn’t really help you.  Implementing safeguards to prevent the scenario is the best thing that you can do.

Media disposal procedures should not be ignored

If rocket scientists can’t protect confidential data, there is little hope that others can either.  NASA’s Inspector General released a report that details how NASA sold old equipment without first ensuring that the sensitive data on it was properly removed.  What is even worse is that this was not an isolated case: the report found breaches at each of the four NASA locations that were audited.  There is clearly a breakdown in the disposal procedures at NASA.

Health organizations, like NASA, have to be concerned with disposal procedures.  Electronic protected health information (ePHI) needs to be properly deleted prior to disposing of any computer equipment that contains ePHI.  The HIPAA Security Rule states:

§ 164.310   Physical safeguards.

A covered entity must, in accordance with §164.306:

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Proper disposal of media containing ePHI or sensitive data means using software and/or hardware that ensures the data is deleted and cannot be recovered.  The accepted methods are degaussing (demagnetizing) the media or running a software product that overwrites it in compliance with the US Department of Defense (DoD) standard 5220.22-M for data destruction.  If neither of these methods is feasible, the media must be destroyed so that the information cannot be read.  Two caveats apply.  Degaussing only works on magnetic media (hard disks and tapes) and leaves a hard drive unusable, so it is a disposal method rather than a re-use method.  Flash media (USB drives, SSDs, smartphone storage) cannot be degaussed, and a software overwrite is not reliable on them because the controller remaps blocks behind the operating system’s back; use the device’s built-in secure-erase function or destroy it.  NIST Special Publication 800-88, Guidelines for Media Sanitization, is the reference to use for matching a sanitization method to a media type.

It should be noted that if the media is going to be reused, the ePHI needs to be properly destroyed prior to reuse.  Examples would be sharing a USB drive among employees or giving an older laptop that contains ePHI to another employee.

Keep in mind that many copy machines have hard drives that store an image of everything copied or printed on the machine.  Make sure you properly delete any data on the copier before returning it to a vendor or disposing of it.

So the next time you are throwing out, recycling or donating an old piece of equipment, be sure to follow the steps below:

  1. Check to see if the equipment contains ePHI (or sensitive data).
  2. Use a degausser to destroy the data (magnetic media only; the drive will not be usable afterwards).
  3. If degaussing is not an option, use a software program that overwrites the data in compliance with the DoD standard 5220.22-M for data destruction, or the device’s own secure-erase function for flash media.
  4. If the media cannot be degaussed and a wiping utility cannot be run (e.g. the drive is no longer working), the media must be destroyed (disintegrate, incinerate, pulverize, shred, or melt).

Make sure you incorporate the above steps in a documented procedure and ensure that it is utilized every time you dispose or reuse media.
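The overwriting step described in the FTC copier guidance above and in step 3 of this post, as an added example (written for this page; not code from the FTC, from NASA, or from the original post).  It overwrites a file in place with fresh random data for a chosen number of passes, forces each pass to the device with fsync, reads the result back to confirm a known marker from the original is gone, and only then unlinks the file.  The sample "patient record" it wipes is constructed and fake, and the file-level approach is itself an assumption of the example: it does not reach copies left by journaling, copy-on-write snapshots, backups, or SSD block remapping, which is why whole-device tools (shred on the block device, the vendor's secure-erase) or physical destruction remain the answer for decommissioned hardware.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files never sit in memory


def make_sample_file() -> tuple:
    """Write a constructed (fake) ePHI record to a temporary file.

    Returns (path, contents) so the caller knows what should disappear."""
    contents = b"MRN-1001|DOE, JANE|1970-01-01|DX: hypertension\n" * 64
    fd, path = tempfile.mkstemp(prefix="ephi-", suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path, contents


def overwrite_file(path: str, passes: int = 3) -> bytes:
    """Overwrite every byte of `path` with fresh random data `passes` times.

    Each pass is fsync'ed so the data reaches the device before the next one.
    Returns what the file holds after the final pass so the caller can verify;
    the file is deliberately left in place for that inspection.
    Caveat (assumption of this example): in-place overwrite only covers the
    blocks the file system currently maps to this file, not journal entries,
    snapshots, backups, or blocks an SSD controller has remapped."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        return fh.read()


def wipe_file(path: str, marker: bytes, passes: int = 3) -> bool:
    """Overwrite, confirm `marker` (bytes known to be in the original) is gone
    and the length is unchanged, then unlink. True only when every check
    passed and the file no longer exists."""
    readback = overwrite_file(path, passes)
    clean = marker not in readback and len(readback) == os.path.getsize(path)
    os.remove(path)
    return clean and not os.path.exists(path)


if __name__ == "__main__":
    path, contents = make_sample_file()
    print("records written:", contents.count(b"MRN-1001"))
    print("wiped and removed:", wipe_file(path, b"MRN-1001"))
```

The read-back check is the part worth keeping in a procedure: a wipe that is not verified is a wipe you cannot prove happened, and proving it is what the Disposal and Media re-use specifications above ask you to document.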

Data breaches double since July

The number of data breaches reported to OCR and posted on the HHS breach notification website has almost doubled since July.  In July there were 107 notifications and as of today there are 197. Each of these notifications is for a breach that affects more than 500 individuals.

In an article over at Health Leaders Media, they give some interesting facts regarding the data breaches.

In the past five months, 90 new reports have surfaced, or an average of 18 per month, a higher pace than the 15-per-month the first five months after OCR launched the website.

Not surprisingly, laptops and portable media account for the largest share of the breaches.  Laptops and portable electronic devices together are the location of 42% of the breaches.

Laptops are still the number one location of breach information on the list, accounting for 55 of the 197 reports (27.9%). Paper records (41 reports), desktop computers (32) and portable electronic devices (29) follow.

If you are not encrypting your laptops and portable media (USB drives and Smartphones) you are likely to be added to the ever growing list.

How many breaches do we have to hit before OCR really does something?  It is an open secret that OCR is not enforcing HIPAA or HITECH.  Without this enforcement, health organizations are not putting the necessary security around patient health information.  Without incentives (positive or negative), health organizations are ignoring the requirements to protect patient data.

AMA issues policy on social media

The AMA has released a policy to help physicians walk the fine line between maintaining an online presence and preserving the integrity of the patient-physician relationship.

The new policy encourages physicians to:

  • Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.
  • Routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others, is accurate and appropriate.
  • Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure that patient privacy and confidentiality are maintained.
  • Consider separating personal and professional content online.
  • Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.