Archive for May, 2011

When real life disasters happen


Joplin, MO was hit by a massive tornado on Sunday evening that did extensive damage to the St. John’s Regional Medical Center hospital. There are reports that x-rays from the hospital have been found in driveways 70 miles east of the hospital.

On Twitter, Steven Waldren offered some insightful perspective on what this means:

Steven's point gets to the heart of disaster recovery. When an actual disaster hits and your servers are destroyed, how do you get to your data? Tape or offsite backups are fine, but if your servers are gone, where do you restore that data to?

Disaster Recovery (DR) planning is more than ensuring you have a backup of your data. It is about ensuring that your organization can still function and get to critical systems even when your primary systems have been destroyed. Cloud-based DR services have lowered the cost of implementing DR significantly. Every healthcare organization should be looking into some form of DR that not only ensures data is properly backed up but also provides access to critical data in the event of a real disaster. One caveat: a backup that has never been restored onto different hardware is an assumption, not a plan, so test the restore, not just the backup.

Contingency planning and DR planning are required under the HIPAA Security Rule:

STANDARD § 164.308(a)(7) Contingency Plan

The purpose of contingency planning is to establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. The goal is to ensure that organizations have their EPHI available when it is needed. The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

DISASTER RECOVERY PLAN (R) – § 164.308(a)(7)(ii)(B)

The Disaster Recovery Plan implementation specification requires covered entities to:

“Establish (and implement as needed) procedures to restore any loss of data.” Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review its current plan to ensure that it allows them to recover EPHI.

A final takeaway is that the time to think about Disaster Recovery is before a disaster hits. Implementing DR is not only required under HIPAA but critical to any business that needs to keep operating when its primary systems are destroyed.


Insightful letter from OCR following a data breach

There is a great post over at Infosec Island about a letter a small medical practice received from the Office for Civil Rights (OCR) after a data breach. The breach was the result of a burglary; beyond the letter's own reference to a laptop and server theft, no details were given on what was stolen or what kind of patient information was obtained.

The post lists the following 11 items that OCR requested in the letter and notes that the practice had only 21 days to respond.

1. Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.

2. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.

3. Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:

a. sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.

b. re-training of appropriate workforce members.

c. mitigation of the harm alleged, as required by the Privacy Rule.

4. A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

5. A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.

6. Evidence of physical safeguards implemented for computing devices to restrict access to PHI.

7. A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.

8. Evidence of security awareness training for involved workforce members including training on workstation security.

9. Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

10. A copy of the written notification of the breach provided to the affected individuals.

11. A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

The first takeaway is that OCR is asking for a lot of information in a very short period of time. 21 days is not enough time to produce all of this if the practice did not already have the documentation in place. And maybe that is the point: the short response window does not give an organization time to scramble, put this together after the fact, and claim it was in place before the breach.

The second take away is that OCR clearly wants to see written documentation that you have a security program in place to protect patient information and are in compliance with the HIPAA regulations.

Items #4 and #5 clearly state that OCR wants to see written policies and procedures on how the organization protects patient information. Unless you have gone through the exercise of preparing the policies and procedures, telling them you discussed these with your staff but never documented them is unlikely to carry much weight.

Item #7 clearly states that OCR wants evidence that you have performed a risk assessment of how you are protecting patient information. A risk assessment is required under the HIPAA Security Rule (§ 164.308(a)(1)(ii)(A)) and identifies the areas on which an organization needs to focus to better protect patient information. Without one it will be very difficult to defend yourself and to show that you have taken the HIPAA Security regulations and the protection of patient information seriously.

Item #8 asks for evidence that each member of an organization's workforce has received HIPAA Security training. Again, this is looking for documented proof that each workforce member has been trained. If you do not have a formalized training program, saying that you covered training in staff meetings may not be sufficient when OCR is looking for formal documentation.

Item #9 is very interesting because it asks for documentation addressing the encryption of information on workstations. Encryption is an addressable implementation specification in the HIPAA Security Rule (§ 164.312(a)(2)(iv)), and OCR wants to see how the organization has dealt with it. Remember, addressable does not mean optional: under § 164.306(d)(3) the organization must either implement the specification, or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure where one is. For example, an organization might decide that laptops must be encrypted while data at rest on servers and desktops inside a locked, alarmed office does not need to be, but that decision, and the risk reasoning behind it, has to be written down. The takeaway is that you need to document how you have or have not implemented encryption along with the reasons that support your decisions.

Items #10 and #11 address how an organization prepared for a security breach and how it responded to this one. The Breach Notification Rule, added by the HITECH Act, requires an organization to notify affected individuals within 60 days of discovering a breach. Below is more information from the HHS website:

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.  Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

All in all, this insight into what to expect from OCR if your organization experiences a data breach should make you apprehensive. If you do not have these items in place before a breach, it will cast a very negative light on your security program. If you cannot provide written documentation for the 11 items requested, there is a chance OCR will decide that your violations amount to willful neglect of the HIPAA regulations. Penalties in the willful-neglect tiers are substantially higher, up to $50,000 per violation with an annual maximum of $1.5 million for violations of the same provision.

The time to worry about HIPAA security compliance is before a data breach, not after. OCR has made clear what it will demand from an organization. If you do not have these items in place, NOW is the time to act!


41% of patients prefer text message reminders

An interesting report was released by the Consumer Health Information Corporation (CHIC) which looked into the use of smartphone apps. The report was based on a survey of 395 respondents and was conducted to gauge consumer interest in health apps and evaluate the likelihood of patient adherence to them.

According to the report:

The CHIC survey shows that the availability of a better app (34.4%) and lack of user friendliness (32.6%) are the top reasons for discontinuation of smartphone apps.

Another data point that seems fairly obvious is:

In general, ease of navigation (90.9%) was the top feature that made apps favorable. In terms of interest in health apps, the majority of surveyed consumers stated that they would be most interested in using a health app to gain information (91.1%).

The one piece of information that I think is very useful is how patients would like to be reminded to perform a health-related task. The most common response (41.1%) was a text message reminder. Only 1.3% wanted a phone call. Clearly people do not want phone calls as reminders.

So if you are calling patients to remind them of upcoming appointments, you may want to explore implementing a text reminder instead.

Other information from the study included:

  • Consumers were most likely to use a health app to find information about drugs (42.2%) or disease states (26.5%).
  • 39.8% were willing to use such a health app several times a day.
  • National health organizations were the most trusted source of health information (51.8%).
  • The majority of consumers were either somewhat influenced by (55.8%) or very much influenced (32.2%) by consumer ratings of apps.
  • 33.4% of consumers preferred health apps to be free but the majority were willing to pay, with 30.9% willing to pay $1.00-$5.99.
  • In terms of preference for health-related task reminders, consumers did not want phone calls, drug vials, or email reminders.  The majority of consumers preferred reminders through their mobile phones such as text messages (41.1%), smartphone apps (20.3%), or phone alarm (19.5%).


The move from the medical dark ages will not be easy

This is truly a challenging time for a health care organization. A fundamental change is occurring that will transform the way medicine is practiced over the next 20 years. Much like the harnessing of electricity, the light bulb or the first gas-powered engine, the change will have an enormous impact on everyone it touches.


At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.


The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.


Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?


Like all new technologies, electronic medical records offer incredible opportunities, but along with the opportunities come real risks that need to be addressed. In a few years we will look back and see that health care organizations made the move from the dark ages to a much more modern era. Unfortunately we will also see many mistakes and security issues that could and should have been addressed.


Encryption is too easy and cheap to not use it

It seems that at least twice a month we hear about a health care organization that has had a data breach because of a lost or stolen laptop. Every time I read about a new breach I shake my head and ask why these organizations aren't using encryption to protect the contents of their laptops. I have come up with two conclusions:

  1. The organizations are not familiar with encryption technology and think it is too complex to implement
  2. The organizations think that implementing encryption technology is too expensive and cost prohibitive

So I thought I would take a few minutes to hopefully help enlighten some people on just how easy it is to implement encryption and how affordable encryption is.

There are many encryption products on the market. Some are free, such as TrueCrypt, while others vary in cost and complexity. PGP is one of the leaders in encryption and was recently purchased by Symantec Corporation. PGP scales from a few laptops to thousands of laptops in an enterprise. It usually requires some infrastructure setup so that administrators can control policies, safeguard encryption keys and monitor which laptops have been encrypted, so there is some complexity in setting it up and deploying it.

A product that we have been using ourselves and for our clients is called AlertBoot. AlertBoot is an easy-to-install product that encrypts the laptop's entire hard drive. The install is web-based from AlertBoot's site and is very easy and painless. Depending on the size and speed of the hard drive, the one-time encryption pass can take anywhere from 30 minutes to 4 hours, and you can keep using the laptop while it runs. Forgetting the encryption password does not mean being locked out of the laptop for good: AlertBoot has 24×7 support that can help a user recover a lost password.

AlertBoot Support, Password Recovery, and Helpdesk

Forget your password? Have a question about AlertBoot? Don’t worry: help is always just a phone call away. AlertDesk is your personal helpdesk for password recovery and assistance— open 24 hours a day, 7 days a week, 365 days a year.

AlertDesk is completely secure and confidential. You’ll be challenged with security questions as a safety precaution to verify your identity. AlertDesk Support will never have access to your devices or your personal data.

AlertBoot encryption costs $12.95 per month per laptop, with a 10% discount if you prepay for the year. So for about $140 per laptop per year prepaid (roughly $155 month to month) you can fully encrypt the contents of the hard drive.

Now to be clear, AlertBoot is just one of the many products on the market and I am only using them as an example because I am familiar with the technology and their monthly cost per laptop makes it easy to calculate the true cost of encrypting each laptop.

So say you have 10 laptops in your organization: you are looking at about $130 a month to encrypt all 10. That to me is a very reasonable price to pay to protect the data on each laptop, comply with HIPAA and ensure that any patient data on the laptop is secure.

To put the costs into perspective, let's look at some estimates of the cost of a lost or stolen laptop. According to the Ponemon study (PDF) titled “The Cost of a Lost Laptop”, published April 22, 2009, a lost laptop will cost:

  • The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.
  • What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost.
  • Encryption makes a difference. There is almost a $20,000 difference between lost laptops that had encryption installed versus those that did not have encryption.
  • The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) followed by financial services ($71,820), healthcare ($67,873) and pharmaceutical ($50,393). The industries with the lowest average cost per lost laptop are retail ($8,756) consumer products ($2,194) and manufacturing ($2,184).
  • The average data breach cost of a lost laptop also varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services ($68,862), healthcare ($43,547) and pharmaceutical ($42,027). The lowest average data breach cost is for government ($12,017) followed by retail ($3,620) and manufacturing ($44).

According to the report, encryption reduces the cost of a lost laptop by almost $20,000. That makes $12.95 a month seem incredibly cheap. And now that you know encryption is easy to install and a forgotten password is recoverable, you should seriously consider encrypting each of your laptops. Two points worth adding. First, full-disk encryption only protects a laptop that is powered off or hibernated; while the machine is running or merely asleep the key is in memory and the logged-in session is open, so pair encryption with a policy to shut down before transport and a short screen-lock timeout. Second, under the HITECH breach notification guidance, PHI that is encrypted in a manner consistent with HHS's guidance is not “unsecured” PHI, so the loss of a properly encrypted laptop generally does not trigger breach notification at all. There really is no good excuse not to implement laptop encryption.


5 easy steps to protecting patient data

Medical practices are tasked not only with protecting their patients' health but now with protecting their patients' electronic information as well. Protecting data is probably not something most practice employees have been trained to do, nor are they familiar with security best practices. Data security is usually left to the IT consultants who maintain and support the network. Here are 5 things that you and your IT consultants can do to ensure you are properly protecting patient data.

Security Patches

The reality of software is that most of it has security vulnerabilities, and hackers, viruses and spyware exploit those vulnerabilities to compromise a network. They exist in Windows operating systems, both desktop (Windows XP, Vista and 7) and server (all versions), and in applications such as Adobe Acrobat, Microsoft Office and web browsers. To minimize that risk, vendor security patches should be applied diligently. Microsoft issues patches at least once a month, and they should be applied by your IT vendor; desktops can be set to update automatically with no IT or user intervention. Employees should be trained to update programs such as Adobe Acrobat and Flash, Java and web browsers promptly. An even better strategy is to invest in software that lets IT administrators control the deployment of vendor security patches and software updates. Microsoft's free Windows Server Update Services (WSUS) centrally deploys Microsoft patches, but it does not cover third-party applications, which are the ones most often left behind; additional tools will need to be purchased for those.
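The following script is an added example, not code from the original post or from any vendor it mentions. It shows how an IT consultant can check one workstation for the two gaps described above: Microsoft updates that have not been applied (queried through the Windows Update Agent COM API, which is what Windows Update itself uses) and installed third-party programs that WSUS will not patch, read from the Uninstall keys in the registry. It assumes Windows 7 / Server 2008 R2 or later with PowerShell 2.0 or newer, an elevated prompt, and that the machine can reach its WSUS server or Microsoft Update; the function names are my own.

```powershell
# Added example (not from the original post). Audits one Windows machine for
# missing Microsoft updates and inventories third-party software that WSUS
# will not patch. Assumes PowerShell 2.0+, elevated, with access to WSUS or
# Microsoft Update.

function Get-MissingUpdate {
    # Windows Update Agent COM API: same engine the Windows Update control panel uses.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are neither installed nor hidden by an administrator.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        New-Object PSObject -Property @{
            Title    = $update.Title
            Severity = $update.MsrcSeverity   # 'Critical', 'Important', ... or empty
            KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

function Get-ThirdPartyApp {
    # 64-bit and 32-bit uninstall hives; the Wow6432Node one exists only on 64-bit Windows.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem $hive | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -and $_.Publisher -notmatch 'Microsoft' } |
            Select-Object DisplayName, DisplayVersion, Publisher
    }
}

$missing  = @(Get-MissingUpdate)
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
Write-Host ("{0}: {1} missing software updates ({2} critical)" -f $env:COMPUTERNAME, $missing.Count, $critical.Count)
$missing | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize

# The programs named in the post are the ones to check against the vendor's
# current release by hand (or with a third-party patching tool).
Write-Host 'Third-party software to compare against current vendor versions:'
Get-ThirdPartyApp |
    Where-Object { $_.DisplayName -match 'Adobe|Java|Flash|Firefox|Chrome' } |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and keep the output: a dated report showing zero missing critical updates is exactly the kind of evidence the OCR letter above asks for. Any line in the second table whose version lags the vendor's current release is a hole WSUS cannot close for you.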

Ban USB drives

A large share of patient data breaches are due to lost or stolen portable devices such as USB drives, smart phones and laptops. To reduce that risk, I recommend a policy that bans USB drives. If an employee absolutely needs a USB drive to do their job, invest in encrypted USB drives; I am a fan of the Kanguru encrypted drives, and other vendors sell them too. Many people I talk to about data encryption admit that they really don't understand the technology and are reluctant to use it for that reason. Simply stated, an encrypted USB drive protects the data on the drive and requires a password before anything can be read from or written to it, and the drives are very easy to use. They cost more than unencrypted drives, but not significantly: a 4GB unencrypted drive might cost $10 and an encrypted one $35. That difference is nothing compared to the cost of a data breach. Note that a ban has to be enforced technically, not just on paper: block USB mass storage on the workstations so that an unapproved drive simply does not work.
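The following script is an added example, not code from the original post or from Kanguru. It enforces the USB ban on a single Windows 7 workstation using two built-in mechanisms: the Windows "Removable Storage Access" policy (the same registry values the Group Policy editor writes) and disabling the USBSTOR mass-storage driver, and then verifies both. It assumes an elevated prompt and a machine that is not already receiving these settings from a domain GPO (if it is, make the change in the GPO, because Group Policy will overwrite local registry edits); the function names are my own.

```powershell
# Added example (not from the original post). Bans USB disks on one Windows 7
# machine in two layers and checks the result. Assumes an elevated prompt and
# no domain GPO overriding these keys.

# Layer 1: "Removable Storage Access" policy. Deny_All under the root key denies
# every removable storage class; the GUID subkey is the Removable Disks class
# (GUID_DEVINTERFACE_VOLUME) if you only want to deny USB disks.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$diskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Layer 2: keep the USB mass-storage driver from loading. Start=4 is "disabled"
# (3 is the default "manual"). USB keyboards, mice and printers are unaffected.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbStorageBan {
    param([switch]$DiskOnly)   # -DiskOnly leaves CD/DVD and other classes alone
    if ($DiskOnly) {
        $key = Join-Path $policyKey $diskClass
        New-Item -Path $key -Force | Out-Null
        foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $key -Name $v -Value 1 -Type DWord
        }
    } else {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord
    }
    Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbStorageBan {
    # $true only when the driver is disabled AND a deny policy is present.
    $start    = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    $denyAll  = 0
    $denyDisk = 0
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        if ($p.Deny_All) { $denyAll = $p.Deny_All }
        $d = Join-Path $policyKey $diskClass
        if (Test-Path $d) { $denyDisk = (Get-ItemProperty -Path $d).Deny_Write }
    }
    return ($start -eq 4) -and (($denyAll -eq 1) -or ($denyDisk -eq 1))
}

Set-UsbStorageBan
if (Test-UsbStorageBan) {
    Write-Host "USB storage banned on $env:COMPUTERNAME (reboot to unload an already-loaded driver)"
} else {
    Write-Host "Policy not applied on $env:COMPUTERNAME; check permissions and GPO"
}
```

Two practical notes. A driver that is already loaded stays loaded until reboot, so reboot after applying this rather than trusting an unplug/replug test. And this blanket ban also blocks the approved encrypted drives; to allow only those, leave USBSTOR enabled and instead use Windows' Device Installation Restrictions policy with an allow list of the approved drives' hardware IDs, which is a Group Policy exercise rather than a registry one-liner.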

Encrypt Laptops

As mentioned above, stolen or lost laptops are a leading cause of data breaches, so all laptops should be encrypted. There are many types of encryption on the market, and some require IT support to install. An encryption service we have started working with, AlertBoot, sells a very easy-to-use product that encrypts a laptop's disk drive with no IT support required. After AlertBoot encrypts the drive, an employee simply enters the encryption password once each time they start the laptop. AlertBoot can help reset the password if an employee forgets it, so there are no worries about being locked out. At $12.95/mo. it is not the cheapest on the market, but its ease of installation, minimal impact on laptop performance and 24×7 support make it a great choice. Whatever product you choose, keep a record of which laptops are encrypted and when: if one goes missing, that record is what lets you show the data on it was protected.

Password Controls

One of the cheapest and most effective security steps you can take is to implement password controls. Password controls include:

  • Locking a user account after a number of failed password attempts (think 5 failed passwords and the account is locked until your IT administrator unlocks it). Keep in mind that this lets anyone who knows a username lock that user out, so pair the threshold with a reasonable lockout duration or a quick unlock procedure.
  • Requiring complex passwords. Simply stated, a complex password must be at least 8 characters long (treat that as a floor, not a ceiling; longer passphrases are stronger) and must mix letters, numbers and special characters (! @ # $ % ^ & * +). This prevents easy-to-guess passwords.
  • Forcing users to change passwords every 60-90 days. Unfortunately I can guarantee that your employees will complain about this. It always amazes me how much people hate changing their passwords; with so many different passwords, changing one makes the rest harder to remember. As a note, security is a fine balance between protecting your network and making it easy for employees to do their jobs.

Each of these password controls can easily be set by your IT administrator using the tools Microsoft provides to manage a Windows network (Group Policy on a domain, or the local security policy on a stand-alone machine). At most this setup will take 1 or 2 hours.
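The following script is an added example, not code from the original post. It applies the three controls above (lockout after 5 failures, complexity with a minimum length, a 90-day maximum age) and reads the resulting policy back so the output can be kept as evidence. The domain path uses the ActiveDirectory PowerShell module and assumes it is run by a domain administrator on a domain controller or a machine with RSAT installed; the stand-alone path uses `net accounts` and `secedit` from an elevated prompt, and only affects local accounts (domain accounts ignore local policy). The numbers are the post's own; the function names and the 30-minute lockout duration are my choices.

```powershell
# Added example (not from the original post). Applies lockout, complexity
# and password-age controls to a Windows domain, or to a stand-alone machine,
# then reads the policy back for the compliance file.

$LockoutThreshold = 5
$MinLength        = 8      # a floor, not a ceiling
$MaxAgeDays       = 90
$HistoryCount     = 12     # stops users cycling straight back to an old password

function Set-DomainPasswordControls {
    Import-Module ActiveDirectory
    $domain = (Get-ADDomain).DistinguishedName
    # LockoutDuration '00:30:00' auto-unlocks after 30 minutes; the post's
    # "admin must unlock" behaviour is LockoutDuration 0. Observation window
    # is how long the failed-attempt counter lives before it resets.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -LockoutThreshold $LockoutThreshold `
        -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' `
        -ComplexityEnabled $true `
        -MinPasswordLength $MinLength `
        -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount $HistoryCount
    # Read it back: this table is the artifact an auditor will ask for.
    Get-ADDefaultDomainPasswordPolicy -Identity $domain |
        Select-Object LockoutThreshold, LockoutDuration, ComplexityEnabled,
                      MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
}

function Set-LocalPasswordControls {
    # net accounts covers lockout and age; complexity lives in the local
    # security policy, which secedit exports and re-imports as an INF file.
    net accounts /lockoutthreshold:$LockoutThreshold /lockoutduration:30 /lockoutwindow:30 `
                 /minpwlen:$MinLength /maxpwage:$MaxAgeDays /minpwage:1 /uniquepw:$HistoryCount | Out-Null

    $cfg = Join-Path $env:TEMP 'pwpolicy.inf'
    $db  = Join-Path $env:TEMP 'pwpolicy.sdb'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    # The export is UTF-16; write it back the same way or secedit will reject it.
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=.*', 'PasswordComplexity = 1' |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue

    # Read back the effective local policy.
    net accounts
}

# Pick the path that matches the machine: domain-joined with RSAT, or stand-alone.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Set-DomainPasswordControls
} else {
    Set-LocalPasswordControls
}
```

Save the read-back output with a date alongside your written password policy; item #4 in the OCR letter above is asking for precisely the pairing of a documented policy and proof that it is enforced.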

Encrypt Backup Tapes

Backing up your data is very important and is a best practice for protecting your patients' information. If you back up your EMR nightly, every one of your patients' records is on that backup tape, whether that is 100, 1,000 or 100,000 patients. Now think about what happens if that tape is lost or stolen. That is not hard to imagine: someone breaks into your office, or the employee responsible for taking the tape offsite has it stolen from their car. The good news is that most backup software has encryption built in. All that has to be done is to configure the software to encrypt the data and set an encryption password. Unfortunately, what I have seen is that the encryption setting is usually left off and the data goes to tape in the clear. Make sure your IT vendor has encryption enabled and that your tapes are encrypted. Two caveats: keep the encryption password somewhere other than on the backup server and with the tapes (a password that dies with the server turns your disaster recovery tapes into scrap), and periodically restore a file from an encrypted tape to prove the backups are usable.

If you follow these 5 steps to securing your patients' data, you will significantly increase your level of security. As I mentioned, none of these is very expensive, and the expense is insignificant compared to the cost of a data breach. As an added benefit, they will help with your HIPAA security compliance as well.

Let me know if you already have implemented some of these security measures or if you have other examples of easy and cheap security protections.

Image: jscreationzs / FreeDigitalPhotos.net
