Archive for the ‘HITECH’ Category

7.9 million records breached and counting

According to a report to Congress from the Department of Health and Human Services (HHS), almost 8 million records have been breached since 2009. That is a staggering number. What is worse is that the number of data breaches continues to increase.

Another way of looking at it is that we are only at the beginning of Stage 1 of Meaningful Use. That means many more medical practices and hospitals will be implementing EMRs in the next few years. At this rate the number of records that could be breached could reach 20 million or more.

There is a point where patients and consumers of healthcare services lose confidence in the system. I am not sure anyone knows when that tipping point will happen, but it is a real possibility. Unchecked, and without fundamental changes to how patient data is protected, we could be heading for that fate.

The question is what can be done to stop this epidemic of patient data breaches? HHS has announced that they will perform 150 HIPAA audits in the next year. Will this change healthcare providers’ mindset? Will this make them take HIPAA and patient data security more seriously? I don’t think anyone can answer this but it is a step in the right direction.

One thing is clear: without some fundamental change, the number of patient data breaches will continue to increase and trust in electronic medical records will be hurt. This goes in the exact opposite direction from where the government is pushing with Meaningful Use and incentives to implement EMRs.


Details of the HIPAA audits

Health Info Security has published the transcript from an interview with Susan McAndrew of the Department of Health and Human Services’ Office for Civil Rights. The article is very good and should be read in its entirety. Below are some of the key points.

When asked if business associates as well as covered entities will be part of the 150 audits, McAndrew responded:

Eventually. I’m not sure whether business associates will be part of the initial selection process because they are a little more difficult to obtain information about. We don’t have a list or a registry yet of who is a business associate. We’re still strategizing as to how to collect information about business associates to make a meaningful selection, but we certainly are looking to KPMG to have protocols developed to give us the capability of auditing business associates.

It’s unclear at this point whether or not we will be able to conduct and test the business associate protocols. We are hopeful of being able to do so. The primary focus is going to be on the protocols for the covered entities and proving the audit results with regard to covered

It should be interesting to see how they collect the list of business associates. Will they require each covered entity to identify its own business associates?

When asked if the audits will be looking for general compliance or more specific issues of compliance McAndrew replied:

However, at least initially, because we’re very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance

That can be read as meaning they will be looking to see how closely an organization complies with the HIPAA regulations. High-level items may include policies and procedures, when the last risk assessment was conducted, employee training, incident response procedures, etc.

When asked about onsite audits and if results will be publicly published, she responded:

The model that we’re testing is your typical onsite audit. … There will definitely be advanced notice to the entity. There will usually be advanced request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite. And then, as is typical following the onsite visit, the auditors, if they need to, will collect more information. They will complete their draft report. Typically the draft report is shared with the covered entity before it’s final, and the covered entity’s responses to the findings of the auditor would be incorporated as part of the final audit report.

We haven’t decided that (publishing results publicly) yet. Part of this whole endeavor is to have an evaluation component where we can be assured that the information that we are getting through this audit process is accurate and meaningful.

That said, whether we do it in summary form or publish the individual report similar to the way that the inspector general does with their audit materials still needs to be worked out. I think that we will be looking at that very closely as part of our evaluation criteria.

So audits will be onsite and the organization will have advance notice. Draft reports will be shared with the organization before they are finalized. It is not clear whether the results will be published for each audit or only a summary will be published. Will this turn into another wall of shame?

And finally, McAndrew gives organizations insight into how to prepare for the coming audits:

But this is certainly an opportunity for the covered entities to review their policies and procedures to make sure that they are complete and up-to-date. Also, the way that they are managing the information, whether it’s in computerized files or good old-fashioned paper records, make sure that they are fully documenting what’s being done with the information and how it’s being managed and safeguarded. The [HIPAA] security rule has its own requirements for risk analysis and risk management programs. …

Through the experience that we’ve been having with covered entities on breaches and incident response plans, [those plans] need to be up-to-date and flexible, as well as emergency backup systems. I think this is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities.

So she recommends:

  • Creating or reviewing the appropriate policies and procedures
  • Performing a risk assessment as well as a risk management program (implementing the results of the risk assessment)
  • Creating incident response plans
  • Training employees and implementing an employee awareness program

Good advice for every organization!


Why medical practices should be afraid


There are two very disturbing trends regarding information security that should keep physicians and practice administrators up at night.

The first trend is that it seems like no company is safe from security breaches. Just yesterday Citigroup announced that they experienced a breach that involved more than 200,000 accounts. Sony has been hacked repeatedly. Epsilon has experienced a huge data breach. These are multi-national companies that have the resources to protect data, and yet they have been hacked and data has been breached.

The second trend is that hackers are starting to focus on smaller targets. In the Verizon 2011 Data Breach Investigations Report (PDF) they found that hackers are moving away from larger targets to smaller companies (tell that to the companies mentioned above). The reason is that smaller companies have less security and are easier to hack.

Medical data has a very high value on the black market and it is only a matter of time until hackers turn their attention to medical practices. Medical practices typically don’t invest a lot of money in security and many are not compliant with the HIPAA Security regulations. The chances that hackers will be successful when they focus on medical practices are probably pretty high. In addition, the costs of security breaches are increasing, and HIPAA enforcement and fines are also increasing.

Physicians and practice administrators need to be aware of these disturbing trends. Security and HIPAA compliance are essential and need attention now, before it is too late.


Image: digitalart / FreeDigitalPhotos.net


Entegration joins MedTech Group Purchasing Organization

Entegration, Inc. Joins MedTech For Solutions Group Purchasing Organization as a New Vendor
Morristown, NJ, June 04, 2011 –(PR.com)– Entegration, Inc. (Entegration) is pleased to announce that they have joined MedTech For Solutions Group Purchasing Organization (GPO) (MedTech) as a new vendor. This partnership will enable Entegration to provide Information Technology (IT) services to the GPO, a member network of more than 270 medical practices, clinics and laboratories, a majority of which are specializing in reproductive medicine.

“Entegration brings the IT component that was missing to the GPO members,” stated Dwight P. Ryan, MedTech For Solutions President, and CEO. “Having worked with Entegration in the past I am happy to be able to offer their services and knowledge of the specialized technology needs of reproductive medical practices.”

Entegration will provide a wide range of services to the MedTech GPO including: electronic medical records (EMR) selection, implementation and support; network installation and support; helpdesk services; email implementations; remote access solutions; network security; and encryption services for email, laptops, and desktops.

Additionally, Entegration provides Health Insurance Portability and Accountability Act (HIPAA) security compliance services through its innovative HIPAA Secure Now! service. HIPAA Secure Now! is the first comprehensive and affordable HIPAA security service that assists medical practices with HIPAA compliance and protecting patient information. In light of recently increased HIPAA enforcement, medical practices need to evaluate how they are protecting patient information and focus on being compliant with HIPAA regulations.

“We are thrilled to be able to provide our skills and resources to the MedTech GPO member practices,” said Art Gross, Entegration President and COO. “We have been supporting reproductive medical practices since Entegration was founded in 2000 and feel we are a great fit for the MedTech GPO.”

About MedTech For Solutions, Inc.
MedTech For Solutions offers a full range of services to specialty medical practices, with emphasis on ART practices and laboratories. The MedTech For Solutions Group Purchasing Organization (GPO) provides practices significant savings for all medical, pharmacy, laboratory, capital equipment, and office purchasing needs. There is no cost to join the GPO. MedTech’s Laboratory Solutions consulting division is dedicated to working with practices in the building of new laboratories and the improvement of clinical outcomes of existing facilities by establishing and implementing state-of-the-art embryology practices and optimizing ART laboratories operations. Additionally, MedTech offers practice development, recruitment and risk management services. For more information visit www.medtech4solutions.com.

About Entegration, Inc.
Entegration offers a full range of Information Technology (IT) services to healthcare organizations. Entegration has focused on healthcare and medical practices since it was founded in 2000. Entegration provides its advanced knowledge and expertise to clients that range from startup medical practices to large established multi-physician, multi-location medical practices. Entegration provides HIPAA security services through its innovative HIPAA Secure Now! service. For more information visit www.entegration.net and www.hipaasecurenow.com.

###

Contact Information
Entegration, Inc
Diana Mazzarella (Operations Manager)
877-275-4545 x87
dianam@entegration.net
www.entegration.net

Insightful letter from OCR following a data breach

There is a great post over at Infosec Island regarding a letter that was received from the Office of Civil Rights (OCR) after a data breach that occurred at a small medical practice. The breach was the result of a burglary. No details were given on what was stolen or what kind of patient information was obtained.

The post lists the following 11 items that were requested in the letter from OCR and states that the practice only had 21 days to respond.

1. Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.

2. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.

3. Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:

a. sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.

b. re-training of appropriate workforce members.

c. mitigation of the harm alleged, as required by the Privacy Rule.

4.  A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

5.  A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.

6.  Evidence of physical safeguards implemented for computing devices to restrict access to PHI.

7.  A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.

8.  Evidence of security awareness training for involved workforce members including training on workstation security.

9.  Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

10. A copy of the written notification of the breach provided to the affected individuals.

11.  A copy of the written notification given to the media.  This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

The first takeaway from this is that OCR is asking for a lot of information in a very short period of time. 21 days is not enough time to provide this information if the practice didn’t already have all of this documentation in place. And maybe that is the point: the short response period does not give an organization time to scramble, put this together and claim it was in place prior to the breach.

The second takeaway is that OCR clearly wants to see written documentation that you have a security program in place to protect patient information and are in compliance with the HIPAA regulations.

Items #4 and #5 clearly state that they want to see written policies and procedures on how an organization is protecting patient information. Unless you have gone through the exercise of preparing the policies and procedures, I doubt that telling them you discussed these with your staff but haven’t documented them will carry much weight.

Item #7 clearly states that they want evidence that you have performed a Risk Assessment on how you are protecting patient information. A Risk Assessment is required under the HIPAA Security Rule and will identify the areas on which an organization needs to focus to better protect patient information. Not having a Risk Assessment will make it very difficult to defend yourself and prove that you have taken the HIPAA Security regulations and protecting patient information seriously.

Item #8 addresses providing evidence that each member of an organization’s workforce has received HIPAA Security training. Again this seems to be looking for documented proof that each workforce member has been trained. If you do not have a formalized training program, saying you discussed training in staff meetings might not be sufficient, especially when they are looking for formal documentation.

Item #9 is very interesting because it is asking for documentation addressing the encryption of information on workstations. Encryption is an addressable implementation specification in the HIPAA Security Rule. OCR wants to see how the organization has implemented this specification. Remember, an addressable implementation specification is not optional and documentation must exist on how an organization has or has not implemented the specification. For example, an organization might require laptops to be encrypted but data at rest on servers or desktops does not need to be encrypted. The take away is that you need to document how you have or have not implemented encryption along with reasons to support your decisions.

Items #10 and #11 address how an organization has prepared itself for a security breach and how it has responded to the current security breach. The Breach Notification Rule as defined in the HITECH Act states that an organization has to issue a notification to affected individuals within 60 days of discovery of a breach. Below is more information from the HHS website:

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
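To make the 60-day clock and the required notice contents concrete, here is a small checker written for this post (it is not code from the original post or from HHS). The field names, the sample incident and the practice's contact address are constructed assumptions; the rules are the ones quoted above.

```python
"""Breach-notification deadline and content review (added illustration).

Encodes two things from the HHS text quoted above: individual notices go out
no later than 60 days after discovery, and each notice must carry a fixed set
of elements (plus a toll-free number when substitute notice is used).
Field names and the sample incident below are constructed, not from HHS.
"""
from datetime import date, timedelta

NOTIFY_WITHIN_DAYS = 60  # "in no case later than 60 days following the discovery"

# Elements every individual notice must contain (constructed key names).
REQUIRED_ELEMENTS = (
    "breach_description",    # what happened
    "information_types",     # which kinds of PHI were involved
    "steps_for_individuals", # what affected people should do
    "entity_response",       # investigation, mitigation, prevention
    "contact_information",   # how to reach the covered entity
)


def notification_deadline(discovered_iso: str) -> str:
    """Last calendar day on which individual notices may be sent (ISO date)."""
    discovered = date.fromisoformat(discovered_iso)
    return (discovered + timedelta(days=NOTIFY_WITHIN_DAYS)).isoformat()


def days_remaining(discovered_iso: str, today_iso: str) -> int:
    """Days left before the deadline; negative once the deadline has passed."""
    deadline = date.fromisoformat(notification_deadline(discovered_iso))
    return (deadline - date.fromisoformat(today_iso)).days


def missing_elements(notice: dict, substitute_notice: bool = False) -> list:
    """Return the required elements that are absent or blank in a draft notice.

    Substitute notice (web posting or major print/broadcast media) must also
    include a toll-free number, so that element is required in that case.
    """
    required = list(REQUIRED_ELEMENTS)
    if substitute_notice:
        required.append("toll_free_number")
    return [key for key in required if not str(notice.get(key, "")).strip()]


def review_notice(discovered_iso: str, sent_iso: str, notice: dict,
                  substitute_notice: bool = False) -> dict:
    """Combine the timing and content checks into one review result."""
    on_time = days_remaining(discovered_iso, sent_iso) >= 0
    missing = missing_elements(notice, substitute_notice)
    return {"on_time": on_time, "missing": missing,
            "compliant": on_time and not missing}


# Constructed sample: a laptop taken in an office burglary, discovered 1 March.
SAMPLE_NOTICE = {
    "breach_description": "A laptop was stolen from our office during a burglary.",
    "information_types": "names, dates of birth and diagnosis codes",
    "steps_for_individuals": "Review explanation-of-benefits statements; consider a credit freeze.",
    "entity_response": "Police report filed; full-disk encryption being rolled out to all laptops.",
    "contact_information": "privacy@example-practice.invalid (constructed address)",
}

if __name__ == "__main__":
    discovered = "2011-03-01"
    print("deadline:", notification_deadline(discovered))
    print("sent on day 45:", review_notice(discovered, "2011-04-15", SAMPLE_NOTICE))
    print("late, via media:", review_notice(discovered, "2011-05-02", SAMPLE_NOTICE,
                                            substitute_notice=True))
```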

All in all, this insight into what to expect from OCR if your organization experiences a data breach should make you very apprehensive. If you do not have these items in place prior to a breach, it will cast a very negative light on your security program. If you cannot provide the written documentation for the 11 items they are requesting, there is a chance that OCR will determine that you are in violation of “Willful Neglect” of the HIPAA Regulations. Fines associated with “Willful Neglect” are substantially more expensive and carry a penalty of $50,000 per violation, with an annual maximum of $1.5 million.

The time to worry about complying with HIPAA security is before a data breach, not after. OCR has made clear what it will demand from an organization. If you do not have these items in place, NOW is the time to act!


Encryption is too easy and cheap to not use it

It seems that at least twice a month we hear about a health care organization that has had a data breach because of a lost or stolen laptop. Every time I read about a new breach I shake my head and ask myself why these organizations aren’t using encryption to protect the contents of the laptops. I have come up with 2 conclusions:

  1. The organizations are not familiar with encryption technology and think it is too complex to implement
  2. The organizations think that implementing encryption technology is too expensive and cost prohibitive

So I thought I would take a few minutes to hopefully help enlighten some people on just how easy it is to implement encryption and how affordable encryption is.

There are many encryption products on the market. Some are free, such as TrueCrypt, while others vary in cost and complexity. PGP is one of the leaders in encryption and has recently been purchased by Symantec Corporation. PGP scales from encrypting a few laptops to 1,000s of laptops in an enterprise. PGP usually requires some infrastructure setup that allows administrators to control policies, safeguard encryption keys and monitor which laptops have been encrypted. There is some complexity associated with setting up and deploying PGP encryption.

A product that we have been using for ourselves and our clients is called AlertBoot. AlertBoot is an easy-to-install encryption product that encrypts the laptop’s entire hard drive. The install is web based from AlertBoot’s site and is very easy and painless. Depending on the size and speed of the hard drive, it can take anywhere from 30 minutes to 4 hours to encrypt the drive. You can even use the laptop while it is doing the one-time encryption. There is no risk of losing the encryption password and then being locked out of the laptop: AlertBoot has 24×7 support that can help a user recover a lost encryption password.

AlertBoot Support, Password Recovery, and Helpdesk

Forget your password? Have a question about AlertBoot? Don’t worry: help is always just a phone call away. AlertDesk is your personal helpdesk for password recovery and assistance— open 24 hours a day, 7 days a week, 365 days a year.

AlertDesk is completely secure and confidential. You’ll be challenged with security questions as a safety precaution to verify your identity. AlertDesk Support will never have access to your devices or your personal data.

AlertBoot encryption costs $12.95 per month per laptop. There is a 10% savings if you prepay for the year. So for around $150/year per laptop you can fully encrypt the contents of the hard drive.

Now to be clear, AlertBoot is just one of many products on the market, and I am only using them as an example because I am familiar with the technology and their monthly cost per laptop makes it easy to calculate the true cost of encrypting each laptop.

So say you have 10 laptops in your organization: you are looking at about $130 a month to encrypt all 10 laptops. That to me is a very reasonable price to pay to ensure that you are protecting the data on each laptop, complying with HIPAA regulations and ensuring that any patient data on the laptop is secure and protected.

To put the costs into perspective, let’s take a look at some estimates of the cost if a laptop is lost or stolen. According to the Ponemon study (PDF) titled “The Cost of a Lost Laptop”, published on April 22, 2009, a lost laptop will cost:

  • The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.
  • What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost.
  • Encryption makes a difference. There is almost a $20,000 difference between lost laptops that had encryption installed versus those that did not have encryption.
  • The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) followed by financial services ($71,820), healthcare ($67,873) and pharmaceutical ($50,393). The industries with the lowest average cost per lost laptop are retail ($8,756) consumer products ($2,194) and manufacturing ($2,184).
  • The average data breach cost of a lost laptop also varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services ($68,862), healthcare ($43,547) and pharmaceutical ($42,027). The lowest average data breach cost is for government ($12,017) followed by retail ($3,620) and manufacturing ($44).

According to the report, the use of encryption can reduce the cost of a lost laptop by $20,000. That makes the $12.95/mo seem incredibly cheap. And now that you know encryption is easy to install and the risk of being locked out of the laptop is not an issue, you should seriously consider encrypting each of your laptops. There really is no good excuse not to implement laptop encryption.


5 easy steps to protecting patient data

Medical practices are not only tasked with protecting their patients’ health but are now responsible for protecting their patients’ electronic information as well. Protecting data is probably something that most practice employees have not been trained to do, nor are they familiar with security best practices. Data security is usually left to the IT consultants who maintain and support the network. Here are 5 things that you and your IT consultants can do to ensure you are properly protecting patient data.

Security Patches

The reality of software is that most software has security vulnerabilities that allow hackers, viruses and spyware to compromise the security of a network. Software vulnerabilities exist in Windows operating systems, including desktops (Windows XP, Vista and 7) and servers (all versions). Software vulnerabilities are also found in applications such as Adobe Acrobat, Microsoft Office, and Internet browsers. In order to minimize the risk from software vulnerabilities, vendor security patches should be diligently applied. Microsoft issues patches at least once a month. These patches should be applied by your IT vendor. Desktops can be set to update automatically with no need for IT or user intervention. Employees should be trained to diligently update programs such as Adobe Acrobat and Flash, Java and Internet browsers. An even better strategy is to invest in software that allows IT administrators to control the deployment of vendor security patches and software updates. Microsoft has free tools that allow Microsoft-specific security patches to be deployed centrally. Unfortunately the Microsoft tools do not take care of 3rd party applications; additional tools will need to be purchased to address these 3rd party apps.

Ban USB drives

A majority of patient data security breaches are due to lost or stolen portable devices such as USB drives, smart phones and laptops. In order to reduce the risk of a data breach, I recommend that you set a policy to ban USB drives. If an employee absolutely needs to use a USB drive to perform their job function, then invest in encrypted USB drives. I am a fan of the Kanguru encrypted drives. You can also get other encrypted drives here. Many people I talk to about data encryption admit to me that they really don’t understand the technology and are reluctant to use it because of this. Simply stated, an encrypted USB drive secures the data on the drive and requires a password to read or write information to the drive. The technology is super easy to use. These drives cost more than unencrypted drives, but the cost is not significant. For example, an unencrypted 4GB drive might cost $10 and an encrypted drive might cost $35. The cost difference is nothing compared to the cost of a data breach.

Encrypt Laptops

As mentioned above, stolen or lost laptops are a leading cause of data breaches. All laptops should be encrypted. There are many types of encryption on the market. Some of these require IT support and installation. An encryption service that we have started to work with, called AlertBoot, sells a very easy-to-use product that will encrypt a laptop’s disk drive. The service can be used with no IT support required. After AlertBoot encrypts the laptop’s disk drive, an employee simply enters the encryption password once each time they start the laptop. AlertBoot can help reset the encryption password if an employee forgets it, so there are no worries about losing a password and being locked out of the laptop. At $12.95/mo. it is not the cheapest on the market, but its ease of installation, minimal impact on a laptop’s performance and 24×7 support make it a great choice to protect each of your laptops.

Password Controls

One of the cheapest and most effective security steps you can take is to implement password controls. Password controls include:

  • Disabling a user account after a number of failed password attempts (think 5 failed passwords and your account is locked and can only be unlocked by your IT administrator)
  • Requiring complex passwords. Simply stated, complex passwords require a user to set a password that is 6-8 characters long and must contain letters, numbers, and special characters (! @ # $ % ^ & * + ). These prevent the use of easy-to-guess passwords.
  • Forcing users to change passwords every 60-90 days. Unfortunately I can guarantee you that your employees will complain about this. It always amazes me how people hate to change their passwords. I guess with so many different passwords, changing one makes it even harder to remember them. As a note, security is a fine balance between protecting your network and making it easy for employees to perform their job function.

Each of these password controls can easily be set by your IT administrator using the tools that Microsoft provides to manage Windows networks. At most this setup will take 1 or 2 hours.
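To show what the three controls above actually enforce, here is a small model of them written for this post (it is not code from the original post, and it is not how Windows implements them). The thresholds are the post's own (5 failed attempts, letters plus numbers plus the listed special characters, 60-90 day rotation); the class and function names are assumptions.

```python
"""Model of the three password controls above (added illustration).

Lockout after repeated failures, complexity rules and maximum password age,
using the thresholds from the post. Names here are constructed; on a real
Windows network these are set through Microsoft's account-policy tools.
"""
from datetime import date

LOCKOUT_THRESHOLD = 5        # failed attempts before the account is locked
MIN_LENGTH = 8               # upper end of the post's 6-8 character range
MAX_PASSWORD_AGE_DAYS = 90   # upper end of the post's 60-90 day range
SPECIALS = set("!@#$%^&*+")  # the special characters listed in the post


def complexity_problems(password: str) -> list:
    """Return the complexity rules a candidate password fails (empty list = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is older than the maximum age (ISO dates)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_PASSWORD_AGE_DAYS


class LockoutTracker:
    """Counts consecutive failed logons per user and locks the account at the
    threshold. A locked account refuses every logon, even with the correct
    password, until an administrator unlocks it (the post's recommendation)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failed = {}      # user -> consecutive failed attempts
        self.locked = set()   # users currently locked out

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_attempt(self, user: str, password_correct: bool) -> bool:
        """Record one logon attempt; return True only if the logon is allowed."""
        if user in self.locked:
            return False
        if password_correct:
            self.failed[user] = 0     # a good logon resets the counter
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.threshold:
            self.locked.add(user)
        return False

    def admin_unlock(self, user: str) -> None:
        """Only an administrator clears the lock and the counter."""
        self.locked.discard(user)
        self.failed[user] = 0


if __name__ == "__main__":
    tracker = LockoutTracker()
    for _ in range(LOCKOUT_THRESHOLD):
        tracker.record_attempt("jdoe", False)   # constructed user name
    print("locked after 5 failures:", tracker.is_locked("jdoe"))
    print("problems with 'password':", complexity_problems("password"))
    print("expired after 104 days:", password_expired("2011-01-01", "2011-04-15"))
```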

Encrypt Backup Tapes

Backing up your data is very important and is a best practice for ensuring that you protect your patients’ information. If you back up your EMR on a nightly basis, you will have all of your patients’ records on the backup tape. That can be 100, 1,000 or 100,000 patients depending on how much data is in your EMR. Now think about what would happen if that backup tape were lost or stolen. Having the tape lost or stolen is not that hard to imagine; it could happen if someone breaks into your office or if the employee responsible for taking the tape out of the office has it stolen from their car. The good news is that most backup software has data encryption built in. All that has to be done is to configure the software to encrypt the data and set an encryption password. Unfortunately what I have seen is that the encryption setting is usually not set and the data is backed up to tape without encryption. Make sure your IT vendor has encryption enabled and that your tapes are encrypted.

If you follow these 5 steps to securing your patients’ data, you will significantly increase your level of security. As I mentioned, none of these are very expensive, and the expense is insignificant compared to the expense of a data breach. And as an added benefit, these will help you with your HIPAA security compliance as well.

Let me know if you already have implemented some of these security measures or if you have other examples of easy and cheap security protections.

Image: jscreationzs / FreeDigitalPhotos.net


3 things you must do after implementing an EHR

You have just implemented a new electronic health records (EHR) system, congratulations! You probably spent anywhere from $75,000 – $500,000+ on hardware, software, licenses, and implementation labor. Hopefully you qualify for EHR meaningful use incentive funds to offset some of those expenses. While you are looking to stop spending money and to start recouping some of the expense, I am going to tell you about 3 additional products and services that you must consider.

The 3 products and services are:

  1. Offsite data backup
  2. HIPAA Security
  3. Disaster Recovery

I realize those 3 items are not sexy and will not help increase your revenue. I think that is one of the reasons many medical practices don’t sign up for these services. The 3 services are about protecting your EHR, your data, your patients’ information and your practice.

Offsite Data Backup

“Why do I need offsite data backup when we are backing up to a tape drive?”

I can’t tell you how many times I have had this conversation. Backing up your data nightly to a tape drive is a good practice, but unfortunately backup tapes are not completely reliable. Every time we have to restore a file, database or other data from a backup tape, I hold my breath and pray that the data is on the tape and we can retrieve it successfully.

If you are backing up to tape, the responsibility to switch tapes on a daily basis is usually assigned to an individual in the practice. From experience we have seen that people forget to switch tapes (trust me, this happens more than you can imagine). In addition, tapes are used over and over and eventually they lose their ability to reliably read and write data. Hence the praying comment: when we need the data, the hope is that the tape has not yet reached the point where it cannot be read successfully.

Offsite data backup is a very straightforward process and very similar to backing data up to tape. On a nightly basis the data is backed up, but instead of going to tape it goes to a server in a vendor’s data center. Here is how it works.

  1. On the system that you are backing up, there is a backup agent (software program) that starts to back up the data.
  2. The backup agent makes a secure encrypted connection via the Internet to a server (or servers) at the vendor’s data center.
  3. The data is copied to the vendor’s server(s) and stored there in a secure encrypted format.

As you can see it is critical to have an Internet connection in order to perform the offsite backup.  The offsite data backup is scheduled and runs automatically so there is no human intervention required. This eliminates the issue with someone forgetting to change the backup tape.

My recommendation to most practices is to use offsite data backup as a supplemental service in addition to doing nightly tape backups.  If you do both then you have your data in 2 different places and you increase your chances that the data will be available if and when you need it.

On average, offsite data backup costs around $2/GB. So if you are backing up your EHR and you have 20GB of data it will cost you around $40/mo. I think that is a very reasonable amount to help ensure that your data is protected. To help convince you that offsite backup is worth the additional expense, let’s look at a scenario that I have seen happen multiple times.

There is a really bad storm with heavy rain and lightning. The storm knocks out power to your office and, although your EHR server is on an uninterruptible power supply (UPS), the server does not shut down cleanly (it immediately loses power) and in the process the EHR database is corrupted. When power is eventually restored and the server comes back online, the EHR program generates errors stating that it cannot read the EHR database (it is corrupt). Imagine that you have been using the EHR for 1 month and every patient that you have seen is in your EHR (go ahead and imagine you have been using it for over a year; the amount of records would be even scarier). Your IT company comes in to help restore the EHR database from tape and get you back up and running. When the IT company inserts the backup tape they cannot locate the EHR database. It turns out that the person who was responsible for changing the tape forgot to do it the last 2 evenings. They are able to restore the database from 2 days ago, but all the data that was entered for the past 2 days is lost. Think about having to recreate that data. You are using an EHR, so do you have paper notes on each patient? Probably not. The amount of time and effort you and your staff will have to spend recovering from the lost data makes the $40 look cheap.
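A check that would have caught the failure in this scenario before it mattered, added here as an example (not the blog's or any backup vendor's code): it audits the newest backup's manifest for staleness and for the presence of the EHR database files, and verifies a test restore against the SHA-256 recorded at backup time. The manifest format, the file names and the 26-hour grace window are assumptions.

```python
"""Nightly backup sanity check: is the newest backup recent, does it contain
the EHR database, and does a test restore match what was backed up?
Added example, not the blog's code. It reads a backup manifest (a list of
files with sizes and SHA-256 digests) that the backup job is assumed to
write; the manifest layout and the file names are assumptions."""
import hashlib
from datetime import datetime, timedelta, timezone

# Files a usable EHR backup must contain (assumed names).
REQUIRED_FILES = {"ehr/ehr.mdf", "ehr/ehr_log.ldf"}
# A nightly job whose last completion is more than 26 hours old has missed
# a run; the 2-hour grace on top of 24 hours is an assumption.
MAX_AGE = timedelta(hours=26)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_manifest(manifest: dict, now: datetime) -> list:
    """Return a list of problems; an empty list means the backup passes."""
    problems = []
    taken = datetime.fromisoformat(manifest["completed_at"])
    if now - taken > MAX_AGE:
        problems.append(f"backup is stale: last completed {taken.isoformat()}")
    present = {entry["path"] for entry in manifest["files"]}
    for path in sorted(REQUIRED_FILES - present):
        problems.append(f"required file missing from backup: {path}")
    for entry in manifest["files"]:
        if entry.get("size", 0) == 0:
            problems.append(f"zero-byte file in backup: {entry['path']}")
    return problems


def verify_restored_file(expected_digest: str, restored: bytes) -> bool:
    """After a test restore, confirm the bytes match what was backed up."""
    return sha256_bytes(restored) == expected_digest


# Constructed manifests: a healthy nightly backup, and one where the tape was
# not changed, so the newest backup is two days old and lacks the database.
NOW = datetime(2011, 6, 10, 8, 0, tzinfo=timezone.utc)
DB_BYTES = b"constructed EHR database contents"
GOOD_MANIFEST = {
    "completed_at": "2011-06-10T02:15:00+00:00",
    "files": [
        {"path": "ehr/ehr.mdf", "size": len(DB_BYTES), "sha256": sha256_bytes(DB_BYTES)},
        {"path": "ehr/ehr_log.ldf", "size": 1024, "sha256": "0" * 64},
    ],
}
STALE_MANIFEST = {
    "completed_at": "2011-06-08T02:15:00+00:00",
    "files": [{"path": "ehr/ehr_log.ldf", "size": 1024, "sha256": "0" * 64}],
}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("stale", STALE_MANIFEST)):
        print(name, audit_manifest(manifest, NOW) or ["OK"])
```

Run this every morning against the newest manifest and alert on a non-empty result; a stale or incomplete backup is cheap to fix before the storm, not after.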

HIPAA Security

The second service I urge you to consider is HIPAA Security. You are using an EHR and all of your patient information moving forward will be electronically stored. You may also have interfaces with vendors for electronic lab results, digital x-rays, ultrasounds, etc. For each patient there is a lot of electronic information that has to be protected.

Most EHR vendors do not address HIPAA security when they are training employees on the new EHR. If they do it is not in depth and there is a good chance that your employees will not understand what is required by HIPAA to protect patient information.

HIPAA security is about protecting patient data in electronic format. I am recommending you sign up for a HIPAA security service not only to comply with the HIPAA regulations but to ensure that your entire staff is educated on exactly what is required to protect patient data and understands the best practices for protecting it. More importantly, HIPAA security is a defensive measure to help protect your patients and your practice against a data breach. A lost laptop or USB drive with patient information could have a serious financial impact on an organization. Imagine a data breach that costs your practice $1,500,000. If you think that number is too high, consider the regulatory fines, patient breach notification expenses, lost revenue from patients leaving the practice, IT-related expenses to remediate the breach, etc. Even if the expense is half of that, at $750,000, it can have a significant impact on an organization. And if you are thinking that your general liability insurance policy will cover most of those expenses, you should check your coverage. Most policies do not cover HIPAA-related expenses (although there are supplemental insurance policies that do cover HIPAA and cyber expenses).

There are many HIPAA security services on the market but on a whole you should look to accomplish the following:

  1. Implement policies and procedures to ensure that patient information is properly protected
  2. Perform a risk assessment to understand where you are at risk in protecting patient information and what additional security measures you should implement to better protect the information.
  3. Train your entire staff on exactly what is HIPAA security, what they should be doing to protect patient data and what they should not be doing that could put patient data at risk.

HIPAA security will range in costs but for some real numbers this service will cost $1,750 to provide the 3 items above. (Full disclosure, HIPAA Secure Now! is a service of Entegration, Inc.).

As with the justification for offsite data backup, spending $1,750 to help protect you from fines and expenses that could be up to 100 times more expensive seems like a good investment.

Disaster Recovery

The third and final service I will urge you to consider is disaster recovery for your EHR and network.

I will start off by acknowledging that the odds of a disaster are slim, yet we have seen the effects of earthquakes and tornadoes in the past few months. And disasters are not confined to natural disasters. Fires and floods occur all the time. Broken water pipes and sprinkler systems can destroy servers and computing equipment.

What exactly is disaster recovery?  Simply stated it is the ability to continue to utilize your applications in the event that your primary servers, network and applications are either destroyed or made unavailable by some event. Disaster recovery is ensuring that you can run your EHR on another server and access that server in the event of a disaster.

I wrote a detailed blog article on cheap disaster recovery which you should read.  But from a high level view, disaster recovery is:

  1. Ensuring that you have another server(s) in another physical location that you can use in the event your primary server is unavailable
  2. Data needs to be copied and kept up to date on the server(s) that you will use for disaster recovery
  3. A method of accessing the disaster recovery server must be established
  4. A detailed procedure must be in place that defines exactly what is needed to utilize the disaster recovery server(s) and what your employees need to do to operate in disaster recovery mode.

If you go back to the blog article that I wrote on cloud based disaster recovery, the prices are around $100/month/server. So if you need to ensure that you have your EHR server and your Domain Controller available in the event of a disaster, it will cost you around $200/mo.

Again let me define a scenario that helps justify the expense.

Let’s assume a water pipe bursts in the office above you and overnight hundreds of gallons of water leak onto your servers, destroying them. Everything else in your office is wet but usable. After a couple of days of clean up you are ready to see patients, but you no longer have functional servers and no functional EHR. You can order new servers from Dell or HP, but even with overnight shipping there is a chance you will not receive them for 10-14 days. Can you go without your EHR for that long? With cloud based disaster recovery you can be up and running in as little as 4 hours. You can even access the EHR if you need to see patients in another practice’s office while you repair your own. Again I argue that $200/month is worth the expense to provide the safety net and flexibility to recover in the event of a disaster.

Summary

The 3 services that I described will protect your medical practice. Each of the services can be considered a safety net and operational insurance to protect you and to avoid events that can have a significant financial impact on your organization. Take a step back and think of how much money you just spent on your EHR. The services that I recommend will cost you under $5,000 the first year (and half of that moving forward) and will help protect your investment in your EHR.

I would love to hear your thoughts and help with any questions you may have. Use the comments section below to give feedback.


The problem with outsourcing trust

Epsilon, the largest email marketing firm, announced that their customer database has been breached. Epsilon has over 2,500 large clients including Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, and The College Board. They send over 40 billion emails a year on behalf of their clients.

Epsilon said that the hackers only had access to customer email addresses and first / last names. The affected clients are sending out warning notifications similar to the one from Kroger:

As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience. Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

Although no social security numbers or credit card information was accessed, the emails and names could be used in spam and phishing scams.

This massive breach shows the danger of outsourcing functions to other companies. No matter how good the security was at each of these companies, they had no control over the data at Epsilon. The takeaway here is that all companies not only have to look at their own security but also at the security of their business associates and vendors. When you outsource your customers’ information and trust, make sure you fully understand the dangers that are associated with this decision. Some of the world’s largest companies are now coming to grips with this reality.


Critical view of HIMSS / MGMA security toolbox

The folks over at HIMSS and MGMA have teamed up to produce what they call the HIMSS Privacy & Security Toolkit for Small Provider Organizations. The toolkit provides medical practices with a wealth of information about HIPAA, HITECH, meaningful use, privacy and security. Below is the letter from the HIMSS and MGMA CEOs describing the security toolkit.

Message from the CEOs

As small provider organizations increasingly leverage electronic health records and other information technologies, they face significant challenges in their efforts to secure patient information. This is coupled with their efforts to comply with a myriad of existing and newly revised federal requirements. There is also a renewed emphasis on the importance of maintaining the confidentiality of electronic health information due to patient concern and media attention. Providers also recognize that protecting against a breach of health information will require employee training and the development of effective safeguards and reporting processes.

Targeting the needs of these small providers, HIMSS and the Medical Group Management Association (MGMA) (www.mgma.com) have partnered to create the HIMSS Privacy & Security Toolkit for Small Provider Organizations. This useful and practical toolkit will assist first in understanding the rapidly changing privacy and security environment, and then help providers implement an appropriate set of policies and procedures that best meet the needs of their organization. Since smaller organizations may not typically have the resources or technical expertise found in larger institutions, this toolkit will act as a roadmap and resource for clinical and administrative staff to navigate the complex privacy and security laws and regulations and to understand the security components required to participate in Medicare’s “Meaningful Use” EHR incentive program.

We hope this toolkit proves helpful as providers move forward with their health information privacy and security preparations.

I am a strong believer that the more medical practices understand privacy and security issues, the more they will do to protect patient information. So the HIMSS security toolkit is a welcome addition. The only issue I have with it is that it has too much information, which makes it hard to digest all of the content. In a rough count I came up with around 50+ links to documents, ranging from CMS Security Series paper #7 “Implementation for the Small Provider” (12/10/2007) to Meaningful Use Introduction (2/12/2011). Each of the links provides great information, but the problem is that it is too much information. I am not sure who is going to read all of it, digest it and formulate a plan for protecting patient information. I think this information has to be summarized and put into a form that is easy to understand.

They do offer a method of adding additional tools to the toolkit, so maybe someone will put a good summary together. Maybe they will use video to make it easier to understand and somewhat entertaining. Reading 50 links and over 500 pages of information is just not that much fun.
