The network is critical when implementing an EMR

I spoke with a potential client today and had a conversation that I seem to be having a lot lately. The client gave an overview of their issues, and it went something like this:

Potential Client: “Our network is really screwed up. We have been through 5 IT people already. We installed an EMR but it is a bunch of junk. We are getting a new EMR in a few months. We spent $44,000 on the first EMR and even more on the second. We can’t add new laptops, we can’t print. We need help.”

The good news is that the problems he mentioned to me all seem to be very straightforward and fixable. I let him know that the first thing that has to be done is to ensure that the network is operating correctly before any EMR is installed.

As I mentioned, this is the same conversation that I have had over and over. It seems that so many medical practices are implementing advanced technologies to support EMRs but operating on networks that are not up to spec or configured correctly. In addition, the EMR software does not perform the way the vendor stated and does not provide the functionality they are looking for.

One of the core services we provide for our clients is help with software and hardware selection. A client that is evaluating an EMR needs help to ensure that the EMR will work in their environment. They need technical guidance to ensure the infrastructure can support the new EMR. A lot of EMR vendors try to undersell the hardware requirements to make their products look more affordable. I think this is a huge mistake. It is critical to ensure that the network is properly sized, configured and ready to run an EMR.

The problem with outsourcing trust

Epsilon, the largest email marketing firm, announced that their customer database has been breached. Epsilon has over 2,500 large clients including: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, and The College Board. They send over 40 billion emails a year on behalf of their clients.

Epsilon said that the hackers only had access to customer email addresses and first and last names. The affected clients are sending out warning notifications similar to the one from Kroger:

As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience. Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

Although no Social Security numbers or credit card information was accessed, the email addresses and names could be used in spam and phishing scams.

This massive breach shows the danger of outsourcing functions to other companies. No matter how good the security was at each of these companies, they had no control over the data at Epsilon. The takeaway here is that all companies have to look not only at their own security but also at the security of their business associates and vendors. When you outsource your customers’ information and trust, make sure you fully understand the dangers associated with this decision. Some of the world’s largest companies are now coming to grips with this reality.

Critical view of HIMSS / MGMA security toolbox

The folks over at HIMSS and MGMA have teamed up to produce what they call the HIMSS Privacy & Security Toolkit for Small Provider Organizations.  The toolkit provides medical practices with a wealth of information about HIPAA, HITECH, meaningful use, privacy and security.  Below is the letter from both the HIMSS and MGMA CEOs describing the security toolkit.

Message from the CEOs

As small provider organizations increasingly leverage electronic health records and other information technologies, they face significant challenges in their efforts to secure patient information. This is coupled with their efforts to comply with a myriad of existing and newly revised federal requirements. There is also a renewed emphasis on the importance of maintaining the confidentiality of electronic health information due to patient concern and media attention. Providers also recognize that protecting against a breach of health information will require employee training and the development of effective safeguards and reporting processes.

Targeting the needs of these small providers, HIMSS and the Medical Group Management Association (MGMA) (www.mgma.com) have partnered to create the HIMSS Privacy & Security Toolkit for Small Provider Organizations. This useful and practical toolkit will assist first in understanding the rapidly changing privacy and security environment, and then help providers implement an appropriate set of policies and procedures that best meet the needs of their organization. Since smaller organizations may not typically have the resources or technical expertise found in larger institutions, this toolkit will act as a roadmap and resource for clinical and administrative staff to navigate the complex privacy and security laws and regulations and to understand the security components required to participate in Medicare’s “Meaningful Use” EHR incentive program.

We hope this toolkit proves helpful as providers move forward with their health information privacy and security preparations.

I am a strong believer that the more medical practices understand privacy and security issues, the more they will do to protect patient information, so the HIMSS security toolkit is a welcome addition. The only issue I have with it is that it has too much information, which makes it hard to digest all of the content. In a rough count I came up with around 50+ links to documents, ranging from CMS Security Series paper #7 “Implementation for the Small Provider” (12/10/2007) to Meaningful Use Introduction (2/12/2011). Each of the links provides great information, but the problem is that it is too much information. I am not sure who is going to read all of it, digest it and formulate a plan for protecting patient information. I think this information has to be summarized and put into a form that is easy to understand.

They do offer a method of adding tools to the toolkit, so maybe someone will put a good summary together. Maybe they will use video to make it easier to understand and somewhat entertaining. Reading 50 links and over 500 pages of information is just not that much fun.

Encryption is still an afterthought at best

A real-life experience on Friday shows that the use of encryption to protect patient data is still an afterthought at best. A conversation between one of our clients and their EMR vendor shows that encryption and data protection are still not at the forefront of concern. Below is a modified version of the conversation between the client and the EMR vendor, on which I was copied. Everything was changed (to protect the innocent) except for the overall meaning of the conversation.

EMR Vendor: Dear customer – we need a copy of your EMR database so we can test it on the new version of the software we will be rolling out in a couple of months.  We will be sending you a USB disk so your IT vendor can copy the database(s) and send it back to us.

Client: Why do you need the data?

EMR vendor: We want to test the functionality of the new system and your database is one of the largest amongst all of our customers.

Client: OK, we will send you the data.

Seems like a very straightforward conversation.  The EMR vendor wants to test a large instance of the database which is good so they can iron out any bugs with the new version of the software.  The client is happy to be part of the testing so they know their database will have no issues when they upgrade.

Everyone but me was happy with the conversation. Now, it is probably because I write about HIPAA security or have launched a HIPAA Security Service, but I immediately thought to myself, “there is no way we are going to send a disk with over 10 years of patient data to anyone without ensuring that this data is encrypted”. On the other hand, I am an optimist, so I just waited for the vendor to tell the client that the USB drive would be encrypted or for the client to ask about encryption. I waited, but that dialog never occurred. I eventually replied to the email with my concerns.

Me: Will the USB drive be encrypted?  There is no way we can send that data without proper protection of the data.

EMR vendor: Yes the drive will contain an encryption utility that you can use to encrypt the data.

Me: Good!

So the good news is that the EMR vendor knew that the data had to be encrypted. The bad news is that the fact that the data had to be protected never came up in conversation until I raised the issue. Encryption was an afterthought during this conversation. We need to move to the point where patient data protection is a primary concern. In this case protecting the data in transit is more important than the testing of the software (in my opinion). A loss of this data could be devastating to the client.

In the end the client thanked me for looking out for the data security. To me patient data protection is one of my primary concerns. Unfortunately it seems that my concerns are not shared by others. We need to get to the point where patient data protection is a primary thought and not an afterthought.

Analysis of OCR’s message on HIPAA

OCR is serious about enforcement!

That is a message that 3 officials from the U.S. Department of Health and Human Services’ Office for Civil Rights made clear as they presented at the 19th National HIPAA Summit. The 3 officials who presented (the links below take you to their presentations [PDF]) were Susan McAndrew, David S. Holtzman and Valerie Morgan-Alston.

Each of their presentations went into details of how OCR has been working to enforce HIPAA regulations.  I urge you to read each one fully but I will point out some of the more interesting points of their presentations.

Susan McAndrew

Pointed out that there have been 241 reports of security incidents that affected 500 or more individuals and over 29,000 incidents that affected under 500 individuals. Laptops and portable devices continue to be the main cause of breaches.

She went on to state that there have been around 58,000 privacy complaints since 2003 and that 91% of the complaints have been resolved. Of the 58,000 complaints, around 19,400 have been investigated and 64% have led to corrective actions (fines, I presume).

McAndrew went into details of the latest HIPAA fines that have been handed out including the $4.3 million fine to Cignet Health/Maryland.  She also discussed the training program for the 50 State Attorneys General.

David S. Holtzman

Went into details about some of the security breaches and enforcement activity.  His presentation was very interesting and some of the slides are below.

He said that every complaint that the OCR receives is reviewed and analyzed, and an investigation is launched if the facts look like an organization failed to comply with the HIPAA regulations.

Compliance reviews include evaluating an organization’s policies and procedures. All breaches that affect over 500 individuals are reviewed.

In a very interesting slide, Holtzman showed the most frequent Security Rule issues.  They included lack of security incident response, lack of security training, lack of access controls and information access controls, and the lack of workstation security.

The next two slides give some good insight into the most common causes of breaches as well as where the information was located in the breach.

He ended with some valuable lessons learned including stressing that encryption should be used on data at rest on desktops as well as portable devices.

Valerie Morgan-Alston

Went into details on some of the fines that have been handed down including Cignet, Massachusetts General Hospital and Rite Aid.

But in the most interesting slide she went on to say:

In light of OCR’s clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs

A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

All in all, a few clear messages were presented. OCR is serious about enforcement and used several recent cases as examples. More enforcement and more fines are coming. Make sure you have policies and procedures in place, and use encryption for data on desktops and portable devices.

Image: Pixomar / FreeDigitalPhotos.net

A look at the latest Ponemon report on data breach expenses

The Ponemon Institute, in combination with Symantec Corp, released a report titled 2010 Annual Study: U.S. Cost of a Data Breach. The report looks at the financial impact of data breaches, including the loss of customers that results from them. Some highlights of the report are listed below.

Rapid response to data breaches costs organizations more than slower response. This could be due to inefficiencies of rapid response. Organizations are feeling pressure to respond to breaches quickly due to state and federal data protection laws.

More organizations favor rapid response to data breaches, and that is significantly costing them: Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these “quick responders” paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.

Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases. The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws. We will closely watch this issue in future reports.

Costs of data breaches continue to rise and now the average organizational cost is $7.2 million per breach.

For the fifth year in a row, data breach costs have continued to rise: Data breaches continue to cost organizations more every year. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009. Total breach costs have grown every year since 2006.

Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year. Data breaches are costing more at both ends of the scale, but particularly the top. The most expensive data breach included in this year’s study cost a company $35.3 million to resolve, up $4.8 million (15 percent) from last year. The least expensive data breach was $780,000, up $30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Therefore, larger breaches continue to be a more serious cause for concern than smaller breaches.

I found the next point to be very interesting. It shows that losing customers due to a data breach is the most expensive component of the total data breach expenses. Pharmaceutical and healthcare had the highest customer churn. This should be a wakeup call to healthcare organizations.

Customer turnover in direct response to breaches remains the main driver of data breach costs: For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost. Regulatory compliance contributes to lower churn rates by boosting customer confidence in organizations’ IT security practices. Average abnormal churn rates across all 51 incidents stayed level at 4 percent. The industries with the highest 2010 churn rate remained pharmaceuticals and healthcare (both up a point to 7 percent). The industries with the lowest abnormal churn rates were public sector (less than 1 percent) and retail (1 percent). Sectors with the highest 2010 average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). Those with the lowest costs were media ($131), education ($112), and public sector ($81).

The use of encryption is increasing as a post data breach solution. Now if organizations would use more encryption prior to data breaches, they would have a lot fewer headaches and expenses.

Training and awareness programs barely stayed in first place with nearly two-thirds (63 percent, down 4 points) of respondents using them. Expanded use of encryption stayed the most popular technology solution and, with 61 percent (up 3 points), took sole possession of second place this year. Interestingly, since 2008, technological solutions have seen the strongest growth while personnel and policy solutions have grown more slowly.

Laptops and mobile devices are expensive liabilities.

The prevalence of breaches concerning mobile devices holding sensitive data stayed roughly the same at 35 percent this year, down a point. Per-record costs rose $33 (15 percent) to $258 per record. Our research suggests that device-oriented breaches have consistently cost more than many other breach types. This may be because investigations and forensics into lost or stolen devices are more difficult and costly.

The report offers some sound advice for next steps:

• Take as slow and thoughtful an approach to data breach response as possible, given federal and state legal requirements applicable to location, industry and circumstances of the breach. Prepare in advance as much as possible to enable quick and cost-effective response.
• Ensure that portable data-bearing devices – such as laptops, smart phones and USB memory sticks – are encrypted, especially for extensive business travelers. Also, consider implementing inventory control, anti-theft devices and data loss prevention (DLP) policies, practices and technologies.
• Vet and evaluate the security posture of third parties before sharing confidential or sensitive information. Pick responsible vendors that can guarantee data protection through encryption and appropriate procedures and controls. Also, ensure that third parties protect data on their employees’ mobile devices.
Using patient record security as a competitive advantage

In two recent surveys a clear message is being sent. The message is that patients want doctors and health organizations to use electronic health records (EHRs), but the patients are very concerned with the privacy and security of their records.

A survey by Dell called The Dell Executive and Patient Survey (PDF) reported that an overwhelming number of patients wanted the following:

• EHRs (69%)
• Making it possible for EHRs to be shared between physicians, hospitals, and ancillary providers (74%)
• Email access to their doctor so they can ask questions and discuss their health via electronic mail (71%)
• Electronic prescription processing to allow health care providers and pharmacies to communicate without paper (76%)

But the patients also worried about the security of their electronic patient records. They are concerned with:

• Their health data being safely and securely stored (69%)
• Their health data being transmitted over the internet (66%)
• Hospitals and providers adhering to privacy laws (such as HIPAA) (66%)

It is interesting that 69% of patients wanted EHRs but 69% also worried about their records being safely and securely stored.

A second survey sponsored by the National Opinion Research Center (NORC) at the University of Chicago shows similar desires and concerns:

Despite the fact that 48% of Americans are concerned about the privacy of medical records, fully 64% said that the benefits of EMRs outweigh privacy concerns.

So it is clear that patients want doctors to use EHRs, but they are also very concerned with the privacy and security of their records. Many medical practices and health organizations are pushing forward with the use of EHRs, so understanding and addressing patients’ concerns is really important. But what if medical practices and health organizations were to use patients’ concerns as a competitive advantage over other health organizations?

What if, instead of looking at the HIPAA Security regulations as something that is mandatory and required by the government, a medical practice saw HIPAA and patient security as a way of addressing patient concerns? Savvy medical practices can point to the fact that they have implemented HIPAA Security Policies and Procedures, performed a Risk Assessment on all systems that contain patient information and trained their entire staff on how to protect patient information. Medical practices that have embraced patient record security can differentiate themselves from their competition. A clear message they can send to their patients is:

Come to our medical practice because we care about patient record security and will do everything we can to protect and make your records secure!

Medical practices can address patients’ concerns and use HIPAA Security as a competitive advantage. Something to think about.

Cross-posted at HIPAA Secure Now!

Image: hinnamsaisuy / FreeDigitalPhotos.net

Deeper look at the $4.3 million HIPAA fine

The Health and Human Services’ (HHS) Office of Civil Rights (OCR) issued a $4.3 million fine to Cignet Health of Prince George’s County, MD (Cignet) for violating the Privacy Rule of HIPAA. Cignet refused to provide 41 patients with access to their medical records. Under HIPAA, patients are entitled to have access to their medical records within 30 days and no later than 60 days from the initial request.

Not only did Cignet not provide the patients with access to their medical records, they also refused to cooperate with OCR during the investigation of the complaints. Below is a section from the HHS posting regarding this fine.

During the investigations, Cignet refused to respond to OCR’s repeated demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints, including failure to produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

What could Cignet be thinking? This is a question that many will be asking. It clearly shows that ignoring requests by HHS or OCR is not a good move.

Willful Neglect
Fines under HIPAA fall into different categories based on the severity of the violations. The most severe and most costly category is for willful neglect of HIPAA. Previously, willful neglect was a vague category that was not clearly defined. Well, now we have a very good idea of what willful neglect looks and feels like. One thing to especially note is that if OCR starts to investigate your organization, it is in your best interest to comply with the investigation.

Breakdown of the fines
The $4.3 million fine is actually a combination of two separate fines. Each fine is called a civil money penalty (CMP). Again from HHS:

The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The two fines are broken down as follows:

Covered entities are required under law to cooperate with the Department’s investigations. OCR found that Cignet’s failure to cooperate with OCR’s investigations was due to willful neglect. The CMP for these violations is $3 million.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

The clear takeaway from the Cignet fines is that HHS and OCR are sending a clear message that HIPAA is not to be ignored. I would take that to cover both the HIPAA Privacy and Security Rules. HHS and OCR have taken a lot of knocks for not enforcing the HIPAA and HITECH acts. This might be a wakeup call to everyone that this may no longer be the case. The final paragraph on the HHS site makes this very clear.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Cross-posted at HIPAA Secure Now!

Deloitte study shows some interesting security information

The consulting company Deloitte released a study called Privacy and Security in Health Care: A Fresh Look (PDF).

The report is a 20 page overview that addresses the following:

• Provides an update about current and emergent privacy and security challenges in health care;
• Examines notable hot spots where current policies, rules, and regulations are a focus of industry risk;
• Reviews the state of preparedness for privacy and security risk throughout the industry;
• Suggests an approach to assessing an organization’s current preparedness.

They have a good graph that shows a breakdown of breaches since 2009 that have been reported to HHS.

As you can see, laptops continue to be the leading source of data breaches.

The study went on to look at other healthcare industry studies, and the results show that organizations are clearly not doing enough to protect patient privacy.

Some highlights of the studies include:

• 85% of hospitals are not in compliance with HITECH
• Data breaches cost organizations on average $1 million annually
• The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices, and third-party snafu
• Inadequate budget and lack of trained staff or end users are the top two reasons for data breach

The findings from a CMS study were eye-opening:

• CEs did not perform a risk assessment and did not have a formalized, documented risk assessment process
• Risk assessments were outdated and did not address all potential areas of risk
• CEs had few and inadequate policies and procedures and they did not address the HIPAA Security Standards and Implementation Specifications
• Documented procedures were inconsistent with procedures followed by CE personnel
• CEs did not conduct security awareness training prior to granting user access
• CEs had BAs but Business Associate Agreements (BAAs) did not exist between the two parties or existing BAAs were inadequate

The report is very interesting and worth a thorough read.

Huge Data Breach

Backup tapes containing 1.7 million patient records have been stolen from a van. The tapes held patient history and electronic protected health information (ePHI) dating back 20 years. The information on the tapes includes names, addresses, Social Security numbers and medical information.

This is a huge data breach affecting an enormous number of people. Each of the 1.7 million people could be in danger of identity theft and other identity-related crimes. Stop for a second and think through what this data, including Social Security numbers, patient health records, names and addresses, would be worth on the black market.

The first question that MUST be asked is: why were these backup tapes not encrypted? Let’s not gloss over this. It is a crime to jeopardize this many people. Encrypting backup tapes is not only cheap but very easy to do. It is just a setting in the backup software. It is just an encryption password.

The second question is: why is the HIPAA Security Rule not being enforced? How can we watch as millions and millions of patients have their Social Security numbers and health records breached? How can we ignore the government regulations that were put in place to protect patients? How many patients must be victims of identity theft before we say enough is enough?
