The move from the medical dark ages will not be easy

This is truly a very challenging time if you are a health care organization. A fundamental change is occurring that will transform the way medicine is practiced over the next 20 years. Much like the invention of electricity, the light bulb or the first gas-powered engine, the change will have an enormous impact on everyone it touches.


At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.


The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.


Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?


Like all new technologies, electronic medical records offer incredible opportunities, but along with those opportunities come real risks that need to be addressed. We will look back in a few years and see that health care organizations made the move from the dark ages to a much more modern era. Unfortunately, we will also see lots of mistakes and security issues that could and should have been addressed.


Critical view of HIMSS / MGMA security toolbox

The folks over at HIMSS and MGMA have teamed up to produce what they call the HIMSS Privacy & Security Toolkit for Small Provider Organizations.  The toolkit provides medical practices with a wealth of information about HIPAA, HITECH, meaningful use, privacy and security.  Below is the letter from both the HIMSS and MGMA CEOs describing the security toolkit.

Message from the CEOs

As small provider organizations increasingly leverage electronic health records and other information technologies, they face significant challenges in their efforts to secure patient information. This is coupled with their efforts to comply with a myriad of existing and newly revised federal requirements. There is also a renewed emphasis on the importance of maintaining the confidentiality of electronic health information due to patient concern and media attention. Providers also recognize that protecting against a breach of health information will require employee training and the development of effective safeguards and reporting processes.

Targeting the needs of these small providers, HIMSS and the Medical Group Management Association (MGMA) (www.mgma.com) have partnered to create the HIMSS Privacy & Security Toolkit for Small Provider Organizations. This useful and practical toolkit will assist first in understanding the rapidly changing privacy and security environment, and then help providers implement an appropriate set of policies and procedures that best meet the needs of their organization. Since smaller organizations may not typically have the resources or technical expertise found in larger institutions, this toolkit will act as a roadmap and resource for clinical and administrative staff to navigate the complex privacy and security laws and regulations and to understand the security components required to participate in Medicare’s “Meaningful Use” EHR incentive program.

We hope this toolkit proves helpful as providers move forward with their health information privacy and security preparations.

I am a strong believer that the more medical practices understand privacy and security issues, the more they will do to protect patient information, so the HIMSS security toolkit is a welcome addition. The only issue I have with it is that it contains too much information, which makes the content hard to digest. In a rough count I came up with around 50+ links to documents, ranging from CMS Security Series paper #7, “Implementation for the Small Provider” (12/10/2007), to Meaningful Use Introduction (2/12/2011). Each of the links provides great information, but taken together it is simply too much. I am not sure who is going to read all of it, digest it, and formulate a plan for protecting patient information. I think this information has to be summarized and put into a form that is easy to understand.

They do offer a method of adding tools to the toolkit, so maybe someone will put a good summary together. Maybe they will use video to make it easier to understand and somewhat entertaining. Reading 50 links and over 500 pages of information is just not that much fun.


Cisco: Hackers shifting towards mobile devices

Source: Cisco 2010 Annual Security Report

Cisco released its 2010 Annual Security Report (pdf). Some of the findings and trends are very interesting. Cisco found that Microsoft’s improvements in Windows 7 and its more aggressive patching of vulnerabilities are making it more difficult for hackers. In response, hackers are shifting their targets to mobile devices.

Hackers are also taking advantage of new opportunities to make money. In response to vulnerability exploits in various Windows PC operating systems, Microsoft has improved security in Windows 7 and taken a more aggressive approach to patching vulnerabilities. This makes it tougher for scammers to infiltrate Windows 7 effectively; having reached the Windows vulnerability “tipping point” (see page 30), they have moved on to other operating systems, applications, software services, and devices such as smartphones, iPads, and iPods. Apple and its products, including iPhones, iPads, and the iTunes media service, have all experienced upticks in exploits. Just as important in driving this trend is the embrace of mobile devices and applications by consumers and enterprises.

Cisco goes on to forecast widespread security incidents involving mobile devices:

The worldwide adoption of mobile devices presents even more opportunities for intrusions and theft. While security researchers have identified many focused scams that target mobile devices, a widespread incident is almost certainly on its way. To date, scams have targeted select groups of mobile users, such as customers of a specific bank. The massive and relatively new market for mobile applications also offers new markets for criminals. Researchers have detected exploits in which wallpaper apps for Android Market, the app store for the Android mobile operating system, have been collecting mobile subscriber information and sending it to a website owned by a scammer.

Cisco points out the emerging problem associated with Social Networks as well:

Criminals continue to take advantage of the high levels of trust that users place in social networking services. They often exploit this trust by masquerading as someone the user knows.

One noticeable shift in social engineering is that criminals are spending more time figuring out how to assume someone’s identity, perhaps by generating emails from an individual’s computer or social networking account. A malware-laden email or scam sent by a “trusted person” is more likely to elicit a clickthrough response than the same message sent by a stranger.

Spammers are not only spoofing social networking messages to persuade targets to click on links in emails—they are taking advantage of users’ trust of their social networking connections to attract new victims. As communications shift from traditional email and toward the messaging features used in social networks, such as those provided by Facebook and LinkedIn, criminals follow closely behind.

Weak passwords continue to be a problem:

In spite of pleading from IT professionals to choose tough-to-guess security passwords, workers are still disconcertingly likely to come up with something like “password1!”—or simply attach a few numbers, like “123,” to the end of a word. The problem of weak, guessable passwords is not a new one, but it isn’t going away—in fact, it’s getting worse, as users are forced to create several passwords for different systems and change them every 60 or 90 days.

The report is filled with really good insight and valuable information. It is written in layman’s terms and very easy to understand. Cisco did a great job with this.
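The weak-password habits the report describes above (“password1!”, a word with “123” tacked on, and the incremented variants that forced 60/90-day rotation invites) can be caught at password-change time. The following Python is an added example written for this post, not code from Cisco’s report or this blog; the short word list is a constructed stand-in for a real dictionary, and the 12-character minimum is an assumption.

```python
import re

# Constructed stand-in for a real wordlist (assumption for this example).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein",
                "qwerty", "admin", "hospital", "clinic"}

# A single word followed by a tail of at most four digits/symbols,
# e.g. "password1!" or "hospital123".
WORD_PLUS_TAIL = re.compile(r"^([A-Za-z]{3,})([0-9!@#$%^&*._-]{0,4})$")


def predictable_tail(password: str) -> bool:
    """True if the password ends in an ascending run (123), a repeated
    digit (111) or a 19xx/20xx year, optionally followed by symbols."""
    m = re.search(r"(\d{2,})[^0-9A-Za-z]*$", password)
    if not m:
        return False
    digits = m.group(1)
    ascending = all(int(b) == int(a) + 1 for a, b in zip(digits, digits[1:]))
    repeated = len(set(digits)) == 1
    year = len(digits) == 4 and digits[:2] in ("19", "20")
    return ascending or repeated or year


def weakness_reasons(password: str, min_length: int = 12) -> list[str]:
    """Return every reason the password matches the patterns the report
    names; an empty list means none of the checks fired."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    m = WORD_PLUS_TAIL.match(password)
    if m:
        base, tail = m.groups()
        if base.lower() in COMMON_WORDS:
            reasons.append(f"common word '{base.lower()}' with short tail '{tail}'")
        elif tail:
            reasons.append("single word with a short digit/symbol tail")
    if predictable_tail(password):
        reasons.append("ends in a predictable digit sequence")
    return reasons


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password only changes the trailing digits/symbols
    of the old one ("Summer01" -> "Summer02"), the rotation shortcut users
    fall back on when forced to change passwords every 60 or 90 days."""
    strip = lambda s: re.sub(r"[0-9!@#$%^&*._-]+$", "", s).lower()
    return strip(old) != "" and strip(old) == strip(new)
```

Run the checks against both the candidate password and the previous one so that a rotation which merely bumps the suffix is rejected as well.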

HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule in much more depth, but for now let’s look at the Security Rule at a high level. The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected. A good comparison of how the HIPAA Privacy Rule and the Security Rule treat EPHI is given in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule. For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document. It goes into further detail on each of the three parts and provides questions and examples to help you better understand the concepts and principles.
