Archive for HIPAA Summit

Mar 27

Dr. HIPAA: Thank me for your jobs


HIPAA Summit nuggets from William R. Braithwaite, MD, PhD, “Doctor HIPAA”; Chief Medical Officer, Equifax; Former Senior Advisor on Health Information Policy, HHS, Washington, DC (Co-chair):

  • Dr. HIPAA: “You all owe your jobs to me,” Braithwaite said (he helped craft the rules and regulations of HIPAA).
  • The Privacy Rule: Don’t surprise the patient with a use or disclosure they don’t expect; “it’s that simple,” Braithwaite says.
  • HIPAA says you must get your health record when you ask for it, but some providers still think they don’t have to give it to them on occasion.
  • 50,000 comments were received on the first proposed HIPAA rule.
  • If you don’t encrypt a mobile device you are in violation, because you have to put in reasonable protections, and encryption is the only protection for mobile devices.
  • Take reasonable and appropriate steps to reduce risk; those terms are used throughout all pages of the privacy and security rule.
  • Don’t just train once, “as some of you have done,” Braithwaite said, widening his eyes at the audience. Do it at least annually and have training material reflect what you found in your risk assessment.
  • Username and password alone are not satisfactory protection for logging in from a home computer.

Categories: HIPAA Summit
Mar 27

Patrick: Who are your BAs?


HIPAA Summit nuggets from Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates LLC, Purchase, NY:

  • Often, we see providers with extensive lists of “business associates,” but often some of them are not actually BAs. Most organizations can shorten that list. The first thing is to look at your list to make sure you have all BAs on the list. Most lists are 20 percent too long.
  • Someone has to be the focal point of managing business associate contracts and relationships. It does take time, but if you haven’t done it already, you need to step back and take a look at the BA agreement in a “new light” and see what you can do with it. It has to be on your risk profile.
  • Have you prioritized your BAs? Higher-risk companies might be billing services, record management, IT vendors, etc. And have you identified where your PHI resides?
  • It may be a good idea to survey your BAs. What kinds of privacy and security policies and procedures do they have in place?

HIPAA Summit nuggets from Sharon D. Nelson, Esq., president, Sensei Enterprises, Inc., Fairfax, VA; and John W. Simek, vice president, Sensei Enterprises, Inc., Fairfax, VA:

  • You may have a great security plan, but it’s only as good as your incident response plan for breaches.
  • Where did attacks on your organization originate: is it internal or external? You may have to do forensic investigation and preservation.
  • Containing a breach? Just because you block a certain IP address, if they’re already in, it doesn’t matter. You have to block them out.
  • No. 1 failure we see on breach response? Failure to patch things.
  • If you’re running something like Windows 98, you may want to update that. Turn things on like failed log-in detection. It may not be a default feature.
  • Physical security is a concern; a server is right behind a receptionist in a doctor’s office — not good
  • Any eight-character password can be broken in two hours. You need 12 characters these days; it takes 17 years to hack a 12-character password. “Eight-character passwords are dead,” Nelson said.
  • Have an exit/termination checklist. When an employee is no longer with the company, did you get back all keys, tokens, passwords and log-ins, and disable remote access?
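As an added example (not from the Summit or from Nelson and Simek), here is the kind of failed-log-in detection they recommend turning on, run over constructed sshd log lines; the host name, user names, addresses and the log year are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the page); the year is assumed
# because syslog timestamps omit it.
SAMPLE_LOG = """\
Mar 27 08:01:10 ehr01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 27 08:01:14 ehr01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 51023 ssh2
Mar 27 08:01:19 ehr01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 51024 ssh2
Mar 27 08:01:23 ehr01 sshd[2101]: Failed password for jsmith from 203.0.113.7 port 51025 ssh2
Mar 27 08:15:02 ehr01 sshd[2150]: Failed password for nurse1 from 198.51.100.20 port 40110 ssh2
Mar 27 08:40:31 ehr01 sshd[2190]: Failed password for nurse1 from 198.51.100.20 port 40111 ssh2
Mar 27 08:40:40 ehr01 sshd[2190]: Accepted password for nurse1 from 198.51.100.20 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2012):
    m = LINE_RE.match(line)
    if not m:
        return None                   # not a password-auth line
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["ip"]

def detect_failed_logins(text, threshold=4, window_seconds=300):
    """Alert once per (ip, user) when `threshold` failures land inside a sliding window."""
    recent = defaultdict(deque)       # (ip, user) -> timestamps of recent failures
    alerted, alerts = set(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, user, ip = parsed
        key = (ip, user)
        if not failed:                # a success ends the failure streak
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ip, user, len(q), ts))
    return alerts
```

With the defaults, the four rapid jsmith failures trigger one alert, while nurse1's two failures 25 minutes apart stay below the window and the later successful login clears the streak.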

HIPAA Summit nuggets from J. David Kirby, president, Kirby Information Management Consulting LLC; Former Director, Information Security Office, Duke University Health System, Durham, NC:

  • 39% of privacy breach incidents on the OCR “Wall of Shame” (the website listing breaches of 500 or more) have occurred on a laptop or mobile device
  • 88% of exposed records are mobile-media related
  • Ponemon study says 60% of breaches have a strong malicious component
  • Business associates involved in half of breaches

HIPAA Summit nuggets from Uday O. Ali Pabrai, CISSP, CHSS, CEO and co-founder, ECFirst (Home of HIPAA Academy), Newport Beach, CA:

  • Pabrai went home to his native India this past week, made an Indian breakfast, and of course started thinking about HIPAA. He made an Indian masala omelette and thought how much can go into one. It’s just like a HIPAA security compliance plan — a lot goes into it.
  • The very first specification in the security rule is risk analysis. Hackers broke into the United Nations computer system and hid there for two years. How do we know someone is not in our hospital computer system? Risk analysis lays the foundation for the next specification in the security rule — risk management.
  • 60,000 attacks per day on a DMZ, which is, according to Wikipedia, “a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.” Pabrai: It’s a matter of which one of these attacks is going to get through? “It’s relentless,” he says.
  • The Wall Street Journal reported the identity of 12,000,000 Americans was compromised this past year, a 13 percent rise. 62 percent of us don’t have a password on the home screen
  • OIG report from last May and the Blue Cross Blue Shield settlement with OCR this month represent a good security-compliance measuring stick for organizations
  • We have to make sure we can communicate the right message to business associates and have the right information in those business associate contracts, Pabrai said.
  • PCI DSS — security standards on the payment card industry — represents a strong set of standards providers can apply to HIPAA security.