Mobile Data Security a Big Concern

Do you use a laptop that contains patient information? Do you have a list of your patients with their telephone numbers, email addresses and appointment schedule in your smart phone? Are those devices encrypted?

The number of mobile devices we utilize to conduct our businesses has expanded beyond belief. What can we do to make sure that our patient data is not at risk if we utilize these devices to access their information? As providers of behavioral healthcare services, we have special responsibility to protect the sensitive information related to the care of our clients.

The U.S. Department of Health and Human Services is very concerned about the spread of these devices and their innate insecurity. They have developed a special section of their healthit.gov web site to focus on these privacy and security needs.

The HHS video on the topic focuses on five issues:

  1. Lost mobile device
  2. Stolen mobile device
  3. Downloaded virus or malware
  4. Shared mobile device
  5. Unsecured Wi-Fi network

Take a look when you get a chance and learn more about how to protect PHI when using mobile devices. And don’t forget, encryption gives you ‘safe harbor’ under HIPAA, even if you were to experience a data breach.

Does your organization have policies about using mobile devices to access PHI? How do you manage your experience with mobility? Please share your comments below.

 

Will Your Organization Weather a Storm…or Other Catastrophe?

Superstorm Sandy has had major impact on the lives of large numbers of our fellow Americans and colleagues who live in the Northeast U.S. The loss of life, property, and access to conveniences like electricity, warm showers, and transportation has made clear how vulnerable we are to the impacts of catastrophic events.

Sandy has also given us the unfortunate opportunity to evaluate the policies and procedures we have in place for dealing with physical catastrophes.

The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations have in place a Contingency Plan (STANDARD § 164.308(a)(7) Contingency Plan, see page 19):

The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for
responding to an emergency or other occurrence (for example, fire,
vandalism, system failure, and natural disaster) that damages systems that
contain electronic protected health information.”

This requirement is not aimed at giving you one more thing to do. The purpose is to protect the health information of your patients and to make sure that they have access to continuing care. Hurricane Andrew in 1992 and Hurricane Katrina in 2005 demonstrated how poorly prepared we have been to maintain continuity of care for our patients. The requirements of HIPAA are designed to prevent such huge failures as happened previously.

FiercePracticeManagement newsletter suggests three key steps.

  1. Know how your remote data is stored and can be accessed. This assumes that you have your data stored offsite, as it should be. Knowing just where it is and how to access it so you can get your system back up and running without delay is crucial. 
  2. Duplicate needed paper and have it with you. Make sure you have a copy of your schedule with you. Assure that you have with you ways to contact your patients so you can let them know your alternative arrangements for meeting with them.
  3. Plan where you will relocate physical data. Know where that alternative location will be so you can get access to your data again quickly.

 

In HealthCare IT News, Benjamin Harris covers some of the same ground. He also suggests three basic processes, but starts at a more basic level.

  1. On-site safety. How is your hardware and software and record systems protected at your site? Is your server located in the building basement along with the generator? As demonstrated by Sandy, the basement is not the best location for such equipment or records in the case of flooding . . . something that had previously been an issue in hurricanes Andrew and Katrina.
  2. Off-site data. If you are relying on a remote (cloud) storage facility or you need to access your data by means of the Internet, what do you do if your ISP (internet service provider) is down? And if your EHR is an online product, what do you do if those remote computers are underwater and without electricity? Having your schedules for the next week and treatment summaries for each of those patients printed out gives you a week of buffer time to give your vendors a chance to get back up and running.
  3. Accessibility. If you are using such remote storage or providers and they are not in the affected area or can implement access to backups quickly, having the capability of connecting to them becomes your responsibility. You can tether your laptop to your cell phone to reach your service or data in an emergency, as long as you have prepared in advance.

 

Madeline Hyden of the Medical Group Management Association (MGMA) suggests a slightly different but very practical list of steps.

  1. Secure your electronic information.
  2. Get the support of your professional colleagues.
  3. Immediately start securing new office space.
  4. Establish authority: Make sure someone in your organization is responsible to and has the authority to activate your contingency plan.
  5. Communicate with your vendors (hardware, software, backup services, electrical company, landlord, billing service, answering service).
  6. Develop a notification protocol: decide who to contact and how and who does the contacting. Determine just what they will be told.
  7. Communicate honestly with your patients.
  8. Protect your records so you are sure you can have access even if your main system is not accessible.
  9. Practice your emergency plan. If you have not done so, it is possible you will be too traumatized to carry it out.

If you are not sure how to go about establishing a contingency plan, AHIMA has some suggestions for you. This does not need to be a complicated process, but it is a process you need to address if you have not already done so. After all, the U.S. northeast coast did not think they were susceptible to a hurricane-like storm that could cause such disruption.

Whether it is hurricanes, snowstorms, tornadoes, earthquakes, or fires, our electrical systems and business facilities are not impervious to disasters. We must be prepared so our patients can rely upon continued care.  Behavioral health clients are especially susceptible to negative consequences from disruptive events. After all, they are likely to have just experienced the same trauma you did.

We hope all our SOS customers and their patients are safe and recovering in the aftermath of Sandy. We hope any of you, our readers will share your experiences and how you have assured the security of your data.

 

PHI Thieves Are Usually After Financial Information

Now that many physicians and other healthcare organizations are purchasing and utilizing EMRs, they seem to be focused on safeguarding the clinical Protected Health Information (PHI) of their patients. In the process, some are forgetting to protect patient financial information even though it is also PHI.

The FierceHealthIT newsletter of October 24, 2012 indicates that healthcare system data thieves are usually after financial information.

Despite reports of efforts to blackmail patients and the possibility of hacking pacemakers, healthcare data breaches in the end are similar to other cyber crimes, according to a new report from Verizon. In an examination of approximately 60 confirmed data breaches over the past two years, the report concludes that those who attack healthcare systems primarily look for information from which they can make a profit.

According to this Verizon report, point-of-sale systems (credit card machines) and desktop and laptop computers are the most common points of breach. Thieves attack the weakest links in the payment chain. Rather than going after your server, they hack into peripheral equipment that can get them access to this financial information.

Here at SOS, we harp on the need to secure the data in your billing and clinical record software. We have been amazed at the lack of awareness of even our largest customers. Every week, we receive emails that contain PHI or a direct way to get to PHI. Employees of behavioral health organizations often do not realize that sending an email with PHI in it is like sending a postcard with the same information. Anyone who sees that postcard and who knows how to read can take a look at your message. The same is true with insecure, unencrypted email. Anyone who knows how to do so and who has any interest can take a look at your email.

This study indicated that, among the breaches they studied, most of the incidents occurred at businesses that had from one to one hundred employees.

The simple solution….encrypt all PHI while it is resting on your system and while it is in transit from one place to another. If you don’t know how to do that, learn how, now!

Please share your experiences, direct or indirect, with safeguarding PHI. Do you encrypt? What procedures has your organization developed to assure that all of the PHI in your possession is as safe as possible from thieves?

Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (Health Insurance Portability and Accountability Act of 1996) mandated that electronically stored protected health information (PHI) be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) also required additional security measures be utilized for all PHI. HITECH extended the same privacy and security requirements to Business Associates of Covered Entities as to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible to assure that the privacy and security of that information is guaranteed. Not doing a security risk assessment, not having an incident response plan, not having a disaster plan, not having usable backups of your patient information off site . . . all of these things could easily be considered “willful neglect” by the Office of Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR as ignoring the requirements of HIPAA and you are found to be guilty of “willful neglect”, OCR must penalize you. Are you prepared to pay at least a $10,000 to $50,000 fine . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.

 

UCLA and WellPoint Fined for Data Breaches

I am sure many of you remember the reports dating back to 2005 that celebrity patient files were being viewed by casual lookers…employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into an agreement with UCLAHS to settle potential HIPAA violations for $865,500. Additionally, UCLA has made a commitment to correct gaps in their security, to improve their policies and procedures to better safeguard patient information, and to adequately educate their employees.

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because they waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.

It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.                                                                  [Read more; Subscribe]

For me, the important issues here are the following:

  • OCR is serious about data breaches and safeguarding patient protected health information (PHI).
  • State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
  • The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eweek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims is PHI and is protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible to assure that this information is intact, safe from destruction, and secure from preying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location ready at a moment’s notice to replace data on your computer system, you are not even doing the most basic things necessary to provide protection to your patients. You could probably be demonstrated to be guilty of ‘willful neglect,’ the level of culpability that will generate the highest of fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those hand held devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection assures that your data are vulnerable? There is not built-in security in your telephone or tablet. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

Data Security, Backup, and the HITECH Law

A question on one of the psychology listservs I follow got me thinking, yet again, about data security…and backup. The writer asked about the proper procedures to follow when patient psychotherapy treatment records are permanently lost. The question pertained to how the counselor in question should respond to the loss of all of their patient data from a mental health clinical record software program. Since we provide one such program, my attention was immediately attracted.

The other listserv members addressed three issues: recovery of the data from the hard drive, backup of the data, and re-creation of the records from scratch. Because of our experience with customers losing data due to computer failure, I focused yet again on data backup and database recovery. Added to my thoughts this time are the HIPAA requirements for securing protected health information (PHI) and the increased penalties in the HITECH portion of the stimulus bill (ARRA) for breach of privacy and security of PHI.

It is likely that you all remember that HIPAA requires healthcare providers (including psychiatrists, psychologists, social workers, mental health counselors, and community behavioral health organizations) to have in place procedures for securing the PHI of their patients. Most mental health workers with whom I am familiar focus on the privacy aspect of this protection; they see it as their responsibility to assure that the consumer’s information remains private. HIPAA also mandates that providers and their organizations have in place plans to protect the security of their physical data.

The National Institute of Standards and Technology (NIST) has produced Special Publication 800-66-Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule.” A quick search of this document finds that the words “loss of data” are mentioned on pages 38, 77 and 98. The first mention is in a table describing the necessary contents of the Contingency Plan for data security, including a Data Backup Plan. The sections of this document that focus on the Contingency Plan and the Disaster Recovery Plan are the ones most concerned with electronic data storage.

If your organization, including your private practice of psychology or psychiatry, does not have a Contingency Plan and a Disaster Recovery Plan, however brief, you are living dangerously. And, of course, you must implement your plan to secure your PHI, not just have a plan.

How does this pertain to you? Let’s start with your data backup plan. What is it? Who in your organization is responsible to implement it? What are the consequences if it is not implemented?

One of our customers,   W. E. (Bill) Benet, Ph.D., Psy.D., Clinical Psychologist, Gainesville, FL  WEBenet.com | Assessment Psychology.com describes his experience and current backup strategy.

“I mentioned Eco Data Recovery in my previous note because I had to use their service a number of years ago after the hard drive on my main office PC mechanically failed and became inaccessible while backing up to a tape drive, corrupting the data on the tape. Fortunately, Eco was able to recover all of the data from the hard drive, by disassembling it in a ‘clean room’ and scanning the data off the individual platters. Luckily, the data on the hard drive hadn’t been corrupted, but it very easily could have been, and I would have lost years of billing records and reports.”

“But what about data that has become insidiously corrupted without being immediately obvious?”

“Today, I employ a simulated RAID backup strategy involving nightly network backups to two external USB drives, as well as from one PC to the other, AND continuous 24/7 incremental offsite backups, using Carbonite. Hopefully, if corrupted files are discovered days or weeks later, those incremental backups will save the day, at least for a while.”

Here at SOS Software, we all too often run into an organization where the principals thought they had an excellent data security plan, only to find out that their plan had not been effective or had not been implemented by the person(s) who were responsible to do so.

One of the obstacles we run into is the common belief that “it can’t happen to us.” We all know this is magical thinking; of course, it can and does.

Another often-believed myth is “I don’t really need to worry about data on my PC; data can always be recovered from a hard drive if there is a problem.” While this belief is sometimes true, it often is not. If the files lost when a computer crashes are in a complex, proprietary relational database, they sometimes are totally irretrievable. They are not text files where parts can be grabbed and some sense made of the data.

Our product uses Sybase ASA as its engine because that database creates a transaction log that can allow us to completely recreate every keystroke the user made…if the log file is intact. In fact, we use Sybase because of this capability to completely recreate the database if it is necessary to do so. As long as we have a usable starting point, we can restore the entire database from the log file…if we have an intact log file.

Two problems can intervene. 1. With our products as with many others, if the backup is done while the database is running, certain of the files are not backed up because they cannot be accessed completely. Some backup software products will tell you they can back up even when the program is running. That is not true with SOS products. 2. Hard drives often fail gradually becoming literally “flaky” over time. If key sectors of the log file are lost, it is impossible to recreate the database from the log, even if there has been no overwriting of the database.

Also, sadly, even folks who believe they responsibly make backups, never test those backups to assure they can be restored properly, and they often use the same backup medium overwriting old backups. If the hard drive has been gradually failing, destroying parts of the files as it goes, then backups of those bad files become bad too…all of this over time with no noticeable degradation of performance of the database.

Then the catastrophe occurs…a power surge or some other event causes a crash of the hard drive and the database will not restart when the computer is rebooted!

As indicated by comments on my post of November 19, 2008, The Indispensable Data Backup, among my readers are many folks who are sophisticated computer users who are responsible enough to use multiple methods of backing up their patient data. Using a rotating system of backing up with permanent, non-incremental backups created periodically and stored off-site, is crucial. The strategy we recommend is in document 125 on our main web site.

If you have never tried restoring from one of your backups, you have not completed the process. Unverified backups are useless backups. Useless backups equal insecure PHI. How big a risk taker are you?

Please add your comments by clicking on the title of this article and typing in the box at the bottom of the page.

Are your passwords HIPAA secure?

Standard advice for securing computer systems is to require users to change passwords frequently. Something about this recommendation has always bothered me, but I never really thought it through. A current blog posting at Healthcare Informatics by Dale Sanders really hits the nail on the head. He points out that these change-passwords-frequently policies actually undercut password security rather than enhancing it, once you factor in human psychology. If you have to replace your password frequently, you will probably come up with something simplistic, or resort to a post-it note on the monitor, or maintain a paper list. It would be far more secure to create a single, strong password or passphrase and continue to use it for a much longer period.

To manage passwords used on the web, you can’t go wrong with Roboform. Create a strong master password (long, and using a combination of letters, numbers, and special characters), then let Robo’s password generator suggest strong passwords for individual web sites. Once you select and use a password on a web site, Robo will remember and “type” it in for you when you next visit that site. All you have to do is enter your master password once in each browser session; Robo uses that to unlock your password library and cleverly selects the right one whenever you hit a login window. There is even a version of Roboform that you can install on a USB “thumb” drive, so you can securely carry your passwords with you for use on multiple computers, or even public computers when traveling.

In the course of providing technical support on our billing and EMR software, I am exposed to the password selections of many of our users. It is amazing how rare it is to find anyone using serious passwords. Names, almost surely loved ones or pets, are the most common, but way too frequently I see passwords that are identical to user IDs, or non-passwords like “123” and “password”. Although we have optional rules in our products that would require strong password choices if enabled, they rarely are used.

Coming up with an easily remembered, secure, master password is not really all that hard. Just think up a short sentence that includes punctuation and some numbers. You can check the quality of your choice using Microsoft’s password checker.

Here’s an example: “Turning 60! soon.” This easily remembered phrase is actually more secure than “3-vO$aLKG7”, which conforms to all the standard password creation advice.

Maintaining medical privacy is serious business. Current HIPAA rules provide for serious penalties when medical information is not properly secured. Are you guilty of password negligence yourself?

Seth Krieger

To comment on this article, click on the title and enter your comment at the bottom of the article.