Tuesday, April 3, 2012

Houston-Healthcare | Houston-EMR

http://citiscapeit.com


From a developer's point of view, an I.T. system needs to provide sufficient tools to fine-tune security and system access. However, it remains the responsibility of those in charge of the health care environment to implement these tools correctly to protect PHI. This is our specialty at Citiscape IT.



http://citiscapeit.com/Houston-Information-Security.html






We would suggest the following as the bare minimum requirements for any health care I.T. system:

1. The system should be configurable to allow or deny access to any part of the system that may contain patient info. This access can be fine-tuned to allow read/update/insert and delete permissions to prevent unauthorized viewing/changing/creation or deletion of patient info.


2. Complete audit trail of: WHO changed, created or deleted WHAT.

3. It must also limit access to reports containing patient info. If you cannot view certain data, you should also not be able to generate any reports that allow you to do so. This is a common mistake made by I.T. systems.


http://citiscapeit.com/Houston-IT-Audit.html


4. The ability to distinguish between routine patient info and confidential patient info. Some lab tests are "more" confidential than others and may only be viewed and updated by a select few. Point 3 above (confidential results leaking through reports) is a common problem at this level of confidentiality.

5. If you email confidential data, it should be encrypted and password protected.

6. A system capable of distinguishing between confidential and routine data should also be able to limit where this data may be printed. Some systems, for instance, do not allow the printing of confidential results directly to ward printers; instead, a single "Confidential Printer" per site is defined as the only printer that will allow users to print confidential results. This printer may be in a locked cupboard or a supervisor's office, or it may be a printer that automatically places all reports in sealed envelopes.
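As an added illustration (not code from the original post or from Citiscape IT), here is a small Python model of points 1 through 4 above: per-table read/update/insert/delete permissions, a confidentiality level on lab results, an audit trail of who did what (with before/after values on updates), and a report path that reuses the same access check so a report can never reveal what a direct read would hide. All role names, users and results are constructed.

```python
from dataclasses import dataclass

ROUTINE, CONFIDENTIAL = "routine", "confidential"


@dataclass
class Role:
    perms: dict               # per-table permissions, e.g. {"lab_results": {"read", "update"}}
    clearance: str = ROUTINE  # highest confidentiality level the role may see


@dataclass
class LabResult:
    patient_id: str
    test: str
    value: str
    level: str = ROUTINE


class AccessDenied(Exception):
    pass


class Emr:
    """Constructed EMR stub: one table ('lab_results'), an audit trail and reports."""

    def __init__(self, roles):
        self.roles, self.results, self.audit = roles, [], []

    def _check(self, user, role_name, action, table, level=ROUTINE):
        role = self.roles[role_name]
        allowed = action in role.perms.get(table, set()) and (
            level == ROUTINE or role.clearance == CONFIDENTIAL)
        # Every decision, allowed or denied, is recorded: WHO tried WHAT on which table.
        self.audit.append({"who": user, "action": action, "table": table,
                           "level": level, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user} ({role_name}) may not {action} {level} {table}")

    def insert_result(self, user, role, result):
        self._check(user, role, "insert", "lab_results", result.level)
        self.results.append(result)

    def update_result(self, user, role, patient_id, test, new_value):
        target = next(r for r in self.results
                      if r.patient_id == patient_id and r.test == test)
        self._check(user, role, "update", "lab_results", target.level)
        # Record before/after so the trail shows WHAT changed, not just that it did.
        self.audit[-1]["change"] = {"test": test, "from": target.value, "to": new_value}
        target.value = new_value

    def read_results(self, user, role, patient_id):
        self._check(user, role, "read", "lab_results")
        clearance = self.roles[role].clearance
        # Rows above the caller's clearance are removed from the result set itself.
        return [r for r in self.results if r.patient_id == patient_id
                and (r.level == ROUTINE or clearance == CONFIDENTIAL)]

    def patient_report(self, user, role, patient_id):
        # The report path reuses read_results, so it can never show more than a direct read.
        rows = self.read_results(user, role, patient_id)
        return "\n".join(f"{r.test}: {r.value}" for r in rows)


def demo():
    # Constructed scenario: a ward nurse versus a clinician cleared for confidential results.
    emr = Emr({
        "ward_nurse": Role({"lab_results": {"read", "update"}}),
        "attending": Role({"lab_results": {"read", "update", "insert", "delete"}}, CONFIDENTIAL),
    })
    emr.insert_result("dr_lee", "attending", LabResult("P-001", "CBC", "normal"))
    emr.insert_result("dr_lee", "attending",
                      LabResult("P-001", "HIV-1 Ab", "pending", CONFIDENTIAL))
    emr.update_result("dr_lee", "attending", "P-001", "HIV-1 Ab", "negative")
    try:  # the nurse may update routine results but not a confidential one
        emr.update_result("nurse_kim", "ward_nurse", "P-001", "HIV-1 Ab", "positive")
        nurse_blocked = False
    except AccessDenied:
        nurse_blocked = True
    return {
        "nurse_report": emr.patient_report("nurse_kim", "ward_nurse", "P-001"),
        "attending_report": emr.patient_report("dr_lee", "attending", "P-001"),
        "nurse_update_blocked": nurse_blocked,
        "denied_events": sum(1 for e in emr.audit if not e["allowed"]),
    }
```

Running `demo()` shows the nurse's report containing only the routine CBC line while the denied update attempt is still present in the audit trail.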



http://citiscapeit.com

We specialize in Houston-Healthcare IT Projects
Citiscape IT
281-733-2422
Call us for EMR Projects and Business Practice Needs


Monday, April 2, 2012

Houston-Healthcare | HIPAA Security


How Safe Is Wi-Fi?

Society is increasingly moving from the Information Age to the Connected Age and so Wi-Fi has become very popular.  Case in point.  You’re on the move so much and need to stay connected to your office, your clients, your children and their schools, your friends and other events, and so you connect everywhere you go through smart phones and laptop computers.  You connect at local Wi-Fi coffee shops, bookstores, fast food restaurants, airports, hotels, grocery stores, shopping malls, and libraries.

But, how safe is this?  While you’re using a Wi-Fi connection, any other user within range could be monitoring your internet usage if your device is not protected.  Sending unencrypted information over any unfamiliar network can turn your computer into an “open book” with pages full of your “personal” information.

Wi-Fi zones in airports, hotels, coffee shops, and the like are generally designed for ease of use and convenience, rather than security. The ability to get online quickly and freely often trumps network security protection.  So, what can you do to be safe?


Protect your connection device.  Busy Wi-Fi locations are target-rich environments for the potential hacker.  A recent conference of internet professionals pointed out that by simply running a sniffer program (available free on the internet) on the local network, an intruder can easily obtain your private information, such as login usernames and passwords, if your device is unprotected.

Install security software and keep it updated.  Just as with regular wired connections, personal firewalls can alert you if your computer's wireless connection is being invaded and can block the intrusion.  You might look for security software which provides not only antivirus, antispyware, and antimalware security, but also a software security firewall which will alert you if anyone is attempting access to your device.





Secure login.  If you are accessing a page that requires a login and password, or if you are entering ANY personal data (credit card, SSN, etc.), be sure that you are on a secure site. Simply check that the web address begins with https instead of the usual http and your information will be safely encrypted before transmission. As long as you're on a page with an address that begins with https, the data you send and receive is protected from sniffers and snoopers.

Web-based email.  Be on your guard: some web-based email providers have a secure login page, and after you're logged in the access reverts to normal non-encrypted mode, so any email you send or receive while on a wireless connection is out in the clear.  Look for the link or checkbox for the secure login when accessing your web-based email. If your service doesn't offer one, consider switching or decide to live with the security exposure.

Shoulder surfers.  Just like when you're entering your PIN code at an ATM, you need to keep an eye open for anyone who might be glancing over your shoulder while you hunt and peck in the airport or coffee shop.

Use strong passwords. Whether it's a virtual private network, a laptop, or your home computer you share with your family, the weakest point of security is the login. Using commonly guessable passwords or default passwords ("admin," "password," etc.) can render your computer open to anyone who wants a look at the contents. Use random combinations of letters and numbers for passwords and change them frequently. 



Don't automatically connect to open networks.  Many laptops have wireless connections set to pick up any open signal by default. While this may be convenient, it can also open you up to security risks. It's best to set your wireless connection to work manually, so that it only connects to networks when you instruct it to.

Disable P2P connections.  Many Wi-Fi hackers set up "ad hoc" networks disguised to look like verifiable networks in airports and the like. They'll usually have names like "Free Wifi", "Free Airport Wireless," etc., and many ad hoc culprits will camouflage their fake networks to look exactly like the real thing. Turn off your P2P connections for wireless unless you're certain you are connecting to a verified, trusted network.

Power down. If you're working offline for extended periods of time, shut down or disable your wireless connection. Every minute you're on someone else's wireless network is a minute you're exposing your device and your data to intruders. 



Monday, March 26, 2012

Houston Healthcare Information Security




Many healthcare organizations are ramping up their use of mobile devices before they have appropriate privacy and security policies, procedures and technologies in place, some experts say.






Every "expert" should be saying this, not just some. There should be nothing surprising about this "cart before the horse" situation. You must have a context in which to write and then apply a policy: no point in setting up do's and don'ts if you can't first precisely define what either is.

One must recognize that policies are like laws in this way: a law is drawn up and installed 99% of the time after the act it outlaws has been committed, probably several times. Both are by their very nature retroactive in the sense that the act itself creates the context and the conditions by and through which to frame the law or policy - to attempt to do it the other way round would create a policy in a vacuum, which would be quite ill-suited for application.

The user-driven influx of mobile devices that is forcing healthcare organizations to contend with mobility, presence, wireless, etc is reflective of what other sectors are also dealing with (BYOD). We consult on this matter and have been doing so for years. We are Board Certified by ASIS International & ISACA, licensed by The State of Texas. Contact us today for a security assessment and our compliance services offerings especially for the Houston Medical Community.

The only smart approach to this situation is to recognize it will force its way into your enterprise, whether you want it to or not (especially true if it is the younger docs that are the force behind it). The smart CTO/CIO will realize this (hopefully has already) and will reach out to embrace it, even (gently) advocate for it. The question becomes "how can we best enable the effective and secure use of this to add capability and functionality that serves our community?" The CTO/CIO is expected to enable, not disable.

To address the mobile onslaught with a "No, we will not allow its use" will very likely get the CxO marginalized and place them off the "Trusted Ally" list. It is not unlike the logic behind "keeping one's friends close, and keeping one's enemies closer".








What About Texting?


The explosion in the use of texting among physicians and nurses is creating new security issues. For example, some answering services send to a doctor's smart phone an unencrypted text message containing a patient's name, phone number and symptoms, which creates risks for privacy violations, notes Adam Kehler, quality and security specialist at the consultancy Quality Insights of Pennsylvania.
"So a risk assessment has to go beyond just electronic health records" when sizing up risks to protected health information, he stresses.
While it investigates secure texting technologies, Adventist Health System has banned communicating patient-specific information through texting, says Sharon Finney, corporate data security officer at the 44-hospital system.


Mobile Applications and Malware



Another area of risk involved in using the latest smart phones is exposure to malware, says Jacob DeLaRosa, M.D., a cardiovascular surgeon at the Portneuf Medical Center, Idaho State University. He recently downloaded an application designed to help him calculate the Body Mass Index that turned out to include a virus that automatically sent messages about Viagra to his contacts. When selecting new apps, "you have to assume that they're not secure," Gallagher stresses. Healthcare organizations must test-drive all apps before clinicians are allowed to use them and must educate users on the necessary security provisions tied to new apps.

By year's end, HHS plans to offer videos, tip sheets and other guidance on security for mobile devices, says Joy Pritts, ONC's chief privacy officer. "Given the rapid adoption of mobile devices against the backdrop of the breach incidents reported, there's been a growing concern about the use of these devices because of their vulnerability," Pritts says. "The mobile device privacy and security good practices project is one of the ways we hope to address these concerns."




Sunday, March 25, 2012

Houston-Healthcare








A sound information security plan covers a multitude of best practices. However, three areas are critical to an effective program: risk analysis and mitigation, effective handling of breach notifications, and sound compliance practices. Nationally recognized experts will provide an update on best practices across these three important components of an information security program. Risk Analysis (in HIPAA Security Rule parlance) is a fundamental, foundational step for any infosec program; of course, HIPAA Security actually requires both an Evaluation (at 45 CFR 164.308(a)(8)) and the Risk Analysis (at 45 CFR 164.308(a)(1)(ii)(A)).


The consequences of data breaches are starting to seriously affect organizations. Many companies do not realize that, for them to be compliant, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)). However, 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka masked, obfuscated, redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.


Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses. Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers. “The cost of dealing with the breach was prohibitive” for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what’s left to pay off their debts.


It’s a numbers game when it comes to information security risk management.  The bigger the numbers the harder it is to manage the risk of unauthorized access to protected health information.


Risk Assessment and Management
By “numbers”, we mean the number of vulnerabilities that create risk.  For example, in how many locations in an organization does identifiable health information exist, and what controls are in place to protect it from unauthorized access?   How many workstations, laptops, flash drives, servers, network devices, portable devices, smart phones, media, etc. exist in an organization?  How about remote access, wireless access, email accounts?  How about data stored in “the cloud”? The numbers grow when comparing a single-practice physician to an ambulatory clinic, to a hospital, to a health system, to an accountable care organization (ACO) and health information exchange (HIE).







No matter what size and complexity an organization is, a good starting point is to assess / analyze the potential locations and vulnerabilities of protected health information. This is something that must be done periodically in order to manage change and a service we specialize in. The objective should be to eventually limit the number of locations, lock down the majority of user workstations, and protect media that is vulnerable such as authorized portable devices with security controls including encryption that complies with HITECH / NIST standards. Remember that if lost or stolen protected health information is properly encrypted, there is no breach.  There have been enough breach notifications involving lost or stolen portable devices to give all of us an understanding of the risk level.  At some point, very soon, if not now, a breach due to a lost or stolen unencrypted portable device will be considered willful neglect, and the $$ penalty will be substantial.  Call us for more information on helping your Houston Medical Practice reduce your liability and remain compliant with HIPAA and ADA. We have in-house offerings for Houston Medical Practices that are cost-effective and practical. 

Monday, February 13, 2012

IT Consulting Companies Houston


Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. The National Institute of Standards and Technology (NIST) Cloud Computing Guidelines on Security and Privacy document lets the cloud service provider off the hook for security. It's hard for the customer to see what insider threats might occur or how virtualization security is being handled, and most of the providers are loath to document what controls they have put in place, if any. In the end, who is responsible for Cloud Security? END USERS, says the NIST!

Where would you rather drop your wallet - on the hallway of your home, or on a busy sidewalk downtown?

Similarly:

- Where would you rather have a tire blowout? On your driveway or on a public street?

- Where would you rather throw away a hard disk you haven't completely erased - or paper documents poorly shredded - in your private dumpster, your fireplace, someone else's dumpster, or a public recycle bin?

- Where would you rather talk about corporate secrets? In your conference room, or your ISP's conference room?

- In which scenario will greater loss of life occur? One plane out of one - with 300 passengers aboard - crashes, or one of 300 planes - each with 1 passenger aboard - crashes? Where is your laptop less likely to get stolen, your shoulder less likely to be surfed, your body less likely to catch a cold?

- Where would you rather use your password to log in - taking the risks that accompany that action - from your desk to your server room in the same building occupied exclusively by you, or from your desk to another company's server room in another city?

Clouds offer the cost benefits that they do - which go almost entirely to their owners - via the sharing of resources. The flip side of this coin - the exact same thing restated - is that they deny any and all benefits availed by the use of the opposite - user-owned, dedicated resources.

So:

- Your switched traffic can now be sniffed, whereas it wasn't before

- You can not erase your hard disks when you are done using them, whereas you could before

- Your stuff can be seized by the FBI when your neighbor gets investigated, whereas it wasn't before

- Your security can't be known to be correct, whereas it -could- have before, had you spent the time to do so. Admittedly, nobody does, by and large.


If you’re not working with a local IT specialist who is board certified in information security and licensed by the State of Texas, use the link above to schedule an initial consultation.



The biggest benefit by far - the dollars in cost savings from the power and cooling reductions and from overbooking - go to the cloud owner, not the customer. Learn the facts and get a professional involved before dedicating your proprietary assets to an environment that you have no control over.

Sunday, February 12, 2012

HIPAA 5010 Grace Period and HIPAA Best Practices for CE’s

HIPAA 5010 (aka HIPAA X12) is the new standard regulating electronic transmission of health care transactions, which is slated to start January 1, 2012. CMS (Centers for Medicare & Medicaid Services) has granted a grace period of 90 days before enforcement of this new transmission standard in a CMS Statement dated Thursday, November 17, 2011. The official document can be viewed online: http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf
The transactions specified in the HIPAA 5010 standards are as follows:
270/271 Eligibility Benefit
276/277 Claim Statuses
820 Payroll deductions and group premium payments for insurance
834 Benefit Enrollments & Maintenance
835 Health Care Claims Payment Advice
837 Health Care Claims (Professional, Institution, and Dental)
The entities required to upgrade are physicians, hospitals, payers, clearinghouses, pharmacies and dentists. Software vendors will need to upgrade their products to support the new 5010 compliant transmission standard. Practices must communicate with their vendors to determine what technology upgrades will take place, plus any additional costs incurred for these upgrades. The Centers for Medicare & Medicaid Services provide an implementation guide and more details on 5010, which can be downloaded online at http://www.cms.gov/ElectronicBillingEDITrans/18_5010D0.asp. It will assist practices in conducting a gap analysis and compares the old 4010 standard to the new 5010 standard.
The American Medical Association provides a wealth of resources available for free at www.ama-assn.org/go/5010. The AMA’s preparatory fact sheet on planning and tactical implementation of the HIPAA 5010 standard is as follows:
1. Impact Analysis – Conduct an internal impact analysis to determine how much of a change the switch to 5010 will have on your current business practices and systems.
2. Contact your Vendors, Payers, Billing Service and Clearinghouse – Contact vendors for specific details regarding system upgrades, and ask them about when they expect their upgrades to be completed, and when they’ll be able to accept 5010 transactions.
3. Installation of Vendor Upgrades – Schedule the system upgrades according to your vendor’s readiness, and ensure the installation of upgrades is complete.
4. Internal Testing and Staff Training – Once upgrades are completed, conduct internal testing of your systems to ensure you can generate and handle the 5010 transactions. Leave a margin of time for issue resolution and staff training on the new system.
5. External Testing with Clearinghouse, Billing Service and Payers – Contact your vendors to conduct external testing with them to ensure you can send and receive transactions properly.
6. Make the Switch to 5010 – After completing external testing, you may switch to using only 5010 transactions.
Any claims or bills your practice submits after Jan. 1, 2012 that are not in compliance with the new HIPAA 5010 format will get rejected, but this enforcement grace period will allow your practice to resubmit in the appropriate HIPAA 5010 compliant format without being subject to a penalty. Smaller payers and Medicaid carriers will probably especially welcome this grace period. Physician groups, as well as hospitals, may have to continue to file some claims in the 5010 compliant format plus the current 4010 format, unless clearinghouses can translate claims back to the 4010 format.
HIPAA Best Practices for Covered Entities:
  • Have sound company policies in place and well documented. This includes (but is not limited to) data management, security (administrative, physical, & technical), hiring policies as well as outsourcing to third party policy and guideline. Doing this from the ground up will save your practice money in the future by building a solid foundation to run your practice as well as tying into HIPAA compliance.
  • Have a sound electronic usage policy in place, and require all staff to read the policy and sign / date it and keep this in personnel files.
  • Document and follow a sound password policy (computer logins, access to ePHI (Electronic Protected Health Information), etc.).
  • Have a remote device policy in place. Laptops, smart phones, USB drives and other remote devices should be required to be encrypted. Encryption techniques and mechanisms of sensitive information should be known to only a select few in the organization.
  • Document a disaster recovery plan as well as business continuity plan.
  • Have an IT disposal policy in place (what you do with obsolete equipment). If you outsource your information technology, make sure they follow HIPAA guidelines. This includes, but is not limited to, doing DOD 5220.22-M (Department of Defense) wipes on the hard drives before redeploying a workstation that previously contained ePHI or other sensitive information. This includes copiers and fax machines, which have hard drives in them. You would be surprised at how many copiers and fax machines wind up being returned to the leasing company (after the lease expires) with sensitive data on that hard drive. Most of these copiers and fax machines are resold on the market after they have reached their operating potential, and data on the hard drive is easily recovered by anyone with the know-how.


Friday, February 10, 2012

Houston HIPAA, EMR, EHR, PPM



With HITECH extending a Covered Entity's liability out to their Business Associates, how are you ensuring your Business Associates are compliant in order to mitigate risk to your organization?


You could similarly ask HOW a CE maintains the "satisfactory assurances" required by the HIPAA Security Rule and the Privacy Rule. Having the contractual right to audit the BA's security procedures may only create more liability if it is never used and no audits or reviews are done. Most BAs would not be eager to share their risk analyses with CEs. It is not realistic that you would be able to perform an onsite audit of all of your BAs. The only logical way is to survey them and ask for their Privacy and Security Policies and Procedures, which would include training and how they protect data, along with all of the rest of their compliance plan. The real issue is the storing of this data along with your data. The bottom line of a compliance plan is not only what you put in it to show due diligence but making sure the right people in your organization have access to it. There are cost-efficient ways to do this, and if you are not doing it and your BA is breached, you can be assured they will find you in willful neglect.



An alternative to actually requiring a copy of an annual risk assessment or conducting your own audits would be to require an annual attestation by an accredited third party auditor that confirms compliance for the BA. This might be acceptable to a BA who is reluctant to share actual audit data. Put a process in place to have the attestation reviewed by someone in your own IT Security Department, or compliance office, and keep it on file. The costs for such an exercise might likely be shared, but if the BA does business with a bunch of healthcare organizations, they'll likely absorb this as an overhead cost since they'd be required to do this across the board.