Monday, March 26, 2012

Houston Healthcare Information Security


Many healthcare organizations are ramping up their use of mobile devices before they have appropriate privacy and security policies, procedures and technologies in place, some experts say.






Every "expert" should be saying this, not just some. There should be nothing surprising about this "cart before the horse" situation. You must have a context in which to write and then apply a policy: no point in setting up do's and don'ts if you can't first precisely define what either is.

One must recognize that policies are like laws in this way: a law is drawn up and installed 99% of the time after the act it outlaws has been committed, probably several times. Both are by their very nature retroactive in the sense that the act itself creates the context and the conditions by and through which to frame the law or policy - to attempt to do it the other way round would create a policy in a vacuum, which would be quite ill-suited for application.

The user-driven influx of mobile devices that is forcing healthcare organizations to contend with mobility, presence, wireless, etc., reflects what other sectors are also dealing with (BYOD). We consult on this matter and have been doing so for years. We are Board Certified by ASIS International & ISACA and licensed by the State of Texas. Contact us today for a security assessment and our compliance services offerings, especially for the Houston Medical Community.

The only smart approach to this situation is to recognize it will force its way into your enterprise, whether you want it to or not (especially true if it is the younger docs that are the force behind it). The smart CTO/CIO will realize this (hopefully has already) and will reach out to embrace it, even (gently) advocate for it. The question becomes "how can we best enable the effective and secure use of this to add capability and functionality that serves our community?" The CTO/CIO is expected to enable, not disable.

To address the mobile onslaught with a "No, we will not allow its use" will very likely get the CxO marginalized and place them off the "Trusted Ally" list. It is not unlike the logic behind "keeping one's friends close, and keeping one's enemies closer".








What About Texting?


The explosion in the use of texting among physicians and nurses is creating new security issues. For example, some answering services send to a doctor's smart phone an unencrypted text message containing a patient's name, phone number and symptoms, which creates risks for privacy violations, notes Adam Kehler, quality and security specialist at the consultancy Quality Insights of Pennsylvania.

"So a risk assessment has to go beyond just electronic health records" when sizing up risks to protected health information, he stresses.

While it investigates secure texting technologies, Adventist Health System has banned communicating patient-specific information through texting, says Sharon Finney, corporate data security officer at the 44-hospital system.


Mobile Applications and Malware



Another area of risk involved in using the latest smart phones is exposure to malware, says Jacob DeLaRosa, M.D., a cardiovascular surgeon at the Portneuf Medical Center, Idaho State University. He recently downloaded an application designed to help him calculate the Body Mass Index that turned out to include a virus that automatically sent messages about Viagra to his contacts. When selecting new apps, "you have to assume that they're not secure," Gallagher stresses. Healthcare organizations must test-drive all apps before clinicians are allowed to use them and must educate users on the necessary security provisions tied to new apps.

By year's end, HHS plans to offer videos, tip sheets and other guidance on security for mobile devices, says Joy Pritts, ONC's chief privacy officer. "Given the rapid adoption of mobile devices against the backdrop of the breach incidents reported, there's been a growing concern about the use of these devices because of their vulnerability," Pritts says. "The mobile device privacy and security good practices project is one of the ways we hope to address these concerns."




281-733-2422

Sunday, March 25, 2012









A sound information security plan covers a multitude of best practices. However, three areas are critical to an effective program: risk analysis and mitigation, effective handling of breach notifications, and sound compliance practices. Nationally recognized experts will provide an update on best practices across these three important components of an information security program. Risk Analysis (in HIPAA Security Rule parlance) is a fundamental, foundational step for any infosec program; of course, the HIPAA Security Rule actually requires both an Evaluation (at 45 CFR 164.308(a)(8)) and a Risk Analysis (at 45 CFR 164.308(a)(1)(ii)(A)).


The consequences of data breaches are starting to seriously affect organizations. Many companies do not realize that, for them to be compliant, covered entities must implement technical policies and procedures that allow access only to those persons and business associates that absolutely require it (164.312(a)(1)). However, 164.502(d)(2) provides for the uses and disclosures of de-identified information (a.k.a. masked, obfuscated, redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
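As an added illustration of the de-identification the paragraph refers to (example code written for this page, not the firm's tooling and not an HHS reference implementation), the Python routine below strips the identifier categories named in the HIPAA Safe Harbor method from a patient record: names, phone numbers, SSNs and record numbers are dropped, dates are reduced to the year, ZIP codes to a three-digit prefix, and ages over 89 are collapsed into "90+" (with the birth year dropped as well, since it would reveal the age). The record layout, the sample values and the regular expressions are assumptions; the LOW_POPULATION_ZIP3 set is left empty and would be filled from Census data in a real deployment.

```python
"""Safe Harbor style de-identification of a patient record (added example).

The field names, the sample record and the regexes are constructed for this
illustration; the identifier categories follow the HIPAA Safe Harbor list
(names, phone numbers, SSNs, record numbers, dates except year, ZIP codes
beyond three digits, ages over 89).
"""
import re

# Direct identifiers that are removed outright. The key names are an
# assumption about how this record is laid out, not a standard schema.
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "mrn", "email"}

# Three-digit ZIP prefixes whose area holds 20,000 people or fewer must be
# reported as "000" under Safe Harbor. Left empty here (assumption): populate
# it from Census data for a real deployment.
LOW_POPULATION_ZIP3 = set()

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
ISO_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def scrub_text(text, name_tokens=()):
    """Mask identifiers that appear inside free text (notes, symptoms)."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = ISO_DATE_RE.sub(lambda m: m.group(0)[:4], text)  # keep the year only
    for token in name_tokens:
        text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def _ymd(iso):
    """'YYYY-MM-DD' -> (year, month, day) integers."""
    return tuple(int(p) for p in iso.split("-"))


def _age_on(dob, ref):
    """Whole years between two (year, month, day) tuples."""
    return ref[0] - dob[0] - ((ref[1], ref[2]) < (dob[1], dob[2]))


def deidentify(record, reference_date):
    """Return a copy of `record` with Safe Harbor identifiers removed.

    `reference_date` (ISO string) is the date against which age is computed,
    usually the visit date.
    """
    ref = _ymd(reference_date)
    # Name parts longer than two characters are also scrubbed from free text.
    name_tokens = [t for t in record.get("name", "").replace(".", " ").split() if len(t) > 2]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key == "dob":
            years = _age_on(_ymd(value), ref)
            if years > 89:
                out["age"] = "90+"        # birth year would reveal the age, so it is dropped too
            else:
                out["age"] = years
                out["birth_year"] = value[:4]
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value[:4]
        elif key == "zip":
            prefix = value[:3]
            out["zip3"] = "000" if prefix in LOW_POPULATION_ZIP3 else prefix + "00"
        elif isinstance(value, str):
            out[key] = scrub_text(value, name_tokens)
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "phone": "(281) 555-0142",
    "dob": "1920-07-14",
    "zip": "77030",
    "mrn": "MRN-0009871",
    "visit_date": "2012-03-20",
    "diagnosis": "Hypertension",
    "notes": "Pt Jane called 281-555-0142 re: chest pain; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, "2012-03-20").items():
        print(f"{k}: {v}")
```

Pattern matching catches the formatted identifiers that turn up in answering-service style messages (a name taken from the structured record, a phone number, an SSN), but it will not find a nickname or an unformatted number, so free-text notes still need review before the output is treated as de-identified; the Expert Determination route remains the alternative when Safe Harbor removes more than the use case can tolerate.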


Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

“The cost of dealing with the breach was prohibitive” for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what’s left to pay off their debts.


It’s a numbers game when it comes to information security risk management. The bigger the numbers, the harder it is to manage the risk of unauthorized access to protected health information.


Risk Assessment and Management
By “numbers”, we mean the number of vulnerabilities that create risk. For example, in how many locations in an organization does identifiable health information exist, and what controls are in place to protect it from unauthorized access? How many workstations, laptops, flash drives, servers, network devices, portable devices, smart phones, media, etc. exist in an organization? How about remote access, wireless access, email accounts? How about data stored in “the cloud”? The numbers grow as you move from a single-physician practice to an ambulatory clinic, to a hospital, to a health system, to an accountable care organization (ACO) and health information exchange (HIE).







No matter the size and complexity of an organization, a good starting point is to assess and analyze the potential locations and vulnerabilities of protected health information. This must be done periodically in order to manage change, and it is a service we specialize in. The objective should be to eventually limit the number of locations, lock down the majority of user workstations, and protect vulnerable media such as authorized portable devices with security controls, including encryption that complies with HITECH / NIST standards. Remember that if lost or stolen protected health information is properly encrypted, there is no breach. There have been enough breach notifications involving lost or stolen portable devices to give all of us an understanding of the risk level. At some point, very soon if not now, a breach due to a lost or stolen unencrypted portable device will be considered willful neglect, and the dollar penalty will be substantial.

Call us for more information on helping your Houston Medical Practice reduce your liability and remain compliant with HIPAA and ADA. We have in-house offerings for Houston Medical Practices that are cost-effective and practical.
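To make the "numbers" of the risk assessment section concrete, here is an added example in Python (written for this page, not the firm's assessment tooling) that records each place PHI lives as an asset entry, counts the locations by type, and ranks the exposures the post describes: an unencrypted portable device holding PHI at the top, a properly encrypted one at the bottom, an un-hardened PHI workstation in between. The asset attributes, the severity rules and the inventory are constructed for the illustration.

```python
"""PHI asset inventory and risk ranking (added example).

The asset schema, the severity rules and the sample inventory are constructed
for this illustration. The rule that mirrors the post is that a lost or stolen
portable device holding PHI is treated as a reportable breach unless the
device was encrypted.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str            # workstation, laptop, flash_drive, server, smartphone, cloud, email
    holds_phi: bool      # identifiable health information is stored or cached here
    portable: bool       # can leave the premises (and therefore be lost or stolen)
    encrypted: bool      # at-rest encryption meeting the standard the organization adopted
    locked_down: bool    # hardened: no local admin, removable media blocked, screen lock


SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def assess(assets):
    """Return (asset_id, severity, reason) findings, highest severity first."""
    findings = []
    for a in assets:
        if not a.holds_phi:
            continue                     # no PHI here, nothing to report
        if a.portable and not a.encrypted:
            findings.append((a.asset_id, "HIGH",
                             "unencrypted portable device holding PHI: loss or theft is a reportable breach"))
        elif a.portable:
            findings.append((a.asset_id, "LOW",
                             "encrypted portable device: loss is covered by the encryption safe harbor "
                             "as long as the key was not lost with it"))
        if a.kind == "workstation" and not a.locked_down:
            findings.append((a.asset_id, "MEDIUM", "workstation holding PHI is not locked down"))
    # sorted() is stable, so assets with equal severity keep their inventory order
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


def summarize(assets):
    """The 'numbers': how many places PHI lives and how many of them are exposed."""
    phi_assets = [a for a in assets if a.holds_phi]
    return {
        "phi_locations": len(phi_assets),
        "by_kind": dict(Counter(a.kind for a in phi_assets)),
        "portable": sum(a.portable for a in phi_assets),
        "unencrypted_portable": sum(a.portable and not a.encrypted for a in phi_assets),
    }


# Constructed inventory for a small practice; identifiers are fictitious.
SAMPLE_INVENTORY = [
    Asset("WS-01", "workstation", True, False, False, True),
    Asset("WS-02", "workstation", True, False, False, False),
    Asset("WS-03", "workstation", False, False, False, True),   # no PHI: front-desk kiosk
    Asset("LT-07", "laptop", True, True, True, True),
    Asset("USB-03", "flash_drive", True, True, False, False),
    Asset("PH-12", "smartphone", True, True, False, False),
    Asset("SRV-01", "server", True, False, True, True),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
    for asset_id, severity, reason in assess(SAMPLE_INVENTORY):
        print(f"{severity:6} {asset_id:7} {reason}")
```

Re-running the same two functions after each change (a device retired, a laptop encrypted, a workstation hardened) gives the periodic re-assessment the paragraph calls for, and the falling counts of phi_locations and unencrypted_portable are the evidence that the number of places PHI can leak from is actually shrinking.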