How Safe is Your Patient Data?

How Safe is Your Patient Data?
Steps to Protect Electronic Health Information in Nursing Homes
A collaborative effort brought to you by
Harmony University
The Provider Unit of
Harmony Healthcare International, Inc. (HHI)
And
Kinara Insights
Presented by:
Sameer Sule, MS, MSc
Founder & President

Harmony Healthcare International
About Sameer
Sameer Sule, MS, MSc., Founder and President of Kinara Insights
!
Specialize in patient data security & HIPAA compliance.
Author of “Protecting Electronic Health Information: A Practical Approach to Patient
Data Security in your Healthcare Practice”
Extensive experience in guiding clients through the planning, selection and
technology implementation phases.
Assisted clients through the OCR HIPAA audit process and provided
recommendations to address the audit findings.
Published in the Journal of Massachusetts Dental Society, The Granite State Report -
a publication of the ACHCA New Hampshire Chapter, The Disaster Recovery Journal
and the Worcester Telegram and Gazette.
Regular blogger- provides insights, tips and advice on secure technology usage in a
constantly changing healthcare landscape.
MS from Syracuse University and MSc. from the Indian Institute of Technology,
Bombay
Co-inventor on 14 US, EU, and AU patents.
Copyright © 2014 All Rights Reserved

How Safe is Your Patient Data?
Steps to Protect Electronic Health Information in Nursing Homes
Disclosure: The planners and presenters of this
education activity have no relationship with
commercial entities or conflicts of interest to disclose
Planners:
Elisa Bovee, MS, OTR/L
Diane Buckley, BSN, RN, RAC-CT
Sameer Sule, MS, MSc
Presenter: Sameer Sule, MS, MSc
Harmony Healthcare International

Healthcare Technology Consulting
Help healthcare organizations and their business associates
use technology in a secure HIPAA compliant manner to be
more efficient and deliver high quality patient care.
Focus
Data Security | HIPAA Compliance
Mobile Technology | Cloud Computing
KINARA | INSIGHTS
www.kinarainsights.com

Services
ePHI Risk Assessment
HIPAA Security Policies & Procedures
(Review /Development)
Data Backup & Disaster Recovery Planning
Data Security- HIPAA Compliance Training
and Workshops
Secure Cloud Computing, Mobile Solutions

Objectives
By the end of this presentation, you will
be able to:
1. Explain the importance of patient data
security and consequences of medical
identity theft to nursing homes
2. Identify potential data breach scenarios in
your facility
3. List the steps for protecting ePHI in your
organization

Disclaimer
This seminar is meant to provide information
for educational purposes only
Information presented in this seminar is not
legal advice and must not be taken as such
HIPAA rules and regulations are subject to
different interpretations
Please consult your attorney for legal advice
specific to your case

Acronyms Used
HIPAA (Health Insurance Portability and
Accountability Act)
ePHI (Electronic Protected Health
Information)
CE (Covered Entity)
BA (Business Associate)
BAA (Business Associate Agreement)

Why is Data Security Important?
!
MEDICAL IDENTITY
THEFT

Medical Identity Theft
Occurs when criminals use your
personal information to obtain medical
services, drugs or for fraudulent billing
Fastest growing identity theft in the US
Over 300,000 victims per year in the US

Health Information at Risk
!
Medical/Healthcare industry is a top target for
cybercriminals accounting for 44% of the breaches
(Identity Theft Resource Center 2013 study)
!
Nursing homes are exposed to hacker attacks -
Cybersecurity experts find trove of information on file-sharing
web site
(Wall Street Journal Article, Feb 2014)
!
Cybercriminals know that many healthcare
organizations do not have adequate security measures
in place to protect confidential data

Criminals Love ePHI!
Rich in identity information
Contains patient name, DOB, SSN#,
insurance policy information, credit card
details, medical history, emergency contact
info of family members, etc.
A complete medical record sells for $50 on
the black market vs. $20 for credit card info
alone

Medical Identity Theft Consequences
Financial fraud
Medical insurance fraud
Corruption of the original medical
records
Denial of access to your own records

Medical Identity Theft Consequences
Possible social stigma and
embarrassment
Denial of insurance
Loss of reputation
Loss of time trying to get the records
corrected in different healthcare systems
that are not connected with each other

Data Breach Costs
$$$$$$$$
in
HIPAA fines, Legal costs,
Remediation costs,
Loss of Reputation & Revenue

Recent HIPAA Penalties
$4.8 million New York Presbyterian Hospital (NYP) and
Columbia University Medical Center (CU)
Cause: Physician employed by CU attempted to deactivate a
personally-owned computer server on the network containing
NYP patient ePHI
Disclosure of ePHI of 6,800 individuals, including patient status,
vital signs, medications, and laboratory results on internet search
engines
Lack of technical safeguards to check to see if the server was
secure, no risk analysis to identify all systems with ePHI,
failure to implement and appropriate policies for database
access authorization and failure to comply with its own
information access management policies

$1.7 million Concentra Health Services
Cause: Unencrypted laptop was stolen from one of its facilities.
Company had previously recognized in multiple risk analyses that
a lack of encryption on its laptops, desktops, medical equipment,
tablets and other devices containing ePHI was a critical risk
Efforts at encryption were incomplete and inconsistent over
time leaving patient ePHI vulnerable throughout the organization
Insufficient security management processes

$1.2 million Health Plan, Inc
Cause: Photocopier Hard Drive
Disclosure of ePHI of 344,579 individuals when it returned
multiple photocopiers to a leasing agent without erasing
the data contained on the copier hard drives
!
Failure to incorporate the ePHI stored in copier’s hard
drives in its risk analysis
!
Failure to implement policies and procedures when
returning the hard drives to its leasing agents

$150,000 Dermatology practice in MA
Cause: Unencrypted thumb drive containing ePHI of 2,200
individuals stolen from a vehicle of one its staff members. Drive
was not recovered.
!
Failure to conduct an accurate and thorough risk analysis
as part of its security management process.
!
First settlement with a covered entity for not having policies and
procedures in place to address the breach notification provisions of
HITECH Act.

Breach Report to Congress
In 2012, theft and hacking/IT incidents
affected the largest numbers of
individuals.
Theft continues to be one of the top
causes that affects the most
individuals.

HIPAA Settlements
!
In 7 cases resulting from a breach
report, HHS has entered into resolution
agreements or corrective action plans
totaling more than $8 million in
settlements.

Loss of ePHI is disastrous
for your patients and your
healthcare organization!

Data Security
&
HIPAA Compliance

HIPAA Security Rule
Protect
Confidentiality
Integrity
Availability
of ePHI

Security Rule Safeguards
Nursing homes and their business associates
must implement Administrative, Physical &
Technical safeguards to protect ePHI.
!
Each safeguard has standards
Each standard has implementation
specifications that are Required/Addressable
Addressable DOES NOT mean optional

Administrative Safeguards
STANDARDS
IMPLEMENTATION SPECIFICATIONS R= Required, A=Addressable
Security Management Process
Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R)
Assigned Security Responsibility (Required)
Workforce Security
Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A)
Information Access Management
Isolating Health Care Clearinghouse Functions (R) Access Authorization (A) Access Establishment and Modification (A)
Security Awareness and Training
Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A)
Security Incident Procedures
Response and Reporting (R)
Contingency Plan
Data Backup Plan (R)
Contingency Plan
Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedures (A) Applications and Data Criticality Analysis (A)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedures (A)
Applications and Data Criticality Analysis (A)
Evaluation
(Required)
Business Associate Agreements/Contracts and Other
Arrangements
Written contract or other Arrangement(R)

Physical Safeguards
STANDARDS
IMPLEMENTATION SPECIFICATIONS
R= Required, A=Addressable
Facility Access Controls
Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Workstation Use
(Required)
Workstation Security
(Required)
Device and Media Controls
Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)

Technical Safeguards
STANDARDS
IMPLEMENTATION SPECIFICATIONS
R= Required, A=Addressable
Access control
Unique User Identification (R)
Emergency Access Procedure (R)
Automatic logoff (A)
Encryption and Decryption (A)
Audit Controls
(Required)
Integrity
Mechanism to authenticate EPHI(A)
Person or Entity Authentication
(Required)
Transmission Security
Integrity Controls (A)
Encryption (A)

Causes of Data Breach
in SNFs
Loss / theft of laptops or mobile devices containing ePHI
Lack of appropriate authentication/audit software and
controls to secure access to ePHI
Unsecure medical devices, printers connected to the
network
Software updates or system maintenance
Stolen passwords or weak passwords that are easy to
hack
Use of unsecure file sharing software/services
Use of unsecure email or text messaging services
Viruses or malware in the computer system
Unintentional employee action or error
Intentional employee action
Negligence of third party service contractors

Key Steps to Data Security
1. Risk Analysis
2. Access and Audit Controls
3. Encryption (Safe Harbor)
4. Mobile Device Management
5. Contingency Planning
6. Policies & Procedures
7. Training
8. Business Associate Agreements
9. Documentation

1. Conduct a Risk Analysis
An accurate and thorough assessment of
the potential threats and vulnerabilities to
the confidentiality, integrity, and
availability of electronic protected health
information (ePHI).

What is Risk Analysis?
1. Knowing where ePHI resides in your
computer systems and how it flows through
your systems.
!
2. Identifying potential risks to the data.
!
3. Taking reasonable and appropriate
measures to mitigate the risks.

O ePHI, ePHI, wherefore art thou ePHI?

ePHI in Motion
Electronic Communications
Are you using web based email like
Hotmail or Gmail to send ePHI?
How about text messaging?
Is the Wireless internet in the facility
secure?
Is staff accessing ePHI from remote
locations using free/unsecure Wi-Fi?

Who has access to ePHI?
What are the policies/processes in place to
grant individuals access to ePHI?
What technology are you using to monitor
access?
How are alerts set up for monitoring
unauthorized access?
Do you have audit logs to monitor access to
ePHI?

The Minimum Necessary Principle
!
Restrict ePHI access only to those people that
need it to perform their jobs
AND
Restrict access to ePHI data to the minimum
necessary for people to do their jobs

3. Encryption
Renders your data unreadable to
unauthorized users
Needs password (key) to access the
data
Provides a safe harbor in case of a
data breach

3. Encryption
Addressable DOES NOT mean optional
Is all your stored (at rest) ePHI encrypted?
Is the ePHI encrypted during transmission (in
motion) over the network?
If the ePHI is not encrypted, what alternative
safeguards do you have in place of encryption
that ensure the security of ePHI?

4. Manage Mobile Devices
Laptops, Smartphones, Tablets, USB drives
Usage & Disposal Policy
Encryption
Device Tracking
Remote Lock & Wipeout
Wireless Internet Access
Secure Wi-Fi network for providers and staff
(password protected)
Separate guest Wi-Fi network for residents and
family

5. Contingency Planning
Planning and Preparing
for Unforeseen Disruptive Scenarios
including natural disasters and disruptions due
to power failures, server repair etc.
!
Ensuring Continuity of Business Operations and
Patient Care

Eye Opener
70 percent of small firms
that experience a major
data loss go out of business
within a year
!
SCORE: Counselors to America’s Small Businesses

Is Contingency Planning Required?
YES! If you are a Covered Entity or a Business
Associate under HIPAA Security Standard §
164.308(a)(7)
!
AND
!
YES! If you would like to still stay in business after
a disaster.

Implementation Specifications
Data backup plan (Required)
Disaster recovery plan (Required)
Emergency mode operation plan (Required)
Testing and revision procedures (Addressable)
Applications and data criticality analysis
(Addressable)

Contingency Plan Benefits
Prevents or reduces operational
downtime
!
Reduces business loss
!
Enables continuity of patient care
!
Enhances your reputation among
patients and business partners

Contingency Planning Cycle

Contingency Plan
PLAN IT
IMPLEMENT IT
TEST IT REGULARLY
!
DON’T LEAVE YOUR
BUSINESS TO CHANCE!!

6. Policies and Procedures
Must have well documented policies and
procedures that comprehensively cover the
administrative, physical, and technical safeguards
in place to protect ePHI.
!
Polices should cover risk management, access
control to ePHI, contingency planning, employee
termination etc.
!
Make sure policies and procedures are relevant
and up-to-date.

7. Training
Implement a policy mandating periodic training
for all personnel that handle ePHI.
Must include permanent staff as well as
temporary and contract workers.
Conduct periodic training.
Document the training.
Implement a sanction policy in place that clearly
spells out the severe consequences for anyone
not following the security policies despite
receiving compliance training.
!
Humans can be the Weakest Link in the security chain!!!

8. Business Associate Agreement
Execute a Business Associate
Agreement (BAA) with all third party
vendors that come in contact with your
ePHI, as a part to the services they
provide you/on your behalf.
!
(These include consultants, transcription companies, billing
companies, accountants, legal companies, marketing
companies, cloud based data backup services etc.)

Final Omnibus Rule and BAs
How many Business Associates (BA)
do you have?
Expanded BA definition
!
Need to have BAA with all your BAs
!
BAs are directly liable for data breach

9. Documentation
!
Is all your HIPAA related documentation
organized and easily accessible?
!
You will need to produce this in case of a data breach
or HIPAA Compliance Audit

The Big Picture

Security Rule Compliance
Don’t assume that if the technology is
compliant, the organization is also compliant.
Compliance is achieved by a combination of:
❖ Technology
❖ Policies and procedures
❖ Regular staff training
❖ Strict enforcement and sanctions
❖ Periodic review and updates
❖ Proper documentation

Data Security and Compliance
Requires planning
Must be detailed
Takes coordination different
departments
Requires an investment of time
Is on-going

Data Security: A Practical Approach
Immediate Action Steps
!
1. Conduct a comprehensive risk analysis.
2. Encrypt all ePHI.
3. Review existing security technology, policies and
procedures.
4. Review your data backup & disaster recovery procedures.
5. Schedule regular staff training.
!
Take a step-wise approach and build a strong data
security foundation

Your Options
Do it all by yourself and/or get outside
help when needed.
Example: You can use ready-made policy templates.
But you need to customize them to your organization.
GOAL
Implement reasonable and appropriate
security measures for your organization.

THANK YOU
Sameer Sule, President Kinara Insights
Author: “Protecting Electronic Health Information: A
Practical Approach to Patient Data Security in Your
Healthcare Practice”
Amazon: http://www.amazon.com/author/sameersule
Email: ssule@kinarainsights.com
Blog: www.kinarainsights.com/blog
LinkedIn: http://www.linkedin.com/pub/sameer-sule/
7/b1b/511
Twitter:@sameersule

How Safe is Your Patient Data?

More Related Content

What's hot

Similar to How Safe is Your Patient Data?

More from Harmony Healthcare International (HHI)

Recently uploaded

How Safe is Your Patient Data?