Online Tech is liveblogging from the Michigan HIMSS 2012 Fall conference, HITECH Status in Michigan: Navigating the Future of Electronic Health Records, at the Crowne Plaza Hotel Detroit-Novi. Stay informed with our updates throughout the conference!
If you’re attending, don’t miss Online Tech President and COO Mike Klein’s presentation, Security and Compliance for Processing Facilities, at 10:30AM ET with Gail Einhaus, Compliance, Education and Privacy Officer of Trinity Health.
9:00AM – Keynote Presentation: HITECH: Evolving to the Next Stage
Mary Griskewicz, MS & HIMSS fellow, Senior Director Healthcare Information Systems, will kick off the MI HIMSS conference momentarily!
Some memorable quotes:
Security and Compliance for Data Center Facilities:
Which audit should you look for? SSAE 16 is taking the place of SAS 70 as a new standard with the addition of attestation.
Mike is discussing the differences between the audits on offer and the main components that distinguish them. It’s important to ask your data center operator for its audit report. Sign a non-disclosure agreement, then ask for the SSAE 16 report to get the most information about what the provider is going to do to secure your data.
PCI DSS is very prescriptive and includes some unnecessary costs and complexity. It requires an independent audit. However, HIPAA is specific to PHI (protected health information), and is not as prescriptive. It is much more about people, and the training that you follow. That includes how you manage a breach. It also includes physical, technical and administrative safeguards.
CE (Covered Entity) vs. BA (Business Associate) Responsibilities
Do BAs (business associates) get HITECH? Some do and some don’t. We [Online Tech] will never open a data file. It’s a fireable offense to open a file. It’s important to know who owns what when it comes to data. Other business associate and covered entity responsibilities that are important to clarify include timeline of breach notification, advance preparation, and breach insurance.
Beware of data centers that claim to be ‘HIPAA Certified’…you can’t do it. You can be ‘HIPAA compliant,’ which means that they’re going to help with audits or breaches. ‘HIPAA certified’ doesn’t necessarily mean that they’ve been audited, so be sure to ask for their audit report.
Compliance is a culture, not just a checkbox. Being process-oriented and being transparent with your clients are values of a compliant culture.
Admin Safeguards include:
Technical Safeguards include:
Physical Safeguards include:
Compliance, Trust, Process-Oriented, Transparency, Embraces Independent Input. Culture is extremely important: it ensures you have all the tools at your fingertips so you can be sure you know what’s going to happen with your data.
Most people are just looking for their checkmark, but it’s not their business like it is for us. It’s key to understand the technology. You may or may not want some of those safeguards, but you need to be knowledgeable of what they are so you can make an informed decision.
Business Associate HIPAA Compliance – Impact on the Business Associate and Covered Entity:
Speakers: Joe Dylewski of Health Care Management and Meredith Phillips
Joe: Defining the ‘certain functions or activities’ safeguards: people are seeing them as vague language. HITECH (the Health Information Technology for Economic and Clinical Health Act, enacted as part of the 2009 American Recovery and Reinvestment Act) was developed to educate on and enforce HIPAA and meaningful use.
The idea of security was out there, but there was no one to enforce it, before HITECH.
A few changes include:
BAs were involved in 58% of breaches. From the CE’s perspective:
Protected Health Information is being touched by potentially:
These all need to be compliant.
What constitutes compliance?
Who enforces HIPAA compliance?
Speaker: Meredith R. Phillips, CHC, CHPC, Chief Privacy Officer of the Henry Ford Health System
Data Breach Responses Involving Business Associates
The HFHS Landscape:
Now everything is streamlined, standardized, and centralized.
Vendor Compliance: the group that manages BAAs (business associate agreements) so that HFHS doesn’t agree to vendor terms it isn’t comfortable with. They take part in notification in the event of a breach. They created a manual process for conducting breach risk assessments and applied it to previous breaches to vet the approach, and they created a plan to notify all known BAs about the HITECH implications. Your exposure is not going to come from someone breaking into the network. Exposure is going to come from someone making a spreadsheet and then saving it on a device that gets lost or stolen.
They created an HFHS-branded data breach response program so that workers could get more information, understand what the program does, and know the protocol in the event of a breach. That way people can react appropriately. HFHS decided that it was the hospital’s responsibility to educate each BA on what its responsibility is in order to protect patient data.
Things to Consider:
Implement the following formalized programs:
IT Security – Indirect Threats to Patient Data
Adam Goslin, Chief Operations Officer with High Bit Security
IT security trends:
Recent medical security events:
Head of Interpol stated:
May 2012 – Cost of cybercrime is larger than the combined costs of cocaine, marijuana, and heroin trafficking.
The US government is building a ‘hacking monitoring facility.’
Breach costs presently average $194 per record (this includes detection, escalation, notification, resolution and after-the-fact response). At 2,000 records, you’re already up to $388,000. There are huge costs associated with a breach.
Why is it so difficult to maintain security?
Two questions to ask about your security:
75% of total data loss happened at, or was targeted toward, medical facilities and businesses.
Malware and Worms:
These pieces of software show up from email, the web, USB drives