Welcome!

 

healthcare technologyWelcome to the Healthcare & Technology blog. After 17 years in technology, including various leadership roles, and as a Registered Nurse with a Master of Science in Healthcare Informatics, I turn my attention to HIPAA Regulations and compliance for the healthcare industry.

As VP of 3Lions Publishing, Inc. publishers of the HIPAA Survival Guide and Expresso, the Risk Assessment Express I have been able to leverage prior technical knowledge and understanding of HIPAA Regulations and technology risks to help Covered Entities and Business Associates be successful in their HIPAA Compliance Initiative.

Our HIPAA products come pre-packaged with tools, frameworks, policies, over 70 training modules, and more. The HIPAA Survival Guide also offers HIPAA Compliance Certification for individuals. Our SaaS-based Expresso Risk Assessment software contains not only an easy-to-use interface and risk assessment process but also an encrypted Compliance Repository with access to all HIPAA Survival Guide products. We've recently added a Breach Wizard that enables you to assess whether an Incident is a Breach, or not. Healthcare Compliance is, and remains, one of the most pressing challenges facing Covered Entities and Business Associates.

 

Posted at 11:33 AM | | Comments (26)

New Privacy Rule coming from HHS

June 2021 Webinar Title:
 
Title: Deeper Dive into the Privacy Rule Changes (1.5 hr) 
 
Date: Thursday, June 24, 2021
Time: 2:00 pm - 3:00 pm CST
 
 
Poking through the Privacy Rule
 
As many of us have (hopefully) completed our Security Rule (“SR”) Assessments and Remediation, the Privacy Rule (“PR”) requires significantly more thought and time, especially pursuant to the significant changes that are expected to be promulgated in 2021. Consider Subpart E — Privacy of Individually Identifiable Information. There are some who have questions about the differences between Personal Health Information (“PHI”) and Personally Identifiable Health Information (“PII”).
 
It is an oversimplification to claim that PII does not have any health information associated with it therefore, it may not require the same safeguards and protections as PHI. Because PII enables the identification of a particular person, it is equally dangerous in the hands of the “bad guys.” Components include things like name, address, license number, or address. Of course, this information can be extremely sensitive if it was in the hands of the wrong person (e.g., Cyber Security, Credit Card Theft). HHS Guidance on PII includes:
 
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic, or other media.
 
Often the question is asked if PII should be treated in the same manner as PHI. Well, the answer is almost always yes. Consider that PII can also cause harm to individuals if it is disclosed to those who have no need for its access. All sensitive data, just like PHI, has a significant need for protection.
 
The Privacy Rule requires that PHI and PII are safeguarded by establishing (and implementing as needed) policies and procedures to restore any loss of data. Just like other HIPAA regulations, generally, you are not given the exact method(s) to accomplish and comply with the task at hand. Unlike the Security Rule, the PR is process and people-driven. What do I mean by that? Well, SR regulations typically have a technical means to the end. For example, The Contingency Framework includes backups, recovery, criticality lists, and other related data access methods. The PR requires more thought. For example, “How do I respond when I am asked for PHI from one of my Patients?”
 
Here is an instance of a Minor’s Parent who wants to access PHI for their son. Note that the question and answer come and go from person to person, and due diligence is performed to ensure that the correct authorization is utilized. Sally is at the Clinic’s office and wants to get a copy of her young son’s medical record. She asks the Receptionist for a copy and the Receptionist is unaware of the rules related to providing medical records. The receptionist asks a co-worker, and he/she does not know either. Since neither one of them are familiar with the Privacy Rule regulations related to disclosing records to the parent of a minor, they sought the guidance of the Clinic’s Compliance Department.
 
The Privacy Rule §164.502(G)(3)(i) Uses and disclosures of protected health information: general rules state that under the law, a parent guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor AND the covered entity must treat this person as a personal representative.
 
However, if the minor has the authority to act as an individual related to health care service, the minor may consent not only to the health care service, and records are maintained but also the minor can request or deny access to the personal representative. So, in this case, either there was no denial of access to the parent, or Peter was an emancipated minor. However, in either case, staff must be trained in the regulations that govern the Privacy Rule and its future changes. Requires a bit of information, no?
 
Directly from the most prominent HIPAA authority I know:
 
“After the HITECH Act and the Omnibus Rule, all the attention went to the HIPAA Security Rule, and rightfully so. But lost in all that is that the public policy reason for the security is privacy. Privacy of confidential information including patient data, intellectual property, military defense secrets, etc. The changes to the HIPAA Privacy Rule are a wake-up call to the healthcare industry, get your act together or be prepared to pay a price. Over the last year, OCR has already shown a willingness to impose stiff CMPs for those organizations that fail to provide PHI in a timely manner to patients.
 
Something (or someone) snapped in Washington and came to the realization that without patient involvement we are never going to transition healthcare from a sickness system to a wellness system. Our current approach is unsustainable and will lead to disastrous unintended consequences. Witness the COVID pandemic. We have no way of knowing how often these will occur at this scale. OK, the Spanish Flu was about a hundred years ago but that is a single data point. What about Ebola, HIV, the return of malaria, etc., etc. These never reached the same scale, but they could have.
 
The reason for going into a public policy discussion is that if the law changes slow, healthcare, the most insular industry in the U.S., changes even slower. It is woefully unprepared for a shift to a consumer-centric orientation. Most compliance budgets are significantly underwater dealing with the current challenges, let alone something that shifts the paradigm right under its feet.”[i]
 
This is just one example of the complexity and processes associated with the existing PR.
However, PR compliance efforts may be severely impacted by changes in the future regardless of the Regime. There will be new regulations, changes to regulations, slightly modified regulations, and perhaps deleted ones. Each of these changes will require that organizations re-train their workers and put new policies and procedures in place to remain compliant with the regime.
 
We will be working on a new Privacy Assessment for Expresso as well as other HIPAA Survival Guide content/product updates. We plan to have an informative webinar on these HIPAA PR changes in June as mentioned above. We hope you will join us!
 
[ii] Responding to Requests for Minors’ Protected Health Information: Guidelines for N.C. Local Health Departments, Jill Moore UNC School of Government https://sph.unc.edu/wp-content/uploads/sites/112/2014/09/nciph-chrm-minorsconsent.pdf

Posted at 02:23 PM in Current Affairs, HITECH / HIPAA | | Comments (0)

August 2020 Security Reminder Notice

3lp
HSGLogoR
 
 
Note: For HIPAA Survival Guide with Expresso clients, this Security Reminder will be stored in your DOCS / Products / HIPAA Tools folder.
 
 
 
 
"Forrester, a leading global research and advisory firm, recently analyzed the emerging cybersecurity risk ratings solutions market.
 
The free 2020 Forrester report delivers critical insights for CISO's and third-party risk teams on how and why cybersecurity risk rating solutions can fit into their security programs."
 
 
 
 
"video surveillance component consists of around 700 different Siqura cameras, working with VDG Sense video management software and storage from TKH Security,” Anwer said. “The iProtect access control system, also from TKH Security, manages around 400 doors with card and pin authentication. [The] iProtect security management system is able to flawlessly fulfill the set of complex requirements demanded by this client."
 
 
 
 
"The pervasive impact of Internet of Things (IoT) devices on our lives is greater than that of traditional IT devices. There are several unknowns in IoT security, and it raises concerns for customers who are looking to incorporate IoT devices in their existing infrastructure. Fortunately, security by design can resolve some of the major root causes of the underlying vulnerabilities in these connected devices.
 
In acknowledgement of the challenges discussed above, an internal NIST report IR8228 entitled Considerations for Managing IoT Cybersecurity and Privacy Risks indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. This report also points to the requirement of creating robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls."
 
 
 
 
"The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
 
Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
 
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam."
 
 
 
 
"A preliminary settlement of a class action data breach lawsuit against Iowa Health System - which does business as UnityPoint Health - contains an extraordinary provision that could prove quite costly.
 
Unlike settlements in most other data breach class action lawsuits, this one does not contain a "global cap" on the total amount of claims to be paid to victims.
 
Under the terms of the proposed settlement, UnityPoint will provide one year of comprehensive credit monitoring and ID theft protection services with a retail value of about $200 per settlement class member."
 
 
 
 
"On March 15, 2020, the CDC announced gatherings of 50 or more people be canceled for the next eight weeks, marking a pivotal point in the 2019 Novel Coronavirus. The CDC needed to make a strong recommendation to limit the spread of the virus, and on this day, there were 3,000 cases in the US, and airports were in chaos due to new screenings.
 
With our daily livelihoods changing right before our eyes, bad actors online started to see this chaos as an opportunity. SlashNext Threat Intelligence researchers identified that in the days which followed, we saw a +3000% increase in COVID-19 themed Phishing URLs. With no sign of slowing down, thousands of new phishing pages are launched hourly to steal personal information, corporate data exfiltration, and credit card fraud."
 
 
 
 
 
The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.
 
If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:
  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes
 
Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.
To view the presentation slides, click here.
To view the webinar recording, click here."
 
Nudge: The Federal government is reviewing what HIPAA will require for a new Privacy Rule Risk Assessment. Note that in anticipation of expected Federal Privacy regulations, we have developed a Privacy Rule Risk Assessment for Expresso.
 
 
 
 
"TikTok has long presented a parenting problem, as millions of Americans raising preteens and teenagers distracted by its viral videos can attest. But when the C.I.A. was asked recently to assess whether it was also a national security problem, the answer that came back was highly equivocal."
 
 
 
"Data breaches are a hot topic and will undoubtedly get even hotter. Cybersecurity for your own enterprise isn’t enough — you must evaluate your vendors and determine if they’re prepared to resist cyberattacks. 
 
The increase in data breaches has only led to more regulatory scrutiny. Regulatory focus on third-party vendors was already increasing after the 2008 financial crisis, but has reached a fever pitch in recent years. New data privacy laws often make companies liable for the mistakes of their vendors, even as businesses are relying on outsourcing more and more. So this reliance on vendors, suppliers and subcontractors means increased liability."
 
 
Nudge: Take a look at our new Business Partner Vetting Portal in Expresso. It will save time and money with a paperless method to obtain valid assurances from potential Business Partners. Contact us at support@3lionspublishing.com for a preview.
 
 
 
 
"Enforcement of Maine’s landmark online privacy law, which bans internet service providers from collecting and selling customers’ personal data without their permission, began this month after clearing a major legal hurdle in July.
Still, state officials can not provide a clear picture of what will happen to providers in Maine if they don’t comply.
 
The law dictates that internet providers must gather express, affirmative consent from customers before collecting any of their identifying data, such as location, browsing history or device identification. Providers also must give customers “clear, conspicuous and non-deceptive notice” of their rights at the point of sale, and are not allowed to offer promotions to customers who choose to give consent to have their data collected or refuse service to those who do not."
 
 
 
 
"The ransomware threat landscape worsened in several significant ways through 2019 and into the current year, according to BakerHostetler’s 2020 Data Security Incident Response Report. Average demands increased more than tenfold and all industry segments saw growth in attack frequency, with stark increases seen by education and government entities.
 
Several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment, the report noted.
The average ransom paid in 2018 was $28,920 and the largest payment $250,000. But that figure jumped to $302,539 the following year and the largest payment was $5.6 million, the latest report stated.
 
A tip to avoid this: require vendors to implement multifactor authentication to access an environment."

Posted at 09:59 AM in Accountable Care Organizations, Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Web/Tech | | Comments (0)

 
August 2020 Webinar Title:
 
What SOC-2 promises an Agile HIPAA compliance initiative delivers! (1.5 hr)
 
Description: This webinar compares and contrasts SOC-2 with a lightweight high utility cyber-security approach.
 
Date and Time:
Thu, August 20, 2020 2:00 PM - 3:30 PM EDT
 
 
After registering, you will receive a confirmation email with information about joining the webinar.
 
Why SOC-2 will Derail your Cyber-Security Initiative
business-man-phone.jpg
 
First let me start with a question that most compliance officers (COs) will not get right, which is this: “How many security laws do we have in the U.S.?” Many will answer fifty (50) because each state has at least one. Others will “throw-in” GLBA, FERPA, etc. The answer is one. The HIPAA Security Rule (HSR). What the states have are their own privacy and breach notification laws. GLBA and FERPA are for the most part privacy laws.  
 
The HSR is the only U.S. law that describes the controls at some depth that must be implemented to comply with HIPAA. It is a kind of cyber-security 101 law. It provides a strong foundation for a cyber-security initiative but that is it. The HSR provides a solid platform to build upon. That said, most covered entities and business associates remain woefully non-compliant even with the basics of the HSR; and where they do comply it is mostly in an ad hoc and haphazard manner.
 
With that as a starting point, let us look at SOC-2’s Trust Services Principles (TSPs):
  1. Security: you must protect your systems/data from unauthorized access
  2. Availability: you must institute controls that ensure that your systems/data is accessible to customers and staff when they need it
  3. Confidentiality: you must protect the privacy of your personally identifiable information (PII) or your protected health information (PHI) by allowing access on a “need to know” basis
  4. Processing Integrity: you must ensure the integrity of the PII or PHI utilized by your organization
  5. Privacy: you must ensure that that PII and PHI utilized by your organization is accessed, disclosed, and disposed of properl
 
For most COs the initial impression of the TSPs is that they look like “stuff” that is covered by the HSR or the HIPAA Privacy Rule (HPR); and they are absolutely correct in making this inference. Is SOC-2 law? No! It is a set of standards promulgated by the American Institute of CPAs (AICPA) with input from various consortia. We generally trust CPAs for taxes and for producing audited financial statements when required. But the elephant in the room concerning SOC-2 is “when did CPAs become qualified as cyber-security experts?” We wouldn’t let a CPA anywhere near our privacy or cyber-security initiative. Further CPAs are not lawyers and therefore not qualified to give an opinion as to whether you are legally compliant with HIPAA.
 
Let’s get down and dirty with this argument. What does a typical SOC-2 audit cost? The anecdotal evidence, even for a small organization, is a one-time fee of $20K for the SOC-2 provider to understand your “as is” environment, and then about $30K a year to actually deliver the report (these numbers are at the low end for smaller customers); you pay the $30K year in and year out. Why so expensive? In part, because the AICPA has promulgated such a heavyweight legally burdened process that it takes a significant amount of everyone’s time, especially that of the senior management team, to figure out the deliverables. Further, this same heavyweight process controls the auditing of the deliverables as well.
 
From the AICPA’s perspective, and their practitioners, it is a cleverly designed professional services revenue stream. However, in this article, we are more interested in the utility value that SOC-2 produces. What do get at the end of the day? You get an electronic “piece of paper” with recommendations as to how to proceed. Mind you, the $30K a year does not include actual remediation costs; it is nothing more than a roadmap for how to proceed.
 
The fact of the matter is that if you have implemented your HIPAA Compliance Initiative (HCI) using the best practices that we (and others) recommend, you are already 95% compliant with SOC-2. There are several gotchas though: (1) most companies are barely crawling with their HCI; and (2) there is not a clear and concise mapping of SOC-2 to HIPAA. With Expresso we intend to deliver that mapping through a SOC-2 load module by Q4 2020. Although this may not prevent you from having to eat a SOC-2 implementation mandated by a large customer, it will give you ammunition to make the argument that you are mostly (assuming your HCI improves) compliant with SOC-2; and moreover, be better positioned to ask the question, What more would they like you to do?
 
Here is the money quote. “SOC-2 is a plan, it performs, zero, nada, zilch, by way of remediation.” The controls it generally recommends are those promulgated by the Center for Internet Security (CIS). SOC-2 does not have its own control set. It recommends control sets that are already de facto industry standards. So, you can't actually map SOC-2 at the level of a control (e.g. HIPAA implementation specification), and you have to do the mapping through some of intermediate set of controls (e.g. CIS).
 
The SOC-2 “value proposition” tends to work with the executive management team and with large organizations; because having an incomplete (or worse) HCI is a non-starter. The compliance organization in these large companies is in a weak position to challenge SOC-2 because the compliance department is in no position to clearly articulate what has already been accomplished to senior management (for smaller companies and startups things are even worse).
 
This is true even for companies that have invested in compliance software. Compliance software and related artifacts (policies and procedures, training, checklists, etc.) can dramatically reduce the time to implement a robust HCI, but there is no free lunch. The software may help with the heavy lifting, but it cannot replace boots on the ground driving the initiative.
 
Even if you are not required to comply with HIPAA, implementing the CIS Top Twenty Controls still gets you 95% home pursuant to SOC-2. There are only so many ways to skin-the-cat vis-à-vis launching a baseline cybersecurity initiative. There is a huge overlap between the HSR requisite controls and the CIS Controls. Most of the differences are “semantics.” Most SOC-2 reports end up recommending that you implement the CIS Controls. We just told you that well-kept secret and it didn’t cost you $50K. Ah, but the retort from SOC-2 folks is yes we often recommend the CIS Controls but our real “value add” is setting up the appropriate “governance structure” for your organization.
 
What does this involve? Establishing roles, responsibilities, reporting structures, and accountability. Although you may get high utility from high-quality compliance software, you generally do not get recommendations pursuant to the kinds of people and processes you need to have in place for a successful initiative. That is why at 3Lions we are now offering professional services that help you navigate these issues from a bottom-up approach. As virtual privacy/security officers on an as-needed basis, we help you navigate your organization, and by “doing the assessment and remediation” the relevant processes and reporting relationships will evolve. We help you implement what has proven to be successful HCI as demonstrated by our work at other organizations of similar size and complexity, at a fraction of the cost.
 
It boils down to this clash of “civilizations”: SOC-2 delivers a governance structure using a heavyweight linear methodology; Expresso delivers high utility value on day one and helps you navigate your company so that the correct governance structure evolves organically using a lightweight Agile methodology. Query your Tech friends and ask them how many are still using linear heavyweight methodologies. None. Agile dominates. That’s been about twenty years in the making. Compliance is a little slow to catch on.
 

Posted at 02:31 PM | | Comments (0)

COVID-19 A Reminder to Reason

from the New England Journal of Medicine

 

https://www.linkedin.com/pulse/covid-19-reminder-reason-deborah-leyva-rn-hcp

 

PICT0002


"How long will this pandemic last? When will we find a treatment or vaccine? Which drug should we give our patients? Will we run out of personal protective equipment (PPE)? When will everyone return to work? We find ourselves in a time of great economic, social, and medical uncertainty. Faced with a crisis, Lee Iacocca, the late automobile company executive, once said, “So what do we do? Anything. Something… . If we screw it up, start over. Try something else. If we wait until we’ve satisfied all the uncertainties, it may be too late.” Similarly, in the heat of the Great Depression, Franklin Roosevelt commented, “Take a method and try it. If it fails, admit it frankly and try another. But by all means, try something.” Though a trial-and-error approach may be appropriate in business and politics, should it be applied to medical decision making during a pandemic?"

Posted at 01:43 PM in Current Affairs, Health IT, Health Reform, Healthcare, Population Health | | Comments (0)

HIPAA Survival Guide April Newsletter & Webinar

April 2020 Webinar Title:
 
COVID-19 and HIPAA-What you need to know!
 
Description:
This webinar will discuss HHS' guidelines at the intersection of COVID-19 and HIPAA, as well as other impacts that the virus is having on HIPAA writ large.
 
Date and Time:
Thu, April 16, 2020 2:00 PM - 3:30 PM EDT
 


 

COVID-19 ("C-19") and Ransomware

Introduction

We are not aware of any massive ransomware attacks on the U.S. healthcare industry attempting to capitalize on the COVID-19 (“C-19”) panic. This article from Forbes suggests that the bad guys have gone on C-19 holiday—but if that’s the case, it’s probably out of their own self-interest. Further, it is likely only the big, publicly prominent criminal gangs are on holiday from attacking the U.S. healthcare system when it is most vulnerable. However, our readers would be naïve to believe that this holiday will extend, or that the thousands of smaller, yet equally effective, criminal ransomware gangs are joining the moratorium. You would be well served to review our Ransomware Resilience webinar to get up to speed on what you are likely to face.

Attacks are Here to Stay

Attacks are coming sooner rather than later. The bad guys have families to feed. This is not a hobby for them. Ransomware is what they do for a living. The healthcare industry, writ large, is far too vulnerable for the moratorium (if there is one) to last more than a few weeks. All of us now live on Internet time, where days are weeks, weeks are months, and months are years—our 24/7 365 non-stop always on work environment is the “new, new, normal.” That said, there is nothing inherently new about the “new normal,” it has been “normal” for us for well over a decade. Our office exists “on the wires.” All we need is an Internet connection to plug in. We may not have been “born digital” but we emigrated many moons ago. We have written newsletters, conducted webinars, and continued to develop our Subscription Plan and Expresso from the beaches of the world.

C-19 Guidance from HHS
 
HHS has provided the following guidance pursuant to C-19:
 
  • OCR’s Notice of Enforcement Discretion allowing providers to serve patients where they are through commonly used apps like FaceTime, Skype, and Zoom to provide telehealth remote communications:

https://www.hhs.gov/about/news/2020/03/20/ocr-issues-guidance-on-telehealth-remote-communications-following-its-notification-of-enforcement-discretion.html

  • Guidance that empowers first responders and others who receive protected health information about individuals who have tested positive or been exposed to COVID-19 to help keep both first responders and the public safe.

https://www.hhs.gov/about/news/2020/03/24/ocr-issues-guidance-to-help-ensure-first-responders-and-others-receive-protected-health-information-about-individuals-exposed-to-covid-19.html

  • Guidance on how health care providers can share information with the CDC, family members of patients, and others, to help address the COVID-19 emergency.

https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus - PDF

 
This guidance from HHS is often “clear as mud”—although we commend the agency for trying to get in front of this evolving disaster. During the next few months, if you need HIPAA clarification pursuant to C-19, then you can use the Digital Business Law Group’s 1-800-Ask-DBLG service for $25.00 per 45-minute session, instead of the customary $250.00 fee.
 
Summary
 
Be vigilant. The bad guys will be back with a vengeance. You don’t want your health records locked, or your electricity disrupted when you have patients on ventilators. We did not predict C-19, but we did predict that 2020 would be the year when patients die because of ransomware. Trust us. You don’t want this to be your organization. Hope for the best and prepare for the worst.

Posted at 09:48 AM in Current Affairs, HITECH / HIPAA, Internet Resources, Webinars | | Comments (0)

Ransomware Resilience

March 2020 Webinar Title:
Ransomware Resilience: How to effectively respond to Ransomware when everything is on the line.
 
Description:
This webinar will discuss a framework for responding to a Ransomware attack in a manner that maximizes your negotiation options including, but not limited to: (1) how to avoid paying the Ransom; (2) how to pay the Ransom with plausible deniability if that is the option of least resistance; (3) how to walk through the Breach Notification Legal Framework for determining whether the attack in question requires notification to the authorities; and (4) the steps that should be taken to mitigate risks going forward.
 
Date and Time:
Thu, Mar 19, 2020 2:00 PM - 3:30 PM EDT
 
 
***************************************************************************************************************************
HIPAA Survival Guide March 2020 Newsletter Article
Ransomware Resilience: Only the Paranoid Survive!
 
Introduction
 
Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict upon the healthcare industry writ large, including the fact that patients will die if a concerted effort is launched attacking the industry at its weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained, to wit:
 
Three Steps to Resilience Against Ransomware:
 
1.     Back-Up Your Systems – Now (and Daily)
Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.
 
2. Reinforce Basic Cybersecurity Awareness and Education
Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees how to report incidents to appropriate IT staff, in a timely manner, which should include out-of-band communication paths.
 
3. Revisit and Refine Cyber Incident Response Plans
Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS -ISAC, in the event of an attack.
 
See CISA, MS -ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS. Really, circa mid-2019 (i.e. the date that the above “advice” was promulgated) is this the best that Team USA can do? NO! But you can rest assured for the foreseeable future this is the best that Team USA will do, premised on national security concerns. Team USA is not about to go any further than the “proverbial toe in the water”—doing nothing more than reinforcing the anemic response that it has shown pursuant to cybersecurity threats over the last four decades. It’s not about to expose its sources and methods by coming to the rescue of the healthcare industry. If patients must die, then so be it. After all we are at war. People die during wars. It’s the inescapable nature of the beast. This is on us. Team USA will do little more than what its already done by offering platitudes yet not venturing into the no man’s land of reallocating public/private Risks pursuant to cybersecurity threats. Big Brother is not coming to the rescue anytime soon.
 
As discussed in February’s webinar, patients are likely, almost certainly, to die from a forthcoming concerted attack on the healthcare industry—arguably, along with government itself, one of the most vulnerable industries in the country. Team USA will not change its current position according to public/private cybersecurity risks anytime soon, and when it does, it will be a slow roll. The healthcare private sector has no choice but to step up in a big way, but it appears weak, and imminently ill-equipped for this challenge. The most insidious reason that the industry is so ill-equipped is that it continues to be in denial vis-à-vis its vulnerability, despite the U.S. government, ratings agencies, and knowledgeable observers beating the drum for well over a decade now. Healthcare executives, not all but in sufficiently large numbers, exhibit a naive response to this growing cacophony. They just want to place their collective hands over their ears and hope that the noise goes away. It won’t. In the interim people will die, and the latter will have blood on their hands; along with their underlings—all complicit in standing by and taking no action, while the writing has been on the wall for a long time now.
 
If you are a CO that has been beating the drum to no avail, we suggest that you start writing “memos to file” (i.e. as a CYA strategy) according to recommendations that likely fell on the deaf, dumb and blind. It’s important that you lead your executive team to the water, and that you document these efforts, even though you can’t make them drink. We understand that many CO’s are not able to affect real change within your respective organizations; you’re overworked and underpaid. Eventually, your management team will “wake up and smell the coffee” or perish as roadkill on the info highway. It’s important that you live to fight another day.
 
Ransomware Resilience Framework
 
What is a Ransomware Resilience Framework (“RRF”) and why does it matter? Glad you asked. Our RRF (shipping soon to a theatre near you) is designed to help organizations of all sizes who experience a Ransomware attack to respond effectively, keeping in mind that lives are at stake. Our Framework also attempts to cover the major components of Ransomware Resilience, which by necessity, touches on other collateral in our Subscription Plan (e.g. our Breach Notification Framework, our Contingency Framework, and our Breach Response Framework). Other than the obvious shameless plug, we use our offerings here as reference to eliminate the healthcare industry’s constant lament that compliance is too confusing, too expensive, etc. Fill in your excuse du jour. These excuses do not hold water because once patients start dying based on your neglect, they will seem even more vacuous. We’re in perpetual cyberwar, no amount of excuses will get you through these dark tumultuous times. The healthcare industry writ large must take the proverbial “bull by the horns” and begin to take serious actions to mitigate the number of lives lost.
 
Resilience Components
 
Here we capture, at ten-thousand feet, the major components you should have in place as part of your Ransomware Resilience initiative. Our objective here is to put you on notice. If you want to take your initiative to the next level, then you must make the necessary investment. You can purchase our RRF or spend hundreds of man-hours trying to piece together the pieces of the puzzle yourself, but the important thing is that you act quickly. Time is not on your side. Patients’ lives are at risk because your organization has failed to prepare. This is true across the healthcare industry writ large.
 
No one contests the foundational material facts that lead to this inference. Last month’s webinar contains the sources that we relied on to arrive at this sobering conclusion. You can also look here and here for additional background. This is dark and unsettling territory that we have embarked upon, but we are never going back to the nonexistent, yet soothing concept, embodied in the nostalgia for the good-ole-days. For many of our fellow citizens, these mythical good days weren’t all that good. Moreover, if they ever existed, they are long since gone; we have crossed the Rubicon.
 
Preparedness
 
The problem with “preparedness” is that it is too easy to fall into a litany of platitudes that everyone knows they should do, yet no one does. Well sorry to say that we are not going to disappoint. Prepare for some dull, boring, trite platitudes. However, the difference is that our RRF provides the reader with a set of tools that facilitate “preparedness,” because at the end of the day there is no escaping it. You will be forced to develop your own preparedness plan (“Response Plan” or “Plan”) or modify ours to suit your needs. Having a plan in and of itself may help you avoid some liability (i.e. to the extent that having a Plan allows your legal team to make an argument that “far from being completely negligent, you were attempting to do the right thing”). Most of you understand that although this argument is better than no argument at all, it’s only going to take you so far. At the end of the day you will be forced to provide visible, demonstrable evidence (“VDE”) that you have responded to a Ransomware attack in an effective way—that is, your “boots on the ground” did the right thing.
 
Here's an outline of a Plan to get you started:
  • Review and distribute of Ransomware Resilience Policy
  • Review, modify, and distribute the Application Sensitive Data Criticality List (i.e. so that you know what applications and data to restore and in what order)
  • Actions that should be taken to ensure that the vector that allowed your adversaries to install the Ransomware malware has been plugged
  • A methodology for determining whether a breach has occurred (i.e. because any Ransomware response will require a breach notification analysis)
  • A forensic analysis to discover technical root cause analytics;
  • A legal analytical framework for deciding if the root cause analysis necessitates breach notification under applicable law, both state and federal;
  • A review of tools and templates such as executive management/board of director’s updates, call lists, sample notification letters/communications to stakeholders, press releases.      
  • Incidents
  • Ensure Incident gathering and documentation process are in place;
  • Ensure that your incident master document was designed, implemented and routed for approval.
  • A Communications plan
  • Communication to Response partners and the activation of Response teams;
  • Communication to regulatory authorities;
  • Communication to media, social media, and other appropriate organizational news consumption endpoints;
  • Communication to individuals impacted;
  • Activation of Call Center for inquiries;
  • Activation of identity protection services as required;
  • Activation of remediation teams, including closely working with third-party technical partners.
  • Response Plan Testing
  • Test your ability to instantiate virtual (i.e. cloud-based) servers wherein users can be routed once mission-critical data is restored;
  • Test the immediate incident reception and analysis workflow;
  • Instantiate and test the Communications Plan;
  • Review remediation readiness.
  • Response Postmortem
  • Review the status of remediation;
  • Update the executive management team on remediation progress;
  • Implement additional Security Controls that would prevent similar attacks;
  • Update Ransomware Response Plan according to insights gained from postmortem.
 
Whew! If you are not overwhelmed by now you haven’t been paying attention. Once the magnitude of the problem is understood then everyone becomes overwhelmed; no surprise. Most compliance officers are also paralyzed into inaction. They don’t know what to do or where to start. Our Frameworks answer this question. Moreover, the entirety of our Subscription Plan focuses on this issue. The shameless plug is unavoidable. Why? Because it demonstrates that there are cost-effective and compelling solutions in the marketplace today. If your organization is not willing to spend a little over $1K to address the problem, then there is nothing anyone can do. The abyss awaits you. It should go without saying, but with an abundance of caution, we will expressly state that there are other competitive solutions available in the marketplace, despite the fact that we believe ours is more comprehensive and offered at a price point unmatched anywhere. The takeaway from this article is this: do something. Doing nothing is no longer an option. Doing nothing will likely result in people dying. Start you Ransomware Resiliency initiative today.
 
Incidents
 
Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the operations of an Information System. Although not all Ransomware attacks constitute Breaches per se, all are security incidents and must be analyzed as such. Notice that an attempt qualifies as an Incident. That is one of the reasons that all Incidents should be tracked as part of a rigorous compliance initiative. Tracking Incidents is obviously a key part of the Ransomware resilience process and shows visible demonstrable evidence that your organization is serious about your Ransomware response. That said, tracking Incidents is necessary, but not enough. As this article illustrates, more is required.
 
Teams
 
No man is an island. There is no compliance officer anywhere capable of responding to a Ransomware attack on his/her own. This is impossible for obvious reasons. That said, most compliance officers also do not have a Ransomware resilience program in place. They don’t understand the magnitude of the problem. They are blissfully ignorant of the teams (“Teams”) they must collaborate with to effectively respond. The Teams of necessity will include inside or outside counsel and the potential need for additional technical personnel with deep experience in Cybersecurity. You don’t want to be scrambling to put these teams in place after an attack. During an attack, you will be facing enormous pressure and it won’t take you long to figure out that your career is on the line. If you work for a certain kind of covered entity, then you are likely to also realize that lives are on the line. Failing to prepare is akin to “planning to fail.”
 
Testing
 
There is not much sense in developing a Ransomware Resilience Plan (“RRP”) if you don’t test prior to use. Sure, the old military adage that “no plan survives” the first contact with the enemy remains true; however, the military, writ large, plans more than any other organization that we know of. Why? Because if you don’t have a baseline plan, including provisions for reacting to the adversary’s anticipated actions, then you won’t know what to tweak should the unexpected occur. In war, the unexpected almost always occurs. Cyberwar is no different. Planning represents one of the most effective tools in a compliance officer’s toolbox. Yet most compliance officers do not have resilience plans in place, let alone one that has been rigorously tested.
 
Conclusion
 
This article has covered a significant amount of ground. We intended it to. We are at war. It is time that we get on with the business at hand. Big Brother is not going to come to the rescue. By all accounts, Big Brother is incapable of protecting its own information systems. We crossed the Rubicon. We are now in dark and uncharted territory. Hoping that things will get better on their own is the stuff of children. There will be no peace in our lifetime. Winston Churchill was virtually alone in the wilderness sounding the alarm of what Nazi Germany was up to, long before the commencement of WWII. Here we are not alone. Others have done the leg work. We are doing nothing more than connecting the dots and stating the inescapable inference. People are going to die because of Ransomware or computer network attacks on the healthcare industry. That blood will be on all our hands. What is the acceptable death count?
 

Posted at 02:00 PM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

The Compliance Manifesto Podcast

Capture
In case I haven't mentioned it, we recently began a Compliance Podcast where we first reviewed The Compliance Manifesto, 2nd Edition and its contents at a high level. We also plan to have conversations with industry luminaries to discuss issues of importance in the compliance space as well as other relevant topics. Download a Podcast Episode from the Podcast player of your choice as shown here.

Posted at 09:21 AM in Health IT, Healthcare, HITECH / HIPAA, Internet Resources, Podcasts | | Comments (0)

HIPAA Survival Guide Newsletter & Webinar February, 2020

 
 
FREE FEBRUARY WEBINAR
 
Webinar Title: A Short History of Cyber war and Why It Matters

Description:  
This webinar will discuss the history of cyber warfare and its impact on Compliance. Understanding cyber war is a small step in the right direction, but not sufficient. Organizations, and especially those responsible for compliance, must do a better job preventing cyber attacks. 
 
Because in healthcare, the lives of people and not just data are at stake. 

After registering, you will receive a confirmation email containing information about joining the webinar.
 
Date:     Thu, February 20, 2020
Time:     2:00 - 3:30 p.m. EST
 

A Short History of Cyber War and Why it Matters
 
 
 
 
 
Introduction
 
If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; 
that's all there is to it. Compliance and cybersecurity are joined at the hip, they can't be separated. Like peanut butter and jelly. 
 
OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates. This history doesn't begin in 1983 but that was the groundbreaking year President Ronald Reagan watched War Games [1] (the movie). He was so intrigued by the narrative that in a White House Briefing on a different classified topic, he stopped the discussion and asked the Joint Chiefs ("JC") and others in attendance if anyone had seen what was portrayed in the movie War Games and could it really happen? The group was speechless. First, they hadn't seen the movie because it just came out and second, they thought the Prez was being a little "nutty" since he had recently announced his "Star Wars" policy. One of the chiefs had someone in mind who could provide a quick answer to the question, and the answer came back (paraphrasing), "Mr. President, it's even worse than you think!" But despite the fact the group was astounded by the answer, they likely gave very little credence to it. Nothing changed. Why? Because generals are always fighting that last war.
 
Four Star (****) Generals don't appear to have any interest in the geeky nonsense. If there are cyber-targets, they would rather just bomb them into nothingness; problem solved. Well not quite. Because if you decimate the enemy you lose the opportunity to penetrate their networks in the same way they have penetrated ours. It's an offensive "opportunity cost." You don't know what you don't know. Fortunately for the USA, there were some real believers at the National Security Agency ("NSA") (i.e. you know, the agency that for sure does NOT listen to communications between Americans), and some career officers that were the best and brightest in cryptology, deciphering, and electronic espionage. They were committed to showing the DOD, JC, and the President just how easily we could be hacked. Should new defense systems require re-design, updates, testing, and implementation? What's this new problem called? Cybercrimes, Cyber War, Cybernetics, Cyber Threats? In 1994 it was ultimately named Cyber Security. With this recognition, the nation began moving from Signals Intelligence (SIGINT) to the cyber age (i.e. all intelligence taking a digital form).
 
So, how do we protect critical infrastructures like Telecommunications, Electrical Power, Oil and Gas, Banking and Finance, Transportation, Water Supply, Emergency Services, and Continuation of Government in an emergency? These components mostly relied on networks and/or computers and could be impacted by cyber threats. But then, the big question in our mind is Where is Healthcare on the list? Healthcare must be considered a key component of the national infrastructure deserving protection. Electronic Medical Records and healthcare devices are also prone to hackers, especially when they provide interoperability and sharing of patient data across the Internet. Furthermore, that information not only consists of patient medical records, but also credit cards, insurance accounts, Medicare and Medicaid billing data, and provider Fee-for-Service records. It is likely that omitting the healthcare industry from the initial "critical infrastructure list" was an oversight. Clearly, it is a critical infrastructure. Witness the trouble that could be created by adversaries if the CDC's computers were hacked-right in the middle of dealing with a potential emerging pandemic threat, one analogous to what we are facing at this very moment.
 
Interestingly, an NSA project to bring down the telephone grid in several large cities was authorized as a cybersecurity study called "Eligible Receiver." This project's purpose was a demonstration of how to bring down power grids and 911 emergency communication lines for 8 cities: Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville and the island of Oahu, Hawaii. Although this project impacted the delivery of healthcare services to needy people, it's actual purpose was to pressure political leaders into removing certain sanctions that negatively impacted Cyber Security Teams and their research on cyber threats. To make matters even more explicit, the NSA took it a step forward and successfully launched a similar attack on the military's telephone, fax, and computer networks. 
 
Eligible Receiver consisted of a group of NSA analysts who attacked systems that the DOD and JC thought were impenetrable. The NSA thought they could do it in four days. It took one day! Many defense computers weren't protected with a password; others were protected by gimpy passwords, like ABCDE or 12345. In one case, a team member simply called the office and said he needed to reset all passwords for security reasons; he got a password without hesitation. After successfully penetrating many computers, the team left notes; "Kilroy was here." But then they did more, they intercepted communications, deleted files, and sent false emails. This is the ultimate goal of Cyberwarfare; "disrupt the norm, confuse the parties, and have them believe false information!"[2] 
What might happen in traditional wartimes?
 
Eligible Receiver demonstrated that the DOD was completely unprepared for cyberwarfare, yet progress continued to be SLOW. In 1997 the President's Commission on Critical Infrastructure Protection released a report that stated, "We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power."[3] 
 
With this statement, military operations began to focus on cyber threats as weapons of mass disruption! In 2009 a dedicated Cyber Command was established having a budget that went from $2.7 billion to $7+ billion in its first three years.

Short Chronological History of Key Events

  • 1952 Establishment of the National Security Agency (NSA) America's largest secret Intelligence Agency.
  • 1980 Computers for the masses.
  • 1984 Reagan's National Policy on Telecommunications and Automated Information Systems Security.
  • 1990 Evolution and widespread use of the Internet with a new focus on electronic medical records. 
  • 1990 Air Force Cryptology Support Center established.
  • 1995 Critical infrastructure Working Group created. 
  • 1996 HIPAA becomes law.
  • 1996 Two kinds of threats to Critical Infrastructure identified: Physical and Cyber.
  • 2009 Creation of a dedicated Cyber Command. 

Still, Progress has Remained Painfully SLOW

Why is progress SLOW? Because most generals still prefer to drop bombs. I guess it's the macho thing to do. Furthermore, all of us have biases in favor of what we know works, rather than having to grok a heavy topic like cybersecurity. There are many Compliance Officers in healthcare that prefer to remain in the dark for that same reason. Ignorance is bliss until a breach occurs. It's not a question of if, but when one will occur. That's when all those things you have not been paying attention to will be available to all relevant stakeholders: (1) the executive management team; (2) the board (assuming you have one); (3) your colleagues; and perhaps (4) the offices of HHS and State Attorney Generals. 
 
Remember that willful neglect fines start at $50K and max out at $1.5M for identical violations. However, if you are in willful neglect of 10 distinct violations you could max out your civil monetary penalties (just for willful neglect) at over $10M. This does NOT include the cost of notifying patients when (not if) you have a Breach. The Ponemon Institute, which has been conducting Breach cost studies for nearly a decade now, states that in Healthcare it costs $400.00 per record/patient to notify. Say you had a small Breach of 10K records. You do the math. It is going to ruin your day and perhaps your career. Unfortunately, many Healthcare Compliance Officers believe that they have HIPAA wired. There are a few that do; most do not. 
 
The latter have no idea of the unknown unknowns. The smart ones, like the rest of us that struggle with complex topics, are willing to embark on a lifetime adventure of continuous education. The others, including us if we stop learning, will become roadkill on the info highway. Nothing personal. Simply the manifestation of Darwinian capitalism in a global economy. There is always someone coming after your job. You can bank on that! As we discussed earlier, the generals are always fighting that last war. It's the nature of the business they're in. They are students of military history; however, no amount of history is going to help you when your adversaries are rapidly inventing the future of cyber warfare as we speak. 
 
The Healthcare industry is especially vulnerable, a fact that the bad guys (organized crime, enemy nation-states, and enterprising hackers to name a few) are aware of. The Healthcare industry is SOFT compared to, for example, banks and financial services industries. Moreover, even the latter is NOT as prepared as they should be. Why are we not better informed about the current vulnerable state of affairs? Because for obvious reasons, including the fact that we are at war, it is not wise to broadcast your vulnerabilities to your enemies via public discussions. Many in Healthcare believe that an attack (ransomware, DDOS, etc.) won't happen to them. That's the stuff that happens to other people. And it turns out, it has been happening to other people in Healthcare A LOT. So much so that HHS is now starting to pay attention to small as well as large Breaches; even those that don't reach 500 records (a ridiculously low number to start with) that places your organization on the HHS Wall of Shame.

SCADA Systems

Hospitals generally do not have supervisory control and data acquisition systems ("SCADA") per se, because the latter is a term that is usually associated with production plants of all kinds, including but not limited to oil refineries and nuclear power plants. However, hospitals have thousands of electronic devices, now networked, that collect information on patients 24/7 365 and are ALL potential vectors for an intrusion. Imagine what would happen if an adversary were to shut down a Hospital's grid and it didn't have a redundant power supply. People would die. It turns out that we don't have to imagine this scenario, it happened during Katrina and recently in Venezuela when its grid was down for three weeks. Ah, does anyone believe that Venezuela's grid remained down for three weeks by accident? If you do, then you haven't been paying attention. Nation-states must test their cyber warfare offensive capabilities somewhere. Remember it was Americans, together with the Israelis that launched Stuxnet against an Iranian nuclear power plant in 2007, bringing it down to its knees. Enough said.

HIPAA

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act ("HIPAA") and it became law. HIPAA included provisions to simplify administration and protect patient data confidentiality (i.e. the Privacy Rule) and included cybersecurity protections in the form of the Security Rule. The law did not go completely into effect until circa 2005. It was not taken seriously by the healthcare industry until the Breach Notification Rule was introduced in 2009 as part of the HITECH Act. Therefore, the industry writ large has arguably only been paying serious attention to cybersecurity for about a decade. Although significant progress has been made amongst the largest covered entities and business associates, progress has not been as widespread for the remainder of the industry, which in terms of numbers means the vast majority of covered entities and business associates who remain incapable of protecting the PHI they have been charged with protecting. That status has begun to change incrementally, but not apace of what the bad guys are capable of launching. This needs to change. Understanding a short history of cyber warfare is a small step in the right direction; necessary but not sufficient. The industry must do better. Lives, not just data, are at stake.

1  Lawrence Lasker and Walter Parkes, 1990: "WarGames"
2  Fred Kaplan, Dark Territory: The Secret History of Cyber War
3  Ibid
 
Signup for our FREE Newsletter here.
 

Posted at 11:03 AM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

HIPAA Survival Guide January 2020

Sophia_HSG_Store_Header
 
HIPAA Survival Guide® Newsletter 
January 2020: Issue 121
Your HIPAA Compliance Companion
 
JANUARY WEBINAR
 
 
Webinar Title:  Why most compliance officers should be fired!
 
Description:  
Most compliance officers are ill-prepared for the implosion/explosion of the unsustainable policies that the global economy now faces. The amount of fraud, waste, abuse, criminal and pseudo criminal conduct that will become front-page news in 2020 represents a tsunami of corporate malfeasance unprecedented since the early days of the 20th century. In a global economy where eight (8) families control 50% of the wealth, the elites rule. The Rule of Law is for sale, and compliance, with shrinking budgets and little or no corporate power, is literally the only thing that stands between the destruction of major brands as consumers revolt.

After registering, you will receive a confirmation email containing information about joining the webinar.
 
Date:     January, 23, 2020
Time:     2:00 - 3:30 p.m. EST
 
 
 
2019 NEW OR ENHANCED PRODUCTS!
  1. Expresso:
    • Clone Risk Assessments
    • Enhanced Reporting
    • Compliance Repository with HIPAA Survival Guide Product Download
    • Breach Notification Wizard
    • Forgot my password Feature
  2. Managing Multiple Risks with similar Vulnerabilities at One Time
  3. The Compliance Manifesto, Second Edition
  4. No worries if you can't make a Webinar. We provide recorded Webinars Online!
  5. Check out our Updated Data Sheets

What We do - A portfolio of 3Lions Publishing products.

Training - List of all training modules: Comprehensive, Concept Shorts and Micro Shorts.

Checklists and Frameworks - All about our Checklists and Frameworks for Risk Remediation.

Expresso® the Risk Assessment Express - Your guide to Expresso, our "SaaS" based Risk Assessment Software with an encrypted Compliance Repository, HIPAA Survival Guide product access, the new Breach Wizard and reduce time doing assessments with multiple Risk updates.

Model Documents - Policies, Forms, Letters, Contracts, etc. that can be modified for your use.

 
IN THE DIGITAL ECONOMY
ONLY THE PARANOID SURVIVE 
(a.k.a. Backups R' Us)
 
 
So, you like Technology and all the really, really, cool things it enables? Me too. But Tech has a dark side that is rarely discussed. All the "0's" and "1's" that we love so much can all disappear in a New York minute. And so, if you do not have a robust disaster recovery plan ("DRP") enabled and in place (obviously just having a plan is not enough), then sooner or later the Digital Economy is going to shoot you in the head. Guaranteed. All knowledge workers have inadvertently deleted, corrupted, and/or otherwise lost a document that they were working on. As painful as that may be, that is not what this article speaks about. No! Here we are talking about a massive loss of data that cannot be recovered! We are not discussing a few hours (even days) of lost work on behalf of a knowledge worker. We are talking thousands, if not hundreds of thousands, of lost man-hours. Poof. Gone. And don't forget the Patient and caregivers! How will care be provided when there is little to no history of what has already been given to the patient, their medications, other tests, records, and results?
 
OK. But what does this have to do with compliance? Well, that depends on what compliance regime we are discussing. If it is HIPAA (or GDPR), and the lost data involves Patient records, then you are in a world of hurt. There is no way that you can comply with the HIPAA Privacy Rule. For example, if you cannot provide a patient their records upon request then you are in violation of the Rule. Section §164.524 mandates that you provide a patient with records that they have requested. The last thing patients should worry about is the privacy and security of their medical information, especially when they're about to be admitted to the hospital. Obviously, if the records are no longer available then you can't provide them. Moreover, if the patient(s) complained to HHS about this, then HHS would consider that to be willful neglect on its face. So? The so what is that HHS, under these circumstances, is required to audit you. Generally, an OCR investigation results in corrective action plans and fines to settle HIPAA violations.
 
You almost certainly will be found to be in willful neglect; wherein the Civil Monetary Penalties ("CMP") start at $50K per identical violation. Multiply that times the number of individual patients whose data was lost, and you are going to get a really large number. OK, so those of you that have been following along for the last decade might be thinking: "yeah, the CMP will be large, but it will be capped at $1.5M."That's the maximum amount that an organization could be fined per identical violation." Would this kind of data loss constitute a Breach? Probably not, but you will still get audited AND you will likely have to notify patients that their data has been lost. Given the current state of healthcare compliance, additional violations are likely to be found. You are going to have a bad day!
 
Don't trust and verify. I know that President Reagan said "Trust and Verify" concerning any nuclear treaty with the Russians, but when it comes to backups, it is better NOT to trust and ALWAYS verify. About a month ago I got an email from Dropbox saying that 35K files had been deleted. I mirror my server to Dropbox so needless to say I was a bit disconcerted. Was I panicked? No. Why? Because when it comes to data, I have backups of backups and some are stored offsite. I am paranoid about it. I can't afford to lose client files, plus all the intellectual property developed over more than a decade. Dropbox was simply a convenient way to always have a mirror of my server available in case I traveled, and, for whatever reason, I couldn't get access.
 
When I got that email, I quickly checked my server to ensure all was well and temporarily forgot about it. A few days later I had to send a large file that I couldn't email and so I wanted to send it via a Dropbox ("DB") link. Whoa. When I logged into DB something looked wrong. I can't see all my files. Something is definitely wrong. I contacted DB support. They confirmed that 35K files had been deleted. I informed support that I still had those files on my server so how could they possibly have been deleted? First things first. Because it had been less than 30 days since the "delete event" DB said they could restore the files. I told them to go ahead and restore. They restored all 35K files. But things still did not look copacetic. There were folders that I knew existed on my server that I couldn't see in DB. So, I start the whole support dance of providing screenshots that demonstrate that what I am telling them is true. Apparently "on their end," they say they can see the files. I said, well that's nice but I can't. Why don't we do a "screen sharing" session so that DB support can see what I see? Nope. DB support says for security reasons they can't do that. What? They already have access to my account. What security reasons?
 
I tell support to escalate. Once escalated the dance continues. More screenshots. More proof. By now I have lost track of which DB support person I am talking to. In any case, they send me some links, not to the folders that I can't see, but to files beneath said folders. I click on the link and voila, now I can see my files. Life is good. I am ready to sing DB's support praises. Not so fast. I log in a few days later and I am back to not seeing the folders I couldn't see previously. Plus, now I am seeing duplicate folders. Things are definitely not right.
 
I am using a Synology NAS (Network Attached Storage model DS412+) to sync to DB. I decide to contact Synology support because the finger-pointing had already started. DB says that Synology is using an "unsupported API" which is news to me. Really? Unsupported? Evidently, DB just wants you to sync from workstations (e.g. Macs or PCs) but not from a NAS. I tell DB that that strategy is "brain dead" because for most businesses their mission-critical data is stored on a server (i.e. the NAS is actually nothing more than a file server). So here I sit. A month later. Still no resolution. I have spent about 15 hours "messing around" with support and there is no end in sight.
 
OK, because I have backups of backups, I have options. I can cancel DB and look for a more robust solution that works with my NAS. In fact, I believe Synology has some solutions that address this issue and that is likely the path that I will take. That said, I was a huge fan of DB. They were (and are) a market leader. I thought it was a safe bet using their "stuff." The moral of the story? There are no "safe bets," only the paranoid survive. Don't trust and always verify!
 
In the end, DB was not able to make me whole. I am going to cancel the service and look for another solution. DB support was diligent BUT apparently, things were so badly broken that Humpty Dumpty was never going to be put back together again. I can assure you that you will either see (or read about) this movie repeatedly going forward. We trust vendors, even arguably high-quality vendors, way too much. Don't trust and verify is a much better way to go!
 
Signup for our FREE Newsletter here.

Posted at 11:19 AM in Current Affairs, Healthcare, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Webinars | | Comments (0)

HIPAA Survival Guide December 2019

What you need is a workflow..

Introduction

We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable, evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.

Since this workflow topic is "heavy," as you read through this month's article, please note that you may contact us with questions you may have. Email us at: support@3lionspublishing.com

The following are examples of Privacy Rule ("PR") workflows and their attendant results.

  • Authorize PHI         ->     PHI Authorized
  • Restrict PHI            ->     PHI Restricted
  • Access PHI             ->     PHI Accessed (or delivered)
  • Amend PHI             ->     PHI Amended
  • Disclose PHI           ->     PHI Disclosed
  • Account for PHI      ->      PHI Accounted for

To demonstrate the need for a workflow, we borrow from the book: Workflow Modeling, Tools for Process Improvement and Application DevelopmentSecond Edition by Alec Sharp. Key definitions From Alec's work are shown below to enable the development of coherent compliance workflows and avoid the recursive semantics that has led many workflow projects into the abyss-turning what Edward Yourdon (father of Data Flow Diagrams) once correctly called "death march projects." Once you have experienced a demolished workflow design process and managed to survive, you never want to experience one again. Unfortunately, because we are veterans of the technology industry, we have managed to survive more than one-a fate that we would not wish on our worst enemies. 

Definition of a Process (aka "Workflow")

It should go without saying that a Process involves some sort of work. Duh. Well not so much because what often appears obvious in the business modeling space isn't.

A Process is a defined method to achieve some result, and that result is far more important to the definition of a business process than the work that goes into it.

Named in Verb-Noun Form

The first step in deciding whether or not you have a process is to name it and apply two exceedingly simple and useful guidelines:

  1. The Process name, at it's simplest, must be in the form verb-noun. (e.g. Assign Inspector). It might be in the form verb-qualifier-noun (e.g. Assign Backup Inspector) or verb-noun-noun (e.g. Assign Inspector to Route). Note the Processes are almost always defined in the singular. Not "Handle Orders" but rather "Fill Order."
  2. Here's where it gets interesting-the verb-noun name must indicate the result of the Process, as follows. If you flip the terms around into noun is verbed form, the phrase should indicate the intended result of the Process (i.e. as we have done above in the PR examples.

Delivers a Specific, Essential Result

And now it really gets interesting. The result of the Process, in "noun-verbed" form, must meet three criteria. 

The Result is discrete and identifiable

  1. That is, you can differentiate individual instances of the result, and it makes sense to talk about "one of them." For instance, the result of Authorize PHI is that one individual or entity is now authorized to view the patient's PHI. It stands to reason that a patient can designate one-to-many Authorizations.

The Result is countable

  1. That is, you can count how many results you have produced in a day, week, month, year, etc.

The Result is essential

  1. That is, it is fundamentally necessary to the operation of the enterprise, not just a consequence of the current implementation. It is axiomatic that "Authorize PHI" is essential to a Covered Entity ("CE") under HIPAA because it is a HIPAA regulatory requirement.

Producing VDE Requires a Workflow

It is axiomatic that producing VDE requires a Workflow. The "triggering event" in compliance is a Requirement; the result is the fulfillment of that Requirement. Do all regulatory Requirements fit this model? Who knows? We believe that the majority do. Here our objective is not to reach Workflow Panacea, that is way beyond our pay grade. Our objective is to illustrate how widely the Workflow Modeling framework can be applied to compliance, and in this instance to HIPAA. To be a competent Compliance Officer going forward it is essential that you master this discipline. Workflow modeling should be one of many tools inside your toolkit. If you want a seat at the C-Suite table that means getting busy. Iterate. Iterate. Iterate. Literacy. Literacy. Literacy.

Other Workflow Considerations

A Process is initiated to deliver its Result by a triggering event ("TE"). Generally, but not always, the Process is triggered by the "customer" that will benefit from the Result. The customer may be internal or external. In the examples herein, it is the patient or legal representative ("Individual") that triggers these processes. Between the TE and the Result is a collection of tasks, actions, steps (referred to as "Activities") that must be accomplished to deliver the Result. There may also be sub-processes, each meeting the Process definition, that may be interposed between a Process and its Result. For the Processes we present here as examples we will constrain the analysis to a collection of Activities. 

However, within your organization, there may be sub-processes interposed. That is something we leave as an exercise for our readers. Be forewarned, there are some non-trivial technical challenges when you start interposing sub-processes. Each sub-process consists of another collection of Activities.

The Activities within a Process must be interrelated, they are not just some arbitrary collection of work. They must be related either through a necessary sequence or a dependency. A dependency is implicated when Activity "C" cannot occur until Activity "B" is completed. This distinction may be semantic "hair-splitting" because a sequence appears to implicate dependency, although one could quickly think of use cases where this is not true (i.e. where the sequence does not occur in any particular order).

Activities are also interrelated because they all deal with the same "Token." We think of a Token as a single unit of work. For example, in the "Authorize PHI" example the Token is the work required to complete the Authorization, provide the necessary access, or notification of denied access. If we included training staff to deliver Authorizations in that Process than that would introduce a different Token-which under this model would mean that said training constitutes a separate Process.

Privacy Rule Example

The example provided below is intended to be just that. We do not pretend that this example Process will meet every CE's need, or that of any specific CE. We intend, by way of example, to demonstrate how you should be thinking about Workflow Modeling within your organization. We also hope to extend our lexicon to show that producing VDE for a Requirement requires a Process and what that Process might look like when diagrammed.

Authorize PHI

This Requirement is driven by the following PR section: §164.508 Uses and disclosures for which an authorization is required. In general, the Requirement is stated as follows:

(1) Authorization required: General rule

Except as otherwise permitted or required by this sub-chapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

Let's provide a specific example. An aging mother (C) requests medical record access from her Physician (CE) for her daughter (Entity A). The TE for an authorization is the Individual ("I" or "C") (e.g. the Mother) who has requested access for her daughter. 

In this simple example the Individual is both the Customer ("C") that triggers the Process ("P") and is the ultimate beneficiary of the Result ("R") (however here there are two beneficiaries(1) the Mother (C); and (2) the Daughter (Entity A) that actually get authorized access to the PHI)

  • Authorization Requested by (C) for Entity A
  • Request communicated to Physician (CE) 
  • Validate Request
  • Provide Access
  • Notify Customer (C) and Entity A

Right away there should be some flags that are set off based on the simplicity of this Process. But first let's determine if all the attributes of a Process are met:

(1)   Here the R is discrete and identifiable: Access to the PHI has been provided and the Individual has been notified (two results here).

(2)   The number of times an Authorization is provided is clearly countable over time.

(3)   The R is essential in that it fulfills a regulatory requirement.

So, it appears that on its face we have a valid process. The issue is not based on the validity of the Process but rather on its simplicity. To see why this is true let's explore other aspects of §164.508. The Rule states as follows:

1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed, or the expiration event is known by the covered entity to have occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

It should be clear from above that the Authorization requires validation and that the next steps cannot proceed until validation is complete. Further, it should be clear that "Validate Request," written in verb-noun form, is likely a sub-process with its own set of Activities. The same is true of "Provide Access" and "Notify Customer." 

What are the takeaways thus far? First, it should be clear that Process modeling is iterative. You are simply not going to get it right during your first attempt. Second, in order to model effectively you are going to need some expert knowledge of the subject matter domain. Third, there are other questions and/or flags that should be on your radar by now. For example, what happens if "Validate Request" fails? And a sub-process to "Store Validation?" If we do not perform the latter how will we find the Authorizations that this Individual has triggered when the same (or other) person/entity wants access again?

Here is an example of a Swim Lane Diagram for this Example (Workflow Process). A quick explanation of its components is helpful. 

  1. Left side (in grey) contains the names of the individuals or departments responsible for performing the duties to it's right (on the same line) a) Individual, b) Compliance Officer,    c) HIM Department, and d) Entity A.
  2. Arrows point to subsequent activities once the prior activity is complete.
  3. Notes are entered for clarification and further explanation.
  4. Blue starts the process (Triggering Event) and Red stops the Process.
  5. Yellow diamond designates yes or no response and may have sub-processes.

SwimLane

Summary

Are we done? No. There are other steps in the Process modeling framework that remain (e.g. creating a more detailed "swim lane diagram"). However, the intent here was to introduce Process modeling and how it might work pursuant to the Privacy Rule. We suspect that most healthcare organizations have not modeled the Processes required to comply with the HIPAA Rules (i.e. Privacy, Security, and Breach Notification). Process modeling is the mechanism by which an organization gets "down and dirty" with the Activities necessary to produce VDE for a single Requirement. 

Stay tuned for future webinars where we will provide additional information about how your organization can use swim lane diagrams (workflows) to improve HIPAA Compliance. 

Signup for our FREE Newsletter here.

Posted at 02:55 PM in Current Affairs, Health IT, Information Technology for Healthcare (EHR/EMR), Knowledge Management | | Comments (0)

Next »

Search

Healthcare Blogroll

Categories

Analytics

CC