Information Technology for Healthcare (EHR/EMR)

August 2020 Security Reminder Notice

3lp
HSGLogoR
 
 
Note: For HIPAA Survival Guide with Expresso clients, this Security Reminder will be stored in your DOCS / Products / HIPAA Tools folder.
 
 
 
 
"Forrester, a leading global research and advisory firm, recently analyzed the emerging cybersecurity risk ratings solutions market.
 
The free 2020 Forrester report delivers critical insights for CISO's and third-party risk teams on how and why cybersecurity risk rating solutions can fit into their security programs."
 
 
 
 
"video surveillance component consists of around 700 different Siqura cameras, working with VDG Sense video management software and storage from TKH Security,” Anwer said. “The iProtect access control system, also from TKH Security, manages around 400 doors with card and pin authentication. [The] iProtect security management system is able to flawlessly fulfill the set of complex requirements demanded by this client."
 
 
 
 
"The pervasive impact of Internet of Things (IoT) devices on our lives is greater than that of traditional IT devices. There are several unknowns in IoT security, and it raises concerns for customers who are looking to incorporate IoT devices in their existing infrastructure. Fortunately, security by design can resolve some of the major root causes of the underlying vulnerabilities in these connected devices.
 
In acknowledgement of the challenges discussed above, an internal NIST report IR8228 entitled Considerations for Managing IoT Cybersecurity and Privacy Risks indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. This report also points to the requirement of creating robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls."
 
 
 
 
"The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
 
Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
 
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam."
 
 
 
 
"A preliminary settlement of a class action data breach lawsuit against Iowa Health System - which does business as UnityPoint Health - contains an extraordinary provision that could prove quite costly.
 
Unlike settlements in most other data breach class action lawsuits, this one does not contain a "global cap" on the total amount of claims to be paid to victims.
 
Under the terms of the proposed settlement, UnityPoint will provide one year of comprehensive credit monitoring and ID theft protection services with a retail value of about $200 per settlement class member."
 
 
 
 
"On March 15, 2020, the CDC announced gatherings of 50 or more people be canceled for the next eight weeks, marking a pivotal point in the 2019 Novel Coronavirus. The CDC needed to make a strong recommendation to limit the spread of the virus, and on this day, there were 3,000 cases in the US, and airports were in chaos due to new screenings.
 
With our daily livelihoods changing right before our eyes, bad actors online started to see this chaos as an opportunity. SlashNext Threat Intelligence researchers identified that in the days which followed, we saw a +3000% increase in COVID-19 themed Phishing URLs. With no sign of slowing down, thousands of new phishing pages are launched hourly to steal personal information, corporate data exfiltration, and credit card fraud."
 
 
 
 
 
The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.
 
If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:
  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes
 
Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.
To view the presentation slides, click here.
To view the webinar recording, click here."
 
Nudge: The Federal government is reviewing what HIPAA will require for a new Privacy Rule Risk Assessment. Note that in anticipation of expected Federal Privacy regulations, we have developed a Privacy Rule Risk Assessment for Expresso.
 
 
 
 
"TikTok has long presented a parenting problem, as millions of Americans raising preteens and teenagers distracted by its viral videos can attest. But when the C.I.A. was asked recently to assess whether it was also a national security problem, the answer that came back was highly equivocal."
 
 
 
"Data breaches are a hot topic and will undoubtedly get even hotter. Cybersecurity for your own enterprise isn’t enough — you must evaluate your vendors and determine if they’re prepared to resist cyberattacks. 
 
The increase in data breaches has only led to more regulatory scrutiny. Regulatory focus on third-party vendors was already increasing after the 2008 financial crisis, but has reached a fever pitch in recent years. New data privacy laws often make companies liable for the mistakes of their vendors, even as businesses are relying on outsourcing more and more. So this reliance on vendors, suppliers and subcontractors means increased liability."
 
 
Nudge: Take a look at our new Business Partner Vetting Portal in Expresso. It will save time and money with a paperless method to obtain valid assurances from potential Business Partners. Contact us at [email protected] for a preview.
 
 
 
 
"Enforcement of Maine’s landmark online privacy law, which bans internet service providers from collecting and selling customers’ personal data without their permission, began this month after clearing a major legal hurdle in July.
Still, state officials can not provide a clear picture of what will happen to providers in Maine if they don’t comply.
 
The law dictates that internet providers must gather express, affirmative consent from customers before collecting any of their identifying data, such as location, browsing history or device identification. Providers also must give customers “clear, conspicuous and non-deceptive notice” of their rights at the point of sale, and are not allowed to offer promotions to customers who choose to give consent to have their data collected or refuse service to those who do not."
 
 
 
 
"The ransomware threat landscape worsened in several significant ways through 2019 and into the current year, according to BakerHostetler’s 2020 Data Security Incident Response Report. Average demands increased more than tenfold and all industry segments saw growth in attack frequency, with stark increases seen by education and government entities.
 
Several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment, the report noted.
The average ransom paid in 2018 was $28,920 and the largest payment $250,000. But that figure jumped to $302,539 the following year and the largest payment was $5.6 million, the latest report stated.
 
A tip to avoid this: require vendors to implement multifactor authentication to access an environment."

Posted at 09:59 AM in Accountable Care Organizations, Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Web/Tech | | Comments (0)

Ransomware Resilience

March 2020 Webinar Title:
Ransomware Resilience: How to effectively respond to Ransomware when everything is on the line.
 
Description:
This webinar will discuss a framework for responding to a Ransomware attack in a manner that maximizes your negotiation options including, but not limited to: (1) how to avoid paying the Ransom; (2) how to pay the Ransom with plausible deniability if that is the option of least resistance; (3) how to walk through the Breach Notification Legal Framework for determining whether the attack in question requires notification to the authorities; and (4) the steps that should be taken to mitigate risks going forward.
 
Date and Time:
Thu, Mar 19, 2020 2:00 PM - 3:30 PM EDT
 
 
***************************************************************************************************************************
HIPAA Survival Guide March 2020 Newsletter Article
Ransomware Resilience: Only the Paranoid Survive!
 
Introduction
 
Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict upon the healthcare industry writ large, including the fact that patients will die if a concerted effort is launched attacking the industry at its weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained, to wit:
 
Three Steps to Resilience Against Ransomware:
 
1.     Back-Up Your Systems – Now (and Daily)
Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.
 
2. Reinforce Basic Cybersecurity Awareness and Education
Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees how to report incidents to appropriate IT staff, in a timely manner, which should include out-of-band communication paths.
 
3. Revisit and Refine Cyber Incident Response Plans
Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS -ISAC, in the event of an attack.
 
See CISA, MS -ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS. Really, circa mid-2019 (i.e. the date that the above “advice” was promulgated) is this the best that Team USA can do? NO! But you can rest assured for the foreseeable future this is the best that Team USA will do, premised on national security concerns. Team USA is not about to go any further than the “proverbial toe in the water”—doing nothing more than reinforcing the anemic response that it has shown pursuant to cybersecurity threats over the last four decades. It’s not about to expose its sources and methods by coming to the rescue of the healthcare industry. If patients must die, then so be it. After all we are at war. People die during wars. It’s the inescapable nature of the beast. This is on us. Team USA will do little more than what its already done by offering platitudes yet not venturing into the no man’s land of reallocating public/private Risks pursuant to cybersecurity threats. Big Brother is not coming to the rescue anytime soon.
 
As discussed in February’s webinar, patients are likely, almost certainly, to die from a forthcoming concerted attack on the healthcare industry—arguably, along with government itself, one of the most vulnerable industries in the country. Team USA will not change its current position according to public/private cybersecurity risks anytime soon, and when it does, it will be a slow roll. The healthcare private sector has no choice but to step up in a big way, but it appears weak, and imminently ill-equipped for this challenge. The most insidious reason that the industry is so ill-equipped is that it continues to be in denial vis-à-vis its vulnerability, despite the U.S. government, ratings agencies, and knowledgeable observers beating the drum for well over a decade now. Healthcare executives, not all but in sufficiently large numbers, exhibit a naive response to this growing cacophony. They just want to place their collective hands over their ears and hope that the noise goes away. It won’t. In the interim people will die, and the latter will have blood on their hands; along with their underlings—all complicit in standing by and taking no action, while the writing has been on the wall for a long time now.
 
If you are a CO that has been beating the drum to no avail, we suggest that you start writing “memos to file” (i.e. as a CYA strategy) according to recommendations that likely fell on the deaf, dumb and blind. It’s important that you lead your executive team to the water, and that you document these efforts, even though you can’t make them drink. We understand that many CO’s are not able to affect real change within your respective organizations; you’re overworked and underpaid. Eventually, your management team will “wake up and smell the coffee” or perish as roadkill on the info highway. It’s important that you live to fight another day.
 
Ransomware Resilience Framework
 
What is a Ransomware Resilience Framework (“RRF”) and why does it matter? Glad you asked. Our RRF (shipping soon to a theatre near you) is designed to help organizations of all sizes who experience a Ransomware attack to respond effectively, keeping in mind that lives are at stake. Our Framework also attempts to cover the major components of Ransomware Resilience, which by necessity, touches on other collateral in our Subscription Plan (e.g. our Breach Notification Framework, our Contingency Framework, and our Breach Response Framework). Other than the obvious shameless plug, we use our offerings here as reference to eliminate the healthcare industry’s constant lament that compliance is too confusing, too expensive, etc. Fill in your excuse du jour. These excuses do not hold water because once patients start dying based on your neglect, they will seem even more vacuous. We’re in perpetual cyberwar, no amount of excuses will get you through these dark tumultuous times. The healthcare industry writ large must take the proverbial “bull by the horns” and begin to take serious actions to mitigate the number of lives lost.
 
Resilience Components
 
Here we capture, at ten-thousand feet, the major components you should have in place as part of your Ransomware Resilience initiative. Our objective here is to put you on notice. If you want to take your initiative to the next level, then you must make the necessary investment. You can purchase our RRF or spend hundreds of man-hours trying to piece together the pieces of the puzzle yourself, but the important thing is that you act quickly. Time is not on your side. Patients’ lives are at risk because your organization has failed to prepare. This is true across the healthcare industry writ large.
 
No one contests the foundational material facts that lead to this inference. Last month’s webinar contains the sources that we relied on to arrive at this sobering conclusion. You can also look here and here for additional background. This is dark and unsettling territory that we have embarked upon, but we are never going back to the nonexistent, yet soothing concept, embodied in the nostalgia for the good-ole-days. For many of our fellow citizens, these mythical good days weren’t all that good. Moreover, if they ever existed, they are long since gone; we have crossed the Rubicon.
 
Preparedness
 
The problem with “preparedness” is that it is too easy to fall into a litany of platitudes that everyone knows they should do, yet no one does. Well sorry to say that we are not going to disappoint. Prepare for some dull, boring, trite platitudes. However, the difference is that our RRF provides the reader with a set of tools that facilitate “preparedness,” because at the end of the day there is no escaping it. You will be forced to develop your own preparedness plan (“Response Plan” or “Plan”) or modify ours to suit your needs. Having a plan in and of itself may help you avoid some liability (i.e. to the extent that having a Plan allows your legal team to make an argument that “far from being completely negligent, you were attempting to do the right thing”). Most of you understand that although this argument is better than no argument at all, it’s only going to take you so far. At the end of the day you will be forced to provide visible, demonstrable evidence (“VDE”) that you have responded to a Ransomware attack in an effective way—that is, your “boots on the ground” did the right thing.
 
Here's an outline of a Plan to get you started:
  • Review and distribute of Ransomware Resilience Policy
  • Review, modify, and distribute the Application Sensitive Data Criticality List (i.e. so that you know what applications and data to restore and in what order)
  • Actions that should be taken to ensure that the vector that allowed your adversaries to install the Ransomware malware has been plugged
  • A methodology for determining whether a breach has occurred (i.e. because any Ransomware response will require a breach notification analysis)
  • A forensic analysis to discover technical root cause analytics;
  • A legal analytical framework for deciding if the root cause analysis necessitates breach notification under applicable law, both state and federal;
  • A review of tools and templates such as executive management/board of director’s updates, call lists, sample notification letters/communications to stakeholders, press releases.      
  • Incidents
  • Ensure Incident gathering and documentation process are in place;
  • Ensure that your incident master document was designed, implemented and routed for approval.
  • A Communications plan
  • Communication to Response partners and the activation of Response teams;
  • Communication to regulatory authorities;
  • Communication to media, social media, and other appropriate organizational news consumption endpoints;
  • Communication to individuals impacted;
  • Activation of Call Center for inquiries;
  • Activation of identity protection services as required;
  • Activation of remediation teams, including closely working with third-party technical partners.
  • Response Plan Testing
  • Test your ability to instantiate virtual (i.e. cloud-based) servers wherein users can be routed once mission-critical data is restored;
  • Test the immediate incident reception and analysis workflow;
  • Instantiate and test the Communications Plan;
  • Review remediation readiness.
  • Response Postmortem
  • Review the status of remediation;
  • Update the executive management team on remediation progress;
  • Implement additional Security Controls that would prevent similar attacks;
  • Update Ransomware Response Plan according to insights gained from postmortem.
 
Whew! If you are not overwhelmed by now you haven’t been paying attention. Once the magnitude of the problem is understood then everyone becomes overwhelmed; no surprise. Most compliance officers are also paralyzed into inaction. They don’t know what to do or where to start. Our Frameworks answer this question. Moreover, the entirety of our Subscription Plan focuses on this issue. The shameless plug is unavoidable. Why? Because it demonstrates that there are cost-effective and compelling solutions in the marketplace today. If your organization is not willing to spend a little over $1K to address the problem, then there is nothing anyone can do. The abyss awaits you. It should go without saying, but with an abundance of caution, we will expressly state that there are other competitive solutions available in the marketplace, despite the fact that we believe ours is more comprehensive and offered at a price point unmatched anywhere. The takeaway from this article is this: do something. Doing nothing is no longer an option. Doing nothing will likely result in people dying. Start you Ransomware Resiliency initiative today.
 
Incidents
 
Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the operations of an Information System. Although not all Ransomware attacks constitute Breaches per se, all are security incidents and must be analyzed as such. Notice that an attempt qualifies as an Incident. That is one of the reasons that all Incidents should be tracked as part of a rigorous compliance initiative. Tracking Incidents is obviously a key part of the Ransomware resilience process and shows visible demonstrable evidence that your organization is serious about your Ransomware response. That said, tracking Incidents is necessary, but not enough. As this article illustrates, more is required.
 
Teams
 
No man is an island. There is no compliance officer anywhere capable of responding to a Ransomware attack on his/her own. This is impossible for obvious reasons. That said, most compliance officers also do not have a Ransomware resilience program in place. They don’t understand the magnitude of the problem. They are blissfully ignorant of the teams (“Teams”) they must collaborate with to effectively respond. The Teams of necessity will include inside or outside counsel and the potential need for additional technical personnel with deep experience in Cybersecurity. You don’t want to be scrambling to put these teams in place after an attack. During an attack, you will be facing enormous pressure and it won’t take you long to figure out that your career is on the line. If you work for a certain kind of covered entity, then you are likely to also realize that lives are on the line. Failing to prepare is akin to “planning to fail.”
 
Testing
 
There is not much sense in developing a Ransomware Resilience Plan (“RRP”) if you don’t test prior to use. Sure, the old military adage that “no plan survives” the first contact with the enemy remains true; however, the military, writ large, plans more than any other organization that we know of. Why? Because if you don’t have a baseline plan, including provisions for reacting to the adversary’s anticipated actions, then you won’t know what to tweak should the unexpected occur. In war, the unexpected almost always occurs. Cyberwar is no different. Planning represents one of the most effective tools in a compliance officer’s toolbox. Yet most compliance officers do not have resilience plans in place, let alone one that has been rigorously tested.
 
Conclusion
 
This article has covered a significant amount of ground. We intended it to. We are at war. It is time that we get on with the business at hand. Big Brother is not going to come to the rescue. By all accounts, Big Brother is incapable of protecting its own information systems. We crossed the Rubicon. We are now in dark and uncharted territory. Hoping that things will get better on their own is the stuff of children. There will be no peace in our lifetime. Winston Churchill was virtually alone in the wilderness sounding the alarm of what Nazi Germany was up to, long before the commencement of WWII. Here we are not alone. Others have done the leg work. We are doing nothing more than connecting the dots and stating the inescapable inference. People are going to die because of Ransomware or computer network attacks on the healthcare industry. That blood will be on all our hands. What is the acceptable death count?
 

Posted at 02:00 PM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

HIPAA Survival Guide Newsletter & Webinar February, 2020

 
 
FREE FEBRUARY WEBINAR
 
Webinar Title: A Short History of Cyber war and Why It Matters

Description:  
This webinar will discuss the history of cyber warfare and its impact on Compliance. Understanding cyber war is a small step in the right direction, but not sufficient. Organizations, and especially those responsible for compliance, must do a better job preventing cyber attacks. 
 
Because in healthcare, the lives of people and not just data are at stake. 

After registering, you will receive a confirmation email containing information about joining the webinar.
 
Date:     Thu, February 20, 2020
Time:     2:00 - 3:30 p.m. EST
 

A Short History of Cyber War and Why it Matters
 
 
 
 
 
Introduction
 
If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; 
that's all there is to it. Compliance and cybersecurity are joined at the hip, they can't be separated. Like peanut butter and jelly. 
 
OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates. This history doesn't begin in 1983 but that was the groundbreaking year President Ronald Reagan watched War Games [1] (the movie). He was so intrigued by the narrative that in a White House Briefing on a different classified topic, he stopped the discussion and asked the Joint Chiefs ("JC") and others in attendance if anyone had seen what was portrayed in the movie War Games and could it really happen? The group was speechless. First, they hadn't seen the movie because it just came out and second, they thought the Prez was being a little "nutty" since he had recently announced his "Star Wars" policy. One of the chiefs had someone in mind who could provide a quick answer to the question, and the answer came back (paraphrasing), "Mr. President, it's even worse than you think!" But despite the fact the group was astounded by the answer, they likely gave very little credence to it. Nothing changed. Why? Because generals are always fighting that last war.
 
Four Star (****) Generals don't appear to have any interest in the geeky nonsense. If there are cyber-targets, they would rather just bomb them into nothingness; problem solved. Well not quite. Because if you decimate the enemy you lose the opportunity to penetrate their networks in the same way they have penetrated ours. It's an offensive "opportunity cost." You don't know what you don't know. Fortunately for the USA, there were some real believers at the National Security Agency ("NSA") (i.e. you know, the agency that for sure does NOT listen to communications between Americans), and some career officers that were the best and brightest in cryptology, deciphering, and electronic espionage. They were committed to showing the DOD, JC, and the President just how easily we could be hacked. Should new defense systems require re-design, updates, testing, and implementation? What's this new problem called? Cybercrimes, Cyber War, Cybernetics, Cyber Threats? In 1994 it was ultimately named Cyber Security. With this recognition, the nation began moving from Signals Intelligence (SIGINT) to the cyber age (i.e. all intelligence taking a digital form).
 
So, how do we protect critical infrastructures like Telecommunications, Electrical Power, Oil and Gas, Banking and Finance, Transportation, Water Supply, Emergency Services, and Continuation of Government in an emergency? These components mostly relied on networks and/or computers and could be impacted by cyber threats. But then, the big question in our mind is Where is Healthcare on the list? Healthcare must be considered a key component of the national infrastructure deserving protection. Electronic Medical Records and healthcare devices are also prone to hackers, especially when they provide interoperability and sharing of patient data across the Internet. Furthermore, that information not only consists of patient medical records, but also credit cards, insurance accounts, Medicare and Medicaid billing data, and provider Fee-for-Service records. It is likely that omitting the healthcare industry from the initial "critical infrastructure list" was an oversight. Clearly, it is a critical infrastructure. Witness the trouble that could be created by adversaries if the CDC's computers were hacked-right in the middle of dealing with a potential emerging pandemic threat, one analogous to what we are facing at this very moment.
 
Interestingly, an NSA project to bring down the telephone grid in several large cities was authorized as a cybersecurity study called "Eligible Receiver." This project's purpose was a demonstration of how to bring down power grids and 911 emergency communication lines for 8 cities: Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville and the island of Oahu, Hawaii. Although this project impacted the delivery of healthcare services to needy people, it's actual purpose was to pressure political leaders into removing certain sanctions that negatively impacted Cyber Security Teams and their research on cyber threats. To make matters even more explicit, the NSA took it a step forward and successfully launched a similar attack on the military's telephone, fax, and computer networks. 
 
Eligible Receiver consisted of a group of NSA analysts who attacked systems that the DOD and JC thought were impenetrable. The NSA thought they could do it in four days. It took one day! Many defense computers weren't protected with a password; others were protected by gimpy passwords, like ABCDE or 12345. In one case, a team member simply called the office and said he needed to reset all passwords for security reasons; he got a password without hesitation. After successfully penetrating many computers, the team left notes; "Kilroy was here." But then they did more, they intercepted communications, deleted files, and sent false emails. This is the ultimate goal of Cyberwarfare; "disrupt the norm, confuse the parties, and have them believe false information!"[2] 
What might happen in traditional wartimes?
 
Eligible Receiver demonstrated that the DOD was completely unprepared for cyberwarfare, yet progress continued to be SLOW. In 1997 the President's Commission on Critical Infrastructure Protection released a report that stated, "We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power."[3] 
 
With this statement, military operations began to focus on cyber threats as weapons of mass disruption! In 2009 a dedicated Cyber Command was established having a budget that went from $2.7 billion to $7+ billion in its first three years.

Short Chronological History of Key Events

  • 1952 Establishment of the National Security Agency (NSA) America's largest secret Intelligence Agency.
  • 1980 Computers for the masses.
  • 1984 Reagan's National Policy on Telecommunications and Automated Information Systems Security.
  • 1990 Evolution and widespread use of the Internet with a new focus on electronic medical records. 
  • 1990 Air Force Cryptology Support Center established.
  • 1995 Critical infrastructure Working Group created. 
  • 1996 HIPAA becomes law.
  • 1996 Two kinds of threats to Critical Infrastructure identified: Physical and Cyber.
  • 2009 Creation of a dedicated Cyber Command. 

Still, Progress has Remained Painfully SLOW

Why is progress SLOW? Because most generals still prefer to drop bombs. I guess it's the macho thing to do. Furthermore, all of us have biases in favor of what we know works, rather than having to grok a heavy topic like cybersecurity. There are many Compliance Officers in healthcare that prefer to remain in the dark for that same reason. Ignorance is bliss until a breach occurs. It's not a question of if, but when one will occur. That's when all those things you have not been paying attention to will be available to all relevant stakeholders: (1) the executive management team; (2) the board (assuming you have one); (3) your colleagues; and perhaps (4) the offices of HHS and State Attorney Generals. 
 
Remember that willful neglect fines start at $50K and max out at $1.5M for identical violations. However, if you are in willful neglect of 10 distinct violations you could max out your civil monetary penalties (just for willful neglect) at over $10M. This does NOT include the cost of notifying patients when (not if) you have a Breach. The Ponemon Institute, which has been conducting Breach cost studies for nearly a decade now, states that in Healthcare it costs $400.00 per record/patient to notify. Say you had a small Breach of 10K records. You do the math. It is going to ruin your day and perhaps your career. Unfortunately, many Healthcare Compliance Officers believe that they have HIPAA wired. There are a few that do; most do not. 
 
The latter have no idea of the unknown unknowns. The smart ones, like the rest of us that struggle with complex topics, are willing to embark on a lifetime adventure of continuous education. The others, including us if we stop learning, will become roadkill on the info highway. Nothing personal. Simply the manifestation of Darwinian capitalism in a global economy. There is always someone coming after your job. You can bank on that! As we discussed earlier, the generals are always fighting that last war. It's the nature of the business they're in. They are students of military history; however, no amount of history is going to help you when your adversaries are rapidly inventing the future of cyber warfare as we speak. 
 
The Healthcare industry is especially vulnerable, a fact that the bad guys (organized crime, enemy nation-states, and enterprising hackers to name a few) are aware of. The Healthcare industry is SOFT compared to, for example, banks and financial services industries. Moreover, even the latter is NOT as prepared as they should be. Why are we not better informed about the current vulnerable state of affairs? Because for obvious reasons, including the fact that we are at war, it is not wise to broadcast your vulnerabilities to your enemies via public discussions. Many in Healthcare believe that an attack (ransomware, DDOS, etc.) won't happen to them. That's the stuff that happens to other people. And it turns out, it has been happening to other people in Healthcare A LOT. So much so that HHS is now starting to pay attention to small as well as large Breaches; even those that don't reach 500 records (a ridiculously low number to start with) that places your organization on the HHS Wall of Shame.

SCADA Systems

Hospitals generally do not have supervisory control and data acquisition systems ("SCADA") per se, because the latter is a term that is usually associated with production plants of all kinds, including but not limited to oil refineries and nuclear power plants. However, hospitals have thousands of electronic devices, now networked, that collect information on patients 24/7 365 and are ALL potential vectors for an intrusion. Imagine what would happen if an adversary were to shut down a Hospital's grid and it didn't have a redundant power supply. People would die. It turns out that we don't have to imagine this scenario, it happened during Katrina and recently in Venezuela when its grid was down for three weeks. Ah, does anyone believe that Venezuela's grid remained down for three weeks by accident? If you do, then you haven't been paying attention. Nation-states must test their cyber warfare offensive capabilities somewhere. Remember it was Americans, together with the Israelis that launched Stuxnet against an Iranian nuclear power plant in 2007, bringing it down to its knees. Enough said.

HIPAA

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act ("HIPAA") and it became law. HIPAA included provisions to simplify administration and protect patient data confidentiality (i.e. the Privacy Rule) and included cybersecurity protections in the form of the Security Rule. The law did not go completely into effect until circa 2005. It was not taken seriously by the healthcare industry until the Breach Notification Rule was introduced in 2009 as part of the HITECH Act. Therefore, the industry writ large has arguably only been paying serious attention to cybersecurity for about a decade. Although significant progress has been made amongst the largest covered entities and business associates, progress has not been as widespread for the remainder of the industry, which in terms of numbers means the vast majority of covered entities and business associates who remain incapable of protecting the PHI they have been charged with protecting. That status has begun to change incrementally, but not apace of what the bad guys are capable of launching. This needs to change. Understanding a short history of cyber warfare is a small step in the right direction; necessary but not sufficient. The industry must do better. Lives, not just data, are at stake.

1  Lawrence Lasker and Walter Parkes, 1990: "WarGames"
2  Fred Kaplan, Dark Territory: The Secret History of Cyber War
3  Ibid
 
Signup for our FREE Newsletter here.
 

Posted at 11:03 AM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

HIPAA Survival Guide January 2020

Sophia_HSG_Store_Header
 
HIPAA Survival Guide® Newsletter 
January 2020: Issue 121
Your HIPAA Compliance Companion
 
JANUARY WEBINAR
 
 
Webinar Title:  Why most compliance officers should be fired!
 
Description:  
Most compliance officers are ill-prepared for the implosion/explosion of the unsustainable policies that the global economy now faces. The amount of fraud, waste, abuse, criminal and pseudo criminal conduct that will become front-page news in 2020 represents a tsunami of corporate malfeasance unprecedented since the early days of the 20th century. In a global economy where eight (8) families control 50% of the wealth, the elites rule. The Rule of Law is for sale, and compliance, with shrinking budgets and little or no corporate power, is literally the only thing that stands between the destruction of major brands as consumers revolt.

After registering, you will receive a confirmation email containing information about joining the webinar.
 
Date:     January, 23, 2020
Time:     2:00 - 3:30 p.m. EST
 
 
 
2019 NEW OR ENHANCED PRODUCTS!
  1. Expresso:
    • Clone Risk Assessments
    • Enhanced Reporting
    • Compliance Repository with HIPAA Survival Guide Product Download
    • Breach Notification Wizard
    • Forgot my password Feature
  2. Managing Multiple Risks with similar Vulnerabilities at One Time
  3. The Compliance Manifesto, Second Edition
  4. No worries if you can't make a Webinar. We provide recorded Webinars Online!
  5. Check out our Updated Data Sheets

What We do - A portfolio of 3Lions Publishing products.

Training - List of all training modules: Comprehensive, Concept Shorts and Micro Shorts.

Checklists and Frameworks - All about our Checklists and Frameworks for Risk Remediation.

Expresso® the Risk Assessment Express - Your guide to Expresso, our "SaaS" based Risk Assessment Software with an encrypted Compliance Repository, HIPAA Survival Guide product access, the new Breach Wizard and reduce time doing assessments with multiple Risk updates.

Model Documents - Policies, Forms, Letters, Contracts, etc. that can be modified for your use.

 
IN THE DIGITAL ECONOMY
ONLY THE PARANOID SURVIVE 
(a.k.a. Backups R' Us)
 
 
So, you like Technology and all the really, really, cool things it enables? Me too. But Tech has a dark side that is rarely discussed. All the "0's" and "1's" that we love so much can all disappear in a New York minute. And so, if you do not have a robust disaster recovery plan ("DRP") enabled and in place (obviously just having a plan is not enough), then sooner or later the Digital Economy is going to shoot you in the head. Guaranteed. All knowledge workers have inadvertently deleted, corrupted, and/or otherwise lost a document that they were working on. As painful as that may be, that is not what this article speaks about. No! Here we are talking about a massive loss of data that cannot be recovered! We are not discussing a few hours (even days) of lost work on behalf of a knowledge worker. We are talking thousands, if not hundreds of thousands, of lost man-hours. Poof. Gone. And don't forget the Patient and caregivers! How will care be provided when there is little to no history of what has already been given to the patient, their medications, other tests, records, and results?
 
OK. But what does this have to do with compliance? Well, that depends on what compliance regime we are discussing. If it is HIPAA (or GDPR), and the lost data involves Patient records, then you are in a world of hurt. There is no way that you can comply with the HIPAA Privacy Rule. For example, if you cannot provide a patient their records upon request then you are in violation of the Rule. Section §164.524 mandates that you provide a patient with records that they have requested. The last thing patients should worry about is the privacy and security of their medical information, especially when they're about to be admitted to the hospital. Obviously, if the records are no longer available then you can't provide them. Moreover, if the patient(s) complained to HHS about this, then HHS would consider that to be willful neglect on its face. So? The so what is that HHS, under these circumstances, is required to audit you. Generally, an OCR investigation results in corrective action plans and fines to settle HIPAA violations.
 
You almost certainly will be found to be in willful neglect; wherein the Civil Monetary Penalties ("CMP") start at $50K per identical violation. Multiply that times the number of individual patients whose data was lost, and you are going to get a really large number. OK, so those of you that have been following along for the last decade might be thinking: "yeah, the CMP will be large, but it will be capped at $1.5M."That's the maximum amount that an organization could be fined per identical violation." Would this kind of data loss constitute a Breach? Probably not, but you will still get audited AND you will likely have to notify patients that their data has been lost. Given the current state of healthcare compliance, additional violations are likely to be found. You are going to have a bad day!
 
Don't trust and verify. I know that President Reagan said "Trust and Verify" concerning any nuclear treaty with the Russians, but when it comes to backups, it is better NOT to trust and ALWAYS verify. About a month ago I got an email from Dropbox saying that 35K files had been deleted. I mirror my server to Dropbox so needless to say I was a bit disconcerted. Was I panicked? No. Why? Because when it comes to data, I have backups of backups and some are stored offsite. I am paranoid about it. I can't afford to lose client files, plus all the intellectual property developed over more than a decade. Dropbox was simply a convenient way to always have a mirror of my server available in case I traveled, and, for whatever reason, I couldn't get access.
 
When I got that email, I quickly checked my server to ensure all was well and temporarily forgot about it. A few days later I had to send a large file that I couldn't email and so I wanted to send it via a Dropbox ("DB") link. Whoa. When I logged into DB something looked wrong. I can't see all my files. Something is definitely wrong. I contacted DB support. They confirmed that 35K files had been deleted. I informed support that I still had those files on my server so how could they possibly have been deleted? First things first. Because it had been less than 30 days since the "delete event" DB said they could restore the files. I told them to go ahead and restore. They restored all 35K files. But things still did not look copacetic. There were folders that I knew existed on my server that I couldn't see in DB. So, I start the whole support dance of providing screenshots that demonstrate that what I am telling them is true. Apparently "on their end," they say they can see the files. I said, well that's nice but I can't. Why don't we do a "screen sharing" session so that DB support can see what I see? Nope. DB support says for security reasons they can't do that. What? They already have access to my account. What security reasons?
 
I tell support to escalate. Once escalated the dance continues. More screenshots. More proof. By now I have lost track of which DB support person I am talking to. In any case, they send me some links, not to the folders that I can't see, but to files beneath said folders. I click on the link and voila, now I can see my files. Life is good. I am ready to sing DB's support praises. Not so fast. I log in a few days later and I am back to not seeing the folders I couldn't see previously. Plus, now I am seeing duplicate folders. Things are definitely not right.
 
I am using a Synology NAS (Network Attached Storage model DS412+) to sync to DB. I decide to contact Synology support because the finger-pointing had already started. DB says that Synology is using an "unsupported API" which is news to me. Really? Unsupported? Evidently, DB just wants you to sync from workstations (e.g. Macs or PCs) but not from a NAS. I tell DB that that strategy is "brain dead" because for most businesses their mission-critical data is stored on a server (i.e. the NAS is actually nothing more than a file server). So here I sit. A month later. Still no resolution. I have spent about 15 hours "messing around" with support and there is no end in sight.
 
OK, because I have backups of backups, I have options. I can cancel DB and look for a more robust solution that works with my NAS. In fact, I believe Synology has some solutions that address this issue and that is likely the path that I will take. That said, I was a huge fan of DB. They were (and are) a market leader. I thought it was a safe bet using their "stuff." The moral of the story? There are no "safe bets," only the paranoid survive. Don't trust and always verify!
 
In the end, DB was not able to make me whole. I am going to cancel the service and look for another solution. DB support was diligent BUT apparently, things were so badly broken that Humpty Dumpty was never going to be put back together again. I can assure you that you will either see (or read about) this movie repeatedly going forward. We trust vendors, even arguably high-quality vendors, way too much. Don't trust and verify is a much better way to go!
 
Signup for our FREE Newsletter here.

Posted at 11:19 AM in Current Affairs, Healthcare, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Webinars | | Comments (0)

HIPAA Survival Guide December 2019

What you need is a workflow..

Introduction

We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable, evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.

Since this workflow topic is "heavy," as you read through this month's article, please note that you may contact us with questions you may have. Email us at: [email protected]

The following are examples of Privacy Rule ("PR") workflows and their attendant results.

  • Authorize PHI         ->     PHI Authorized
  • Restrict PHI            ->     PHI Restricted
  • Access PHI             ->     PHI Accessed (or delivered)
  • Amend PHI             ->     PHI Amended
  • Disclose PHI           ->     PHI Disclosed
  • Account for PHI      ->      PHI Accounted for

To demonstrate the need for a workflow, we borrow from the book: Workflow Modeling, Tools for Process Improvement and Application DevelopmentSecond Edition by Alec Sharp. Key definitions From Alec's work are shown below to enable the development of coherent compliance workflows and avoid the recursive semantics that has led many workflow projects into the abyss-turning what Edward Yourdon (father of Data Flow Diagrams) once correctly called "death march projects." Once you have experienced a demolished workflow design process and managed to survive, you never want to experience one again. Unfortunately, because we are veterans of the technology industry, we have managed to survive more than one-a fate that we would not wish on our worst enemies. 

Definition of a Process (aka "Workflow")

It should go without saying that a Process involves some sort of work. Duh. Well not so much because what often appears obvious in the business modeling space isn't.

A Process is a defined method to achieve some result, and that result is far more important to the definition of a business process than the work that goes into it.

Named in Verb-Noun Form

The first step in deciding whether or not you have a process is to name it and apply two exceedingly simple and useful guidelines:

  1. The Process name, at it's simplest, must be in the form verb-noun. (e.g. Assign Inspector). It might be in the form verb-qualifier-noun (e.g. Assign Backup Inspector) or verb-noun-noun (e.g. Assign Inspector to Route). Note the Processes are almost always defined in the singular. Not "Handle Orders" but rather "Fill Order."
  2. Here's where it gets interesting-the verb-noun name must indicate the result of the Process, as follows. If you flip the terms around into noun is verbed form, the phrase should indicate the intended result of the Process (i.e. as we have done above in the PR examples.

Delivers a Specific, Essential Result

And now it really gets interesting. The result of the Process, in "noun-verbed" form, must meet three criteria. 

The Result is discrete and identifiable

  1. That is, you can differentiate individual instances of the result, and it makes sense to talk about "one of them." For instance, the result of Authorize PHI is that one individual or entity is now authorized to view the patient's PHI. It stands to reason that a patient can designate one-to-many Authorizations.

The Result is countable

  1. That is, you can count how many results you have produced in a day, week, month, year, etc.

The Result is essential

  1. That is, it is fundamentally necessary to the operation of the enterprise, not just a consequence of the current implementation. It is axiomatic that "Authorize PHI" is essential to a Covered Entity ("CE") under HIPAA because it is a HIPAA regulatory requirement.

Producing VDE Requires a Workflow

It is axiomatic that producing VDE requires a Workflow. The "triggering event" in compliance is a Requirement; the result is the fulfillment of that Requirement. Do all regulatory Requirements fit this model? Who knows? We believe that the majority do. Here our objective is not to reach Workflow Panacea, that is way beyond our pay grade. Our objective is to illustrate how widely the Workflow Modeling framework can be applied to compliance, and in this instance to HIPAA. To be a competent Compliance Officer going forward it is essential that you master this discipline. Workflow modeling should be one of many tools inside your toolkit. If you want a seat at the C-Suite table that means getting busy. Iterate. Iterate. Iterate. Literacy. Literacy. Literacy.

Other Workflow Considerations

A Process is initiated to deliver its Result by a triggering event ("TE"). Generally, but not always, the Process is triggered by the "customer" that will benefit from the Result. The customer may be internal or external. In the examples herein, it is the patient or legal representative ("Individual") that triggers these processes. Between the TE and the Result is a collection of tasks, actions, steps (referred to as "Activities") that must be accomplished to deliver the Result. There may also be sub-processes, each meeting the Process definition, that may be interposed between a Process and its Result. For the Processes we present here as examples we will constrain the analysis to a collection of Activities. 

However, within your organization, there may be sub-processes interposed. That is something we leave as an exercise for our readers. Be forewarned, there are some non-trivial technical challenges when you start interposing sub-processes. Each sub-process consists of another collection of Activities.

The Activities within a Process must be interrelated, they are not just some arbitrary collection of work. They must be related either through a necessary sequence or a dependency. A dependency is implicated when Activity "C" cannot occur until Activity "B" is completed. This distinction may be semantic "hair-splitting" because a sequence appears to implicate dependency, although one could quickly think of use cases where this is not true (i.e. where the sequence does not occur in any particular order).

Activities are also interrelated because they all deal with the same "Token." We think of a Token as a single unit of work. For example, in the "Authorize PHI" example the Token is the work required to complete the Authorization, provide the necessary access, or notification of denied access. If we included training staff to deliver Authorizations in that Process than that would introduce a different Token-which under this model would mean that said training constitutes a separate Process.

Privacy Rule Example

The example provided below is intended to be just that. We do not pretend that this example Process will meet every CE's need, or that of any specific CE. We intend, by way of example, to demonstrate how you should be thinking about Workflow Modeling within your organization. We also hope to extend our lexicon to show that producing VDE for a Requirement requires a Process and what that Process might look like when diagrammed.

Authorize PHI

This Requirement is driven by the following PR section: §164.508 Uses and disclosures for which an authorization is required. In general, the Requirement is stated as follows:

(1) Authorization required: General rule

Except as otherwise permitted or required by this sub-chapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

Let's provide a specific example. An aging mother (C) requests medical record access from her Physician (CE) for her daughter (Entity A). The TE for an authorization is the Individual ("I" or "C") (e.g. the Mother) who has requested access for her daughter. 

In this simple example the Individual is both the Customer ("C") that triggers the Process ("P") and is the ultimate beneficiary of the Result ("R") (however here there are two beneficiaries(1) the Mother (C); and (2) the Daughter (Entity A) that actually get authorized access to the PHI)

  • Authorization Requested by (C) for Entity A
  • Request communicated to Physician (CE) 
  • Validate Request
  • Provide Access
  • Notify Customer (C) and Entity A

Right away there should be some flags that are set off based on the simplicity of this Process. But first let's determine if all the attributes of a Process are met:

(1)   Here the R is discrete and identifiable: Access to the PHI has been provided and the Individual has been notified (two results here).

(2)   The number of times an Authorization is provided is clearly countable over time.

(3)   The R is essential in that it fulfills a regulatory requirement.

So, it appears that on its face we have a valid process. The issue is not based on the validity of the Process but rather on its simplicity. To see why this is true let's explore other aspects of §164.508. The Rule states as follows:

1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed, or the expiration event is known by the covered entity to have occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

It should be clear from above that the Authorization requires validation and that the next steps cannot proceed until validation is complete. Further, it should be clear that "Validate Request," written in verb-noun form, is likely a sub-process with its own set of Activities. The same is true of "Provide Access" and "Notify Customer." 

What are the takeaways thus far? First, it should be clear that Process modeling is iterative. You are simply not going to get it right during your first attempt. Second, in order to model effectively you are going to need some expert knowledge of the subject matter domain. Third, there are other questions and/or flags that should be on your radar by now. For example, what happens if "Validate Request" fails? And a sub-process to "Store Validation?" If we do not perform the latter how will we find the Authorizations that this Individual has triggered when the same (or other) person/entity wants access again?

Here is an example of a Swim Lane Diagram for this Example (Workflow Process). A quick explanation of its components is helpful. 

  1. Left side (in grey) contains the names of the individuals or departments responsible for performing the duties to it's right (on the same line) a) Individual, b) Compliance Officer,    c) HIM Department, and d) Entity A.
  2. Arrows point to subsequent activities once the prior activity is complete.
  3. Notes are entered for clarification and further explanation.
  4. Blue starts the process (Triggering Event) and Red stops the Process.
  5. Yellow diamond designates yes or no response and may have sub-processes.

SwimLane

Summary

Are we done? No. There are other steps in the Process modeling framework that remain (e.g. creating a more detailed "swim lane diagram"). However, the intent here was to introduce Process modeling and how it might work pursuant to the Privacy Rule. We suspect that most healthcare organizations have not modeled the Processes required to comply with the HIPAA Rules (i.e. Privacy, Security, and Breach Notification). Process modeling is the mechanism by which an organization gets "down and dirty" with the Activities necessary to produce VDE for a single Requirement. 

Stay tuned for future webinars where we will provide additional information about how your organization can use swim lane diagrams (workflows) to improve HIPAA Compliance. 

Signup for our FREE Newsletter here.

Posted at 02:55 PM in Current Affairs, Health IT, Information Technology for Healthcare (EHR/EMR), Knowledge Management | | Comments (0)

August HIPAA Survival Guide Newsletter

 

 
HIPAA Survival Guide® Newsletter August, 2019: Issue 116
Your HIPAA Compliance Companion
 
 
How Other People Comply with the Security Rule!
  
Webinar TitleHow Other People Comply with the Security Rule!
 
Description: This webinar will review one of the most insidious Required implementation specifications of the HIPAA Security Rule: Information System Activity Review and provide some "show and tell" of an elegant and affordable solution to this problem.
 
Date August  22, 2019
Time:  2:00 - 3:30 p.m. EST
 
 
Information System Review Challenges

INTRODUCTION
 
HIPAA's Information System Activity Review implementation specification (i.e. "Security Control") is one of the most insidious yet seemingly innocuous Security Controls that most covered entities ("CEs") and business associates ("BAs"), even the largest ones, do not implement and execute in a sufficiently rigorous and sophisticated way. This Security Control requirement is stated as follows:

§164.308 (1) (ii) (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

It is "tucked away" as part of Security Controls associated with the Security Rule's first standard ("Standard"):

§164.308 (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

This Standard is arguably the most important of all the Security Rule's standards and contains the following Controls:

 
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
 
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
 
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
 
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
 
The reason, in part, that not much focus is placed on this Standard is because it is part of a group of Controls that contains the key Security Rule Control that everyone obsesses about (i.e. Risk Analysis). There are good reasons to "obsess" over the Risk Analysis Control (a.k.a. "Risk Assessment") because it is foundational to the Security Rule's implementation. To wit, there is no way to comply with the Security Rule without first performing a rigorous Risk Assessment-notwithstanding the confusion surrounding exactly what this means (fodder for another newsletter article).

Equally important, but less readily understood, is the need to perform Information System Activity Reviews pursuant to all systems that create, update, access or use PHI. There is simply no way that any organization can plausibly ascertain whether their systems are being breached, or otherwise compromised if these reviews are not conducted on a weekly, if not daily basis. 

As a young programmer, Carlos Leyva went to work for a huge oil company in Houston, TX. He supported manufacturing's purchasing system nationwide, which was comprised of approximately eight refineries. Every morning, job one was to review the error logs for this distributed application, which, among other things, passed EDI ANSI X.12 transactions from each refinery to the central mainframe in Houston, and then to all the oil company's vendors, with acknowledgments subsequently sent back from the vendors electronically, indicating that the purchase order ("PO") was received. As you might imagine, this application was complex, with lots of opportunities for PO transactions to run amok; reviewing error logs, and resolving said errors, was one of the most import support functions that he performed.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
The applications now deployed by CEs and BAs rival, if not exceed in complexity, the aforementioned purchasing system, for example, EHR applications. However, an EHR application is only of one of the dozens of applications that a CE must contend with, all of which require review for the detection of errors, incidents, access reports, etc. 

In most organizations, even amongst the largest of CEs, this review is performed in a cursory simplistic manner because the amount of information generated by today's applications quickly overwhelms even the most dedicated and competent support staff. BAs may also have applications that contain PHI and processes that receive and handle a CE's PHI that should be reviewed for errors in the application or the processes. Many organizations are paralyzed by this problem and quickly conclude that reviews are an exercise in futility.
 
CONCLUSION
 
So, what's the answer? There are no panaceas, but big data combined with sophisticated "structural analytics" algorithms offer hope. Join us for this month's webinar to see how others are solving this problem.
 

Posted at 03:39 PM in HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

HIPAA Survival Guide August 2018 Newsletter

 
 

  Register here for the FREE HIPAA Survival Guide Newsletter

  
 
Does your staff have sufficient HIPAA training?
 
 
Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI"). In this article, we describe aspects of what may be considered "good training" and what kind of training we make available so that you can compare across vendors.
 
You need answers! In our view, if you do not succeed in establishing compliance literacy in your workforce, you are likely going to have an occasional bad day, not to mention being out of compliance with the HIPAA regulations for training and associated documentation. As expressly stated in HHS' Audit Protocol, policies and procedures that have been adopted and activated by covered entities and business associates to meet selected standards are reviewed to determine an organization's implementation specifications of the Privacy, Security, and Breach Notification Rules. Training, by the way, is one of the Privacy Rule Regulations. 

If you are audited, one of the things that will be reviewed is your training documentation. Yes, seems this is a small item compared to your Risk Assessment and other Compliance efforts. However, Covered Entities ("CE") and Business Associates ("BA") must train all members of their workforce regarding PHI as it applies and as necessary to perform their jobs. Compliance with Privacy Rule regulation 164.530(b) requires policies and procedures for training and to document which staff member was trained on what topic and when.
 
From a practical standpoint, when it comes to training, it's not enough to have an understanding of the regulations, but also training should provide the ability to evaluate responses to a variety of situations where PHI may be at risk. Training that provides hypothetical risk situations related to HIPAA regulations that prevent incidents or breaches and/or a Quiz regarding knowledge obtained is a component of quality education.
 
But is HIPAA a top priority for a CEO's average day? Probably not, unless there is an Incident or a Breach. The same is likely true for other executives in your organization. Aside from the regulation requirement, this is a VERY good reason why a named Compliance Officer should be in each Covered Entity and Business Associate's organization. A Compliance Officer has the responsibility to ensure that policies and procedures are being followed by the workforce to avoid non-compliance. And yes, the Compliance Officer ensures policies for training and the visible, demonstrable evidence for same.
 
So, how much training is really needed? For the purpose of this article, we will use the HIPAA Training Products contained within our Subscription Plan as training recommendation topics for different categories of workforce members. Again, remember our principal premise is that all workforce members need to become HIPAA literate since you have the 800-pound gorilla of Breach Notification staring you in the face.
 
Training for Clinicians
Not all staff members need to attend or be educated for every HIPAA training module. We recommend three (3) training sessions for clinicians as listed below:
Why do we recommend specific training for clinicians? Well, I can say as a Registered Nurse, clinicians do not need to understand every aspect of the regulations. What they need to know is how to respond to various threats to PHI or situations where compliance action is required. They need an awareness and a basic understanding of Security, Privacy, and Breach Notification regulations that will enable prevention of risks while managing situations when HIPAA rules are tested. 
 
A particular item of importance is knowing WHO to call when a situation arises. The same is true for Business Associates. You might be surprised at the number of times I have randomly asked clinicians the name of their HIPAA Compliance Officer and they did not know. That's a recipe for a bad day! Try this yourself next time you visit your doctor. Ask the receptionist or the nurse, or any other clinician or workforce member you encounter if they know the name of their Compliance Officer. By the way, this is generally true of organizations both large and small, even those that regularly train their employees.
 
Foundational Training for Other Staff
The following list of training modules is recommended for other workforce members, including the executive management team. 
I have been asked if there is a HIPAA LITE for Business Associates, and the answer is No! Business Associates need to be as aware of the regulations as Covered Entities if they are "touching PHI." That said, we also provide specialized training for Business Associates in situations where their needs differ from Covered Entities (see below).
 
Specific Training for Compliance Officers
In addition to the training above, compliance officers should consider taking the following training classes to obtain their certification. We offer a HIPAA Certified Professional ("HCP") certification after taking an exam that covers material from the training modules listed below.
 
 
Certification Training Modules
3.    Audit
7.    Documentation* 
8.    HITECH Act
9.    Omnibus Rule
 
We also recommend that Compliance Officers take advantage of our pre-recorded four-part training series entitled: "Surviving a HIPAA Audit." Subscribers may log in to the Compliance Hub Member website to:
For some, the amount of information may be overwhelming, but just like HIPAA, you bite off a piece of the elephant one at a time.
 
Specialty Workforce Training
Finally, we recommend that staff who are responsible for items in the list below, and Compliance Officers and/or Executive Officers become knowledgeable on the following topics:
  1. Training for workforce members that are designated as "point persons" for the Patient's Bill of Rights; these are sections 164.520 through 164.528 of the Privacy Rule. 
    • The regulations require that individuals "sign off" on certain processes pertaining to providing access to a patient's PHI; 
    • Helping a patient amend their PHI; 
    • Distributing the notice of privacy practices, etc.
  2. Training for individuals that handle Privacy Rule requests for authorizations, restrictions, etc.
  3. Training for personnel assigned the responsibility of tracking security incidents.
  4. Training for information technology personnel that are required to audit information systems containing PHI.
  5. Training for personnel that are assigned the responsibility for disposing of PHI.
This is not an exhaustive list. The "final" list of training will depend on your operational environment, the size and complexity of your organization, and the resources you have available, etc. One thing is certain, look for training that provides answers, not just a description of the problems.
 
 
HOW TO COMPLY WITH HIPAA
 

At 3Lions Publishing, Inc. our mission is to provide clients with:

  • Premium Compliance Products,
  • Education,
  • Free Monthly Webinars
  • Newsletter Articles on HIPAA and regulatory topics, as well as 
  • "High Touch" LIVE assistance with Products for Risk Assessment and Remediation
We do NOT charge extra for compliance support like many of our competitors, the cost for your LIVE assistance is included in your Subscription purchase. 

A full 360-degree circle of Risk Assessment and Remediation products are provided in 3Lions Publishing Inc.'s 
 
The Subscription Plan includes  Expresso®the Risk Assessment "SaaS" based software, over 30+ compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
 
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
 
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance. 
 
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
 
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan! 
 
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment
 
 
Questions? Please call or write using the contact information below.
 
Email:     [email protected]
Phone:   (800) 516-7903    
 
 
HIPAA Help
 
 
What is the new LinkedIn GDPR Survival Guide?
What is the HIPAA Survival Guide® Subscription Plan and what does it include?
HIPAA Requirements for Cloud, Social Media, and Mobile including Policies and Procedures
HIPAA Requirements for Breach Notification including Policies and Procedures
HIPAA Requirements for a  Business Associate Agreement including the essential terms of the agreement
How to prepare for a HIPAA Security Rule Audit  
How to prepare for a HIPAA Privacy Rule Audit  
How to prepare for a HIPAA Breach Notification Audit  
How to prepare for a HIPAA Risk Assessment Audit  
 
For HIPAA Help send us an Email at [email protected]
 

 
Included in the HIPAA Survival Guide® Subscription Plan 
 
 
Protect Your Practice and Your Business
 
 
Click Here for HIPAA Survival Guide® Subscription Plan Testimonials

Take advantage of our Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide® Subscription Plan With Expresso®
 
 
 
 
 

Posted at 07:33 PM in Health Reform, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Web/Tech, Weblogs | | Comments (0)

Expresso® now handles GDPR Personal Data Assessments!

GDPRLogo

If you anticipate or are currently transacting commerce with EU consumers, you will need the ability to perform a Personal Data Risk Assessment with Expresso. 

HIPAA Survival Guide Subscription customers may purchase GDPR with Expresso as an ADD-ON for a one-time cost of $495.95 with no increase to your renewal fees. 

Click here for more information and to purchase GDPR with Expresso ADD-ON.

Non-subscription clients may purchase Expresso with GDPR Subscription that includes GDPR Products for $1,295.95. 

Click here for more information and to purchase Expresso with GDPR Subscription.

If you have any questions, please contact us at [email protected] or call (800) 516-7903

Expresso® was designed to manage more than one compliance regime. We are now delivering on that promise. Our competitors' products were narrowly focused on HIPAA and they have no easy path to migrate their offerings to other regimes. This includes smaller competitors and those that come with a more hefty price tag. None are delivering the kind of innovation that Expresso® represents. 

We have rationalized the GDPR risk assessment in a more streamlined manner because GDPR is even less prescriptive than HIPAA. Our decade of experience provides you with a foundational list of 10 Essential Controls that any compliance regime requires. We introduced the Compliance Stack™ as a way to explain this groundbreaking innovation to the marketplace. 

An introduction to the GDPR's 10 Essential Controls that are included in Expresso follows:

1. Risk Management: This Control encompasses the entirety of an entities Risk Management program ("Program"), including Risk Assessments and implementing additional Security Controls ("Controls") that reduce Risks to levels that are "reasonable and appropriate." 

2. Incident Management: There can be no effective Risk Management Program, including but not limited to Breach Notification, of security incidents are not tracked. 

3. Inventory (Security Objects): Controls are applied to Security Objects (e.g. most think in terms of an asset inventory but the term encompasses much more than that). 

4. Administrative: Compliance is a multi-disciplinary subject matter domain that requires a skillset far greater than technical acumen. 

5. Authentication: The ubiquitous nature of smart phones has led to widespread use of two-factor authentication by most large organizations including banks, brokerages, and of course all the major technology firms. 

6. Breach Notification: Breach notification, under every compliance regime where it is applicable, has become the 800-Pound-Gorilla that drives enforcement. Such is the case for HIPAA and we expect this same Gorilla to dominate GDPR enforcement. Large Breaches attract the attention of regulators.

7. Disaster Recovery: Disaster Recovery is yet another meta-control because it encompasses much more that data backups. Of course, backing up your protected data, and all your data for that matter, is mission critical. 

8. Audits: Measurement against a baseline of a compliance regime's requirements is the only level of granularity that matters during an audit. 

9. Technical Controls: This is another meta-control that of necessity must be treated as such because it is where the most innovation is currently occurring in cybersecurity defenses (i.e. for the moment we are discounting the importance of process innovations because they are so little understood). What we enumerate here as sub-controls are the basics, the most important of which is encryption. 

10. Physical Controls: Physical Controls are such a no-brainer that they often go overlooked because of our obsession with technology. 

GDPR PRODUCTS AND SUBSCRIPTION

GDPR Products are available on the HIPAA Survival Guide Store. They include:

GDPR products can be purchased as a subscription or individually (including the Combo Package). 

POLICIES

We recommend that you have at least four basic policies in place: (1) a Notice of Privacy Practices (outward facing); (2) a Privacy Policy; (3) a Security Policy; and (4) a Breach Notification Policy (collectively "Policies"). 

NOTICE OF PRIVACY PRACTICES ("NOPP")

Your GDPR NOPP is similar to covered entities NOPP under HIPAA, except you need to provide access to it in places where Data Subjects would expect to see it. 

PRIVACY POLICY 

Your Privacy Policy is an internal facing document and contains your organization's intentions vis-a-vis protecting the confidentiality of Personal Data. It should contain information about your Data Protection Officer (or Representative) and how you intend to resource this position. 

SECURITY POLICY 

Surprisingly there is only one Article in the GDPR (Article 32) that deals directly with security. It's not that security is not important under the GDPR, it obviously is; rather, it's that the emphasis on Privacy dominates. 

BREACH NOTIFICATION POLICY 

The GDPR introduces Breach Notification into the EU for the first time. Given what we have witnessed under HIPAA (post the HITECH Act) Breach Notification will also emerge as the GDPR's 800-pound Gorilla.

If you have any additional questions regarding GDPR Compliance, please contact us via email at [email protected] or by telephone at 800-516-7913.

Posted at 02:38 PM in Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR) | | Comments (0)

Selecting a HIPAA Compliance Vendor: Why 360 Degree Support Matters

 

 
HIPAA Survival Guide® Webinar
The semantics that underpin NIST's Risk Assessment Equation
 
  
Description: 
The webinar will break down the various components of the Risk Equation so that stakeholders understand how the equation can be used across compliance regimes!
 
Date and Time, including Time Zone 
June 21, 2018 2:00 pm EST
 
 
 
SELECTING A COMPLIANCE VENDOR: WHY 360 DEGREE SUPPORT MATTERS
 
In today's world of evolving regulatory matters, we often find ourselves buried under the weight of regulatory compliance initiatives. If compliance isn't the primary purpose of your workday, then it really becomes a burden of significant magnitude.
 
First, one must learn what the regulations are saying, which often is accomplished by reading the regulations over and over, ultimately giving up and asking a competent lawyer/consultant. I've heard the saying that although the law looks like English, and it sounds like English, it's NOT English. I can't help but wonder if they (the lawyers) planned it that way to warrant their existence.
 
In addition, as healthcare, commerce, digital technology and other disruptions enter the global marketplace, the interaction between various laws increase. This interplay may significantly impact the Compliance Officer's ability to manage and track compliance for their organizations. For example, Electronic Health Records (EHRs) dramatically changed the landscape for healthcare professionals not only pursuant to how they provide care to patients, but also how that care is documented. Watch this quick video about the first electronic medical records.
 
Taken a step further, analytics and big data became an opportunity to scrutinize this data as the digital analytics era ensued. In addition, EHRs impacted litigation and preservation of data. Records Management has been around for hundreds of years, but its visibility significantly grew with the advent of electronically stored information and impacted changes to Federal regulations regarding how electronic documentation is handled during a legal discovery process.

In the HIPAA world, regulations tell us WHAT is required, but HOW we comply is left out of the explanation. Why? Perhaps if they told us how to do it, and we followed the instructions and encountered a problem, then government wouldn't have an opportunity for enforcement. They did after all, tell us what and how to comply. In healthcare we start with a HIPAA Risk Assessment and move on to identify those Risks that require remediation. Risk Management achieves these two purposes: 1) identify areas of operational and financial risk to a facility, patients, visitors and employees, and 2) implement measures and remediation to lessen unavoidable risks and losses, as well as prevention of recurrence.[i]
 
HIPAA is unclear, at best, not only to learn what is required, but also to consider how to comply with the rules in a rigorous, competent manner. Fortunately, we provide model documents with the HOW written in real English by a legal subject matter expert! We provide not only the source of the regulations, but also a short description, a sample policy, controls/processes for compliance, a method for tracking compliance, and more.

Is this enough? Not quite.
 
Prepare for the next Regulatory Regime!

Do you mean there are other Compliance Regimes with additional regulations looming? If one Compliance Regime is difficult to understand and manage, imagine the difficulty of complying and adequately addressing the regulatory challenges of more than one set of regulations concurrently. How many other regimes are being "marked-up" as we speak to deal with the security breaches and invasions of our privacy that seem to occur on the battlefields of our daily lives. How should organizations prepare to address, understand, establish controls for, and comply with a regulatory environment that is almost certainly going to become more complex; despite all the promises of deregulation?
 
The European Union ("EU") implemented General Data Protection Regulations ("GDPR") effective May 25, 2018 to address regulations for protection of Personal Data. GDPR could prove transformative as the first Global Privacy and Security Regulations. Like HIPAA, the Payment Card Industry Data Security Standard ("PCI DSS") has been around for a while. PCI DSS provides standards for organizations that process major credit cards. The Gramm-Leach-Bliley Act (GLB) requires financial institutions to explain information-sharing practices to customers. In addition, the Sarbanes-Oxley Act (SOX) mandates strict financial reforms to protect investors from fraud. These are prominent regimes that are alive and well today. What we don't know, is how the House and Senate will respond to continuing instances analogous to the recent Facebook debacle.
 
THE COMPLIANCE STACK™ is one way to concurrently address more than one compliance regime and to handle the accompanying explosion of regulations. Let's take a deeper look.
 
INFORMATION GOVERNANCE STACK™
 
A stack within a stack? There are many reasons to establish Information Governance policy across and within industries, but healthcare's need to ensure the integrity of personal health information is not only a factor in HIPAA compliance but health information also faces unique challenges of cost and improved care for the patients they serve. The goals of the well-known "Triple Aim" rely on information governance for improving the patient's experience of care, improving the health of populations, and reducing the per capita costs of health care.[ii]
 
DATA RETENTION
 
With the advent of digitization, storage of electronic data has become an effective method for Records Management and Data Retention. However, one of the most difficult questions to answer is what types of data should be retained and how long should data be retained. In healthcare, accurate and timely documentation is essential to the provision of medical care. The Legal Health Record is used for guidance in health-care settings that could be paper-based, electronic or a hybrid. Legal Liability issues for patient data include "proof of quality" of patient care and "liability related to unauthorized access and handling of patient information." [iii] Do you see hints of HIPAA Privacy and Security? In the financial industry organizations require recognition of the important connection between data and records management policies to prevent corruption, fraud and maladministration of financial data.[iv]
 
eDiscovery
 
When a lawsuit seeks discovery of information, it is known as eDiscovery (at least to the extent that electronic documents are sought). The Federal Rules of Civil Procedure ("FRCP") govern all forms of eDiscovery which includes potentially all information that is stored electronically including business and/or patient records.[v] eDiscovery is a method to obtain facts for a legal matter. So, processes used to manage and retain data are essential not only for business and healthcare but also for potential eDiscovery.
 
POLICIES AND PROCESSES
 
Given the different Compliance Regimes and their specific needs, Policies and processes for each aspect of a given compliance regime will be unique, related to its specific requirements. For example, healthcare policy regarding data retention may be significantly different than what is required for SOX or PCI DSS. Here is where your creativity and knowledge are required to establish policies for a specific regime and to leverage, albeit modified, policies across regimes where appropriate. We provide model policies, procedures and tracking mechanisms for HIPAA, but they must be reviewed and may (usually do) require modification to meet the needs of your organization. Each organization has their own definition of what is considered "Reasonable and Appropriate."
 
SECURITY CONTROLS: Do you understand the hazards of Health IT?
 
One of the biggest issues facing organizations today is how they can defend themselves from human error and potential cyber attacks.[vi] Establishing effective Security Controls to address and defend against unauthorized disclosure and cyber attacks of protected data is paramount, regardless of regime.
 
New and innovative technologies are being introduced at a rapid pace - a "disruptive innovation cycle." Authors such as Clayton Christensen in his book The Innovator's Prescription describes A Disruptive Solution for Health Care, and Stephen Schimpff wrote an article for the Harvard Business Journal entitled, Disruptive Changes Are Coming to the Delivery of Medical Care. Consider eHealth and Telemedicine as two of the first examples of disruptive changes in healthcare. These disruptions, and others, will require innovative security controls if they are to survive in the marketplace.
 
Effective Security Controls extend far beyond the protection of computers themselves. An effective program includes both technical and human controls to avoid loss of data, accidental or intentional avoidable activities, prevention of unauthorized access, loss deterrence, recovery after a loss has occurred, and correction of system weaknesses to prevent the incident from happening again.[vii] So cyber attacks are just one aspect of controls that should be implemented; security controls reach far beyond isolated protection and vulnerability incidents.
 
CONCLUSION
 
Many of the regulations we now face in the modern world had their beginning as ethics and values of society. As requirements became more sophisticated, these values and demands became laws. For healthcare, legal and ethical issues initially focused on patient record requirements, confidentiality, informed consent, and access. With HIPAA, the circle widened to encompass Risk Management and Remediation, and requirements for management of records containing Protected Health Information ("PHI").
 
The complexity of regulatory compliance, regardless of the regime, requires investment of time to understand and implement policies, processes, and security controls. Yet, they offer no source of revenue for the organization's investment, they "offer" civil monetary penalties for non-compliance. We must, as Napolean Bonaparte once said, "Respect the Burden."
 
Organizations should look beyond tactical solutions when searching for a compliance vendor. Compliance is not a "once and done" activity, it is an ongoing responsibility to monitor and adapt to changes not only in the workplace but also in the regulations. Organizations are better served by identifying long-term partnering opportunities with vendors that continue to innovate not only technically, but more importantly, provide the thought leadership and assistance that will help you navigate these white-water rapids lurking over the horizon.

[i] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[ii] Berwick, Donald M., Thomas W. Nolan, and John Whittington. "The Triple Aim: Care, Health, And Cost." Health Affairs27, no. 3 (May/June 2008). Accessed May 30, 2018. https://doi.org/10.1377/hlthaff.27.3.759.
[iii] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[iv] Marlize Palmer, (2000) "Records management and accountability versus corruption, fraud and maladministration", Records Management Journal, Vol. 10 Issue: 2, pp.61-72, https://doi.org/10.1108/EUM0000000007256
[v] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[vi] Fieldera, Andrew, Emmanouil Panaousisb, Pasquale Malacariac, Chris Hankina, and Fabrizio Smeraldic. "Decision Support Approaches for Cyber Security Investment." Elsevier Decision Support Systems86 (June2016): 13-23. Accessed May 31, 2018. https://doi.org/10.1016/j.dss.2016.02.012.
[vii] Wright, Marie A. Protecting information: Effective security controls; Review of Business; New York Vol. 16, Iss. 2: 24. 
 
 
HOW TO COMPLY WITH HIPAA?
  
    
At 3Lions Publishing, Inc. our mission is to provide clients with:
  • Premium Compliance Products,
  • Education,
  • Free Monthly Webinars
  • Newsletter Articles on HIPAA and regulatory topicsas well as 
  • "High Touch" LIVE assistance with Products for Risk Assessment and Remediation
We do NOT charge extra for compliance support like many of our competitors, the cost for your LIVE assistance is included in your Subscription purchase. 

A full 360 degree circle of Risk Assessment and Remediation products are provided in 3Lions Publishing Inc.'s  
 
The Subscription Plan includes  Expresso®the Risk Assessment "SaaS" based software, over 30+ compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
 
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan we also provide certification for clients seeking designation as HIPAA Certified Professional ("HCP").
 
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance. 
 
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one?Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
 
 
NEW FEATURES FOR 2018
 
We are complimenting Expresso with access to:
 
1) A fully encrypted web-based Compliance Repository and 
2) Direct Access to HIPAA Survival Guide Products for Subscription clients. 
 
Your web-based repository will enable you to upload and save your final Visible Demonstrable Evidence of Compliance ("VDE") to secure and encrypted folders. Direct access to HIPAA Survival Guide Products makes it easy for Subscription Customers to get products and compliance information at a single site.
 
In addition, with the recent European Union (EU) enforcement of the General Data Protection Regulation ("GDPR") effective May 25, 2018, we are focused on providing a GDPR Personal Data Assessment within Expresso along with compliance tools. We have already made several GDPR policies and training videos available for purchase on the HIPAA Survival Guide Store. If you intend to conduct business with EU users, customers or businesses, you will need to learn how to conform with these requirements.
 
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan! 
 
Click here to add the Subscription Plan 
to your Cart
 
Questions? Please call or write using the contact information below.
 
Email:     [email protected]
Phone:   (800) 516-7903    

Posted at 08:34 PM in Healthcare, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources | | Comments (0)

Tags: HIPAA Compliance Vendor

What are the Application Security Considerations for Healthcare?

1HSGLogo-HighRes"Why does health care seem to be disproportionately the target of ransomware attacks, and what can be done about it?

To understand why somebody would attack healthcare organizations using ransomware as their strategy, you have to know what the motivation of the attacker is," wrote Tim Jarrett, Senior Director, Enterprise Security Strategy in an article in Health Leaders Media, Senior Director, Enterprise Security Strategy.

In addition, on April 14th, Becker's Healthcare IT and CIO Review reported: "There were 1,519,521 breached patient records in March, representing a 155 percent increase in the number of breached records in January (388,307) and February (206,151) combined." 

Healthcare information has been featured in the news of late for data breaches, ransomware, and phishing schemes. If you don't have a plan in place to deter these actions, I recommend taking a look at the HIPAA Survival Guide's Risk Assessment and Mitigation products. They are offering a FREE test drive of their signature Risk Assessment product, Expresso™.

 

Get a FREE 15-day Expresso™ Test Drive.
Logo
Expresso™ is an easy to use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to Protected Health Information and identify impacts and assign controls at a glance!

Just click on the Act Now Button below and fill out the information and the HIPAA Survival Guide's customer service staff will set up your Free 15-Day Expresso™ Test Drive. They will also arrange a "Go To Meeting" session to provide an introduction to the software and review how you can do your HIPAA Risk Assessment in 3 hours or less.

 

Posted at 03:12 PM in Healthcare, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR) | | Comments (0)

Tags: Expresso, HIPAA Survival Guide

Next »

Search

Healthcare Blogroll

Categories

Analytics

CC