Mobile Data Security a Big Concern

Do you use a laptop that contains patient information? Do you have a list of your patients with their telephone numbers, email addresses and appointment schedule in your smart phone? Are those devices encrypted?

The number of mobile devices we utilize to conduct our businesses has expanded beyond belief. What can we do to make sure that our patient data is not at risk if we utilize these devices to access their information? As providers of behavioral healthcare services, we have special responsibility to protect the sensitive information related to the care of our clients.

The U.S. Department of Health and Human Services is very concerned about the spread of these devices and their innate insecurity. They have developed a special section of their healthit.gov web site to focus on these privacy and security needs.

The HHS video on the topic focuses on five issues:

  1. Lost mobile device
  2. Stolen mobile device
  3. Downloaded virus or malware
  4. Shared mobile device
  5. Unsecured Wi-Fi network

Take a look when you get a chance and learn more about how to protect PHI when using mobile devices. And don’t forget, encryption gives you ‘safe harbor’ under HIPAA, even if you were to experience a data breach.

Does your organization have policies about using mobile devices to access PHI? How do you manage your experience with mobility? Please share your comments below.

Will Your Organization Weather a Storm…or Other Catastrophe?

Superstorm Sandy has had a major impact on the lives of large numbers of our fellow Americans and colleagues who live in the Northeast U.S. The loss of life, property, and access to conveniences like electricity, warm showers, and transportation has made clear how vulnerable we are to the impacts of catastrophic events.

Sandy has also given us the unfortunate opportunity to evaluate the policies and procedures we have in place for dealing with physical catastrophes.

The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations have in place a Contingency Plan (STANDARD § 164.308(a)(7) Contingency Plan, see page 19):

The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

This requirement is not aimed at giving you one more thing to do. The purpose is to protect the health information of your patients and to make sure that they have access to continuing care. Hurricane Andrew in 1992 and Hurricane Katrina in 2005 demonstrated how poorly prepared we have been to maintain continuity of care for our patients. The requirements of HIPAA are designed to prevent such huge failures as happened previously.

FiercePracticeManagement newsletter suggests three key steps.

  1. Know how your remote data is stored and can be accessed. This assumes that you have your data stored offsite, as it should be. Knowing just where it is and how to access it so you can get your system back up and running without delay is crucial. 
  2. Duplicate needed paper and have it with you. Make sure you have a copy of your schedule with you. Assure that you have with you ways to contact your patients so you can let them know your alternative arrangements for meeting with them.
  3. Plan where you will relocate physical data. Know where that alternative location will be so you can get access to your data again quickly.

In HealthCare IT News, Benjamin Harris covers some of the same ground. He also suggests three processes, but starts at a more basic level.

  1. On-site safety. How are your hardware, software, and record systems protected at your site? Is your server located in the building basement along with the generator? As demonstrated by Sandy, the basement is not the best location for such equipment or records in the case of flooding . . . something that had previously been an issue in hurricanes Andrew and Katrina.
  2. Off-site data. If you are relying on a remote (cloud) storage facility or you need to access your data by means of the Internet, what do you do if your ISP (internet service provider) is down? And if your EHR is an online product, what do you do if those remote computers are underwater and without electricity? Having your schedules for the next week and treatment summaries for each of those patients printed out gives you a week of buffer time to give your vendors a chance to get back up and running.
  3. Accessibility. If you are using such remote storage or providers and they are not in the affected area or can implement access to backups quickly, having the capability of connecting to them becomes your responsibility. You can tether your laptop to your cell phone to reach your service or data in an emergency, as long as you have prepared in advance.

Madeline Hyden of the Medical Group Management Association (MGMA) suggests a slightly different but very practical list of steps.

  1. Secure your electronic information.
  2. Get the support of your professional colleagues.
  3. Immediately start securing new office space.
  4. Establish authority: Make sure someone in your organization is responsible for, and has the authority to, activate your contingency plan.
  5. Communicate with your vendors (hardware, software, backup services, electrical company, landlord, billing service, answering service).
  6. Develop a notification protocol: decide whom to contact, how, and who does the contacting. Determine just what they will be told.
  7. Communicate honestly with your patients.
  8. Protect your records so you are sure you can have access even if your main system is not accessible.
  9. Practice your emergency plan. If you have not done so, it is possible you will be too traumatized to carry it out.

If you are not sure how to go about establishing a contingency plan, AHIMA has some suggestions for you. This does not need to be a complicated process, but it is a process you need to address if you have not already done so. After all, the U.S. northeast coast did not think they were susceptible to a hurricane-like storm that could cause such disruption.

Whether it is hurricanes, snowstorms, tornadoes, earthquakes, or fires, our electrical systems and business facilities are not impervious to disasters. We must be prepared so our patients can rely upon continued care. Behavioral health clients are especially susceptible to negative consequences from disruptive events. After all, they are likely to have just experienced the same trauma you did.

We hope all our SOS customers and their patients are safe and recovering in the aftermath of Sandy. We hope that you, our readers, will share your experiences and how you have assured the security of your data.

PHI Thieves Are Usually After Financial Information

Now that many physicians and other healthcare organizations are purchasing and utilizing EMRs, they seem to be focused on safeguarding the clinical Protected Health Information (PHI) of their patients. In the process, some are forgetting to protect patient financial information even though it is also PHI.

The FierceHealthIT newsletter of October 24, 2012 indicates that healthcare system data thieves are usually after financial information.

Despite reports of efforts to blackmail patients and the possibility of hacking pacemakers, healthcare data breaches in the end are similar to other cyber crimes, according to a new report from Verizon. In an examination of approximately 60 confirmed data breaches over the past two years, the report concludes that those who attack healthcare systems primarily look for information from which they can make a profit.

According to this Verizon report, point-of-sale systems (credit card machines) and desktop and laptop computers are the most common points of breach. Thieves attack the weakest links in the payment chain. Rather than going after your server, they hack into peripheral equipment that can get them access to this financial information.

Here at SOS, we harp on the need to secure the data in your billing and clinical record software. We have been amazed at the lack of awareness of even our largest customers. Every week, we receive emails that contain PHI or a direct way to get to PHI. Employees of behavioral health organizations often do not realize that sending an email with PHI in it is like sending a postcard with the same information. Anyone who sees that postcard and who knows how to read can take a look at your message. The same is true with insecure, unencrypted email. Anyone who knows how to do so and who has any interest can take a look at your email.

This study indicated that, among the breaches they studied, most of the incidents occurred at businesses that had from one to one hundred employees.

The simple solution: encrypt all PHI while it is resting on your system and while it is in transit from one place to another. If you don’t know how to do that, learn how, now!

Please share your experiences, direct or indirect, with safeguarding PHI. Do you encrypt? What procedures has your organization developed to assure that all of the PHI in your possession is as safe as possible from thieves?

Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (Health Insurance Portability and Accountability Act of 1996) mandated that electronically stored protected health information (PHI) be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) also required that additional security measures be used for all PHI. HITECH extended the same privacy and security requirements to Business Associates of Covered Entities as to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for assuring that the privacy and security of that information is guaranteed. Not doing a security risk assessment, not having an incident response plan, not having a disaster plan, not having usable backups of your patient information off site . . . all of these things could easily be considered “willful neglect” by the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR as ignoring the requirements of HIPAA and you are found to be guilty of “willful neglect”, OCR must penalize you. Are you prepared to pay at least a $10,000 to $50,000 fine . . . or worse?

If the items just mentioned are not familiar to you, you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.

Emailing Reports From First Contact

While secure email systems are available to send documents containing Protected Health Information (PHI), most regular email transmissions can be intercepted and viewed by parties other than the intended recipient. For this reason, it is a best practice to send such documents as encrypted, password-protected, PDF files.

When viewing an intake form in First Contact, you will notice that there is an icon in the toolbar with the caption “Email Provider”.

Clicking that icon generates a report in the same format as the screen display, which opens in a report preview window. Either click File > Export Document > PDF

… or click the Export Document icon on the toolbar.

In the Export Options window, click the field next to Password Security. Another window will open. Check the first box to Require a password to open the document and type the desired password in the indicated field. When you click OK at the bottom of that window, a confirmation box will appear. Re-type the password and click OK. That window will close and you will be back at the Export Options. Click OK there, then enter the desired location and name for the protected PDF file. Take note of this information. You will need it in order to attach the file to your email.

You will find yourself back at the report preview window. Just close that window with the X icon.

Open your email application, create your message and attach the document you just created. If you have not pre-shared the document password with the recipient, then you should send it separately via fax or phone. Do not include it in the body of the email, as that would defeat the whole purpose of encrypting the document. Sending the password in a second email is almost as insecure. If you will be sending documents to this recipient on a regular basis, it is probably best to establish a standard password that you will use for that purpose and share it with the recipient beforehand.
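Because a password set in an export dialog can still produce a weakly protected file (the original PDF standard security handler used 40-bit RC4; later revisions use AES), a sender can verify an attachment before it goes out. The following check is an added example, not part of First Contact or this post: it inspects the PDF trailer's /Encrypt entry using only Python's standard library, assumes the usual layout in which /Encrypt is an indirect object reference, and runs against constructed sample files.

```python
import re
from typing import NamedTuple, Optional

class PdfEncryption(NamedTuple):
    encrypted: bool
    cipher: Optional[str] = None    # "RC4", "AESV2", "AESV3", "Identity" or None
    key_bits: Optional[int] = None
    revision: Optional[int] = None  # /R of the standard security handler

def _int(key: bytes, src: bytes, default=None):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", src)
    return int(m.group(1)) if m else default

def pdf_encryption(data: bytes) -> PdfEncryption:
    """Read the /Encrypt entry of the last trailer (or cross-reference stream
    dictionary) and summarise the algorithm it names. Assumes the usual layout
    in which /Encrypt is an indirect reference to a dictionary object."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not refs:
        return PdfEncryption(False)
    num, gen = refs[-1]                       # last trailer wins after incremental updates
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj", data, re.S)
    if not obj:
        return PdfEncryption(True)            # referenced, but the dictionary is missing
    body = obj.group(1)
    # Top-level keys only: a nested crypt-filter dict has its own /Length (bytes, not bits)
    top = body[body.index(b"<<") + 2:body.rindex(b">>")]
    while re.search(rb"<<(?:(?!<<|>>).)*>>", top, re.S):
        top = re.sub(rb"<<(?:(?!<<|>>).)*>>", b"", top, flags=re.S)
    v, r = _int(b"V", top, 0), _int(b"R", top)
    if v >= 4:                                # crypt filters: /CFM names AESV2, AESV3 or V2 (RC4)
        cfm = re.search(rb"/CFM\s*/(\w+)", body)
        name = cfm.group(1).decode() if cfm else "Identity"
        return PdfEncryption(True, "RC4" if name == "V2" else name, 256 if v == 5 else _int(b"Length", top, 128), r)
    # V 1..3 are RC4: 40-bit unless a top-level /Length (V 2/3) says otherwise
    return PdfEncryption(True, "RC4", 40 if v == 1 else _int(b"Length", top, 40), r)

def safe_to_attach(data: bytes) -> bool:
    """Pre-send policy: the PDF must be encrypted with AES using a key of at least 128 bits."""
    info = pdf_encryption(data)
    return info.encrypted and str(info.cipher).startswith("AES") and (info.key_bits or 0) >= 128

# Constructed samples: just enough PDF skeleton for the trailer and encryption dictionary
# to be parsed; they are not openable documents (the /O and /U values are placeholders).
_SKEL = b"%PDF-1.6\n1 0 obj << /Type /Catalog >> endobj\n"
PLAIN_PDF = _SKEL + b"trailer << /Root 1 0 R /Size 2 >>\n%%EOF\n"
RC4_40_PDF = (_SKEL + b"2 0 obj << /Filter /Standard /V 1 /R 2 /P -3904 /O <00> /U <00> >> endobj\n"
              b"trailer << /Root 1 0 R /Size 3 /Encrypt 2 0 R /ID [<01><01>] >>\n%%EOF\n")
AES128_PDF = (_SKEL + b"2 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 /P -3904 /CF << /StdCF"
              b" << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> /StmF /StdCF /StrF /StdCF"
              b" /O <00> /U <00> >> endobj\ntrailer << /Root 1 0 R /Size 3 /Encrypt 2 0 R >>\n%%EOF\n")
```

Run `pdf_encryption(open(path, "rb").read())` on the exported file; a result of `RC4` with 40 bits means the password protects the file far less than the word “encrypted” suggests.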