UCLA and WellPoint Fined for Data Breaches

I am sure many of you remember the reports dating back to 2005 that celebrity patients’ files were being viewed by casual lookers…employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into an agreement with UCLAHS to settle potential HIPAA violations for $865,500. Additionally, UCLA has committed to correcting gaps in its security, improving its policies and procedures to better safeguard patient information, and adequately educating its employees.

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because they waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.

It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.

For me, the important issues here are the following:

  • OCR is serious about data breaches and safeguarding patient protected health information (PHI).
  • State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
  • The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eWeek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. A usable backup is the primary way in which you protect the integrity and availability of client information (encryption protects its confidentiality; the two are complementary, not substitutes). If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your clients’ PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims are PHI and are protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible for assuring that this information is intact, safe from destruction, and secure from prying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location and ready at a moment’s notice to replace the data on your computer system, you are not even doing the most basic things necessary to protect your patients. A copy that sits on the same drive, or in the same office, as the original protects against neither the drive failure nor the fire or theft that takes the original with it. You could probably be shown to be guilty of ‘willful neglect,’ the level of culpability that draws the highest fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we provide for the security of PHI while it is at rest (on a computer drive, a CD, or a smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to protect the data transmitted through them, provided they are configured to require encryption and are not simply exposed to the Internet for anyone to find. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. Some products do provide that protection, but they are not in place on the device out of the box, and we are on our own to find, install, and configure them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection leaves your data vulnerable? There is no security on your telephone or tablet beyond what you have switched on and configured yourself. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not knowing about a security problem is not an excuse under HIPAA. You must know what security your devices use to protect PHI. Do you have a passcode on your phone? Is its storage encrypted? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you turned on the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

Data Security, Backup, and the HITECH Law

A question on one of the psychology listservs I follow got me thinking, yet again, about data security…and backup. The writer asked about the proper procedures to follow when patient psychotherapy treatment records are permanently lost. The question pertained to how the counselor in question should respond to the loss of all of their patient data from a mental health clinical record software program. Since we provide one such program, my attention was immediately attracted.

The other listserv members addressed three issues: recovery of the data from the hard drive, backup of the data, and re-creation of the records from scratch. Because of our experience with customers losing data due to computer failure, I focused yet again on data backup and database recovery. Added to my thoughts this time are the HIPAA requirements for securing protected health information (PHI) and the increased penalties in the HITECH portion of the stimulus bill (ARRA) for breach of privacy and security of PHI.

It is likely that you all remember that HIPAA requires healthcare providers (including psychiatrists, psychologists, social workers, mental health counselors, and community behavioral health organizations) to have in place procedures for securing the PHI of their patients. Most mental health workers with whom I am familiar focus on the privacy aspect of this protection; they see it as their responsibility to assure that the consumer’s information remains private. HIPAA’s Security Rule also mandates that providers and their organizations put in place administrative, physical, and technical safeguards for electronic PHI, including plans to keep that data intact and recoverable, not merely confidential.

The National Institute of Standards and Technology (NIST) has produced Special Publication 800-66-Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule.” A quick search of this document finds that the words “loss of data” are mentioned on pages 38, 77 and 98. The first mention is in a table describing the necessary contents of the Contingency Plan for data security, including a Data Backup Plan. The sections of this document that focus on the Contingency Plan and the Disaster Recovery Plan are the ones most concerned with electronic data storage.

If your organization, including your private practice of psychology or psychiatry, does not have a Contingency Plan and a Disaster Recovery Plan, however brief, you are living dangerously. And, of course, you must implement your plan to secure your PHI, not just have a plan.

How does this pertain to you? Let’s start with your data backup plan. What is it? Who in your organization is responsible to implement it? What are the consequences if it is not implemented?

One of our customers, W. E. (Bill) Benet, Ph.D., Psy.D., Clinical Psychologist, Gainesville, FL (WEBenet.com | Assessment Psychology.com), describes his experience and current backup strategy.

“I mentioned Eco Data Recovery in my previous note because I had to use their service a number of years ago after the hard drive on my main office PC mechanically failed and became inaccessible while backing up to a tape drive, corrupting the data on the tape. Fortunately, Eco was able to recover all of the data from the hard drive, by disassembling it in a ‘clean room’ and scanning the data off the individual platters. Luckily, the data on the hard drive hadn’t been corrupted, but it very easily could have been, and I would have lost years of billing records and reports.”

“But what about data that has become insidiously corrupted without being immediately obvious?”

“Today, I employ a simulated RAID backup strategy involving nightly network backups to two external USB drives, as well as from one PC to the other, AND continuous 24/7 incremental offsite backups, using Carbonite. Hopefully, if corrupted files are discovered days or weeks later, those incremental backups will save the day, at least for a while.”

Here at SOS Software, we all too often run into an organization where the principals thought they had an excellent data security plan, only to find out that their plan had not been effective or had not been implemented by the person(s) who were responsible to do so.

One of the obstacles we run into is the common belief that “it can’t happen to us.” We all know this is magical thinking; of course, it can and does.

Another often-believed myth is “I don’t really need to worry about data on my PC; data can always be recovered from a hard drive if there is a problem.” While this belief is sometimes true, it often is not. If the files lost when a computer crashes are in a complex, proprietary relational database, they sometimes are totally irretrievable. They are not text files where parts can be grabbed and some sense made of the data.

Our product uses Sybase ASA as its engine because that database keeps a transaction log recording every committed change the user made. Given a known-good copy of the database as a starting point, the engine can replay that log and rebuild the database up to the last committed transaction…if the log file is intact. That capability is a large part of why we chose Sybase.

Two problems can intervene:

  • With our products, as with many others, if the backup is done while the database is running, some of the files are not backed up because the backup software cannot read them completely while the engine holds them open. Some backup products advertise that they can copy files even while the program is running. Do not rely on that claim with SOS products: back up only when the database is stopped, or the copy may be incomplete.
  • Hard drives often fail gradually, becoming literally “flaky” over time. If key sectors of the log file are lost, it is impossible to recreate the database from the log, even if the database itself has not been overwritten.

Also, sadly, even folks who believe they responsibly make backups never test those backups to confirm they can be restored, and they often reuse the same backup medium, overwriting old backups. If the hard drive has been gradually failing, silently destroying parts of the files as it goes, then backups of those damaged files are damaged too…all of this over time with no noticeable degradation in the performance of the database.

Then the catastrophe occurs…a power surge or some other event causes a crash of the hard drive and the database will not restart when the computer is rebooted!

As indicated by comments on my post of November 19, 2008, The Indispensable Data Backup, among my readers are many folks who are sophisticated computer users who are responsible enough to use multiple methods of backing up their patient data. Using a rotating system of backups, with permanent, non-incremental (full) backups created periodically and stored off-site, is crucial. The strategy we recommend is in document 125 on our main web site.

If you have never tried restoring from one of your backups, you have not completed the process. Unverified backups are useless backups. Useless backups equal insecure PHI. How big a risk taker are you?
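A backup is only as good as its verification. The following Python script is an added example, written for this page; it is not SOS Software’s recommended procedure and not the contents of document 125. It keeps several numbered generations instead of overwriting one medium, writes a SHA-256 manifest for each generation, flags a set that is missing a required file (as happens when the running database held a file locked), detects a generation whose contents have silently changed on the backup medium, and performs a trial restore into a scratch directory. The file names sos.db and sos.log stand in for a database file and its transaction log and are assumed for illustration; the sample file contents are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Files a restore cannot proceed without. Names are assumed for illustration:
# a database file and its transaction log.
REQUIRED = ("sos.db", "sos.log")
MANIFEST = "MANIFEST.json"

def sha256_of(path):
    """Stream the file through SHA-256 so a large database is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def list_generations(dest_root):
    """Existing generations, oldest first (zero-padded names sort correctly)."""
    return sorted(p for p in Path(dest_root).glob("gen-*") if p.is_dir())

def make_backup(src, dest_root, keep=7):
    """Copy every file in src into a new numbered generation, record a SHA-256
    digest per copied file, and prune the oldest so at most `keep` remain."""
    src, dest_root = Path(src), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    existing = list_generations(dest_root)
    seq = int(existing[-1].name.split("-")[1]) + 1 if existing else 1
    gen = dest_root / f"gen-{seq:06d}"
    gen.mkdir()
    manifest = {}
    for f in sorted(p for p in src.iterdir() if p.is_file()):
        try:
            shutil.copy2(f, gen / f.name)
        except OSError:
            # A file the running database holds locked cannot be copied; it is
            # left out of the set and verify_backup() reports it as missing.
            continue
        manifest[f.name] = sha256_of(gen / f.name)
    (gen / MANIFEST).write_text(json.dumps(manifest, indent=2))
    for old in existing[:max(len(existing) + 1 - keep, 0)]:
        shutil.rmtree(old)
    return gen

def verify_backup(gen):
    """List problems: required files absent from the set, files that vanished,
    or digests that no longer match (silent corruption). Empty means usable."""
    gen = Path(gen)
    manifest = json.loads((gen / MANIFEST).read_text())
    problems = [f"missing required file: {n}" for n in REQUIRED if n not in manifest]
    for name, digest in manifest.items():
        copy = gen / name
        if not copy.exists():
            problems.append(f"file vanished from backup: {name}")
        elif sha256_of(copy) != digest:
            problems.append(f"digest mismatch: {name}")
    return problems

def trial_restore(gen):
    """Restore a generation into a fresh scratch directory and verify it there:
    the only real proof that a backup can be restored. Returns (dir, problems)."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    for p in Path(gen).iterdir():
        shutil.copy2(p, scratch / p.name)
    return scratch, verify_backup(scratch)

def new_scratch_dir():
    """An empty temporary directory to play the role of the backup medium."""
    return Path(tempfile.mkdtemp(prefix="backups-"))

def build_sample_source(include_log=True):
    """Throwaway directory of constructed stand-ins for the live database."""
    d = Path(tempfile.mkdtemp(prefix="src-"))
    (d / "sos.db").write_bytes(b"constructed sample database contents\n" * 64)
    if include_log:
        (d / "sos.log").write_bytes(b"constructed sample transaction log\n" * 64)
    return d

def flip_byte(path):
    """Simulate a flaky drive: alter one byte in the middle of a file."""
    data = bytearray(Path(path).read_bytes())
    data[len(data) // 2] ^= 0x01
    Path(path).write_bytes(bytes(data))

if __name__ == "__main__":
    src, root = build_sample_source(), new_scratch_dir()
    gen = make_backup(src, root, keep=3)
    print("fresh generation:", verify_backup(gen) or "OK")
    print("trial restore:", trial_restore(gen)[1] or "OK")
    flip_byte(gen / "sos.db")
    print("after one flipped byte:", verify_backup(gen))
```

In real use, stop the database before make_backup runs, point dest_root at an encrypted off-site or removable volume, run verify_backup over every retained generation on a schedule, and treat any non-empty problems list as having no backup at all until it is fixed.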

Please add your comments by clicking on the title of this article and typing in the box at the bottom of the page.

Are your passwords HIPAA secure?

Standard advice for securing computer systems is to require users to change passwords frequently. Something about this recommendation has always bothered me, but I never really thought it through. A current blog posting at Healthcare Informatics by Dale Sanders really hits the nail on the head. He points out that these change-passwords-frequently policies actually undercut password security rather than enhancing it, once you factor in human psychology. If you have to replace your password frequently, you will probably come up with something simplistic (or just increment a digit on the old one), or resort to a post-it note on the monitor, or maintain a paper list. It would be far more secure to create a single, strong password or passphrase and continue to use it for a much longer period, changing it when there is reason to believe it has been exposed. (NIST later took the same position in SP 800-63B, which advises against forced periodic changes absent evidence of compromise.)

To manage passwords used on the web, you can’t go wrong with Roboform. Create a strong master password (long, and using a combination of letters, numbers, and special characters), then let Robo’s password generator suggest strong passwords for individual web sites. Once you select and use a password on a web site, Robo will remember and “type” it in for you when you next visit that site. All you have to do is enter your master password once in each browser session; Robo uses that to unlock your password library and cleverly selects the right one whenever you hit a login window. There is even a version of Roboform that you can install on a USB “thumb” drive, so you can carry your passwords with you for use on multiple computers, or even public computers when traveling. Be careful with that last use: on a computer you do not control, a keylogger captures your master password as you type it, and with it every password in the library. Reserve the portable version for machines you trust.

In the course of providing technical support on our billing and EMR software, I am exposed to the password selections of many of our users. It is amazing how rare it is to find anyone using serious passwords. Names, almost surely loved ones or pets, are the most common, but way too frequently I see passwords that are identical to user IDs, or non-passwords like “123” and “password”. Although we have optional rules in our products that would require strong password choices if enabled, they rarely are used.

Coming up with an easily remembered, secure, master password is not really all that hard. Just think up a short sentence that includes punctuation and some numbers. You can check the quality of your choice using Microsoft’s password checker, but do not type your real master password into any web page; test a phrase of the same length and shape instead.

Here’s an example: “Turning 60! soon.” Against an attacker who must try every combination of characters, this easily remembered 17-character phrase is far stronger than “3-vO$aLKG7”, a 10-character password that conforms to all the standard password creation advice. The caveat is that an attacker who guesses phrases built from common words, numbers, and punctuation does not have to try every combination, and against that attacker a two-word phrase loses most of its advantage; adding two or three more words, or a word that is not in any dictionary, restores it.
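To make that comparison concrete, the following Python script is an added example (it is not from the original post and is not Microsoft’s checker) that scores a password two ways: a character-class model, which is what simple web checkers compute, and a crude phrase model in which the attacker guesses word by word. The 20,000-word vocabulary, the eight-mark punctuation set, and the rule for recognising a phrase are assumptions chosen for illustration; a real cracking tool’s wordlists and rules differ.

```python
import math
import re

# Pool sizes for the character-class model (95 printable ASCII characters;
# the 33 symbols include the space).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
# Assumptions for the phrase model: the attacker draws words from a
# 20,000-word list (with or without a leading capital) and punctuation from
# the eight most common marks. Both numbers are assumed for illustration.
WORD_VOCAB = 20_000
COMMON_PUNCT = 8

TOKEN = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d\s]+")

def charset_bits(pw):
    """Work for an attacker who tries every string of this length over the
    character classes present; this is what simple strength meters report."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += LOWER
    if any(c.isupper() for c in pw):
        pool += UPPER
    if any(c.isdigit() for c in pw):
        pool += DIGITS
    if any(not c.isalnum() for c in pw):
        pool += SYMBOLS
    return len(pw) * math.log2(pool) if pool else 0.0

def looks_like_word(tok):
    """A dictionary-style token: 3+ letters, all lower-case or Capitalised."""
    return len(tok) >= 3 and (tok.islower() or (tok[0].isupper() and tok[1:].islower()))

def is_phrase(pw):
    """Treat the string as a phrase if it holds at least two dictionary-style words."""
    return sum(looks_like_word(t) for t in TOKEN.findall(pw) if t.isalpha()) >= 2

def phrase_bits(pw):
    """Work for an attacker who guesses token by token: each word costs
    log2(vocabulary) plus one bit for capitalisation, each digit log2(10),
    each punctuation mark log2(COMMON_PUNCT). Spaces are assumed free."""
    bits = 0.0
    for tok in TOKEN.findall(pw):
        if tok.isalpha():
            bits += math.log2(WORD_VOCAB) + 1
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(COMMON_PUNCT)
    return bits

def estimate(pw):
    """The attacker picks the cheaper strategy: for a phrase, the smaller of the
    two models; for a random-looking string the character model is the bound."""
    if is_phrase(pw):
        return min(charset_bits(pw), phrase_bits(pw))
    return charset_bits(pw)

def compare(*candidates):
    """Map each candidate to (charset bits, phrase bits or None, estimate)."""
    return {
        pw: (round(charset_bits(pw), 1),
             round(phrase_bits(pw), 1) if is_phrase(pw) else None,
             round(estimate(pw), 1))
        for pw in candidates
    }

if __name__ == "__main__":
    rows = compare("3-vO$aLKG7", "Turning 60! soon.",
                   "Turning 60 soon, but not retiring!")
    for pw, (cs, ph, est) in rows.items():
        print(f"{pw!r:40} charset={cs:6.1f}  phrase={ph}  estimate={est:6.1f}")
```

Running it scores “Turning 60! soon.” at about 112 bits against brute force but only about 43 bits against the phrase guesser, below the roughly 66 bits of “3-vO$aLKG7”; the longer phrase “Turning 60 soon, but not retiring!” scores about 89 bits even under the phrase model, which is why adding words matters more than adding symbols.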

Maintaining medical privacy is serious business. Current HIPAA rules provide for serious penalties when medical information is not properly secured. Are you guilty of password negligence yourself?

Seth Krieger

To comment on this article, click on the title and enter your comment at the bottom of the article.