TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare

Is Windows XP Still Common in Healthcare Organizations 10 Months after Stopping Security Updates?

by Leave a Comment

laptop with a hammer on the screenOn April 8, 2014, Microsoft stopped providing patches and updates to the Windows XP operating system.  While this seems like old news and a bit crazy to talk about – many healthcare organizations are still using Windows XP operating systems.  In discussing this issue with many healthcare organizations – one of the most common issues is that they are using a software that is unable to migrate to new versions of Windows and is needed for day to day patient care.  The vendors that support these software systems are aware; however, have not taken action to move the software to a newer windows platform.

So they’re not providing updates – what does that actually mean?  With no updates being provided – there will be no new security updates, non-security hot fixes, free or paid assisted support options, or online technical content updates to the operating system.  This leaves the system vulnerable to an attack from the outside.  There has been a lot of documentation and confusion on what needs to be done in order to protect information stored on computers that have not migrated off of Windows XP.  In addition, there have been many articles have been published that are stating that if organizations didn’t migrate off of the Windows XP Platform by 4/8/14, providers will not be eligible for Meaningful Use and will not be HIPAA Compliant.  Fact or Truth?

Fact: You are not technically in violation of HIPAA if you use Windows XP as HIPAA doesn’t mandate any specific software system; HOWEVER, the practice is extremely risky and you could be found of out compliance if a data breach was to occur.

The HIPAA Security Requirement 164.308(a)(5)(ii)(B) is an addressable standard that states that an organization must have “policies and procedures for guarding against, detecting, and reporting malicious software.”  Malicious software can be brought through any program usually in the form of a virus, Trojan horse, or worm.   By not having the ability to add security patches into the operating system of Windows XP, there are risks to the organization and data that the organization keeps and maintains – good documentation of other safeguards that exist to protect that computer MUST be implemented and documented if choosing to run on the Windows XP operating system.

It is also important to note nowhere in the meaningful use requirements or the HIPAA requirements does it specify having to be on a specific software platform or operating system.  Here is an example FAQ from HHS for clarification regarding operating systems requirements under HIPAA – no specific operating system must be used!  http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html

Still Using XP – What you should be doing now:

  • Evaluate and determine how to migrate from Windows XP to an updated operating system as soon as possible.
  • If vendor is only running on XP – work with them and continue to push them to update the software due to risks of the old system and lack of security patches.
  • Conduct your HIPAA risk assessment to determine if your organization’s systems are still operating on Windows XP and what risks exist.
  • Come up with a detailed risk management process if your organization is still running on Windows XP, including information on how to reduce risk until you migrate from the Windows XP system.
  • Evaluate everything – There is not ‘formal’ documentation from HHS, ONC, or the OCR regarding this measure and how to interpret from a meaningful use and HIPAA aspect.
  • Assure that you document Windows XP as a risk to your organization within the risk assessment/mitigation as well as potential impacts from malware, viruses, & hackers.
  • If questions come up, ask for clarification or assistance.

As of July 14, 2015, Microsoft will stop providing updates and support to any versions of Windows Server 2003 – leaving organizations with a challenge of upgrading and/or migrating to a new server software.  If you are still running on Microsoft 2003, it is time to take steps now to execute a proper migration strategy and protect your patient information.

Final note: Running any type of organization where protected health information is involved and there are not adequate and regular security patches being implemented is a risky practice and could expose an organization to a data breach.  From the eyes of a security professional – the risk isn’t worth a large scale breach of information.  It is time to take action now and get rid of old software platforms that are no longer being updated and supported.

Danika

Don’t Get Run Over by the HIPAA Omnibus!

by Leave a Comment

3d london bus on white backgroundHIPAA Compliance continues to be a HOT TOPIC in healthcare.  Everyday news and information is published about the lack of compliance, the struggles within organizations, data breaches occurring, and the HIPAA audits coming.  In 2013, the HIPAA Omnibus Rule was established which had many provisions on the HIPAA Privacy and Security Regulations.  With the compliance date of September 23, 2013, many healthcare organizations and business associates have not taken proper steps to get to climb onto the HIPAA Omnibus and assure compliance with the new regulations.   

A recent study conducted by NueMD in 2014 provided insight into compliance levels with the HIPAA Regulations and the HIPAA Omnibus Rule.  Over 1,000 Medical Practices and 160 Billing Companies were surveyed in regards to the current level of compliance with HIPAA and the changes with the HIPAA Omnibus Rule.  The results were SHOCKING and EYEOPENING!!!!  Check out some key findings:

  • 36% of respondents stated they didn’t know about the HIPAA Omnibus Rule
  • 68% of respondents stated they didn’t know of the HIPAA Audits
  • 23% of respondents stated they had no HIPAA Compliance Plan
  • 54% of respondents stated they didn’t have a Security Officer
  • 45% of respondents stated they didn’t have a Privacy Officer
  • 55% of respondents stated they had no process established for Breach Notification

Based on the findings, it is clear that healthcare organizations need to step up and establish HIPAA Compliance Programs and ensure they are updating their information to include the HIPAA Omnibus Requirements.  Jump on the HIPAA Omnibus and ensure that the organization has a joyful ride rather than being ran off the road. 

The major components of the HIPAA Omnibus Rule that healthcare organizations AND business associates need to evaluate and implement within their organization are:

  • Breach Notification
  • Business Associates Compliance Requirements
  • Sale of Protected Health Information
  • Marketing and Protected Health Information
  • Fundraising and Protected Health Information
  • Research Authorization Changes
  • Access to Immunization Data
  • Electronic copy of Protected Health Information
  • Access to Deceased Patient’s Records
  • Genetic Information Nondisclosure Act (ACT)
  • Restriction of Protected Health Information to Health Plans
  • Update to the Notice of Privacy Practices

Please note this is not an “end all be all” list of requirements.  Each organization needs to assess the regulatory changes and determine how and what applies to their specific organization.

With the HIPAA Delays – healthcare organizations are given the gift of time.  Use this time to get aboard the HIPAA Omnibus and assure that you have updated or established all appropriate policies and procedures for your organization.  Don’t delay any longer – the time is NOW! 

Danika

Source: NueMD Survey Findings: http://www.nuemd.com/hipaa/survey/practice-findings.html

Going from 0 to HIPAA Compliant – Like Climbing Mt. Everest: Small Steps Take You a Long Way

by Leave a Comment

evening view of Everest and Nuptse from Kala PattharMoving from 0 to HIPAA Compliant can be a lot like climbing Mt. Everest.  Starting from the bottom and staring up to try and see the peak of Mt. Everest is challenging just as starting the route to HIPAA compliance can be.  When climbing Mt. Everest, nobody sets to climb to the summit in one day.  Instead, they prepare themselves for the climb, and they break it up and take it in small steps – with a dream of reaching the summit.  The usual course of the climb is:

  • Ice Fall
  • Camp 1
  • Camp 2
  • Camp 3
  • Camp 4
  • Everest Summit (YES)!

Looks easy, right?  WRONG!  At times, climbers spend 4 – 8 weeks at the different camps trying to acclimate themselves to the altitude and prepare themselves for the next hike up the mountain.  The time spent moving between camps takes hours upon hours and can be treacherous and dangerous.  But the moment that the climbers walk the last few steps and make it to the summit, all the hard work and dedication pays off.  They can finally enjoy the success of the momentous task they just accomplished.   

BREATH, EXIST, and ENJOY the moment – because then they remember that they have to climb down AND the only way down – is the way that they came up.     

When first reviewing the HIPAA Privacy and Security Regulations, it can be SCARY and OVERWHELMING, similar to climbing Mt. Everest.  Between the two regulations, writing policies and procedures and establishing practices for an organization can take weeks, even months.  The challenge that HIPAA privacy and security practitioners face is that HIPAA usually is another added task to one’s already full plate, creating an even bigger hurdle in the path to the summit of HIPAA compliance.  With all the conflicting priorities and trying to meet so many deadlines, HIPAA tasks usually gets pushed off to the side or left for ‘tomorrow’ to do.  How many times has HIPAA come up on your ‘To-Do’ list and got pushed off until tomorrow?

Looking at the requirements under HIPAA – it is easy to see how it can be overwhelming when you are starting from scratch or reviewing what you already have in place (if you are unclear about the HIPAA requirements – contact me).

Take a new philosophy on HIPAA Compliance and Commit to 3 tasks daily.  Think of the movement towards HIPAA compliance as your movement toward the different camps that the climbers make it to as they take the challenge of climbing Mt. Everest.  This may sound silly or a little ‘too easy’ but when you take a complicated task and break it down to small daily tasks, it seems a little more achievable and not so overwhelming.    

A Sample Week of HIPAA Tasks (Privacy Rule):

Monday 1.   Update Notice of Privacy Practices 

2.   Update process for Notice Signatures

3.   Update P&P on Notice of Privacy Practices
Tuesday 1.   Review P&P on Uses and Disclosures of Protected Health Information 

2.   Observe processes for releasing health information

3.   Evaluate documentation received for disclosures of health information
Wednesday 1.   Review recent Request for Amendments of Medical Record Documentation 

2.   Evaluate and Update Amendment Policy and procedure

3.   Assure Amendment Request form is adequate are being process timely
Thursday 1.   Review all accounting of disclosure (AOD) requests 

2.   Evaluate and update AOD policy and procedure

3.   Assure AOD Request form is adequate and requests are being process timely
Friday 1.   Evaluate areas that need re-training and education on practices reviewed this week 

2.   Create a training plan for workforce members

3.   Evaluate and Update HIPAA Training Policy and Procedure

The one important item to remember is – YOU CAN’T GET IT DONE IN A DAY!  To truly evaluate your level of HIPAA compliance, create and implement privacy and security practices within your organization, and effectively train your workforce – you need to dedicate time and effort to the project.  And remember, once you get it all done – it is not time to sit back, relax and never worry again.  It is the time for evaluation and assurance that what has been established for HIPAA compliance with what is being practiced within your organization – similar to climbing back down Mt. Everest.

Remember the famous Spanish saying “Poco a Poco se va lejos” (Little by Little, One Goes a Long Way).  Small steps can make all the difference in the successful creation, evaluation, and execution of a solid and complete HIPAA Compliance Program!

Danika 

HAPPY NEW YEAR – HIPAA Style!

by Leave a Comment

Vintage Key With 2015 Year Sign2014 was an epic year for healthcare data breaches.  From hacking into systems, breaking into healthcare organizations, theft of portable media, and improper destruction of paper records, the healthcare sector saw the largest data breach increase in 2014.  With 2015 just starting out, predictions are that healthcare organizations will see another increase in the number of data breaches.  While nothing can completely eliminate the risk to a healthcare organization regarding a data breach, simple steps can be put into place to manage and oversee the privacy and security protections established by healthcare organizations.  By taking some simple steps with the new year, healthcare organizations can proactively manage their privacy and security programs, and deter the potential data breach from occurring.  Follow the Happy New Year steps and your organization will be well on its way to effective and efficient privacy and security management of protected health information! 

HHave a strong breach investigation process defined and implemented

A – Assure regular staff training and updates on privacy and security

P – Pay attention to who has access to what information (Minimum Necessary)

P – Proactive reviews of audit logs for software that maintains protected health information

Y – Yearly risk assessment and risk management  

N – Narrow access of protected health information to only get access to what is needed

E – Evaluation of privacy and security safeguards implemented to assure they are working effectively

W – Watch how people are working to determine how they are protecting health information

Y – Yearly review of business associates and the contracts that are established

E – Evaluate the use of encryption in the organization and document why, if encryption was not chosen

A – Adequate apply proper security patches and malicious software updates

R – Regular review of all HIPAA Privacy and security policies and procedures

Healthcare organizations should no longer ignore or overlook their compliance with the HIPAA regulations.  In order to prevent data breaches and protect patient information, it is important that a detailed HIPAA Governance program be established.  With the start of a fresh new year, it is time to re-write the HIPAA story and manage how patient information is protected!

Danika

2014 Data Breaches: A Review of a Monumental Year

by Leave a Comment

2014-2015Looking back at 2014, it has brought a lot of concern and fear with the effective management of protected health information managed by healthcare organizations and business associates.  It has also been a memorable year for healthcare data breaches.  In 2014, healthcare organizations and business associates reported 301 large data breaches (data breach that impacts more than 500 people) – an increase from the 226 large data breaches reported in 2013.  With a 33% increase in large data breaches in 2014, it will also be known for the year the FBI warned healthcare organizations that they are at high risk for data breaches due to the lack of security measures and oversight of the protection of the data.

2014 Data Breach Facts

  • 88 of the 301 Data Breaches had business associates involved
  • 48.6% of the breaches were caused by theft
  • 21.6% of data that was breached was stored on paper
  • 11,506,782 people were impacted by data breaches
  • 10% of data breaches were caused by Hacking/IT Incidents
  • 7 States didn’t report any data breaches (MT, ND, HI, RI, VT, WV, ME)
  • $7,940,220 was collected in HIPAA fines by the Office of Civil Rights
  • 40 – Largest number of data breaches in one state (California)
  • 4,932,154 – Largest number of people impacted in one state (Tennessee)
  • 18 Data Breaches suffered by one covered entity (Oregon Health Insurance Exchange)

Data Breaches by State in 2014

State Number of Data Breaches People Impacted
Alaska 1 2,743
Alabama 3 55,466
Arkansas 3 10,713
Arizona 4 109,828
California 40 1,055,254
Colorado 6 41,096
Connecticut 3 7,390
Delaware 1 1,667
Florida 29 216,210
Georgia 10 365,793
Iowa 4 7,087
Idaho 1 6,900
Illinois 14 67,059
Indiana 11 268,208
Kansas 3 18,894
Kentucky 6 10,005
Louisiana 3 17,051
Massachusetts 12 62,189
Maryland 4 259,533
Michigan 4 11,688
Minnesota 5 25,446
Missouri 6 49,895
Mississippi 2 4,250
North Carolina 6 27,726
Nebraska 1 2,125
New Hampshire 2 1,979
New Jersey 5 76,314
New Mexico 3 4,040
Nevada 1 800
New York 19 247,268
Ohio 12 49,532
Oklahoma 1 6,000
Oregon 4 6,721
Pennsylvania 10 39,902
South Carolina 3 270,978
South Dakota 1 620
Tennessee 8 4,932,154
Texas 28 2,272,685
Utah 3 796,132
Virginia 8 22,688
Washington 6 22,771
Wisconsin 1 2,400
Wyoming 1 2,700

 

With 2015 looking to be another eventful year of HIPAA data breaches and HIPAA enforcement, healthcare organizations need to assure they are evaluating and implementing effective HIPAA oversight and governance programs.  It is essential that no matter what the size of the organization – large or small – protection of the privacy and security of patient information needs to be a front leader in the 2015 strategies.

Information Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Danika

Recent Posts

Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027