The State of Security, Privacy & Compliance
In This Issue
Cybersecurity Needs to Get Better
Managing Data to Cut Costs
Free HIPAA Privacy & Security Workshops
New FERPA Guidance
CynergisTek Recognized for Growth
Compliance Q&A
September 2015
Top Articles
OCR Ramps Up for Audit Program & Issues a $750,000 Settlement
On Wednesday, September 2nd, the NIST/OCR HIPAA Information Security Assurance Conference opened with a keynote address given by OCR Director Jocelyn Samuels. She reviewed a number of initiatives on which the agency is focusing, including the latest on the HIPAA compliance audit program. In her speech, Director Samuels announced that OCR's random audit program will be conducted primarily through desk audits but that there will be a few dozen on-site audits in the next phase.

On the same day OCR also released its newest enforcement settlement for non-compliance. OCR issued a $750,000 fine and assigned a robust corrective action plan after their investigation of a breach caused by the theft of an unencrypted laptop in August of 2012.

Both of these announcements reiterate that OCR is gearing up to be more active in holding covered entities and business associates accountable for protecting PHI and demonstrating compliance with HIPAA rules.
Balancing the Mission with Security
The core mission of healthcare is to provide care and medical services to heal the sick, not technology, privacy and security programs. Mac McMillan reminds us that providers should adopt the mission as a central driver for determining action. He adds, "...it means they should seek to understand the key elements of the mission and what is important to its success, and use that knowledge to inform recommendations for technology and controls."

He also talks about how important it is to know the caregivers' workflows so that security isn't disrupting how they do their job. At the end of the day, healthcare has to balance providing quality care with protecting patient information. It is best achieved when IT has a thorough understanding of how caregivers use IT to accomplish the mission.
The Rise of the CISO
HealthITOutcomes recently published another article on the evolving role of the CISO. Many organizations are recognizing the value of appointing a CISO, especially as the likelihood of suffering a breach escalates every day. Typically the CIO's plate is already full with operational issues, new systems, new technology, etc., so it makes sense to have a CISO dedicated and focused solely on security. The CISO's role really started gaining traction about five years ago, but in the past two years it has become vital with the growing number of threats.

To be effective as a CISO, he or she should be interacting with many different employees, departments and leaders throughout the organization. For example, the CISO should be working with risk management, the chief privacy officer, human resources, marketing and communications, physical security and internal audit. The CISO should demonstrate leadership skills and be a change agent for the entire organization.
Tip of the Day: Manage Data Better to Cut Costs
CynergisTek's VP of Services, Jeremy Molnar, recently provided a "tip of the day" for Becker's Hospital Review readers. Jeremy says that knowing where sensitive data is stored or transmitted within your IT environment is a strategic approach to the implementation of security controls, producing savings in administrative effort and financial cost.

For example, your organization has 1,000 workstations with a high probability that data containing PHI is saved to the onboard storage. Best practice is to encrypt stored data to minimize risks associated with theft or loss. Compare that to someone with 1,000 thin clients deployed in a similar environment. They don't have storage capabilities because these devices only provide a view of data; therefore the cost and management of encryption controls are eliminated.
Upcoming Free Educational Workshops
CynergisTek has held several educational HIPAA Privacy & Security Workshops across the nation this year. All sessions are led by seasoned experts and are designed to educate healthcare privacy, security, and compliance professionals on a variety of hot topics, such as recent enforcement activity, trending cybersecurity threats, an outlook of the forthcoming OCR HIPAA compliance audits, and much more. CynergisTek is holding ten more between September and December. Check out our infographic to learn where workshops will be held and why you should attend.
New FERPA Guidance on Student Medical Records
The US Department of Education (DoE) released draft Family Educational Rights and Privacy Act (FERPA) guidance for higher education institutions to address how student medical records (and student mental health records) can be disclosed in the event that there is a lawsuit or other legal action with a student. 

The new draft guidance starts with the premise that students should not be hesitant to use the institution's health or counseling services out of fear that information shared with a professional will be inappropriately disclosed to others. The guidance then outlines how colleges and universities should handle the privacy of student medical records under FERPA, and explains that they should do so in a manner similar to the way healthcare providers are required to handle a patient's records under the HIPAA Privacy Rule.

CynergisTek Celebrates Ranking in Top 20% of Inc. Magazine's 5000
Thank you to all of our customers for helping us achieve another company milestone. Inc. Magazine named CynergisTek in the top 20% of the 2015 Inc. 5000 list. Because of our loyal customers and a growing need for an information security and privacy partner, CynergisTek saw a three-year sales growth of nearly 500%. We were able to jump over 1,300 spots from our ranking in the 2014 Inc. 5000 list.
Compliance Q&A: How Detailed Should HHS Breach Reports Be?
This month's Q&A is about reporting a breach. "When reporting a breach to HHS, do you think it's better to give as many details as possible, or do you think it's good to give a general summary?"

There are a few considerations. Minimally, the covered entity has to provide what was included in the notification to the individuals affected, a brief description of what happened including the date of the breach and the date of its discovery, and a description of the compromised PHI. The covered entity also should provide a brief description of what it is doing to investigate the breach, how it will mitigate harm to individuals, and what it is doing to protect against further breaches.

Take note that the rule does not say business associate, as this is all the responsibility of the covered entity. In addition, the OCR Breach Portal asks what compliance safeguards were in place at the time of the breach and what changes were made between the time of discovery and reporting. Other than in the state of California, this would allow an organization to take the full 60 days to notify individuals and OCR, and to self-correct the compliance problems to show mitigation between the time of the incident and reporting it.

The challenge in California is that the notification to individuals has to be made in 15 business days, which also triggers when you have to report to OCR. So the sweet spot is to accurately report what compliance policies were in place, show progress where possible in mitigation, and provide just the facts about the incident. Make sure you document everything about the investigation, notification process and mitigation.

Thank you for reading this month's newsletter. Have a question about security, privacy or compliance that you'd like to have us answer in next month's newsletter? Reply to this email and we'll get the appropriate subject matter expert in touch with you. If you want a printable version of the September newsletter click the download button for a PDF version.

Sincerely,

The CynergisTek Team