Cybersecurity Needs to Get Better

OCR Ramps Up for Audit Program & Issues a $750,000 Settlement
On Wednesday, September 2nd, the NIST/OCR HIPAA Information Security Assurance Conference opened with a keynote address given by OCR Director Jocelyn Samuels. She reviewed a number of initiatives on which the agency is focusing, including the latest on the HIPAA compliance audit program. In her speech, Director Samuels announced that OCR's random audit program will be conducted primarily through desk audits but that there will be a few dozen on-site audits in the next phase.
On the same day, OCR also released its newest enforcement settlement for non-compliance. OCR issued a $750,000 fine and imposed a robust corrective action plan after its investigation of a breach caused by the theft of an unencrypted laptop in August of 2012.
Both of these announcements reiterate that OCR is gearing up to be more active in holding covered entities and business associates accountable for protecting PHI and demonstrating compliance with HIPAA rules.

Balancing the Mission with Security
The core mission of healthcare is to provide care and medical services to heal the sick, not technology, privacy and security programs. Mac McMillan reminds us that providers should adopt the mission as a central driver for determining action. He adds, "...it means they should seek to understand the key elements of the mission and what is important to its success, and use that knowledge to inform recommendations for technology and controls."
He also talks about how important it is to know the caregivers' workflows so that security controls don't disrupt how they do their job. At the end of the day, healthcare has to balance providing quality care with protecting patient information, and that balance is best achieved when IT has a thorough understanding of how caregivers use IT to accomplish the mission.

The Rise of the CISO
HealthITOutcomes recently published another article on the evolving role of the CISO. Many organizations are recognizing the value of appointing a CISO, especially as the likelihood of suffering a breach escalates every day. The CIO's plate is typically full with operational issues, new systems, new technology, etc., so it makes sense to have a CISO dedicated and focused solely on security. The CISO's role really started gaining traction about five years ago, but in the past two years it has become vital with the growing number of threats.
To be effective as a CISO, he or she should be interacting with many different employees, departments and leaders throughout the organization. For example, the CISO should be working with risk management, the chief privacy officer, human resources, marketing and communications, physical security and internal audit. The CISO should demonstrate leadership skills and be a change agent for the entire organization.

Tip of the Day: Manage Data Better to Cut Costs
CynergisTek's VP of Services, Jeremy Molnar, recently provided a "tip of the day" for Becker's Hospital Review readers. Jeremy says that knowing where sensitive data is stored or transmitted within your IT environment is a strategic approach to the implementation of security controls, producing savings in administrative effort and financial cost.
For example, suppose your organization has 1,000 workstations with a high probability that data containing PHI is saved to the onboard storage. Best practice is to encrypt stored data to minimize the risks associated with theft or loss. Compare that to someone with 1,000 thin clients deployed in a similar environment. Thin clients have no local storage because they only provide a view of the data; therefore the cost and management of encryption controls are eliminated.

Upcoming Free Educational Workshops
CynergisTek has held several educational HIPAA Privacy & Security Workshops across the nation this year. All sessions are led by seasoned experts and are designed to educate healthcare privacy, security, and compliance professionals on a variety of hot topics, such as recent enforcement activity, trending cybersecurity threats, an outlook of the forthcoming OCR HIPAA compliance audits, and much more. CynergisTek is holding ten more between September and December. Check out our infographic to learn where workshops will be held and why you should attend.

New FERPA Guidance on Student Medical Records
The US Department of Education (DoE) released draft Family Educational Rights and Privacy Act (FERPA) guidance for higher education institutions to address how student medical records (and student mental health records) can be disclosed in the event that there is a lawsuit or other legal action with a student.
The new draft guidance starts with the premise that students should not be hesitant to use the institution's health or counseling services out of fear that information shared with a professional will be inappropriately disclosed to others. The guidance then outlines how colleges and universities should handle the privacy of student medical records under FERPA, in a manner similar to the way healthcare providers are required to handle a patient's records under the HIPAA Privacy Rule.

CynergisTek Celebrates Ranking in Top 20% of Inc. Magazine's 5000
Thank you to all of our customers for helping us achieve another company milestone. Inc. Magazine named CynergisTek in the top 20% of the 2015 Inc. 5000 list. Because of our loyal customers and a growing need for an information security and privacy partner, CynergisTek saw three-year sales growth of nearly 500%. We were able to jump over 1,300 spots from our ranking in the 2014 Inc. 5000 list.

Compliance Q&A: Where to Find Samples of HIPAA Policies & Procedures

This month's Q&A is about reporting a breach. "When reporting a breach to HHS do you think it's better to give as many details as possible or do you think it's good to give a general summary?"
There are a few considerations. At a minimum, the covered entity has to provide what was included in the notification to the affected individuals, a brief description of what happened including the date of the breach and the date of discovery, and a description of the compromised PHI. The covered entity also should provide a brief description of what it is doing to investigate the breach, how it will mitigate harm to individuals, and what it is doing to protect against further breaches.
Take note that it does not say business associate, as this is all the responsibility of the covered entity. In addition, the OCR Breach Portal asks what compliance safeguards were in place at the time of the breach and what changes were made between the time of discovery and the time of reporting. Outside the state of California, this would allow an organization to take the full 60 days before notifying individuals and OCR, and to self-correct the compliance problems to show mitigation between the time of the incident and the time it is reported.
The challenge in California is that the notification to individuals has to be made in 15 business days, which also triggers when you have to report to OCR. So the sweet spot is to accurately report what compliance policies were in place, show progress where possible in mitigation, and provide just the facts about the incident. Make sure you document everything about the investigation, notification process and mitigation.

Thank you for reading this month's newsletter.
Have a question about security, privacy or compliance that you'd like us to answer in next month's newsletter? Reply to this email and we'll get the appropriate subject matter expert in touch with you. If you want a printable version of the September newsletter, click the download button for a PDF version.
Sincerely,
The CynergisTek Team

Stay Connected