The State of Security, Privacy & Compliance
In This Issue
Tips to Protect Against Anthem-Like Hacks
OCR Updates Its Portal
Will Hired Hackers Hit Healthcare?
HIPAA Enforcement Infograph
M&A Security Risks
Encryption After Anthem Breach
CISO Role on the Rise
Compliance Q&A
Quick Links
Privacy & Security Services
Technical Testing Services
Managed Services
Where You'll Find Us



February 2015

The Anthem hack came as no surprise to CynergisTek and other industry experts, as many believed it was only a matter of time before healthcare experienced a breach of this magnitude. We are also convinced that healthcare will be victims of several cyber attacks that lead to large breaches throughout the year. Read this month's newsletter to learn about how you can protect yourself from similar attacks, as well as read about some of the latest updates on CMS and OCR initiatives and news around the industry.

AExpert Advice to Protect Against Anthem-Like Hacks
The Anthem breach that affected 80 million people is most likely the first of several big breaches to come in 2015, and many experts speculate that this could be the year of big healthcare breaches. Would your organization be able to identify, prevent and/or manage a cyberattack of this magnitude?
In this article, industry experts offer nine tips to help reduce security risks posed by cyber criminals. Some of the important tips include training your staff about phishing attacks, encrypting data where needed, taking a multilayer approach to security and going above and beyond HIPAA. One expert points out, "HIPAA's Security Rule was never intended by the government to be the 'be-all and end-all'".  
BOCR Updates Breach Reporting Portal & Now Requires Submitting Compliance Gaps
OCR now requires the same level of specific detail for small breaches as is required for large breaches. As a reminder, the Breach Notification Rule requires you maintain a log or other documentation of such breaches affecting less than 500 individuals, and you must submit the information annually to HHS for breaches occurring during the preceding calendar year. It must be reported 60 days after the end of each calendar year (that means 2014 breaches of less than 500 individuals are about to be due to HHS). 

What is clear from OCR's changes to the breach reporting portal, as well as from recent enforcement actions and resolution agreements, is that the stakes are significantly higher for covered entities, business associates, and their subcontractorsIt is not enough to just adopt a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become engrained in these organizations' respective cultures and day-to-day business practices. Additionally, entities that timely report a privacy or security breach resulting from a stolen laptop realistically can not assume that they can avoid investigation and potential civil monetary penalties.
GWill Hired Hackers Hit Healthcare?
With all of the attention received by the Anthem breach and a recent uptick in websites that allow people to hire hackers, many are left wondering if hired hackers will become a trend in healthcare. Many experts believe that the industry should be aware and take it into consideration. A recent report says that this year hackers will target healthcare data even more than credit cards. Hackers for hire are just one more security threat that proves how necessary it is to have an effective security program.
DHIPAA Enforcement and Compliance Infograph
OCR's HIPAA enforcement activities continue to expand, associated with the increasing amount of compliants they receive every year. We recently released an infographic that highlights data on both OCR's HIPAA audits and some of its enforcement activities in 2014. Some highlights include:
  • 89% of entities audited had findings
  • 69% of cases investigated by OCR required corrective action
  • The average monetary settlement was $1.3M  
JCybersecurity Risks in Hospital M&A
Has your organization recently gone through a merger or acquisition? As it becomes more commonplace in healthcare, we need to address the cybersecurity risks that can be involved. Mac McMillan points out that, "Oftentimes organizations that are being acquired are not up-to-date with their compliance posture or privacy and security controls, and so the minute you acquire them, they represent a liability to you." 

McMillan advises that there are many proactive things to consider from a security perspective prior to an acquisition or merger. For example, it is important to conduct a security audit on the organization that will be acquired. He explains this and other tips, along with the threats posed by a merger or acquisition.
HEncryption After the Anthem Breach

According to the Associated Press and FierceHealthIT, federal officials plan to rethink if encryption should be required under HIPAA rules. There has been a lot of scrutiny after the Anthem breach because the stolen information was reportedly unencrypted. What is concerning is that only 59% of healthcare employees use full-disk or file-level encryption.


EThe Rise of the CISO Role

The role of the CISO continues to become more important as cyber attacks continue to threaten the industry. Mac McMillan recently told HealthcareITNews that, "Security is a team sport. The CISO can't do it all by themselves. I'm looking for someone who knows how to budget, how to plan strategically, to be part of that leadership team."

McMillan will address the topic this year at HIMSS in a presentation, "Selecting the Right CISO and Building the Security Office." This presentation will identify some of 
the necessary skills and experience of effective CISOs and provide insight for recruiting the right candidates. 


FCompliance Q&A
With the forthcoming Meaningful Use deadline, David Holtzman addresses reporting requirements.

There has been a lot of talk that CMS is going to change the Meaningful Use reporting requirements for 2015. What should we do about our plans to attest for MU in 2015?

Last month CMS published a blog post about intentions to update the Medicare and Medicaid EHR Incentive Programs to help reduce the reporting burdens on providers. They are considering proposals to realign hospital reporting periods to the calendar year, shorten the EHR reporting period to 90 days, and modify other aspects of the program to reduce complexity. However, "the devil is in the details." Any changes to the MU program requirements would need to be made through formal agency rule making, and there is no indication of when those amendments may be published or when they might take effect. Our advice is to continue to collect your data to meet the MU requirements that are in place today. The required security risk analysis can be performed at any time during the reporting year, and we recommend that you plan now for scheduling when your risk analysis will be completed.

Thank you for reading this month's newsletter. Email us if you have a compliance question.


The CynergisTek Team

Want a printable version of February's news? Click below to download a PDF version of this email.