EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

Your Cyber-Risk Policy: What it Covers and What it Doesn't


In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber-risk prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.


• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.


Cybersecurity in healthcare is now center stage. So who should be responsible?


I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves.

We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on.

I’m both excited and pleased to see a number of healthcare focused cybersecurity experts, like Kamal Govindaswamy from RisknCompliance Consulting Group, preaching similar proactive and holistic guidance around compliance and security.

I asked Kamal a simple question – if cybersecurity is an emergent property of a system, who should be held responsible/accountable for it? Here’s what Kamal said, and it’s sage advice worth following:

Information Security in general has historically been seen as something that the organization’s CISO (or equivalent) is responsible for. In reality, the Information Security department often doesn’t have the resources or the ability (regardless of resources) to be the owners or be ultimately “accountable” or “responsible” for information security. In almost all cases, the CISO can and must be the advisor to business and technology leaders or management in the organization. He could also operate/manage/oversee certain behind-the-scenes security specific technologies.

If your CISO doesn’t “own” Information Security in your organization, who should?

At the end of the day, everyone has a role to play in Information Security. However, I think the HealthIT managers and leaders in particular are critical to making security programs effective in healthcare organizations today.

Let me explain…

Of all the problems we have with security these days, I think the biggest stumbling block often has to do with not having an accurate inventory of the data we need to protect and defining ownership and accountability for protection. This problem is certainly not unique to Healthcare. No amount of technology investments or sophistication can solve this problem as it is a people and process problem more than anything else.

Healthcare is unfortunately in an unenviable position in this regard. Before the Meaningful Use program that has led to rapid adoption of EHRs over the last five years, many healthcare organizations didn’t necessarily have standard methods or technologies for collecting, processing or storing data. As a result, you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “owns” them – network file shares, emails, a legacy application or database that is no longer used, etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.

In my opinion and experience, the average Healthcare organization is nowhere close to solving the crux of the problem with security programs – which is to ensure ownership, accountability and real effectiveness or efficiencies.

Most of us in the security profession have long talked about the critical need for the “business” to take ownership among business and technology leaders. For the most part, however, I think this remains an elusive goal for many organizations. This is a serious problem because we can’t hope to have effective security programs or efficiencies without ownership and accountability.

So, how do we solve this problem in Healthcare? I think the answer lies in HealthIT leadership taking point on both ownership and accountability.

HealthIT personnel plan, design and build systems that collect/migrate/process/store data, interact with clinical or business leadership and stakeholders to formulate strategies, gather requirements, set expectations and are ultimately responsible for delivering them. Who better than HealthIT leaders and managers to be the owners and be accountable for safeguarding the data? Right?

So, let’s stop saying that we need “the business” to take ownership. Instead, I think it makes much more pragmatic sense to focus on assigning ownership and accountability on the HealthIT leadership.

I present below a few sample mechanics of how we could do this:

1. Independence of the CISO. For a start, Healthcare CIOs or leaders should insist on independence for the CISO (or equivalent) in their organizations. Even if the CISO or security director or manager happens to be reporting to the CIO (as still happens in many organizations), I think it is absolutely critical that you reorganize to make the role one of an advisor and support role and not an IT function itself. The CISO and his team may also have their own operational responsibilities, such as management of certain security technologies or operations, performing risk assessments, monitoring risk mitigation or remediation programs, assisting with regulatory compliance and so on. Regardless, they must be an independent function with strong backing or support from the CIO.

2. IT (Data) Asset Discovery, Classification and Management. To start with, all IT assets (hardware and software) that collect, receive, process, store or transmit data (CRPST) need to be identified, regardless of whether these assets are owned/leased/subscribed or where they are hosted. Every physical or virtual asset (network device, server, storage, application, database etc.) must have one assigned owner at a manager/director/VP level who is ultimately accountable for security of the information CRPSTed by the asset. As the owner may choose or need to delegate responsibilities (see #3 below), the asset meta-data should also include information regarding personnel that have delegated responsibilities. If you are a smaller organization, you may have one person being the owner that is “accountable” as well as “responsible”.

3. Directives to HealthIT executives and managers. It is important that Healthcare CIOs send a clear message of sponsorship and accountability to their executives and managers regarding their “ownership” related to security. The asset owners (see #2 above) may in turn delegate “responsibilities” to other personnel (not below a manager) in their department. For example, the VP or Director of IT Infrastructure may delegate responsibilities to the Manager of Servers and the Manager of Networks. Similarly, the VP/Director of Applications may delegate responsibilities to the Database Manager and the Manager of Applications, and so on. Regardless of the delegation, the VP or Director retains the “ownership” and “accountability” for security of information CRPSTed by the asset.

4. Bolted-in Security. The HealthIT strategy and architecture teams need to work in close collaboration with the CISO’s team. It is critical that security is an important planning and design consideration and not something of an afterthought. It is much more cost effective to plan, design and implement secure systems from the start (hence bolted-in) than trying to look for a patch-work of controls after the systems are already in place.

5. Need for HealthIT managers with “responsibilities” to be proactive. Let me explain this with a few examples of the Server Manager’s role in #3 above.

The Server Manager must at all times know the highest classification of the data stored on his servers so he is sure he has appropriate controls for safeguarding the data as required by the organization’s Information Security Policy and standards. If a file server is not “authorized” to contain PHI or PII on its shares, he should perhaps reach out to the CISO with a request for periodic scans of his servers to detect any “sensitive” data that users may have put on their file shares, for example.

If a file server is authorized to store PHI for use by the billing department, for example, the Server Manager must work with the billing department manager to have her periodically review the access that people have to the billing file shares. If your organization’s Identity and Access Management (IAM) solution or program has capabilities for automating these periodic access reviews, the Server Manager must work with the CISO (or whoever runs the IAM program) to operationalize these access reviews as part of your Business-As-Usual (BAU) activities. The key point here is that it is the Server Manager’s responsibility (and not the Billing Manager’s or the CISO’s) to ensure that the Billing Manager performs the access reviews in compliance with the organization’s policies or standards for access reviews of PHI repositories.

The Server Manager must at all times be aware of who has administrative access to these servers, so he must look for ways to get alerts for every change that happens to the privileged or administrator access to the servers. If your organization has a Log Management or a Security Information and Event Management (SIEM) solution, the Server Manager should reach out to the CISO or his designate so the SIEM solution can collect those events from your servers and send email alerts for any specific administrator or similar privilege changes to the Server Manager. While we are on SIEM, the Server Manager should also work with the CISO and the Billing Manager so the Billing Manager gets an email alert every time there is a change to the access privileges on the file shares containing PHI or PII used by the billing department.

If one of the servers happens to be a database server, the Server Manager may be responsible for the operating system level safeguards while the Database Manager may have the responsibility for the database “asset”. She will in turn need to work with the CISO and the relevant business managers for automation of access reviews, monitoring of potential high risk privilege changes in the database etc.
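The alert routing the Server Manager examples above describe (privileged-access changes to the Server Manager, PHI-share permission changes to the Billing Manager, unowned assets to the CISO) can be sketched as a small SIEM-style rule. This is an added illustration, not code from the original post or from any SIEM product; the JSON log format, host names, share names and contact addresses are constructed, and the Windows Security event IDs 4732/4733/4670 are the real group-membership and object-permission events, but the privileged-group list is an assumption.

```python
"""Route privileged-access and PHI-share permission changes to the accountable manager."""
import json
from typing import Iterator, List, Optional

# Assumed log format (not from the page): one JSON object per line carrying a
# Windows Security event ID. 4732/4733 = member added to / removed from a
# security-enabled local group; 4670 = permissions changed on an object.
PRIVILEGE_EVENTS = {4732: "member added to group", 4733: "member removed from group"}
PERMISSION_CHANGED = 4670

# Groups whose membership changes count as privileged-access changes (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}

# Ownership registry from the asset-inventory step (#2 above). Constructed contacts.
SERVER_OWNERS = {"fs-billing-01": "server.manager@example.invalid"}
PHI_SHARE_OWNERS = {"billing$": "billing.manager@example.invalid"}
CISO_FALLBACK = "ciso@example.invalid"  # advisor of last resort for assets with no owner

# Constructed sample log lines: two group changes, two ACL changes, one logon.
SAMPLE_LOG = """
{"event_id": 4732, "host": "fs-billing-01", "group": "Administrators", "member": "jdoe", "actor": "svc_deploy"}
{"event_id": 4732, "host": "fs-billing-01", "group": "Print Operators", "member": "asmith", "actor": "helpdesk"}
{"event_id": 4670, "host": "fs-billing-01", "object": "billing$", "actor": "jdoe"}
{"event_id": 4670, "host": "fs-billing-01", "object": "public$", "actor": "jdoe"}
{"event_id": 4624, "host": "fs-billing-01", "member": "asmith", "actor": "asmith"}
{"event_id": 4733, "host": "db-02", "group": "Administrators", "member": "svc_backup", "actor": "jdoe"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def route_event(event: dict) -> Optional[dict]:
    """Return an alert (recipient, host, reason) for events that matter, None otherwise."""
    eid = event.get("event_id")
    host = event.get("host", "unknown")
    if eid in PRIVILEGE_EVENTS and event.get("group") in PRIVILEGED_GROUPS:
        # Privileged-access change on a server: the Server Manager owns this.
        # A host missing from the registry is itself a gap, so the CISO gets it.
        return {
            "recipient": SERVER_OWNERS.get(host, CISO_FALLBACK),
            "host": host,
            "reason": f"{PRIVILEGE_EVENTS[eid]} {event.get('group')!r}: "
                      f"{event.get('member')} by {event.get('actor')}",
        }
    if eid == PERMISSION_CHANGED and event.get("object") in PHI_SHARE_OWNERS:
        # ACL change on a share holding PHI: the Billing Manager owns the review.
        return {
            "recipient": PHI_SHARE_OWNERS[event["object"]],
            "host": host,
            "reason": f"permissions changed on PHI share {event['object']} by {event.get('actor')}",
        }
    return None  # non-privileged groups, non-PHI shares, logons: no alert


def generate_alerts(text: str) -> List[dict]:
    """Run every event through the routing rule and keep the alerts."""
    return [alert for alert in (route_event(e) for e in parse_events(text)) if alert]


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_LOG):
        print(f"{alert['recipient']}: [{alert['host']}] {alert['reason']}")
```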

Joel Finkle's curator insight, January 28, 2015 12:23 PM

Hospitals are playing catch-up to Pharma's security requirements - Pharma info is its principal asset, so it's always been protected, plus "part-11" validations on regulated records require info to be tightly controlled.


Electronic health records and data abuse: it's about more than medical info


On the heels of the recent announcement that medical insurance firm Anthem was breached, we look at the nuance and impact of a medical record breach versus a medical data breach. They are certainly related, but digging through troves of data containing primarily identity information is significantly different to an attack that focuses on specific treatment of a specific patient.

If an attacker can harvest name, social security number, phone, address, email and the like, that haul has a much wider potential audience than, say, whether or not a patient underwent a specific medical procedure. A stolen medical record containing a lot of detail may sell for a lot of money, but that market is more specialized than the broader market for general identity data.

To help folks visualize the different levels of data that thieves might want to swipe from a medical facility, and then abuse, my colleague, Stephen Cobb, created this diagram of a generic electronic health record.

Level one is pretty basic info, things that are fairly easily knowable about you without any hacking, normally sourced through Open Source Intelligence (OSINT) gathering. However, grabbing a big fat collection of such data might still earn a bad guy some black market bucks, say if a spammer needed fresh targets.

The illegal earnings potential goes up a notch if you can grab Level 2 data. Scammers can use that to carry out several kinds of identity theft, creating fake IDs, opening credit card accounts, committing tax fraud (filing fake returns to get a refund) or even use it to answer challenge questions to online accounts, thereby pivoting the attack to new digital beachheads. Even Level 2 data is enough to commit some types of medical ID theft, though the bad guys have no clue how healthy or sick you really are (here’s a pretty scary case of what can be done with just a stolen driver’s license).

Level 3 data just makes all of the above that much easier; plus, it enables new forms of badness. Some crooks prefer taking over an established account to opening a (fake) new one. The number of electronic records or EHRs that actually contain financial or payment data is not clear, but obviously a lot of healthcare entities do handle it at some point, making them a target for digital thieves who turn around and sell it on carder forums.

When you get to Level 4 data, the badness takes on a new dimension. If an attacker has a patient’s full (or partial) history, it’s easy to imagine matching up a willing bidder who has a need for a similar medical procedure with a donor record to (roughly) match, in an attempt to get pinpointed specific services they would otherwise have difficulty receiving.

But the options for selling medical history-style Level 4 records may be much narrower in scope than, say, bulk repackaging and resale on the underworld markets of lower levels, appealing to any buyer who wants to assume an identity, spread a wider net and attack other properties, or engage in fraudulent activity which is then blamed on you (if it’s your record that was compromised).

Of course, the threatscape may well change as the EHR becomes more universal. With the proliferation and sprawl of third party providers who are somehow tapped into a cohesive health ecosystem, there will always be various specialized smaller providers whose business is targeted to a specific subset. That’s not bad, it’s just how the health segment does business; in many cases it leverages strengths of one organization to help another. But it does imply a larger potential attack surface, which has implications for security if the data sprawl is not carefully managed. For example, if an attacker can gain a beachhead in one of the providers in the ecosystem, will they then have an elevated trust relationship with other systems within this ecosystem?

And here’s the rub: having instant digital access to all of a patient’s medical data (or other sensitive information) wherever a doctor happens to physically be is a wonderful tool, but now we have many more endpoints in question with security environments to understand and corral. This implies an ongoing need, not just for really smart endpoint protection, but also strong encryption, and authentication, as well as sane network segmentation, vigilant network monitoring and reliable disaster recovery.



Why Should Your Practice Have a Cloud-Based EHR? - HITECH Answers


If you’re still debating whether to go with a web-based EHR or a server-based EHR, you should know why a growing number of practices are choosing to go with a cloud EMR.

How does a web-based EMR differ from the older technology of a client server-based EHR system?

A cloud EMR is different (and better, in our opinion) due to the following factors:

Your software is always up to date
With a web-based EMR, the software is always up to date, usually at no additional charge. No more expensive upgrades causing delays; just open the SaaS-based software and you have the latest version.

Rest easy on HIPAA data requirements
Data security is much easier to manage with a web-based system. Cloud EHR vendors can provide much more security for your data than you can internally with office servers. As reported by the Business Insurance site, “Data breaches seem to be everywhere these days except the one place everyone fears—the cloud.” That could be because cloud EMRs offer financial-level security for your data.

Accessibility—work from anywhere
One of the things many users love about the cloud is the ability to work from anywhere—whether it’s e-prescribing from a smartphone or checking a patient record from the beach while on vacation. We don’t recommend you work on your vacation, but we understand the realities of medical practice.

Cloud-based EHR systems allow continued functioning during and immediately after disasters
Hospitals and physicians discovered the benefits of cloud-based data first after Hurricane Katrina and again after Super Storm Sandy; with a web-based system, you can practice (and bill) from anywhere.

Reduced expense for both software and hardware
A cloud-based system is more cost-effective, particularly for small to medium-sized practices, since there are no large hardware expenditures and the software expense is a consistent, low subscription rate. You won’t have to plan for large hardware and software expenditures.

Better IT support
Damn it, Jim, you’re a doctor—not an IT person. And you will probably not be able to hire IT support of the same caliber as the staff of a web-based EHR vendor. Why not make use of their resources and eliminate your headaches?

You can use a cloud-based EHR on a mobile device such as an iPad or other tablet
A survey of physicians by web-based EHR review group Software Advice showed that 39% of physicians want to use their EHR on a tablet such as the iPad, and in another survey, a majority of patient respondents indicated that they find use of an EHR on a tablet in the exam room to be “not at all bothersome.”

Satisfaction levels are higher among mobile EHR users
A recent survey by tablet-based EHR review group Software Advice found that providers using a mobile EHR expressed twice the satisfaction levels of those using EHRs via non-mobile systems. And as mentioned above, an effective mobile EHR needs to be cloud-based.

It’s particularly important to note that cloud-based systems are nearly always more secure than any system you could set up in your office. For most practices, data security and HIPAA best practices are not their area of expertise—excellent patient care is. But for cloud EMR systems, those areas are key to our success. We are better at it because we must be in order to continue in business. And as mentioned above, the proof is in the lack of data breaches among cloud-based companies.

One proof of the idea that a cloud-based EHR is the best choice is the fact that most EHRs that were originally server-based have since developed cloud-based offerings as well. If server-based technology is state of the art, why are those vendors switching platforms?

