<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kali Systems News</title>
	<atom:link href="http://www.kalisystems.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.kalisystems.com/blog</link>
	<description>Healthcare Technology and Compliance</description>
	<lastBuildDate>Sat, 19 Nov 2011 21:35:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>OCR Announces HIPAA Audit Program</title>
		<link>http://www.kalisystems.com/blog/?p=67</link>
		<comments>http://www.kalisystems.com/blog/?p=67#comments</comments>
		<pubDate>Sat, 19 Nov 2011 21:34:21 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=67</guid>
		<description><![CDATA[Don’t get caught unprepared! On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are &#8230; <a href="http://www.kalisystems.com/blog/?p=67">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><strong><em>Don’t get caught unprepared! </em></strong></p>
<p>On November 8<sup>th</sup>, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”<a title="" href="#_ftn1">[1]</a></p>
<p>If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.</p>
<p><strong><em>Audit 101</em></strong></p>
<p>Beginning November 2011, and concluding December 2012, OCR will complete a pilot audit program of 150 covered entities to “assess privacy and security compliance.” If selected for an audit (and OCR indicates it intends to audit a broad range of covered entities and business associates), the organization will be notified in writing and provided with an initial documentation request. All documentation must be submitted within 10 business days. The audit will include an onsite visit expected to take 3 to 10 business days. The auditor will then produce a draft report; the organization has 10 days to review it and submit a written response, including any actions it has taken to resolve the compliance issues identified. A final report is submitted to OCR, which will develop recommendations and evaluate the need for corrective actions. <em>Note: Compliance audits may also occur as a result of a Privacy or Security Rule complaint. </em></p>
<p><strong><em>How to be prepared</em></strong></p>
<ol start="1">
<li>Your compliance officer should review your HIPAA compliance plan. Have you implemented the new requirements, such as Breach Notification, enacted by the HITECH Act?</li>
<li>Review and update policies and procedures. These documents are required and are a primary method to demonstrate compliance with the Rules.</li>
<li>Review and/or complete a Risk Assessment as required. This should include a technical and nontechnical review of the information system. Failure to complete the required analysis may be considered willful neglect under the new tiered penalty plan.</li>
<li>Review or develop a process to identify, document, mitigate and report privacy and security incidents including the required breach notifications.</li>
<li>Review and update Business Associate contracts. Remember that Business Associates are now required to comply with portions of the Privacy and Security Rules.</li>
</ol>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p><a title="" href="#_ftnref1">[1]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html</a></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=67</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Internet Usage Puts Your Business at Risk</title>
		<link>http://www.kalisystems.com/blog/?p=62</link>
		<comments>http://www.kalisystems.com/blog/?p=62#comments</comments>
		<pubDate>Tue, 04 Oct 2011 20:19:37 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[Health Care Technology]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=62</guid>
		<description><![CDATA[Every time employees use the Internet, they put the security of your network and sensitive business data at risk. Employees are using the Internet inappropriately Employees are shopping, sharing content peer-to-peer, and visiting social networking, dating and adult sites. This &#8230; <a href="http://www.kalisystems.com/blog/?p=62">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Every time employees use the Internet, they put the security of your network and sensitive business data at risk.</p>
<p><strong>Employees are using the Internet inappropriately</strong><br />
Employees are shopping, sharing content peer-to-peer, and visiting social networking, dating and adult sites. This use puts your company’s productivity and reputation in jeopardy and increases the risk of Internet-based threats to your data network. Adult sites are notorious for hosting malware. The taboo nature of the sites is such that users remain silent about visiting them, even if they suspect their system has been infected. Meanwhile, online shopping sites are often the source of spyware, or feature links to third-party sites that may not be trustworthy.</p>
<blockquote><p>Hackers have learned to use legitimate sites as bait for “social engineering” tactics, tricking users into clicking an embedded link or an email attachment. This happened with Facebook in December 2008.</p></blockquote>
<p><span id="more-62"></span>Inappropriate use is more prevalent than you may think. Data collected by PricewaterhouseCoopers, on behalf of the United Kingdom’s Department of Business Enterprise &amp; Regulatory Reform (BERR), reveals that as many as one in six businesses experienced staff misuse of their information systems in the past year. In the cases reported, approximately 36 percent were spending an excessive amount of time browsing the Internet, and an additional 41 percent accessed inappropriate websites.</p>
<p><strong>Legitimate sites pose the biggest threat to your data</strong><br />
Even when used appropriately by your employees, the Internet is the primary source for threats such as spyware, trojans, bots, backdoors, and rootkits. In many cases, simply visiting a site triggers the infection. This method of transmission, called a “drive-by download”, requires no action by the user beyond loading the page and occurs without the user’s knowledge.</p>
<p>NETGEAR® ProSecure has found that 79 percent of threats were hosted on legitimate sites hijacked by hackers. In the first quarter of 2008, thousands of websites, including those of Fortune 500 companies, government agencies and schools, were infected with malicious code; the victims even included security vendors such as Symantec, Trend Micro, and Computer Associates.</p>
<p>Hackers have learned to use legitimate sites as bait for “social engineering” tactics, tricking users into clicking an embedded link or an email attachment. This happened with Facebook in December 2008. Members received an email with the subject line “You look funny in this new video” and an embedded link to view it. The link led them to a non-Facebook video site where they were prompted to update their Flash player to see the video. Clicking the prompt installed a worm on the user’s system. In addition to containing spyware, the worm opened a backdoor that would enable private information to be sent from the system and code to be installed on it in the future.</p>
<p>Meanwhile, the remaining 21 percent of security threats are the result of users inadvertently visiting rogue websites designed to appear legitimate. Many incorporate search engine marketing and banner advertisements to increase the number of visitors. By developing rogue sites, attackers have more control over the threat. Either way, it’s clear that blocking sites based on content category alone is no longer sufficient to protect your company from threats.</p>
<p><strong>Steps to protect your business</strong><br />
The first line of defense against such threats is to create and enforce an acceptable Internet use policy. Your policy should cover both the amount of time employees are allowed to spend on personal business online and the type of sites they are allowed to visit.</p>
<p>Next, install a strong gateway security appliance that includes URL and content filtering, and bi-directional traffic inspection. When employees attempt to visit a banned site, or one with content prohibited by your company, the transmission is blocked, and a report is sent to IT. The real-time bi-directional traffic inspection adds a critical layer of defense. It proactively monitors inbound and outbound traffic for malware every time an employee visits a URL that hasn’t been blocked. If an employee inadvertently lands on a legitimate site that has been hacked, or a rogue site that appears legitimate, the inbound traffic triggers the appliance, which blocks the network transmission.</p>
<p><strong>Conclusion</strong><br />
Every internet-connected company faces daily web-based security threats. The risk of infection is substantially greater if you lack comprehensive gateway security. Implementing acceptable usage policies and proactive, real-time bi-directional traffic inspection will significantly reduce your risk.</p>
<p>[Courtesy of (c) Netgear, Inc. ]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=62</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why you need a gateway security solution</title>
		<link>http://www.kalisystems.com/blog/?p=56</link>
		<comments>http://www.kalisystems.com/blog/?p=56#comments</comments>
		<pubDate>Tue, 04 Oct 2011 20:14:37 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[Health Care Technology]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=56</guid>
		<description><![CDATA[Business today is all about connectivity. Available data suggests email and web access represent 90 percent of business-critical applications used by small- and mid-sized companies. Yet the gains in efficiency and productivity that companies have realized by incorporating the Internet &#8230; <a href="http://www.kalisystems.com/blog/?p=56">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div>
<p>Business today is all about connectivity. Available data suggests email and web access represent 90 percent of business-critical applications used by small- and mid-sized companies. Yet the gains in efficiency and productivity that companies have realized by incorporating the Internet into their business models have also benefited malware authors. Threats that once took months to infect a few thousand computers can now reach hundreds of thousands in mere minutes.</p>
<blockquote><p>Gartner suggests that between 80 and 95 percent of all email entering a company’s network is spam ….two to six percent carries a threat such as viruses, Trojans and rootkits.</p></blockquote>
<p><span id="more-56"></span><strong>The evolution of computer threats</strong><br />
Computer threats have been part of our lives since 1986, when the boot sector virus Brain was discovered. Spread via floppy disks, boot sector viruses transferred to the user’s PC when it booted from an infected disk. By 1995, these viruses had given way to macro viruses. Carried inside infected documents (still largely exchanged on floppy disks), these viruses were written in the scripting languages of office applications and specifically targeted Microsoft Word and Excel documents.</p>
<p>The threat landscape began to change in 1999 when Melissa, one of the first mass-mailing email viruses, struck. Very quickly, the Internet became the new medium of transportation. Rather than infect one computer at a time, malware authors could now simultaneously take their creations to the masses through the speed and efficiency of network communications. They could also post and share code with fellow writers, meaning new versions of threats could be developed with just a few modifications to existing code. Even novices and script kiddies could now participate in spreading threats. And the owners of bot networks and spam email lists began to rent or sell their infrastructure, providing writers a natural distribution network for their creations.</p>
<p><strong>How malware users attack your network</strong><br />
Today’s attacks are even more sophisticated. The lessons learned from email viruses such as Loveletter have been refined into social engineering: a method malware authors employ to trick users into infecting their own systems. Social engineering takes advantage of the one thing security software can never fully protect against – the human user. Meanwhile, data from technology research firm Gartner suggests that between 80 and 95 percent of all email entering a company’s network is spam. The sheer volume of spam is enough to impact a network’s performance, but what is more troublesome is that between two and six percent of it carries a threat such as viruses, Trojans and rootkits.</p>
</div>
<p>Other attacks involve bots &#8211; software programs automated to perform simple, repetitive tasks over the Internet. On average, a bot network can consist of 20,000 bot-infected computers and can be used for anything from stealing sensitive information (e.g., credit card numbers, bank credentials and other consumer-oriented data) to shutting down your network by flooding it with millions of connection requests. The drive-by download has also become a popular method of attack. It’s unique in that it relies on users coming to it, instead of being sent to a victim’s system. Threats such as bots, spyware, adware, or Trojans are installed without the knowledge of, or any interaction by, the user. The infected site can be a rogue site, developed by a malicious author to appear legitimate, or it can be a legitimate site that has been hijacked and infected with the threat.</p>
<p><strong>Your antivirus software cannot protect you</strong><br />
In light of these developments, it’s no wonder that the rate and volume of new threats has grown exponentially over the years. Though it remains an important first step in securing your business and customer data from attacks, desktop security software simply cannot keep pace with the volume, speed, and efficiency of Internet-based threats. It must be complemented with a robust gateway security solution, which scans both inbound and outbound traffic to detect and remove threats before they reach individual desktops.</p>
<p>Most threats spread via email, web, or the company’s internal network before reaching an individual user’s system. Others, such as network worms, prey directly on the company network and require no user interaction at all. As a result, a sound gateway security solution is essential to keep threats out.</p>
<p><strong>Conclusion</strong><br />
Since 1999, the Internet has played an increasingly significant role in the spread of computer threats. This is due to the overwhelmingly efficient propagation capabilities it naturally offers, and the underground community it inadvertently supports. Between the vast number and array of threats available, coupled with the speed and efficiency with which the Internet has enabled them to travel, desktop security alone is unable to keep pace. This has resulted in the need for an additional layer of security at the network gateway to supplement the efforts at the user level.</p>
<p>[Courtesy of (c) Netgear, Inc. ]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=56</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Time To Take Notice</title>
		<link>http://www.kalisystems.com/blog/?p=48</link>
		<comments>http://www.kalisystems.com/blog/?p=48#comments</comments>
		<pubDate>Fri, 08 Jul 2011 21:04:32 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=48</guid>
		<description><![CDATA[This week’s news highlights the growing need to take proactive steps to protect sensitive data. It’s time to take notice, before your organization has to give notice of a data breach. The Office of Civil Rights (OCR), responsible for enforcing &#8230; <a href="http://www.kalisystems.com/blog/?p=48">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>This week’s news highlights the growing need to take proactive steps to protect sensitive data. It’s time to <em>take</em> notice, before your organization has to <em>give</em> notice of a data breach.</p>
<p>The Office for Civil Rights (OCR), responsible for enforcing HIPAA regulation, has announced the hiring of KPMG of McLean, VA to implement an audit program of covered entity and business associate compliance with the HIPAA privacy and security standards. This action marks the first time proactive “periodic audits”, as required by the HITECH Act, will be implemented. Until now, investigations have been in response to complaints.<a title="" href="#_ftn1">[1]</a><span id="more-48"></span></p>
<p>Also announced this week is the settlement between WellPoint Inc. and the Indiana Attorney General’s Office. Since the HITECH Act authorized state attorneys general to enforce HIPAA compliance, several such cases have resulted in significant fines. In this case, WellPoint failed to provide timely notification of a data breach involving 32,051 records which were accessible on the internet over a 137-day period. In addition to paying the State $100,000, WellPoint has been ordered to provide credit monitoring and identity-theft protection to the affected consumers, and to reimburse up to $50,000 for losses resulting from identity theft due to the breach.<a title="" href="#_ftn2">[2]</a></p>
<p>While theft and data loss top the list of breaches reported to HHS this year, this last example is a reminder that it is not enough to have policies; they must be trained and enforced. On July 7, HHS announced that it had entered into a settlement with University of California Los Angeles (UCLA) Health System following an investigation of complaints of unauthorized access (snooping) to patient records. The actions of UCLA’s employees resulted in an $865,000 fine and a 3-year corrective action plan.</p>
<p>In the press release, OCR director Georgina Verdugo states:</p>
<blockquote><p>Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider. Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.</p>
<p>Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.<a title="" href="#_ftn3">[3]</a></p></blockquote>
<p>Looks like it’s time to dust off those old policies and conduct security awareness training.</p>
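<p>As an added example, not part of the original post and not code published by HHS or OCR: the “audit trails” the press release calls for only become a control when someone actually reviews them against who was supposed to be in a chart. The script below, run over a constructed EHR access log, flags the three patterns that most often surface the kind of snooping described above: staff viewing their own record, views of patients with whom the user has no scheduled treatment or billing relationship, and rapid browsing of many unrelated charts. The log format, the encounter table, the employee-to-patient mapping and every threshold are assumptions made for the illustration.</p>

```python
"""Flag possible chart snooping in an EHR access-audit export.

Added example, not from the original post or from HHS/OCR. The log layout,
the encounter (treatment-relationship) table and the thresholds are all
assumptions for illustration; a real EHR audit trail and scheduling feed
will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail export: timestamp,user,role,patient,action
AUDIT_LOG = """\
2011-07-05T08:02:11,u101,nurse,p500,VIEW_CHART
2011-07-05T08:05:40,u101,nurse,p501,VIEW_CHART
2011-07-05T12:31:09,u202,billing,p500,VIEW_BILLING
2011-07-05T13:10:00,u101,nurse,p777,VIEW_CHART
2011-07-05T14:00:00,u303,clerk,p650,VIEW_CHART
2011-07-05T14:03:00,u303,clerk,p900,VIEW_CHART
2011-07-05T14:04:10,u303,clerk,p901,VIEW_CHART
2011-07-05T14:05:20,u303,clerk,p902,VIEW_CHART
2011-07-05T14:06:05,u303,clerk,p903,VIEW_CHART
"""

# Constructed scheduling data: (patient, encounter date, care-team user ids).
ENCOUNTERS = [
    ("p500", "2011-07-05", {"u101", "u150"}),
    ("p501", "2011-07-04", {"u101"}),
    ("p777", "2011-05-01", {"u150"}),
    ("p900", "2011-07-05", {"u150"}),
    ("p901", "2011-07-05", {"u150"}),
    ("p902", "2011-07-05", {"u150"}),
    ("p903", "2011-07-05", {"u150"}),
]

# Constructed mapping of staff members who are also patients of the practice.
EMPLOYEE_PATIENT_ID = {"u303": "p650"}

# Thresholds are assumptions; tune them per role against real baselines.
CLINICAL_WINDOW = timedelta(days=7)   # care-team access expected near an encounter
BILLING_WINDOW = timedelta(days=90)   # billing works any account with a recent visit
BULK_WINDOW = timedelta(hours=1)
BULK_THRESHOLD = 4                    # distinct charts in one hour worth a second look


def parse_log(text):
    """Turn the CSV export into dicts with a real datetime for sorting/windows."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "patient": patient, "action": action})
    return rows


def has_relationship(row):
    """True if scheduling data explains why this user touched this chart."""
    for patient, date, team in ENCOUNTERS:
        if patient != row["patient"]:
            continue
        gap = abs(row["ts"] - datetime.fromisoformat(date))
        if row["role"] == "billing" and gap <= BILLING_WINDOW:
            return True
        if row["user"] in team and gap <= CLINICAL_WINDOW:
            return True
    return False


def find_snooping(rows):
    """Return (rule, user, detail, timestamp) tuples for review."""
    findings = []
    by_user = defaultdict(list)
    for r in rows:
        if EMPLOYEE_PATIENT_ID.get(r["user"]) == r["patient"]:
            findings.append(("SELF_LOOKUP", r["user"], r["patient"], r["ts"]))
        elif not has_relationship(r):
            findings.append(("NO_TREATMENT_RELATIONSHIP", r["user"],
                             r["patient"], r["ts"]))
        by_user[r["user"]].append(r)

    # Bulk browsing: sliding one-hour window over each user's accesses,
    # counting distinct patients; report the first window that trips.
    for user, accesses in by_user.items():
        accesses.sort(key=lambda r: r["ts"])
        for i, start in enumerate(accesses):
            window = [r for r in accesses[i:] if r["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {r["patient"] for r in window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("BULK_BROWSING", user, len(distinct), start["ts"]))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail, ts in find_snooping(parse_log(AUDIT_LOG)):
        print(f"{ts.isoformat()}  {rule:<26} user={user} detail={detail}")
```

<p>In practice the encounter table would be joined from the scheduling or ADT system and the thresholds set per role, but the design point does not change: an audit trail only detects the “casual review for personal interest” OCR describes when it is compared against a record of who had a legitimate reason to be in the chart.</p>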
<div>
<hr align="left" size="1" width="33%" />
<div>
<p><a title="" href="#_ftnref1">[1]</a> <a href="http://blogs.hcpro.com/hipaa/2011/07/ocr-hires-contractor-for-hipaa-audit-plan/">http://blogs.hcpro.com/hipaa/2011/07/ocr-hires-contractor-for-hipaa-audit-plan/</a></p>
</div>
<div>
<p><a title="" href="#_ftnref2">[2]</a> <a href="http://www.healthcareinfosecurity.com/articles.php?art_id=3824&amp;rf=2011-07-07-eh&amp;hq_e=el&amp;hq_m=1189217&amp;hq_l=5&amp;hq_v=45c92d038f">http://www.healthcareinfosecurity.com/articles.php?art_id=3824&amp;rf=2011-07-07-eh&amp;hq_e=el&amp;hq_m=1189217&amp;hq_l=5&amp;hq_v=45c92d038f</a></p>
</div>
<div>
<p><a title="" href="#_ftnref3">[3]</a> <a href="http://www.hhs.gov/news/press/2011pres/07/20110707a.html">http://www.hhs.gov/news/press/2011pres/07/20110707a.html</a></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=48</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Office for Civil Rights Gets Tough on HIPAA Violations</title>
		<link>http://www.kalisystems.com/blog/?p=43</link>
		<comments>http://www.kalisystems.com/blog/?p=43#comments</comments>
		<pubDate>Fri, 25 Feb 2011 23:45:58 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=43</guid>
		<description><![CDATA[For the second time this week, the Department of Health and Human Services (HHS) has announced stiff penalties for HIPAA violations. This may signal the start of stronger HIPAA enforcement action by the Office for Civil Rights (OCR) and a &#8230; <a href="http://www.kalisystems.com/blog/?p=43">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>For the second time this week, the Department of Health and Human Services (HHS) has announced stiff penalties for HIPAA violations. This may signal the start of stronger HIPAA enforcement action by the Office for Civil Rights (OCR) and a sign of things to come when HHS rolls out its HIPAA compliance audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.</p>
<p>On February 22<sup>nd</sup>, HHS announced a landmark civil monetary penalty (CMP) against Cignet Health of Prince George’s County, Md., for violations of the Privacy Rule. The $4.3 million penalty was imposed for failing to provide 41 patients with copies of their records in the time frame required by HIPAA, and for failing to cooperate with the OCR investigation. It was the first time a penalty was assessed for Privacy Rule violations, and the first time the increased penalty amounts authorized by Section 13410(d) of the HITECH Act were applied.<span id="more-43"></span></p>
<p>In a <a href="http://www.hhs.gov/news/press/2011pres/02/20110222a.html" target="_blank">press release</a> announcing the action, HHS Secretary Kathleen Sebelius says, “The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”</p>
<p>Just two days later, <a href="http://www.hhs.gov/news/press/2011pres/02/20110224b.html" target="_blank">HHS announced</a> that Massachusetts General Hospital has agreed to pay $1 million in a Resolution Agreement with HHS. This case involved 192 patients of an outpatient practice affiliated with the hospital. A data breach occurred when a hospital employee who was commuting to work left scheduling, billing and encounter records on a subway. Mass General has also agreed to a Corrective Action Plan which requires the development of comprehensive policies and procedures, employee training, external auditing oversight and ongoing reports to HHS.</p>
<p>In the announcement, OCR Director Georgina Verdugo echoed HHS Secretary Sebelius’ earlier remarks by saying, “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”</p>
<p>She went on to add that “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”</p>
<p>While these investigations arose out of complaints received by HHS, random audits are not out of the question. HHS has already engaged consulting firm Booz Allen Hamilton to help design their audit program, which is expected to be unveiled by the end of 2011.</p>
<p>This may be a good time for health care providers to take a hard look at their compliance programs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=43</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Willful Neglect &#8211; $4.3 Mil. Penalty Results</title>
		<link>http://www.kalisystems.com/blog/?p=34</link>
		<comments>http://www.kalisystems.com/blog/?p=34#comments</comments>
		<pubDate>Wed, 23 Feb 2011 04:38:25 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=34</guid>
		<description><![CDATA[As I reviewed the provisions of HIPAA Security and Privacy provisions with a lead surgeon who heads a small but bustling medical practice, I could tell he would rather be in a treatment room with a patient than sitting in &#8230; <a href="http://www.kalisystems.com/blog/?p=34">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As I reviewed the provisions of HIPAA Security and Privacy provisions with a lead surgeon who heads a small but bustling medical practice, I could tell he would rather be in a treatment room with a patient than sitting in the lunch room with me discussing one of a legion of requirements and regulations. “Do other doctors really do this?” he asked, his head buried in his hands.</p>
<p>Protecting sensitive data is a hot button. Criminal data theft and fraud have grown alongside the explosion of day-to-day dependence on the internet, wireless and mobile technology. The <a href="http://www.idtheftcenter.org/artman2/uploads/1/ITRC_Breach_Stats_Report_20101229.pdf" target="_blank">Identity Theft Resource Center</a> reported 662 data breaches in 2010, affecting 16,167,542 records. 76% of these records included <a href="http://www.idtheftcenter.org/artman2/publish/lib_survey/Breaches_2010.shtml" target="_blank">Social Security numbers</a>.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-35" title="SSN" src="http://www.kalisystems.com/blog/wp-content/uploads/2011/02/iStock_000006030342XSmall.jpg" alt="" width="200" height="133" /></p>
<p><span id="more-34"></span>A crop of regulations such as HIPAA, Sarbanes Oxley, the FTC Red Flags Rule and PCI Security Standards stand guard over the explosion of personal information across cyberspace. Yet many business owners store sensitive data, unaware of the risks associated with data breach or the potential consequences to their business if they fail to adequately safeguard that information.</p>
<p>Just today, the Office for Civil Rights (OCR) announced a $4.3 million civil money penalty (CMP) against Cignet Health of Prince George’s County, Md., for violating the rights of 41 patients when it failed to provide requested copies of their medical records. According to the <a href="http://www.hhs.gov/news/press/2011pres/02/20110222a.html" target="_blank">OCR press release</a> the CMP is the first civil money penalty to be imposed for Privacy Rule violations. The fines were imposed under Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. $1.3 million was for failure to provide the records in the required time frame. $3 million was imposed for willful neglect, for failing to cooperate with the OCR investigation.</p>
<p>The HITECH Act also tasks OCR with developing plans for an auditing program. Until now OCR has resolved cases through negotiated settlements, such as the $2.5 million agreement reached with CVS Caremark Corp, but that may be changing. In the press release announcing the $4.3 million penalty, OCR Director Georgina Verdugo said, “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements. The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”</p>
<p>And that leads me back to my conversation in the lunch room. Ignorance is no protection from penalties, or from the loss of patient confidence if a practice has a data breach. That practice is his life’s dream and he has worked hard for it. It’s time to wake up and apply the same level of care to patient data as to patient health.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=34</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is the Xoom the new physician&#8217;s tablet?</title>
		<link>http://www.kalisystems.com/blog/?p=25</link>
		<comments>http://www.kalisystems.com/blog/?p=25#comments</comments>
		<pubDate>Sun, 30 Jan 2011 19:16:57 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[Health Care Technology]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=25</guid>
		<description><![CDATA[Portability and mobility, even with some sacrifice of function, seems to be increasingly important in the doctor&#8217;s office. We&#8217;ve seen more iPads showing up with the expectation (as lofty and unrealistic as it may be) that it will be able &#8230; <a href="http://www.kalisystems.com/blog/?p=25">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Portability and mobility, even with some sacrifice of function, seems to be increasingly important in the doctor&#8217;s office. We&#8217;ve seen more iPads showing up with the expectation (as lofty and unrealistic as it may be) that it will be able to perform the same functions as the predecessor tablet PC. There are apps of course, and RDP for remote access but coming quickly on the heels of the iPad since its announcement at CES in Vegas is the Motorola Xoom Tablet.</p>
<div id="attachment_26" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.kalisystems.com/blog/wp-content/uploads/2011/01/motorola-zoom-with-dock.jpg"><img class="size-medium wp-image-26" title="Motorola Xoom with Dock and Keyboard" src="http://www.kalisystems.com/blog/wp-content/uploads/2011/01/motorola-zoom-with-dock-300x207.jpg" alt="" width="300" height="207" /></a><p class="wp-caption-text">Motorola Xoom shown with Dock and Keyboard (Courtesy Motorola Inc.)</p></div>
<p style="text-align: center;"><span id="more-25"></span></p>
<p style="text-align: left;">With an Nvidia 1 GHz dual core processor, a large 10.1 inch screen and running Andoid&#8217;s latest 3.0 Honeycomb release optimized for tablets &#8211; this just may be the &#8220;ideal&#8221; lightweight tablet for the office. Certainly from an IT infrastructure standpoint, this unit will make virtual desktop access a breeze on which a physician can access their EMR and other network resources while still docking with a full size keyboard when returning to their desk. Is it a PC killer? Probably not, there is still a need to run heavy applications such as Photoshop and plug in complex peripherals such as scanners &#8211; but it may well mark the beginning of the end for laptop/tablet form factors which are heavier, plagued by short battery life, and more exposed to viruses, corruption and other vulnerabilities.</p>
<p>I am excited about the tablet revolution, and despite some early concern about its relevance in that space, I have become more intrigued with all the things one <em>can do</em> rather than the limitations that exist. Coupled with a secure and robust virtualized desktop environment, the Android tablet becomes more of a very effective thin client when in the shop (or even via VPN when out of the shop), and a useful roaming email/surfing tablet when not used in production. The benefits are huge, and I see this model blossoming in the coming year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=25</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Healthcare and Email &#8211; Dangerous Assumptions</title>
		<link>http://www.kalisystems.com/blog/?p=14</link>
		<comments>http://www.kalisystems.com/blog/?p=14#comments</comments>
		<pubDate>Mon, 24 Jan 2011 20:47:17 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[Health Care Technology]]></category>
		<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=14</guid>
		<description><![CDATA[Email has truly become our central production form of communication, both internally and externally. We rely on the ease and rapidity of messaging, and our ability to readily attach documents, pictures or other relevant information. But are we secure? Are we compliant? <a href="http://www.kalisystems.com/blog/?p=14">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Email has truly become our central production form of communication, both internally and externally. We rely on the ease and rapidity of messaging, and our ability to readily attach documents, pictures or other relevant information. And we are increasingly going mobile (read that as &#8220;real time&#8221;) with our email connectivity. A recent <a title="E-mail migrating to mobile devices" href="http://www.comscore.com/Press_Events/Press_Releases/2011/1/Web-based_Email_Shows_Signs_of_Decline_in_the_U.S._While_Mobile_Email_Usage_on_the_Rise" target="_blank">comScore study</a> revealed that Americans are increasingly using their mobile phones and tablets to access email on the run.</p>
<p>As a result, the information we find useful to have in email is increasing. And services like GMail have made it easy to integrate email, calendaring and contacts, all available from web browsers, mobile devices and our home computers &#8211; all for a very reasonable price indeed! But hang on here&#8230; when we use our &#8220;personal&#8221; email in such a fashion, what have we really given to these third party providers? Are we really secure? Are we even compliant?<span id="more-14"></span></p>
<p>Think carefully if you are a physician. Mail sent to GMail is kept on their servers and made available via various protocols. Very convenient to be sure, but in their possession nonetheless. While most would not think much about this &#8211; healthcare providers, or rather, HIPAA &#8220;Covered Entities&#8221; and &#8220;Business Associates&#8221; of any kind do in fact need to think about this. The legal responsibility to maintain the integrity, availability and <em>confidentiality</em> of PHI is real. And the HITECH Act of 2009 made violations of these protections onerous to say the least.</p>
<p><a title="Geisinger 3,000 patient PHI disclosure" href="http://www.healthcareitnews.com/news/geisinger-notifies-almost-3000-patients-phi-disclosure" target="_blank">Healthcare IT News&#8217; recent report on Geisinger Health System&#8217;s disclosure</a> is a clear illustration of the downside of not being attentive to these protections. In this incident, a Geisinger gastroenterologist e-mailed PHI from a medical center computer to his &#8220;home email account&#8221; in an unencrypted manner. The intent was to use the information to complete an analysis of his procedures. However, the very act of sending this information unencrypted and storing it unencrypted resulted in Geisinger Wyoming Valley Medical Center having to notify 2,928 patients that some of their <em>protected</em> health information (PHI) was disclosed in an unauthorized manner.</p>
<p>While there is no information as to any fines or other legal repercussions, what were the costs to the medical center to make such notifications? And perhaps even more importantly, what was the impact on their reputation in the market with the very public breach of patient data? Note that there was no evidence that the information had actually been seen by anyone other than the physician &#8211; yet it is still a violation under the security rules and a notification that must be made under the breach notification rules. This is certainly not something a practice would wish to endure.</p>
<p>So what can you do if you are a practice and want or need to work from another location on your information? There are solutions that work: solutions that maintain data encryption (both at rest and in transit), and solutions which do not require the data to leave the practice at all (think remote access solutions). In either case &#8211; clear documentation of the process, the encryption, and the user rights needs to be in place to be compliant. But a good rule of thumb is &#8211; no PHI should <em>ever</em> leave the walls of the practice (and I mean that electronically as well) without being encrypted, and without an audit trail in place to track who is handling the information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=14</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical Technology and Compliance</title>
		<link>http://www.kalisystems.com/blog/?p=1</link>
		<comments>http://www.kalisystems.com/blog/?p=1#comments</comments>
		<pubDate>Mon, 17 Jan 2011 23:59:01 +0000</pubDate>
		<dc:creator>Kali Systems</dc:creator>
				<category><![CDATA[Health Care Technology]]></category>
		<category><![CDATA[HIPAA and HITECH Compliance]]></category>

		<guid isPermaLink="false">http://www.kalisystems.com/blog/?p=1</guid>
		<description><![CDATA[What a subject! And what a dynamic and challenging industry for both health care providers and the various vendors they use to keep a practice running. We are going to try to get the latest and most relevant issues which &#8230; <a href="http://www.kalisystems.com/blog/?p=1">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>What a subject! And what a dynamic and challenging industry for both health care providers and the various vendors they use to keep a practice running. We are going to try to get the latest and most relevant issues which are constantly arising and bring them here for awareness and discussion. Comments will always be welcome, but highly moderated. So play nice!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kalisystems.com/blog/?feed=rss2&#038;p=1</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

