
Privacy & Security

By Verizon | Verizon | 04:00 am | February 24, 2016
(SPONSORED) In February 2016, the Verizon security team issued an alert regarding an elevated threat level affecting payment systems within the hospitality industry.
By Chris Nerney | 12:31 pm | February 23, 2016
The Health Insurance Portability and Accountability Act requires certain healthcare organizations dealing with protected health information to implement stringent security measures to safeguard that data. Yet executives at many healthcare organizations are in the dark – sometimes willfully – regarding how compliant their covered entities are with HIPAA privacy and security rules, according to Brand Barney, a security analyst for SecurityMetrics.
Barney will be running a session at HIMSS16 in Las Vegas next week on the importance of gaining a realistic assessment of your organization’s ability to meet HIPAA compliance mandates. In his role at SecurityMetrics, Barney consults with companies and conducts audits on their data security and compliance.
“What I’m seeing in the industry is a massive gap between IT professionals and executives regarding HIPAA,” he said. “Most executives believe they are HIPAA-compliant, but few really even understand what HIPAA is. They don’t know what it does for them. They say, ‘I got sold an EMR, or my attorney handles my privacy, or my IT professional covers security.’”
That gap between perception and reality is where danger lies, Barney added. “Patient data is being removed from your organization and you don’t even know,” he said. “We’re not talking about credit card information; my HIPAA information has 18 identifiers, and it’s unique.”
Even worse, some C-suite members are willfully ignorant about the source of data privacy and security dangers. “There’s a lot of avoidance,” Barney said. “They don’t want to even think about insider threats. But people with privileged use levels, such as managers with access to PHIs, pose the greatest insider threat to an organization. And business associates are a major liability.”
During his session, Barney will explore widespread HIPAA and data security assumptions among healthcare industry executives and IT, common barriers preventing organizations from implementing crucial security improvements, and how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.
“HIPAA Reality Check: The Gap Between Execs and IT” is scheduled to be held on March 1 from 11:30 a.m. to 12:30 p.m. PST in the Sands Expo Convention Center, Palazzo L.
By Mike Miliard | 12:07 pm | February 23, 2016
Group joins with insurance broker Willis Towers Watson on new program.
By Bernie Monegain | 11:17 am | February 23, 2016
Kalorama Information says electronic health record systems are here to stay after recent situations in Flint, Michigan, and Hollywood Presbyterian in which electronic medical records played key roles in times of crisis.
In Flint, Michigan, where residents are dealing with a lead poisoning water crisis, the lead was discovered as the result of searches conducted using data from an Epic EHR system. Paper records would have failed the community, Kalorama claimed in its report, "EMR 2015: The Market for Electronic Medical Records." In Flint, the key physician involved in the case reviewed the EHRs of the children whose blood had been tested at the local hospital. Paper records alone would not have lent themselves to the kind of research needed to detect patterns, Kalorama researchers said.
"The side benefit of EMR conversion, aside from cost savings, is that practice would improve and providers, academics and governments could obtain better epidemiological information," said Kalorama Information Publisher Bruce Carlson in a statement. "The visibility of the Flint, Michigan, story provides a real-world example of the benefits oft-stated during the conversion and incentive campaign," he said.
The Kalorama report also points to EHR vulnerabilities – most notably the recent case of medical data being held hostage by hackers at Hollywood Presbyterian Medical Center in Los Angeles, which ultimately opted to pay $17,000 to rescue its information from cybercriminals. Kalorama points to questions raised in that ransomware incident: whether the hospital properly encrypted information, whether staff was properly trained in anti-phishing techniques, whether EMR use audits were conducted, and whether anyone was designated as chief security officer at the hospital.
"Such services and consulting offer opportunities for the industry, which has always been as much of a service industry as a software one," the Kalorama report said.
The incident comes at a time when many physicians and hospitals have converted and are continuing to convert to electronic records, driven by federal government incentives, Carlson points out. "Three out of four U.S. hospitals have a basic EMR system and most EMRs are being used without incident," Carlson said. "Ransomware attacks are not limited by any means to EMR or healthcare facilities as corporations and even police departments have suffered attacks."
By Bernie Monegain | 03:30 pm | February 22, 2016
Los Angeles-based Complete P.T. Pool & Land Physical Therapy will pay $25,000 to settle HIPAA violations for allegedly posting patient testimonials, including full names and photos, on its website without obtaining authorization. The Department of Health and Human Services Office for Civil Rights announced the settlement terms on its website on Feb. 16. The settlement also requires Complete P.T. to adopt and implement a corrective action plan and to report annually on its compliance efforts for one year.
The complaint filed with the OCR on Aug. 8, 2012, said Complete P.T. was required by HIPAA to seek authorization for the testimonials. OCR’s investigation revealed that Complete P.T. failed to reasonably safeguard protected health information, disclosed PHI without authorization, and failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements.
"The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes," said OCR Director Jocelyn Samuels in a statement posted on the OCR website. "With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing."
By Jessica Davis | 12:37 pm | February 22, 2016
The Healthcare Leadership Council has identified six reforms that the White House, Congress and the healthcare industry should implement; the recommendations were announced last week at a Capitol Hill briefing and in a report highlighting the changes.
For starters, nationwide health information interoperability in the private sector should be achieved by December 31, 2018, the group said. The group also targeted the Food and Drug Administration, saying reforms that focus on reducing administrative burdens placed on the organization should be enacted so the FDA can better bring innovative treatments and technology to patients.
“These steps aren’t revolutionary, but they're transformative,” said HLC President Mary R. Grealy, in a statement. “Innovation is too often put on the backburner when we discuss healthcare policy, but it’s critical to elevating health system value and to address quality and cost challenges.”
The Centers for Medicare and Medicaid Services also needs to improve the Enhanced Medication Therapy Management Model to reach its goal of improving patient health and should implement best practices for Medicare, insurers and healthcare providers to improve care for the chronically ill, the group said. The federal government should reform outdated physician self-referral and anti-kickback statutes and expand Medicare payment waiver policies to protect against fraud and abuse, while improving care coordination. Cybersecurity also needs focus, the group said, pointing to Congress and the states to standardize privacy laws and increase access to patient data.
The recommendations are compiled from the HLC's National Dialogue for Healthcare Innovation initiative – a collaboration of patient advocacy leaders, drug company representatives, patient groups and other industry experts that convened over the course of a few months. David Barrett, CEO of Lahey Clinic, and Bill Hawkins, chairman and CEO of Medtronic, co-chaired the group.
“There's a widespread understanding that, for all of our healthcare system’s considerable strengths, we need to make strides in providing high-quality care at sustainable costs," Susan DeVore, president and CEO of Premier, Inc. and HLC chair, said in a statement. "The six steps on which we have reached agreement will move us significantly in that direction."
HLC has begun meetings with congressional leaders about the recommendations and will continue the conversations in the coming weeks. The compiled recommendations were produced by a partnership with NORC, the independent public policy research organization at the University of Chicago.
By Mike Miliard | 12:18 pm | February 22, 2016
Healthcare organizations are making big investments in population health and patient engagement platforms as they prepare to move past meaningful use and toward value-based reimbursement, according to "The Big Mega HIT Purchasing Report" released Monday by market research firm peer60.
Electronic health records remain core to healthcare IT, according to the report, which gathered 567 responses from CEOs, CIOs, nursing and financial leaders and others with purchasing authority at hospitals and medical practices. However, many customers are still dissatisfied with their products. Projected EHR replacement rates for 2016 show 23 percent of health providers (inpatient and outpatient combined) planning to look for new vendors, according to peer60.
Still, "population health and patient engagement are the hottest areas by a wide margin," wrote peer60 executive vice president Chris Jensen in the report. "It’s really no surprise these two segments continue to lead the way among hospital IT upgrades considering their impact on successful migration to value-based care and value-based purchasing."
As for pop health, peer60 sees some stabilization in contracting plans. In 2015, roughly 25 percent of providers were certain they'd keep their population health vendor; in 2016, that amount has doubled. "The pressure is on for vendors that have not already made their mark in this market because they’re about to be squeezed by increasing renewal rates and a declining pool of hospitals that have not already adopted," said Jensen.
But when it comes to patient engagement, authors see the opposite. "More enterprise vendors are capturing more of the minds of providers, while interest in the best of breed crowd is beginning to dwindle," Jensen said.
Other big purchasing trends are also unsurprising. Data security, enterprise analytics and revenue cycle management are all in play. Security technology, especially, has seen a big jump in provider interest. "In 2015 it was at the bottom of the list of top IT priorities and placed third this year," said Jensen. "Since this is not a growth market with 90 percent of hospitals already employing a true data security solution, the jump in interest in this area likely means the replacement market for more robust solutions in this very critical segment is heating up."
By Bernie Monegain | 11:47 am | February 22, 2016
The digital tool makes it easy for people to add a new device to their home – or clinic – Wi-Fi network.
By Eric Bailey | 11:16 pm | February 21, 2016
Carla Smith, Executive Vice President at HIMSS, highlights the major themes at the upcoming HIMSS Annual Conference and Exhibition in Las Vegas, including the value of health IT and cybersecurity.
By Bernie Monegain | 11:57 am | February 19, 2016
Protenus, a health data protection startup co-founded when the owners were medical students at Johns Hopkins University, has raised $4 million in Series A funding. Arthur Ventures led the investment, joined by LionBird Venture Capital, DreamIt Ventures, Cognosante, TEDCO and the Baltimore Angels.
Protenus founders Robert Lord and Nick Culbertson said they started the company to address the privacy concerns raised by the use of EHRs, particularly from insider threats and employee snooping.
“Essentially, we’ve built an immune system for patient data that identifies when medical records are accessed inappropriately,” Culbertson said in a press statement, announcing the funding. “Our product gives health systems the ability to deeply understand how and why medical records are accessed and whether or not there is a legitimate reason to look at a given patient’s medical or financial information.”
As Culbertson explains it, Baltimore-based Protenus’ holistic approach to anomaly detection prioritizes the most suspicious events, so healthcare systems focus on actual threats, rather than noise and false positives. The easy-to-use visualizations and automated reporting take what can be a tedious and long investigation down to resolution in just a few minutes.
Today, Protenus protects data throughout Johns Hopkins Health System. The company is in pilot stage with Inova Health System in Virginia and Maryland’s regional HIE, CRISP, which covers interchanges of data between nearly all health systems in the Maryland/DC area. Sage Growth Partners, a Baltimore-based Health IT consulting firm and adviser to Protenus, was instrumental in establishing the CRISP pilot.
Johns Hopkins has been a partner to Protenus since the company’s inception, with the university’s dedication to protecting patient privacy serving as a catalyst to the development of the product, the founders said.