Liveblogging from MI-HIMSS!

Online Tech is liveblogging from the Michigan HIMSS 2012 Fall conference, HITECH Status in Michigan: Navigating the Future of Electronic Health Records at the Crown Plaza Hotel Detroit-Novi. Stay informed with our updates throughout the conference!

If you’re attending, don’t miss Online Tech President and COO Mike Klein’s presentation, Security and Compliance for Processing Facilities, at 10:30AM ET with Gail Einhaus, Compliance, Education and Privacy Officer of Trinity Health.

9:00AM – Keynote Presentation: HITECH: Evolving to the Next Stage

Mary Griskewicz, MS & HIMSS fellow, Senior Director Healthcare Information Systems, will kick off the MI HIMSS conference momentarily!

Some memorable quotes:

• Mary’s challenge for those in healthcare: how will YOU bring meaning to #MU Meaningful Use? How will what you do today help patients, reduce costs, or improve care?
• When you realize a small hospital can have over 100 different info systems, it’s no wonder #MU2 stresses “exchange” and “interoperability”.
• Think internet connectivity isn’t holding healthcare back? Some clinicians still need 1G. – Mary Griskewicz, FHIMSS
• We don’t need to invest in infrastructure? “Most countries in Africa have better internet connectivity than the rural US.” – Mary Griskewicz.
• Michigan: until our physicians can answer what % of their patients received their flu shot, we have a LOT more #MU & #MU2 work ahead of us.

Security and Compliance for Data Center Facilities:
Which audit should you look for? SSAE 16 is taking the place of SAS 70 as a new standard with the addition of attestation.

Mike is discussing the difference between all of these audits offered, and some of the main differences in components between the audits administered. It’s important to ask for the audit from your data center operator. Get a non-disclosure, and ask for that SSAE-16 audit to get the most information about what they’re going to do to secure their data.

PCI DSS is very prescriptive and includes some unnecessary costs and complexity. It requires an independent audit. However, HIPAA is specific to PHI (protected health information), and is not as prescriptive. It is much more about people, and the training that you follow. That includes how you manage a breach. It also includes physical, technical and administrative safeguards.

CE (Covered Entity) vs. BA (Business Associate) Responsibilities
Do BAs (business associates) get HITECH? Some do and some don’t. We [Online Tech] will never open a data file. It’s a fireable offense to open a file. It’s important to know who owns what when it comes to data. Other business associate and covered entity  responsibilities that are important to clarify include timeline of breach notification, advance preparation, and breach insurance.

Beware of data centers that claim to be ‘HIPAA Certified’…you can’t do it. You can be ‘HIPAA compliant,’ which means that they’re going to help with audits or breaches. ‘HIPAA certified’ doesn’t necessarily mean that they’ve been audited, so be sure to ask for their audit report.

Compliance is a culture, not just a checkbox. Being process-oriented and being transparent with your clients are values of a compliant culture.

HITECH Impact
Admin Safeguards include:

• Risk analysis and management
• HIPAA training (training for every employee)
• Disaster Recovery (we provide this for all customers, colo to cloud)
• Solid Business Associates Agreement(there are a lot of things that can’t go into a BAA)

Technical Safeguards include:

• Antivirus (will not sign BAA unless the CE has anti-virus)
• Dedicated firewall and VPN
• Log Monitoring and REVIEW (on a daily basis)
• Patch Management (non-negotiable. We do this to all servers)
• File Integrity Monitoring
• Web Application Firewalls (helps block SQL injections)
• SSL Certificate
• Vulnerability Scanning (best practice. Every month scan and do automated testing)
• Two-factor Authentication for VPN (want to control who gets in when)
• Data Encryption (different in HIPAA and PCI. Not required for HIPAA. Highly recommended for mobile devices)

Physical Safeguards include:

• Facility Security
• Offsite backup and DR (we require that HIPAA folks have DR in order to sign BAA)
• Proper Data Destruction and Disposal (what happens when we turn down these servers? If you lose your drives, how do you guarantee that it’s been destroyed).
• Show me the HIPAA report. If someone’s not going to show you the report, you should be asking the tough questions.

Win-Win culture:
Compliance, Trust, Process-Oriented, Transparency, Embraces Independent Input. Culture is extremely important to make sure that you’re getting all the tools at your fingertips so you can be sure you know what’s going to happen with your data.

Most people are just looking for their checkmark, but it’s not their business like it is for us. It’s key to understand the technology. You may or may not want some of those safeguards, but you need to be knowledgeable of what they are so you can make an informed decision.

Business Associate HIPAA Compliance – Impact on the Business Associate and Covered Entity:
Speakers Joe Dylewski of Health Care Management and Meredith Philips

Joe: Defining the ‘certain functions or activities’ safeguards: people are seeing them as vague language. HITECH: Health Information Technology for Economic Recovery and Reinvestment Act was developed to educate and enforce HIPAA and meaningful use.

The idea of security was out there, but there was no one to enforce it, before HITECH.
A few changes include:

• Physician attestation for meaningful use
• Office of civil rights is now auditing for meaningful use
• Improved enforcement
• HIPAA ignorance no longer tolerated.
• BAs (business associates) now have the same responsibilities as CEs (covered entities) they service
• When it came to breaches with 500+ people affected, not only did they have to report it, but the media had to be notified as well.

BAs were involved in 58% of breaches. From the the CE’s perspective:

• Increased effort and decreased risk.
• When a breach happens, even if a BA is involved, the CE is still responsible. It’s necessary to have a BAA (business associates agreement) in place if you’re working with BA.
• The BA needs to have done some sort of due diligence, by conducting a risk assessment, then seeing that your BA is working toward compliance, and the last step is having proof of HIPAA compliance.

Common Qs:

• Is the CE responsible for their BA’s HIPAA compliance, and vice versa? No
• Is the CE responsible for engaging in relationships with HIPAA compliant BAs? Yes
• If the BA claims HIPAA compliance, does this imply that the CE is HIPAA compliant? No – the CE has their own responsibility to be compliant.

Protected Health Information is being touched by potentially:

• EMR
• DR site
• Physician Practice
• IT services of practice
• Document Destruction of practice
• Data center
• Health System
• Lab

These all need to be compliant.

What constitutes compliance?

• Policies
• Privacy/security
• Proof (most important, to be able to show that the policies and securities are in place, and being able to show how you execute that)

Who enforces HIPAA compliance?

• US Dept. of Health and Human Services
• Office for Civil Rights
• Individual state’s Office of The Attorney General

Speaker: Meredith R. Phillips, CHC, CHPC, Chief Privacy Officer of the Henry Ford Health System

Data Breach Responses Involving Business Associates

The HFHS Landscape:

• Founded in 1915 and has:
• 4 acute care facilities
• 1200 member medical group
• Health plan serving 640,000 members
• Home health, retail pharmacy, optical care, Hospice, Occupational Health, Extended care divisions

In 2011:

• Awarded Malcolm Baldrige Natl Quality Award (big part of that was being transparent about the struggles that they’ve had within their system)
• Around 31,000 workforce members
• 3.3 million outpatient visits,
• around 550 BAs

Now everything is streamlined, standardized, and centralized.

Vendor Compliance: the group that manages BAAs to make sure that they don’t agree to things that they don’t like about vendors. They take part in notification in the event that there’s a breach. They created a manual process for conducting breach risk assessments and applied the plan to previous breaches to vet approach. Create plan to notify all known BAs about the HITECH implications. Your exposure is not going to come from someone breaking into the network. Exposure is going to come from someone making a spreadsheet, and then saving it on a device that gets lost or stolen.

They created a HFHS branded data breach response program so the workers could get more information and understand what the program does, and what protocol is in the event of a breach. That way people can react appropriately. Decided that it was the hospital’s responsibility to educate the BA on what their responsibility is in order to protect patient data.

Lessons Learned:

• BAs don’t always understand requirements and you are ‘protector’ of data
• Ensure incident response plan is communicated effectively to BAs
• Document any education or risk assessments that you provide or conduct on your BAs
• Ensure your BAA gives you ability to terminate relationship in the event of a breach or failed risk assessment with no penalty to you.

Things to Consider:

• Assess your organization’s culture to determine the best approach for BA breach response
• Risk tolerance assessment
• Rapid response teams
• Branding opportunities
• Communication strategy
• Breach response partners
• Continuous education
• Elimination of immediate risk (the low hanging fruit. Get encrypted flash drives, for example.)

Implement the following formalized programs:

• BA educational program
• BA risk assessment program

IT Security – Indirect Threats to Patient Data
Adam Goslin, Chief Operations Officer with High Bit Security

IT security trends:

• Medical community targeted
• Increase in small scale breaches (different than in the past, when it was big businesses. Now, bigger businesses have raised their security bar, so hackers have moved to smaller businesses where security is still lagging)
• Lost/stolen devices (phones, laptops, tablets)
• Social networking exposure (causing problems by exposing data more easily and frequently)
• Data encryption (not the end-all solution)
• Data breach notification regulations
• Mobile threats (with the upswing of mobile devices, mobile device insecurities and vulnerabilities)
• Critical infrastructure attacks
• Consumers leave/avoid after security attack

Recent medical security events:

• 9.12.12 CSO for Alaska Dept Health fined 1.7M
• 8.31.12 Cancer Care Group 55,000 records exposed
• 7.25.12 15% of FDA medical device recalls raise security and privacy concerns
• 6.15.12 Memorial Sloan-Kettering Cancer Center gives patient data away via PowerPoint presentation

Targeted attacks

• Specific institutions or companies.
• Insider threats (disgruntled employees, for example)
• Hacktivism
• Defacing web pages
• Denial of Service attacks
• Outing of private information (passwords and credit card lists)

Head of interpol stated:
May 2012 – Cost of cybercrime is larger than the combined costs of cocaine, marijuana, and heroin trafficking.

The US government is building a ‘hacking monitoring facility.’
Breach costs are presently averaged at $194 per record.(this includes detection, escalation, notification, resolution and after-the-fact response). At 2000 records, you’re already up to $388,000. There are huge costs associated with a breach.

Why is it so difficult to maintain security?

• Security covers a huge range of devices and channels, from websites to mobile apps to special medical equipment.
• Security is a specialty. Developers and administrators may be good at what they do, but they may not be the best security advisors, because that’s not their specialty.

Two questions to ask about your security:

• Where are my security holes today? Found via testing
• How do I create an environment that is as secure as possible? This is a big, and very difficult question to answer.

75% of total data loss happened or were targeted towards medical facilities/business.

Malware and Worms:
These pieces of software show up from email, the web, USB drives

• Malware: usually working to get protected data, display adware, stop operations
• Worms: these replicate themselves.
• Phishing is working to get data by acting like it’s something it’s not (an example would be an email that looks like it’s from Facebook, but then when you click on the link, it takes you to a malicious site)
• Botnets: computers that are controlled by a different server. Your computer becomes something of a puppet in order to administer a malicious attack.

Online Tech is liveblogging from the Michigan HIMSS 2012 Fall conference, HITECH Status in Michigan: Navigating the Future of Electronic Health Records at the Crown Plaza Hotel Detroit-Novi. Stay informed with our updates throughout the conference!

If you’re attending, don’t miss Online Tech President and COO Mike Klein’s presentation, Security and Compliance for Processing Facilities, at 10:30AM ET with Gail Einhaus, Compliance, Education and Privacy Officer of Trinity Health.

9:00AM – Keynote Presentation: HITECH: Evolving to the Next Stage

Mary Griskewicz, MS & HIMSS fellow, Senior Director Healthcare Information Systems, will kick off the MI HIMSS conference momentarily!

Some memorable quotes:

• Mary’s challenge for those in healthcare: how will YOU bring meaning to #MU Meaningful Use? How will what you do today help patients, reduce costs, or improve care?
• When you realize a small hospital can have over 100 different info systems, it’s no wonder #MU2 stresses “exchange” and “interoperability”.
• Think internet connectivity isn’t holding healthcare back? Some clinicians still need 1G. – Mary Griskewicz, FHIMSS
• We don’t need to invest in infrastructure? “Most countries in Africa have better internet connectivity than the rural US.” – Mary Griskewicz.
• Michigan: until our physicians can answer what % of their patients received their flu shot, we have a LOT more #MU & #MU2 work ahead of us.

---

10:00 AM – Mike Klein discussing Security & Compliance for Processing Facilities

Security and Compliance for Data Center Facilities:
Which audit should you look for? SSAE 16 is taking the place of SAS 70 as a new standard with the addition of attestation.

Mike is discussing the difference between all of these audits offered, and some of the main differences in components between the audits administered. It’s important to ask for the audit from your data center operator. Get a non-disclosure, and ask for that SSAE-16 audit to get the most information about what they’re going to do to secure their data.

PCI DSS is very prescriptive and includes some unnecessary costs and complexity. It requires an independent audit. However, HIPAA is specific to PHI (protected health information), and is not as prescriptive. It is much more about people, and the training that you follow. That includes how you manage a breach. It also includes physical, technical and administrative safeguards.

CE (Covered Entity) vs. BA (Business Associate) Responsibilities
Do BAs (business associates) get HITECH? Some do and some don’t. We [Online Tech] will never open a data file. It’s a fireable offense to open a file. It’s important to know who owns what when it comes to data. Other business associate and covered entity  responsibilities that are important to clarify include timeline of breach notification, advance preparation, and breach insurance.

Beware of data centers that claim to be ‘HIPAA Certified’…you can’t do it. You can be ‘HIPAA compliant,’ which means that they’re going to help with audits or breaches. ‘HIPAA certified’ doesn’t necessarily mean that they’ve been audited, so be sure to ask for their audit report.

Compliance is a culture, not just a checkbox. Being process-oriented and being transparent with your clients are values of a compliant culture.

HITECH Impact
Admin Safeguards include:

• Risk analysis and management
• HIPAA training (training for every employee)
• Disaster Recovery (we provide this for all customers, colo to cloud)
• Solid Business Associates Agreement(there are a lot of things that can’t go into a BAA)

Technical Safeguards include:

• Antivirus (will not sign BAA unless the CE has anti-virus)
• Dedicated firewall and VPN
• Log Monitoring and REVIEW (on a daily basis)
• Patch Management (non-negotiable. We do this to all servers)
• File Integrity Monitoring
• Web Application Firewalls (helps block SQL injections)
• SSL Certificate
• Vulnerability Scanning (best practice. Every month scan and do automated testing)
• Two-factor Authentication for VPN (want to control who gets in when)
• Data Encryption (different in HIPAA and PCI. Not required for HIPAA. Highly recommended for mobile devices)

Physical Safeguards include:

• Facility Security
• Offsite backup and DR (we require that HIPAA folks have DR in order to sign BAA)
• Proper Data Destruction and Disposal (what happens when we turn down these servers? If you lose your drives, how do you guarantee that it’s been destroyed).
• Show me the HIPAA report. If someone’s not going to show you the report, you should be asking the tough questions.

Win-Win culture:
Compliance, Trust, Process-Oriented, Transparency, Embraces Independent Input. Culture is extremely important to make sure that you’re getting all the tools at your fingertips so you can be sure you know what’s going to happen with your data.

Most people are just looking for their checkmark, but it’s not their business like it is for us. It’s key to understand the technology. You may or may not want some of those safeguards, but you need to be knowledgeable of what they are so you can make an informed decision.

---

Business Associate HIPAA Compliance – Impact on the Business Associate and Covered Entity:
Speakers Joe Dylewski of Health Care Management and Meredith Philips

Joe: Defining the ‘certain functions or activities’ safeguards: people are seeing them as vague language. HITECH: Health Information Technology for Economic Recovery and Reinvestment Act was developed to educate and enforce HIPAA and meaningful use.

The idea of security was out there, but there was no one to enforce it, before HITECH.
A few changes include:

• Physician attestation for meaningful use
• Office of civil rights is now auditing for meaningful use
• Improved enforcement
• HIPAA ignorance no longer tolerated.
• BAs (business associates) now have the same responsibilities as CEs (covered entities) they service
• When it came to breaches with 500+ people affected, not only did they have to report it, but the media had to be notified as well.

BAs were involved in 58% of breaches. From the the CE’s perspective:

• Increased effort and decreased risk.
• When a breach happens, even if a BA is involved, the CE is still responsible. It’s necessary to have a BAA (business associates agreement) in place if you’re working with BA.
• The BA needs to have done some sort of due diligence, by conducting a risk assessment, then seeing that your BA is working toward compliance, and the last step is having proof of HIPAA compliance.

Common Qs:

• Is the CE responsible for their BA’s HIPAA compliance, and vice versa? No
• Is the CE responsible for engaging in relationships with HIPAA compliant BAs? Yes
• If the BA claims HIPAA compliance, does this imply that the CE is HIPAA compliant? No – the CE has their own responsibility to be compliant.

Protected Health Information is being touched by potentially:

• EMR
• DR site
• Physician Practice
• IT services of practice
• Document Destruction of practice
• Data center
• Health System
• Lab

These all need to be compliant.

What constitutes compliance?

• Policies
• Privacy/security
• Proof (most important, to be able to show that the policies and securities are in place, and being able to show how you execute that)

Who enforces HIPAA compliance?

• US Dept. of Health and Human Services
• Office for Civil Rights
• Individual state’s Office of The Attorney General

---

Speaker: Meredith R. Phillips, CHC, CHPC, Chief Privacy Officer of the Henry Ford Health System

Data Breach Responses Involving Business Associates

The HFHS Landscape:

• Founded in 1915 and has:
• 4 acute care facilities
• 1200 member medical group
• Health plan serving 640,000 members
• Home health, retail pharmacy, optical care, Hospice, Occupational Health, Extended care divisions

In 2011:

• Awarded Malcolm Baldrige Natl Quality Award (big part of that was being transparent about the struggles that they’ve had within their system)
• Around 31,000 workforce members
• 3.3 million outpatient visits,
• around 550 BAs

Now everything is streamlined, standardized, and centralized.

Vendor Compliance: the group that manages BAAs to make sure that they don’t agree to things that they don’t like about vendors. They take part in notification in the event that there’s a breach. They created a manual process for conducting breach risk assessments and applied the plan to previous breaches to vet approach. Create plan to notify all known BAs about the HITECH implications. Your exposure is not going to come from someone breaking into the network. Exposure is going to come from someone making a spreadsheet, and then saving it on a device that gets lost or stolen.

They created a HFHS branded data breach response program so the workers could get more information and understand what the program does, and what protocol is in the event of a breach. That way people can react appropriately. Decided that it was the hospital’s responsibility to educate the BA on what their responsibility is in order to protect patient data.

Lessons Learned:

• BAs don’t always understand requirements and you are ‘protector’ of data
• Ensure incident response plan is communicated effectively to BAs
• Document any education or risk assessments that you provide or conduct on your BAs
• Ensure your BAA gives you ability to terminate relationship in the event of a breach or failed risk assessment with no penalty to you.

Things to Consider:

• Assess your organization’s culture to determine the best approach for BA breach response
• Risk tolerance assessment
• Rapid response teams
• Branding opportunities
• Communication strategy
• Breach response partners
• Continuous education
• Elimination of immediate risk (the low hanging fruit. Get encrypted flash drives, for example.)

Implement the following formalized programs:

• BA educational program
• BA risk assessment program

---

IT Security – Indirect Threats to Patient Data
Adam Goslin, Chief Operations Officer with High Bit Security

IT security trends:

• Medical community targeted
• Increase in small scale breaches (different than in the past, when it was big businesses. Now, bigger businesses have raised their security bar, so hackers have moved to smaller businesses where security is still lagging)
• Lost/stolen devices (phones, laptops, tablets)
• Social networking exposure (causing problems by exposing data more easily and frequently)
• Data encryption (not the end-all solution)
• Data breach notification regulations
• Mobile threats (with the upswing of mobile devices, mobile device insecurities and vulnerabilities)
• Critical infrastructure attacks
• Consumers leave/avoid after security attack

Recent medical security events:

• 9.12.12 CSO for Alaska Dept Health fined 1.7M
• 8.31.12 Cancer Care Group 55,000 records exposed
• 7.25.12 15% of FDA medical device recalls raise security and privacy concerns
• 6.15.12 Memorial Sloan-Kettering Cancer Center gives patient data away via PowerPoint presentation

Targeted attacks

• Specific institutions or companies.
• Insider threats (disgruntled employees, for example)
• Hacktivism
• Defacing web pages
• Denial of Service attacks
• Outing of private information (passwords and credit card lists)

Head of interpol stated:
May 2012 – Cost of cybercrime is larger than the combined costs of cocaine, marijuana, and heroin trafficking.

The US government is building a ‘hacking monitoring facility.’
Breach costs are presently averaged at $194 per record.(this includes detection, escalation, notification, resolution and after-the-fact response). At 2000 records, you’re already up to $388,000. There are huge costs associated with a breach.

Why is it so difficult to maintain security?

• Security covers a huge range of devices and channels, from websites to mobile apps to special medical equipment.
• Security is a specialty. Developers and administrators may be good at what they do, but they may not be the best security advisors, because that’s not their specialty.

Two questions to ask about your security:

• Where are my security holes today? Found via testing
• How do I create an environment that is as secure as possible? This is a big, and very difficult question to answer.

75% of total data loss happened or were targeted towards medical facilities/business.

Malware and Worms:
These pieces of software show up from email, the web, USB drives

• Malware: usually working to get protected data, display adware, stop operations
• Worms: these replicate themselves.
• Phishing is working to get data by acting like it’s something it’s not (an example would be an email that looks like it’s from Facebook, but then when you click on the link, it takes you to a malicious site)
• Botnets: computers that are controlled by a different server. Your computer becomes something of a puppet in order to administer a malicious attack.