GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft.

On April 14, 2016, the European Parliament adopted the final text of the General Data Protection Regulation (GDPR). GDPR has been characterized as the most sweeping and impactful change to privacy and data-protection regulation in history. It applies from May 25, 2018, with broad implications for EU-based organizations and for multinationals around the globe. It is critical to note that GDPR imposes its rules on any organization that offers goods or services to people in the EU, or that collects and analyzes data tied to EU residents, no matter where that organization is located. This means that US-based healthcare covered entities and other organizations acting as controllers or processors of an EU citizen's or resident's health data are directly affected by GDPR and must be prepared to meet its requirements.

The GDPR sets a new bar for privacy rights, security, and compliance, enforced through heavy penalties. Microsoft has committed that all of its online services will be GDPR compliant and that this commitment will be backed by contract, giving customers assurance that the personal data those services hold is protected and handled in compliance with the Regulation. With privacy by design as a core guiding principle, Microsoft provides a comprehensive set of software and services to help customers meet their GDPR requirements. Microsoft recognizes that end-to-end compliance must be implemented as a holistic process across the organization, including (and beginning with) the protection of endpoints. Windows 10 is where that compliance journey can begin.

GDPR Focus: Data Protection and Security – Not Technology

Like the HIPAA Security Rule, GDPR does not prescribe specific technologies or products. What it does require is that organizations take a holistic, structured and documented approach to data protection and overall security, proportionate to the risk of the processing.

More specifically, GDPR states the following:

(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Microsoft GDPR Readiness and Assessment Tool

Microsoft Windows 10 supports an organization's GDPR security and privacy requirements with a cloud-enabled security stack covering device protection, identity protection and management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Update (version 1607), Windows includes Windows Information Protection (WIP), which provides integrated protection against accidental data leaks.

With WIP Windows 10 can:

  • Protect data at rest locally and on removable storage
  • Enable corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
  • Provide a common experience across all Windows 10 devices and prevent unauthorized apps from accessing business data and users from leaking data with copy and paste protection
  • Enable seamless integration into the Microsoft cloud platform

Quality Reporting: A Drain on Practice Resources, New Study Shows

As featured in EMR & HIPAA, Powered by HeathScene.

If time is money, medical practices are losing a lot of both, based on the findings of a new study published in Health Affairs. The key takeaway: practices spend an average of 785 hours per physician per year, and $15.4 billion per year in aggregate, reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By using technology to manage labor-intensive, error-prone and mundane tasks, practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by moving to cloud-based software.

This administrative bloat and financial burden can be addressed with software tools designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting its annual risk analysis in spreadsheets and other manual methods, it is time to move to a Security Risk Analysis software solution. A cloud-based Security Risk Analysis solution is designed to control costs and automates 78% of the manual labor needed to calculate risk for organizations of all sizes.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

Fighting Ransomware: A Success Story

When the HHS Office for Civil Rights released the HIPAA guidance on ransomware in the summer of 2016, collectively the health care community sat up and took notice. The guidance (found here) outlines various activities required by HIPAA that assist organizations in the prevention and detection of threats. One of the key activities listed in the guidance is completing an annual Security Risk Analysis.

As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  By utilizing the HIPAA One® Security Risk Analysis (SRA) tool, I am able to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site with one of our clients, which I will call “Care Health” to preserve their confidentiality, working on organization-wide identity protection. Care Health utilizes our SRA to safeguard their critical data and provide security and protection from Ransomware, malware and the proverbial “sophisticated malware attacks”.

While at the Care Health office, two staff members in the Billing department were working with shared files on a network-mapped drive (e.g. the N: drive). One of them noticed that new files were spontaneously appearing and that the file icons in the network folder were changing. Watching the changing file names, she saw one show up as ransom.txt.

Acting quickly, she contacted the IT Helpdesk for assistance. The Helpdesk had been trained to escalate all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). Upon being notified, the HSO logged into the N: shared drive and found that files were slowly being encrypted!

How do you stop a Ransomware attack?

Promptly, the HSO ran Bitdefender full scans on the Billing department computers and found nothing. He then installed and ran Microsoft's built-in Windows Defender, which has the most current malicious-software removal utilities on Server 2012, and found Tescrypt. Installing Windows Defender on the two desktops not only detected the infection but also removed it.

This specific Ransomware variant had somehow infected the system and was systematically encrypting these files.  Thankfully, the quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before any patient data was compromised. Following the incident, backups were used to restore the few-dozen encrypted files on the network-drive. Due to appropriate safeguards and training, the Care Health team was ready and a crisis was averted.

A configuration review of Care Health's security appliances found that Websense was configured to allow "zero-reputation" websites through. Zero-reputation websites are newly registered sites with no established reputation, and attackers commonly use them to deliver attacks like this one. At Care Health, the ransomware apparently came from a legitimate website carrying an infected banner ad served from a zero-reputation source. The banner ad triggered a browser download before the user was shown the legitimate page, so visitors downloaded the malicious executable from the ad and unknowingly installed the ransomware on their local computer. Once running, the ransomware began encrypting files on the higher-lettered network drives.
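The signals the Billing staff caught by eye (a ransom note appearing, files silently changing type) can also be scanned for on the share itself. The Python script below is an added example for this post, not Care Health's or HIPAA One's tooling. The ransom-note name patterns, the set of file types the share is assumed to hold, the entropy threshold, and the sample share it builds in a temporary directory (including the made-up `.ecc` appended extension) are all assumptions constructed for the demonstration.

```python
"""Added example: scan a file share for the ransomware indicators described above.
Not HIPAA One's or Care Health's code; patterns, thresholds and sample data are
constructed for the demo."""
import math
import random
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Hypothetical ransom-note file-name patterns. Real variants use many names; tune per site.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^ransom.*\.txt$", re.I),
    re.compile(r"(how|readme|help).*(decrypt|recover|restore)", re.I),
]

# Assumed file types on the Billing share and the bytes each must start with.
# Office formats are zip containers, so both start with the zip local-header magic.
EXPECTED_MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
KNOWN_EXTENSIONS = set(EXPECTED_MAGIC) | {".txt", ".csv"}

# Bits per byte above which content looks encrypted (or compressed). Chosen for the demo.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Return an indicator name for a suspicious file, or None for a normal-looking one."""
    if any(p.search(path.name) for p in RANSOM_NOTE_PATTERNS):
        return "ransom_note"
    with path.open("rb") as fh:
        head = fh.read(4096)
    ext = path.suffix.lower()
    expected = EXPECTED_MAGIC.get(ext)
    # A .docx that no longer starts with the zip header was overwritten in place.
    if expected is not None and not head.startswith(expected):
        return "header_mismatch"
    # An appended extension (report.docx.ecc) whose content looks like ciphertext.
    if ext not in KNOWN_EXTENSIONS and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "unknown_ext_high_entropy"
    return None


def scan_share(root: Path, alert_threshold: int = 3) -> Tuple[Dict[str, List[str]], bool]:
    """Walk the share; alert on any ransom note or on several encrypted-looking files."""
    findings: Dict[str, List[str]] = {
        "ransom_note": [], "header_mismatch": [], "unknown_ext_high_entropy": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            kind = classify(p)
            if kind:
                findings[kind].append(p.name)
    total = sum(len(v) for v in findings.values())
    alert = bool(findings["ransom_note"]) or total >= alert_threshold
    return findings, alert


def build_sample_share(root: Path, infected: bool) -> None:
    """Constructed sample data: a few normal Billing files, optionally plus an infection."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"plain pdf body " * 100)
    (root / "claims.xlsx").write_bytes(b"PK\x03\x04" + b"sheet data " * 100)
    (root / "notes.txt").write_text("patient follow-up call list\n" * 20)
    if infected:
        (root / "report.docx").write_bytes(noise)           # encrypted in place
        (root / "claims_2015.xlsx.ecc").write_bytes(noise)  # made-up appended extension
        (root / "ransom.txt").write_text("Your files have been encrypted.\n")


def demo(infected: bool = True) -> Tuple[Dict[str, List[str]], bool]:
    """Build the sample share in a temp dir, scan it, clean up, and return the result."""
    tmp = Path(tempfile.mkdtemp())
    try:
        build_sample_share(tmp, infected)
        return scan_share(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    result, alert = demo()
    print("ALERT" if alert else "clean", result)
```

Of the three indicators, the header mismatch is the most reliable on a share like this one: Office documents are zip containers and already sit near 8 bits per byte, so entropy alone would flag every healthy .docx, which is why the entropy check here is gated on an unrecognised extension. In production the scan would run against the file server's own paths (or its object-access audit log) on a schedule, and a burst of renames or creations in a short window, which is exactly what the staff member observed, is a further signal worth adding.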

Next steps…

Unfortunately, ransomware is here to stay and the number of attacks is rising. Now more than ever, it is critical that health care organizations have up-to-date policies and procedures in place to prevent these attacks, together with a comprehensive user training and awareness program. Let the Care Health incident be a reminder that a well-trained employee is an organization's best defense against ransomware, phishing and sophisticated malware attacks.

The HIPAA One® software suite offers an automated approach to implementing and maturing your organization’s HIPAA Security Compliance Program. To learn more, visit us at  https://www.hipaaone.com/contact/

OCR’s Updated HIPAA Audit Program – What you need to know

With the peak of patient-data breaches hopefully behind us (e.g. the Anthem/WellPoint breach, Premera, Blue Cross and others in 2015), it is clear the industry has struggled with properly securing electronic protected health information (ePHI). As such, the federal government has stepped in to ensure that measures are in place to secure ePHI, that the privacy rules granting all of us access to our health information are followed, and that discovering a breach and failing to take appropriate steps to notify those affected is unlawful.

The Office for Civil Rights (OCR) is the division of Health and Human Services responsible for ensuring industry compliance with individuals' privacy rights and with the safeguards for electronic PHI, and for investigating an organization's diligence when breaches occur. Part of OCR's mandate is also to audit the industry, verifying that organizations are adopting compliance efforts, reducing the risk of breaches and improving health care. This is the HIPAA Audit Program, and it uses a set of instructions called the Audit Protocol to test compliance.

Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol.  To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.

The HIPAA Audit Protocol is something the healthcare IT compliance and audit communities have asked for for a long time: more concrete guidance on the HIPAA regulations. Alongside NIST-based risk analysis methodologies, this set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around electronic protected health information, or ePHI), privacy (rights and restrictions on PHI) and breach notification (what to do when a breach of PHI happens). This graphic shows the number of top-level HIPAA citations covered under OCR's checklist, color-coded by discipline:

HIPAA Audit Protocol 2016

To summarize the changes between Phase 1 and Phase 2 of the Audit Program:

What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and endorsed the OCR‘s Audit Program.
  2. Contained 169 total protocols.
  3. Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit)
  2. Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
  3. 180 Enhanced protocols (groups of instructions) which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

With so many recent changes, it is clear that checklists, spreadsheets, the ONC's SRA tool, HITRUST and most commercial compliance software are now out of date relative to the new HIPAA Audit Protocol. As we reach the end of the Meaningful Use incentive program, we risk having a large number of covered entities using outdated tools against modern HIPAA compliance requirements.

Regarding the HIPAA Audit Protocol’s compliance date, says Brad Trudell of MetaStar, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements.  If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”

In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).

Specific steps to take in light of the new HIPAA Audit Protocol:
  1. Check your “Clutter”, “Junk” or “Spam” folders to ensure that an email sent from OSOCRAudit@hhs.gov (OCR office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Example of the email is here.
  2. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach Notification assessments, since these are often overlooked.
  3. Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
  4. Address risks found in previous risk analysis efforts. This requires documented progress of gaps in compliance and associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures).  This also includes having supporting documentation tracking these updates.
  5. Identify who your business associates (BA) are (or subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March, 2013), and collect proof (e.g. reasonable assurances) that the BA or Subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
  6. Ensure that any software tools you use have been updated for the new release of OCR's HIPAA Audit Protocol (i.e. Phase 2 of the Audit Program), so that your risk management and compliance program is aligned with it today, not months from now.

Why invest in yesterday’s Audit Protocol?  HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program.  To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies contact us or email info@hipaaone.com.


Demystifying HIPAA Security Risk Analysis

Steven Marco

As a business owner, my professional conversations with physicians run the gamut, from how my business services can solve their problems, to exchanging ideas and best practices, and offering support in starting and growing a business. I get the feeling that physicians running a medical practice often feel like they have a target on their back because staffing, management, regulations, documentation, and reimbursement have become such big parts of medicine.

Building a business requires tremendous time, money and effort in order to become profitable.  The compliance landscape shifts and evolves.  Today, a HIPAA Security Risk Analysis has become paramount for almost any medical practice to collect state and federal reimbursements.  An often overlooked benefit, however, is the Security Risk Analysis, which can improve the efficiency and professionalism of these same practices.

But how does complying with HIPAA help?

First, HIPAA Security is greatly misunderstood. HIPAA's privacy provisions were conceived in part because patients were not able to access their own health information. Today, HIPAA enforcement is the main driver ensuring we don't mishandle or otherwise treat patients' protected health information (PHI) with neglect, willful or not.

Many practices believe that if they complete a quick checklist or perform a risk assessment with an auditor on the phone and get a final report, they are done and have “checked the box.”    Like doing a fast tax-return, this quick approach diminishes the value of HIPAA. If embraced, HIPAA’s Security Risk Analysis checklist of best practices provides ongoing benefits, such as:

Staff morale:

  • Policies and Procedures establish a code of conduct on how staff should represent the clinic in day-to-day interactions with patients.
  • Guidance on handling patients, staff, processes and technology provides operational clarity
  • Assurance that the IT department makes Electronic Medical Records available (e.g. performance, backups and recovery), complete, accurate and confidential.
  • A clear baseline on how to handle all aspects of patient releases, authorizations, business associates and internal operations.

Technology:

  • One aggregated place for information about patient visits can contribute to population health research and disease management.
  • Encryption of laptops, desktops, smartphones and all portable media can reduce the risk of having to report a breach by up to 68% (the share of reported breaches that OCR breach data attribute to theft, loss and improper disposal), because ePHI encrypted in line with HHS guidance is not "unsecured" PHI and its loss is not a reportable breach.
  • Meaningful Use provides incentives and ongoing reimbursements (soon to become MACRA).

Clinic appearance:

  • Staff attire, name badges and a proper patient waiting area separate from the clinical area comply with HIPAA and improve the professional look and feel of the clinic.
  • Training and employee awareness reinforce policies and procedures, which improves morale and reduces risk to the clinic.

The Bottom Line:

Conducting a HIPAA Security Risk Analysis covers the Physical, Administrative and Technical (PAT) safeguards and provides a snapshot of where the clinic is performing well and where improvements are needed. If the Security Risk Analysis is the snapshot, the "moving picture" is the ongoing process of closing compliance gaps, not only to reduce the chances of a breach but also to improve the efficiency of the organization. For a quick 5-minute assessment, take our high-level HIPAA Security Assessment quiz and see how your practice measures up against the top 13 HIPAA items typically missed. Contact us today to learn how to get more return on your HIPAA investment than simply "checking the box".

HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and on how much our clients appreciated the simplicity and automation it provides. We have been committed to expanding our solutions and adding products to be "all things HIPAA". With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments.   Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs of not only the large practices, but also the small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions so that the patient information our clients keep stays safe and secure. Furthermore, OCR is accelerating the frequency and number of audits; with HIPAA One solutions, you are guaranteed to pass.


Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn’t Going Away

Good news – with the mixed-bag of recent news from CMS, the boat has not yet left the dock!  If you conducted a “last-minute” spreadsheet or checklist to meet December 2015 deadline, the odds of passing an audit are not good.  Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs. In spite of the recent proclamation from CMS that MU will end in 2016, any Eligible Provider (EP) or Eligible Hospital (EH) must still file for 2015. The specific requirements to "Protect Electronic Health Information" are described by CMS in the following table:

The filing period for Meaningful Use attestation and reporting runs from January 4 through February 29, 2016. This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015, there is still time! The SRA must cover 2015 and cannot be reused for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process, using a cloud-based, step-by-step approach (see the quick video here: https://youtu.be/9G_B7U_pnuo). With it you can comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

A "new program" is slated to be announced by CMS on or about March 25, 2016 that will replace (some think "augment") the current MU program. It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement, with special attention paid to APIs and interoperability. That said, data security will remain of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance


HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment under 45 CFR 164.308(a)(1)(ii)(A), so you can be assured you are compliant.

HIPAA Security for Meaningful Use : Myths and Facts

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials).  They go in to the organization interviewing, collecting some documentation, running scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art, content, and most-importantly; it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS guidance on this myth:

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

"Review and update the prior analysis for changes in risks" means conducting a gap assessment and risk analysis on each item that changed since last year. Since tracking these changes is a near-impossible task (ITIL change management processes are being widely adopted to tackle it), HIPAA One® allows a full import of last year's HIPAA Security Risk Analysis (SRA) so that each question can be reviewed for what has changed. Ongoing tracking is built in after the SRA is over, and automated documentation reduces audit responses to pressing a "Print" button.

Myth #3 – I have to outsource the security risk analysis.

HHS Privacy and Security Guide of Health Information, page 6

"False. It is possible for small practices to do a competent risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional."

HIPAA One® take: If you haven't had a third party come in during the past 3 years, or ever, then we strongly recommend outsourcing one to ensure your efforts stand up to a compliance review. The first year of compliance efforts is expensive; however, year 2 should cost roughly 50% of year 1 as investments are implemented. The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps of the risk analysis. HIPAA One® accomplishes this by accelerating each person's efforts by a factor of 5, using automation instead of a manual risk analysis, while learning from the experience. In year 2 this allows you, the non-certified auditor, to simply press the "Import Last Year's Assessment" button; HIPAA One® lets you insource instead of outsource.

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

AHCCCS Audit Notice Announced

Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) gives notice of AHCCCS IT system security audits

Courtesy of DHHS

HIPAA One® works with several Health Plans and Clinics that operate a Managed Care Organization (MCO) in the great state of Arizona, providing AHCCCS Audits pursuant to Policy 108 and HIPAA.  As such, we have helped these clients respond to several audits since Policy 108 took effect back in 2013.

Yesterday the Arizona Health Care Cost Containment System (AHCCCS) was notified by the DHHS OIG that it will be performing on-site audits of three Managed Care Organizations regarding IT system security.  To summarize the notice:

  1. Audits of the MCOs may begin as soon as November 2, 2015.
  2. One MCO will be audited this year, and two more MCO audits will likely be performed in 2016.
  3. DHHS OIG will provide a draft report with the combined findings to AHCCCS.
  4. A final report of the combined audit findings will be published with non-identifying information.
  5. The first MCO will be contacted Monday, October 19, 2015.

As of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

In March of 2015, we posted an update to our AHCCCS blog with a response to the annual guidance request by AHCCCS:

“Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…”

You can find the updated Policy 108 compliance guidance here; it states that the audit needs to be done every year and must be submitted using third-party attestation by June 1st:

Policy 108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a HIPAA Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled, including the attachments proving compliance and functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

Windows 10 and HIPAA Security Officer Compliance

Windows 10 Settings

CIOs, IT Directors and IT Managers are often deputized as their organization’s HIPAA Security Officer.  In addition to being responsible for HIPAA security and compliance, they may face a push to upgrade to Windows 10.   After all, everyone in the organization is already using it at home.  But during testing and deployment planning, Cortana and the mobile-OS-like features that send data to third parties raise the question, “Does Windows 10 violate HIPAA Privacy?”

The short answer is that the default configuration of Windows 10 may violate HIPAA.  The Windows 10 Privacy Statement, part of the Microsoft License terms of July 2015, uses very flexible language on how Personal Data is collected, used and shared.    Specifically, this provision states:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

As with any convenient features, there is always an impact on security.  Unfortunately, security and functionality are often inversely related.

Windows 10 Privacy Settings

The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk.  Cortana “learns” how each person speaks and writes by taking samples.  In addition, names, nicknames, recent calendar events and contacts are retained.
  2. Data Sync: The default setting allows the operating system to sync settings and data to Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however, it also means users’ credentials could be exposed through a breach of Microsoft’s systems rather than your own.
  3. 3rd-party Advertisers: The Advertising ID provides a unique identifier per user, allowing collected data to be shared with 3rd-party advertisers.  This may help fund the “free” upgrade to Windows 10 from previous versions, and it exists to serve more effective targeted ads when using 3rd-party applications.  Turning it off will not block ads from appearing, but they may be less targeted, as your users remain more anonymous with this feature turned off.
  4. BitLocker: Windows 10 will automatically back up your encryption key to OneDrive unless you are using Active Directory Group Policy to manage this element.  Also, if you are using BitLocker or planning to use BitLocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support, to avoid having to report a breach if a BitLocker-encrypted laptop is lost or stolen.
  5. Telemetry:  Those familiar with the Windows pop-up that sends diagnostic information to Microsoft after a program crashes will want to know about Telemetry.  Telemetry is an enhanced diagnostics and tracking service that sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc.  Our friends at Winaero have a well-documented how-to for disabling Telemetry.
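The five features above are all governed by machine-wide Group Policy settings that Windows stores under HKLM\SOFTWARE\Policies. The following audit script is an added example, not part of the whitepaper or any HIPAA One® tool; it reads those policy values and reports whether each feature is locked down, so a Security Officer can check a build image before deployment. It assumes the standard registry-backed policy names for Windows 10 (AllowCortana, DisableSettingSync, DisabledByGroupPolicy, AllowTelemetry, UseTPMPIN, OSActiveDirectoryBackup, HibernateEnabled); confirm them against your own ADMX templates before relying on the result for an attestation.

```powershell
# Added audit script (not from the whitepaper). Read-only: it reports, it does not change anything.
# Assumption: these are the standard registry-backed Windows 10 policy values behind the GPO settings.
$Checks = @(
    @{ Feature='Cortana disabled';            Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';  Name='AllowCortana';            Want=0 },
    @{ Feature='Settings sync disabled';      Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync';     Name='DisableSettingSync';      Want=2 },
    @{ Feature='Advertising ID disabled';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'; Name='DisabledByGroupPolicy';   Want=1 },
    # 0 = "Security" level; only honored on Enterprise/Education editions (others fall back to Basic).
    @{ Feature='Telemetry at Security level'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name='AllowTelemetry';          Want=0 },
    # 2 = require a startup PIN with the TPM (needs UseAdvancedStartup=1 in the same key).
    @{ Feature='BitLocker TPM+PIN required';  Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                     Name='UseTPMPIN';               Want=2 },
    # Recovery key escrowed to AD DS instead of the user's OneDrive.
    @{ Feature='BitLocker key backed up to AD'; Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                   Name='OSActiveDirectoryBackup'; Want=1 },
    # Hibernation off (the page's alternative to TPM+PIN); this one is a system setting, not a policy.
    @{ Feature='Hibernation disabled';        Path='HKLM:\SYSTEM\CurrentControlSet\Control\Power';              Name='HibernateEnabled';        Want=0 }
)

function Get-RegistryValueOrNull([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. when the Windows default still applies.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-Win10PrivacyPolicyStatus {
    foreach ($c in $Checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Feature   = $c.Feature
            Policy    = "$($c.Path)\$($c.Name)"
            Expected  = $c.Want
            Actual    = if ($null -eq $actual) { 'not set (default applies)' } else { $actual }
            Compliant = ($null -ne $actual -and [int]$actual -eq $c.Want)
        }
    }
}

# Print the table and exit non-zero when any item is non-compliant, so the check can gate an image build.
$report = Get-Win10PrivacyPolicyStatus
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in an elevated PowerShell session on a test workstation after applying your Group Policy, and again on a default out-of-box install to see how many items the defaults leave open.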

Although it is still too early to tell whether Windows 10 violates specific HIPAA Privacy provisions, HIPAA Privacy at a high level guarantees individuals a minimum set of protections, and those protections could be undermined. Therefore, depending on whether ePHI is released as these Windows 10 features are used, we believe violations of the following provisions may lead to HIPAA non-compliance:

  • Access to the health record – see patient rights §164.522, §164.524 §164.526
  • Minimum necessary uses of PHI – see use and disclosure §164.514
  • Content and right to an Accounting of Disclosures – see privacy management process §164.528
  • Business Associate Contracts – see privacy management process §164.504, §164.502, §164.524, §164.526, §164.528.

It is unclear whether Microsoft will be sending ePHI from PCs anytime soon, which may result in “collateral damage” for those Covered Entities using Windows 10.   And although the answer on HIPAA Privacy violations remains tenuous, following some basic steps may significantly reduce your organization’s risk of violating HIPAA.

Windows 10 Cortana settings

To maintain your organization’s level of due diligence under HIPAA and the HITECH Act, there are items to configure in Windows 10 that help avoid long-term repercussions from the upgrade.   To test, configure and restrict the information Windows 10 sends outside your organization’s networks, you may request the set of instructions below.

In conclusion, Windows 10 does send information back to Microsoft, and it does so on a per-feature, per-benefit basis.  Microsoft has provided a way to turn off these data-collecting features; however, traditional system-level information will still be sent (as it always has been) to Microsoft.  We strongly recommend turning these data-collecting features off.  It is better to be safe than sorry!

To request your copy of the full whitepaper, which includes specific instructions on which Active Directory Group Policies to edit, along with sources of Microsoft Administrative Templates for Windows Server 2012 and the Windows 7 & 8 KB patches to avoid, contact us now and we will be happy to send you a full copy.

For a copy of the pcapng file replay of our tested Windows 10 Enterprise configuration, referenced in the updated version of this whitepaper, see win10Run1.