2012 News Stories

This page contains news stories from 2012

Click for the latest news stories

Click for the Directory of News Stories


HHS ONC Introduces New Site for Mobile Device Security

On December 12, 2012, the US Department of Health and Human Services Office of the National Coordinator for Health IT made available a new web site dedicated to Mobile Devices and Health Information Privacy and Security.  The site is intended to help hospitals and physicians better understand how and why to protect sensitive health data stored on mobile devices.  The site includes explanatory videos, fact sheets and downloadable posters.  See:  http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

HHS OCR Releases Guidance on De-Identification of PHI

On November 26, 2013 the US Department of Health and Human Services Office for Civil Rights published Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA via a web page that includes general statements of guidance as well as frequently asked questions that help illustrate the guidance.  There is actually a lot of useful information on the page and it would be of great use to anyone wrestling with issues of de-identification and PHI under HIPAA.  See:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html  

Verizon Data Breach Investigations Report 2012 Snapshots

In March, 2012, the Verizon RISK Team released the 2012 Data Breach Investigations Report, detailing trends in information security based on numerous incidents investigated in 2011.  In general, the external threats are growing, in particular for "soft" targets like hospitality and healthcare.  The Verizon page with links to the 2012 report (available as a PDF or as a free iBook) and reports from 2009-2011 is at:  http://www.verizonbusiness.com/about/events/2012dbir/  

There is also a Healthcare Industry-specific snapshot of the report available at:  http://www.verizonbusiness.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf   Make sure you take care of their basic recommendations to avoid security issues!

Verizon Announces HIPAA-compliant Cloud Services and BAA

On October 1, 2012, Verizon Enterprise Solutions unveiled a comprehensive cloud and data center infrastructure portfolio specifically designed to meet HIPAA requirements for safeguarding electronic protected health information.  Where appropriate, Verizon is prepared to sign a HIPAA Business Associate Agreement, unlike many other cloud service providers.  The press release is available at http://www.verizonbusiness.com/about/news/pr-25994-en-Verizon+Introduces+Cloud+Portfolio+to+Help+Health+Care+Industry+Meet+HIPAA+Security+Requirements.xml and an article in Computerworld magazine on Verizon's announcement is available at  http://www.computerworld.com/s/article/9231911/Verizon_launches_HIPAA_compliant_eHealth_cloud_service

NIST September ITL Bulletin Focuses on Incident Handling

On September 28, 2012, the NIST Computer Security Resource Center announced the availability of the September ITL Bulletin, focusing on the topic of the month: Revised Guide Helps Organizations Handle Security Related Incidents.  The bulletin discusses the recently updated NIST SP 800-61 Computer Security Incident Handling Guide.  The September, 2012 bulletin is available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf  and SP 800-61 is available at http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

To view other NIST ITL (Information Technology Laboratory) Security Bulletins, see: http://csrc.nist.gov/publications/PubsITLSB.html

NIST Releases Updated Risk Assessment Guide SP 800-30 rev 1

On September 18, 2012, the National Institute of Standards and Technology released Revision 1 of Special Publication SP 800-30, Guide for Conducting Risk Assessments, which is the foundation of risk analysis procedures under HIPAA.  The new guide is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach.  It is thick with theory and explanations that only serve to obfuscate the meaning and goals.  The process described is much more complicated than the one in the original version, and is not necessarily appropriate for many health care organizations.  

So warned, the new version is available at:  http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, and the old version (recommended) is still available at:  http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf  

ONC Releases Privacy & Security Training Game for Practices

The Office of the National Coordinator for Health Information Technology has released Cybersecure: Your Medical Practice, a game developed to teach good basic privacy and security principles for health care offices by requiring users to respond to privacy and security challenges.  Users choosing the right response earn points and see their virtual medical practices flourish, and vice versa.  The game is available at no cost at:  http://www.healthit.gov/providers-professionals/privacy-security-training-games  and additional resources from ONC are available at  http://www.healthit.gov/providers-professionals/ehr-privacy-security

MEEI Gets $1.5 million Settlement for Laptop Security Issues

On September 17, 2012, the US Department of Health and Human Services Office For Civil Rights announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) concerning insecure laptops and a lack of risk analysis, mitigation of risk, and policies and procedures.  The HHS information page on the settlement, with links to the resolution agreement and more, is at  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html  

HIPAA Audit Protocol Quietly Revised, Has New Web Address

At some point during September, 2012, without announcement, the US Department of Health and Human Services Office For Civil Rights updated the recently released HIPAA Audit Protocol with some modifications, a few more questions, and some improvements in usability.  The updated protocol is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html and the prior version is still at the old URL.  The OCR page on the HIPAA Audit Program is at  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html  

Revised NIST Computer Security Incident Handling Guide

During August, 2012, the National Institute of Standards and Technology published Revision 2 of the Computer Security Incident Handling Guide, an updated version of the very useful NIST Special Publication 800-61.  NIST SP 800-61 Revision 2 includes major chapters on Organizing a Computer Security Incident Response Capability, Handling an Incident, and Coordination and Information Sharing, as well as appendices that include such information as Incident Handling Scenarios.  Strongly recommended, available at:  http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf  

HIPAA Privacy, Security and Breach Audit Protocol Released

On June 26, 2012, the US Department of Health and Human Services Office for Civil Rights released the audit protocol for the current round of random HIPAA Privacy, Security, and Breach Notification compliance audits, to be completed by the end of 2012.  In all, 115 random compliance audits for HIPAA covered entities are planned for 2012.  See how your organization would do -- the audit protocol is available at http://ocrnotifications.hhs.gov/hipaa.html

The protocol has 165 questions, most with several sub-questions, and multiple references to comparisons with "established performance criteria" and "specified criteria" that are NOT defined in the protocol, which limits its usefulness.  There are also some issues with some of the questions, but it is a great way to see just what kind of documentation you might be asked to produce in an audit.  There is plenty of call for explanations and justifications under the addressable specifications, so it's clear that full documentation of your compliance decisions is necessary.

Unfortunately, there is no obvious way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way, but the online access is of real value.

Alaska Medicaid Hit With $1.7 million Settlement for Security 

On June 26, 2012, the US Department of Health and Human Services Office for Civil Rights announced it had reached a settlement of $1.7 million with the Alaska Department of Health and Social Services, the state Medicaid agency, for possible violations of the HIPAA Security Rule.  A USB drive with PHI was stolen; the investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, a failure to address encryption, and overall insufficient risk management measures.

The press release makes it clear that state agencies are not exempt from HIPAA.  In addition to the penalty, the settlement calls for a corrective action plan and monitoring of compliance.  There are no sacred cows in HIPAA compliance any more, not even up in Alaska.  See the HHS OCR page on the settlement agreement at:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html  

California Releases HIPAA Security Toolkit for Small Providers

On June 7, 2012, the California Health and Human Services Agency's (CHHS) Office of Health Information Integrity (CalOHII) announced the release of its HIPAA Security Rule Toolkit.  It is an online toolkit that helps entities better understand the requirements of the HIPAA Security Rule and assists organizations in implementing HIPAA requirements.  The online toolkit can be accessed via the CalOHII website: http://ohii.ca.gov/calohi/  The toolkit is available at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx and the user guide is at: https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf

NIST/OCR HIPAA Security Conference Presentations Released

On June 7, 2012, NIST released the presentation slides given at the 2012 NIST/OCR HIPAA Security Conference in Washington, DC, now available for download at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html.  The topics cover a great deal of useful information including one particularly useful study by the Office of the National Coordinator detailing the security features of various smart phones, laptops, and tablets.  See the link for the ONC Mobile Device Project in the June 6 topic list.  And the entire webcast of the presentations is available for viewing at:  http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm  

HHS OCR Releases HIPAA Enforcement Training Materials for State Attorneys General

On June 4, 2012 the US Department of Health and Human Services Office for Civil Rights announced the availability of training materials in HIPAA Enforcement for State Attorneys General to help them use their new authority to enforce the HIPAA Privacy and Security Rules.  The materials include videos and slides from in-person training sessions for State AGs conducted in 2011, as well as computer-based training modules that can be downloaded and saved to your own computer. Although developed for State AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience.  For more information, see:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/sagmoreinfo.html  

NIST Releases Cloud Computing Synopsis & Recommendations

On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST's general guide to cloud computing.  It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kinds of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues.  It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing.  The guide is available at:  http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

Apple Releases its First Guide to iOS Security for Users and System Administrators

In May 2012 Apple released a new guide, iOS Security, providing details about how security technology and features are implemented within the iOS platform.  It also outlines key elements that organizations should understand when evaluating or deploying iOS devices on their networks.  The move is unprecedented for Apple; up until now Apple has not provided definitive documentation for users and system administrators on using iOS security features and capabilities.  See:  http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

Symantec Releases Internet Security Threat Report - 2011 Trends

Symantec released in April 2012 its Internet Security Threat Report: 2011 Trends spotlighting how the threat landscape is changing and what businesses and individuals should do to protect themselves.  Troubling for Healthcare is the news that Healthcare reports more breaches by far than any other sector, 43% of the total, although it is ranked third, at 8%, for the number of identities exposed.  This is an easy-to-use report that includes a lot of useful information, and is available at:  http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf  

ONC Issues Guide to Protecting Privacy & Security of PHI

On May 8, 2012, the Office of the National Coordinator for Health IT released a 47-page 10-step plan for protecting the privacy and security of health data, developed in conjunction with the American Health Information Management Association.  Any entity that wishes to attest to the meaningful use of its EHR so that it can receive Federal funding would be well advised to take note: if you're audited for meaningful use compliance, you will want to be sure you've covered these bases.  The list of steps itself echoes many of the same themes we've been espousing for years, but makes it clear that if you want to attest to meaningful use, you need to take privacy and security seriously.  The guide is available at:  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Questions Used in Current HIPAA Privacy and Security Audits

The Malvern Group's Sue Miller has published a briefing with a list of information requests submitted to the covered entity in one of the first round of random HIPAA Privacy and Security Rule compliance audits.  The two-page list contains no real surprises – make sure you have policies and procedures and can show you've been using them – but it does provide the first publicly available list of questions specifically related to Privacy compliance as well as Security compliance questions.  Sample security questions have been available for five years.  For a copy of Sue Miller's briefing including the two-page questionnaire, please see:  http://malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf  

HHS Hits Phoenix Cardiac Surgery Group with $100K Penalty

On April 17, 2012 the US Department of Health and Human Services announced it had reached a settlement with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, which has agreed to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.  The incident giving rise to OCR's investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).

This penalty hits the nail on the head: You can't ignore the HIPAA Security Rule any longer.  Go read the press release (with links to the settlement agreement) at  http://www.hhs.gov/news/press/2012pres/04/20120417a.html  and take note --  Every item they touch on I've been harping on for years now: Policies and Procedures, Training, Risk Analysis, and Business Associate Agreements; all ignored over a period of years.  Sounds like a great poster child for how NOT to do HIPAA security compliance!  Note the quote from Leon Rodriguez, director of OCR in the release: "We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."

NIST/OCR HIPAA Security Conference for 2012 Announced

On April 2, 2012, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced they are co-hosting the 5th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on June 6 & 7, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C.  The fee is just $395, a bargain for a two-day event featuring just about everyone you need to hear from or talk with about HIPAA Security.  In fact, Jim Sheldon-Dean will be speaking on a panel discussing HIPAA Security Rule Toolkit Use Case studies during the conference on the morning of June 7.

This event will highlight the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The conference will offer important keynote addresses and plenary sessions as well as breakout sessions following two learning tracks around specific areas of security management and technical assurance.  For information and registration, please see:  http://www.nist.gov/itl/csd/hipaasec.cfm  

New HIPAA Rules Submitted to OMB; Released by End of June?

On March 24, 2012, the Office of Management and Budget received the final new HIPAA rule changes, including final rules for all of the proposed and interim final rules put forth as a result of the HITECH Act, except for the rules pertaining to Accounting of Disclosures, but also including changes pursuant to the Genetic Information Nondiscrimination Act.  The final rule will be out within 90 days, which puts it at the end of June.

Expectations are that changes from the proposed and interim final rules will be minimal, with the possible exception of modifications to the "harm standard" within the Breach Notification Rule.  The OMB Regulatory Dashboard for pending regulations is at  http://www.reginfo.gov/public/jsp/EO/eoDashboard.jsp  (scroll down to the section for HHS) and the status of the process for this rule is available at  http://www.reginfo.gov/public/do/eoDetails?rrid=121784  

Breaches Lead to Bankruptcy, $1.5 million Settlement; ANSI Report Shows Financial Impacts of Breaches of PHI

A March 12, 2012 entry in the WSJ Blog Bankruptcy Beat reports that a national firm that reviews medical records has filed for bankruptcy as a result of a break-in last New Year's Eve in their California office.  The cost of dealing with the breach was more than the company was worth so the company filed for Chapter 7 bankruptcy.  See:  http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/  

March 13, 2012 saw several stories on the first reported settlement of violations discovered under the HIPAA Breach Notification rule, by Blue Cross and Blue Shield of Tennessee, for $1.5 million.  The breach involved the theft of 57 hard drives loaded with voice and video recordings of customer service conversations that involved personal information.  (BCBST now encrypts data-at-rest but it should probably have been disposed of before.)  For the article in Modern Healthcare, please see:  http://www.modernhealthcare.com/article/20120313/NEWS/303139960/  The settlement agreement between BCBST and HHS can be obtained at:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf  

In addition, a new report has just been released by the American National Standards Institute (ANSI): The Financial Impact of Breached Protected Health Information -- A Business Case for Enhanced PHI Security, available at no charge with registration.  It includes information on how to calculate the potential costs of breaches, but you don't have to look far beyond the examples above to see the potential costs.  See:  http://webstore.ansi.org/phi/  

NIST Releases Guidelines on Wireless Networks and Draft Update to SP 800-53 Recommended Security Controls

On February 21, 2012 the National Institute of Standards and Technology (NIST) released Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), a tidy little document providing valuable guidance on security configuration and monitoring of wireless networks.  The announcement is available at:  http://csrc.nist.gov/news_events/index.html#feb21  and SP 800-153 is available at:  http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf

On February 28, 2012, NIST released its February ITL Bulletin, also focusing on guidelines for the secure use of wireless networks, available at:  http://csrc.nist.gov/publications/nistbul/february-2012_itl-bulletin.pdf  Previous ITL Security Bulletins are available on the CSRC website at:  http://csrc.nist.gov/publications/PubsITLSB.html

Also on February 28, 2012, NIST released the initial public draft of SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations which includes changes such as: 
• New security controls and control enhancements; 
• Clarification of security control requirements and specification language; 
• New tailoring guidance including the introduction of overlays; 
• Additional supplemental guidance for security controls and enhancements; 
• New privacy controls and implementation guidance; 
• Updated security control baselines; 
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.

SP 800-53 is the go-to guide for protecting information, and this new version is updated to reflect the changing security landscape.  The announcement is available at:  http://csrc.nist.gov/news_events/index.html#feb28  and the draft is available at:  http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf  

CMS Proposes Meaningful Use Stage 2 Regs: Increased Security

On February 23, 2012 the Centers for Medicare and Medicaid Services (CMS) released the proposed Stage 2 Regulations on Meaningful Use of EHRs, and the new rules call for increased attention to the security of data at rest, specifically on portable devices that contribute to so many of the breaches reported to HHS.  They also call for the use of secure messaging with patients.

The CMS fact sheet is at http://tinyurl.com/6rvrjex, the proposed regulation is at http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf, and I have posted an extract of the proposed rule covering the security issues here.

California Releases Updated Breach Handling Recommendations

On January 3, 2012, the California Office of Privacy Protection released a new version of their Recommended Practices on Notice of Security Breach Involving Personal Information, updated to reflect the latest changes in California law, as well as the latest thinking on security and breach prevention.  This guide includes some excellent recommendations for anyone in any state to reduce the chances of a breach, as well as the specifics relevant to California.  Available at:  http://www.privacy.ca.gov/business/recom_breach_prac.pdf  


Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA