This 5 physician practice, with two locations in Arizona, is owned by Pierre R. Tibi, M.D. and H. Kenith Fang, M.D. Based on a review of their website, these physicians are well regarded in their community and each have authored multiple research publications.

The HHS investigation stems from a 2009 complaint that the practice posted its surgery schedule on a publicly-accessible, Internet-based calendar. On February 19, 2009, just days before the new, stiffer HIPAA penalties went into effect, The Department of Health and Human Services Office for Civil Rights (“OCR”) notified the practice of the complaint and started its investigation.

The  investigation found:

• The practice never documented any training for its employees for HIPAA Privacy or Security
• The practice did not implement appropriate administrative and technical safeguards required by HIPAA Security. In addition to publically posting its surgery schedule, the practice used unencrypted, internet-based email to transmit ePHI on a daily basis
• The practice never appointed a HIPAA Security Officer
• The practice never conducted a computer security risk analysis
• The practice did not obtain a Business Associate agreement from its cloud-based email provider

After a review of the Resolution Agreement in this case, Eagle’s assessment is that the practice never even attempted to implement the HIPAA Security rules, which went into effect in 2005. This is not unusual. By 2005, small practices across the country suffered from “HIPAA fatigue.” From 2001 to 2003, the medical community was in a frenzy with the implementation of the HIPAA Privacy rules. In 2004 they were required to invest in updated software and learn new billing procedures to implement the HIPAA Transaction rules which converted all billing to the ANSI 837 format. In 2005, when the HIPAA Security regulations went into effect, practices had a simple response when the HIPAA messengers arrived for a 3^rd time: “go away.”

Seven years later, this case should serve as a wake-up call to small practices who noted that most of the HIPAA enforcement penalties to date have been levied against large organizations like Mass General, CVS, and Rite-Aid.

With the massive federal incentives for electronic records, especially with the health information exchanges and the transmission of sensitive information between providers, the importance of the HIPAA Security measures are plain to see, even by the average consumer.

The feds are stressing HIPAA compliance by including in the Meaningful Use criteria a Privacy and Security Objective which obligates practices to perform a HIPAA computer security risk analysis, and to correct deficiencies identified. Because small practices have limited resources, Eagle Consulting offers affordable subscription services to assist with this objective.

Today the Wall Street Journal reports a cooperative effort of the FCC, Verizon, AT&T, Sprint and T-Mobile to develop a national database of stolen cell phones in response to an “explosion of thefts” nationwide. The article cites an internal NYC police department report indicating 21,000 incidents of mobile phone thefts in the first 10 months of 2011. Based on a number of assumptions, this would represent roughly a 1% chance of theft per person per year. This presumably is based on police reports of theft.

Of course, smartphones increasingly store Protected Health Information and access the healthcare organization’s networks.  The fact that this nationwide cooperative effort to mitigate theft has begun is evidence of the significant and growing risk of smartphone theft, and the subsequent risk of data breach.

Mobile security firm Lookout, Inc. recently published a study quantifying cell phone loss. Lookout offers a security app for 15 million iPhone and Android users. Their product includes a phone locator feature which utilizes the smartphone’s GPS to locate a lost phone for the owner.

The company recently published statistics on usage of their phone locator feature. After “filtering” the usage to eliminate tests, their research reported that users in the U.S. lose their phones about once per year, or almost a 100% chance of loss per person per year. However, their definition of loss is unclear and might better be described as “misplaced,” because presumably many of these phones are recovered by the users. Further, their reported research methodology is vague. Nonetheless, interested readers might enjoy their feature “Mobile Lost and Found” which includes additional data with an interactive web application.

A HIPAA risk analysis should consider theft, loss, and temporarily misplaced devices. The available statistics indicate significant risks. Consequently, for organizations that use smartphones, the following controls are appropriate:

• Security training for users
• Policies requiring encryption for any apps that store data on the phones, including email
• Policies regarding use of employee-owned devices on the company network
• Policies that limit storing of passwords to company networks on smartphones
• Technical tools to track and inventory devices that connect with the company network
• Remote locate and wipe capabilities for lost or stolen devices

The study design was an 18 question survey. Half of respondents were employed by organizations with over 1000 employees, the other half less than 1000. 52% were employed by hospitals or integrated delivery systems, and 63% indicated that “compliance” was their functional role.

The results indicated the following breach prevalence for 2011:

• Medical Records Snooping – Employee – 35%
• No Breaches Occurred – 28%
• Medical Records Snooping – Friend/Relative – 28%
• Loss/Theft of Physical Records – 25%
• Loss/Theft of equipment Holding PHI – 20%
• Other – 20%
• Unauthorized System/Application Access – by Insider – 9%
• Medical Records Snooping – 9%
• Medical Records Snooping – 6%

With any survey instrument, the results are influenced by the survey design. This survey provides high granularity on insider threats, particularly medical records snooping. A technical control to prevent snooping is the access control mechanism in medical record software. In actual practice, however, large organizations have problems when they attempt to limit employee access too tightly because of job rotations, the need for interdisciplinary consultations, and the nature of certain functions. As a result, employees frequently have the technical ability to look at records for patients they are not involved with.

As a result, additional controls should include:

• Unique User Ids, strong passwords, and a computer usage policy that stresses to employees not to share User Ids or passwords, and consistent enforcement of this policy
• Employee and physician training, educating them about HIPAA allowed uses and disclosures, and that employees will be held accountable for all activity conducted using their user ID
• A robust auditing program to detect inappropriate accesses by employees
• A meaningful sanction program that sanctions employees (including non-employee physicians!) for inappropriate use and disclosure, with sanctions commensurate with the severity of the violation

For readers interested in reviewing the complete study, a copy of the study, 2011 Survey of Patient Privacy Breaches, may be downloaded from the study author. Registration is required. Extrapolation to environments different from those of the respondents may be done, but with caution.

Vice President Cheney displays the external battery pack for his surgically implanted pump

A slimmed-down and symptom-free Bill Clinton now enjoys his plant-based, whole foods diet

Lesson 1. Heart disease remains a deadly and costly condition among the Medicare population. Coronary artery disease often involves multiple costly interventions over the life of a patient.

Lesson 2. A significant body of peer-reviewed medical literature exists that demonstrates that lifestyle interventions can reverse coronary artery disease. This research can be found by anyone who looks. The specific interventions are well documented and supported with over 20 years of history.

Lesson 3. Achieving behavior change among patients is difficult. Of course, we all knew that already. It was widely reported that Bill Clinton enjoyed junk food. Clinton was first introduced to Ornish’s diet in 1993; it took him 17 years and multiple heart procedures to embrace this lifestyle change.

Lesson 4. Teachable moments exist. Clinton’s came in the Spring of 2010. Two months after two stents were inserted, Clinton reports that he was discouraged when his new bypasses are re-clogged again. He wanted to live to be a grandparent. He conducts his own research, and begins Esselstyn’s heart disease arrest and reversal diet. These teachable moments exist with many patients. If the ACO can re-engineer its delivery system to detect and intervene appropriately at these teachable moments, the health system can succeed in empowering patients with radical lifestyle changes that improve health, reduce costs and increase profits.

This author thanks both of these men for their many years of public service and wishes both of them good health in the future.

First of all, this new study is based on interviews with 72 organizations, primarily hospitals and hospital systems. An average of 4 interviews with different individuals in each organization were conducted. A wide range of health privacy and computer security matters were explored in the study. Some extrapolation to other environments is reasonable but should be done with caution.

One of the key findings was that these organizations experienced an average of 4 data breaches over the last two years, with an average of 2575 lost or stolen records per breach. Among the respondents, 14% had no breach and 29% had 5 or more. The breach is a failure of one of the 3 key objectives: confidentiality.

The following were the root causes of the breaches:

The sum of the percentages is greater than 100% because multiple causes may be involved in a single breach.

The organizations were also asked to quantify the impact of the breach. They cited the following factors as impacts:

The study detailed a methodology for quantifying the financial impact which requires many assumptions, primarily designed to quantify revenue loss. One piece of hard data provided is that the average legal fees – for all privacy and breach matters – were $249,290 per organization. The sample included primarily hospitals and hospital systems, some of which could be presumed to be large. The study authors projected that lost revenue was likely much higher than these costs.

Key takeaways from this study are that the most likely problems for similar organizations will arise from loss or theft of mobile devices, problems with 3^rd parties who can be assumed to be business associates, and unintentional employee actions. All organizations have limited resources – so the value of the risk analysis process is to allocate those limited resources to provide the greatest protection. Investments in data encryption for mobile devices, attention to and scrutiny of the security practices of business associates, and employee training should be prioritized.

Interested readers may download the Ponemon Institute’s study, Second Annual Benchmark Study on Patient Privacy & Data Security. Registration is required for free access. Readers interested in Eagle’s services for risk assessment are invited to explore Eagle’s Risk Assessment Services for Hospitals or Risk Assessment Services for Physician Practices.

There is another risk – theft of your money using your online banking credentials.

Small and medium sized organizations – businesses, non-profits and government – are the target. This includes HIPAA covered entities: hospitals, all flavors of healthcare providers, self-insured health plans and government agencies offering health-related services. The threat: crooks that want your money. The vulnerabilities include technical weaknesses on your network, unpatched software on the PC where you do your online banking, and human susceptibility to trickery. The threat agent: malicious software that hijacks your online banking credentials.

Here is how the scheme goes. Hackers cast a wide net with their malicious software, with the hope of landing on the PC of a business owner or an organization’s financial officer. The malicious software, most famously of the ZeuS family and its successors, is designed to steal the user’s online banking credentials. Once a target is infected, the crooks recruit “money mules,” often through bogus “work at home” arrangements. Then, using the financial officer’s online credentials, funds are wire transferred to the accounts of the money mules. The mules (often naive and unsuspecting individuals) withdraw the funds make irrevocable money transfers via Western Union to the masterminds, often overseas. When the fraud is detected, the banks attempt to reverse the unauthorized transactions. These reversals are not always successful.

Recent examples of healthcare victims include

Oncology Services of North Alabama, which lost $120,000,

the dental practice Smile Zone, which lost $205,000,

Orange Family Physicians, which lost $46,000 but was later reimbursed by their bank

There are variations to the basic approach. Some banks use so-called “two factor authentication” with their business banking. One example is a RSA token that displays a random number which must be entered along with the user’s strong password. This number is synchronized with software at the bank. To defeat this security measures, the malicious software might modify the web browser while the user is online, to capture the password and current token value. The screen then displays the message “System Unavailable – Try Again Later.” The token value is sent to the crooks. At this point, the crooks immediately initiate a batch of wire transfers.

The more money you have in your bank account, the greater the risk. Business accounts do not include the same protections that consumer accounts enjoy.

A recommended security measure is to use a dedicated PC for online banking. That means that on this PC there is no other web browsing, no email viewed, no other programs run, and no USB devices inserted. This eliminates most paths of infection. A second security measure is to invest in additional security awareness training for financial officer.

Administration Account.  The first step is to secure the administration account for your wireless router or wireless access point. Change the factory admin account name, and use a strong password (at least 8 characters with upper case letters, lower case letters, and digits). Disable remote access, that is, set it up so that it must be administered from a computer connected directly with an Ethernet cable. Don’t forget the password!

Use WPA2 with AES. Your router comes with multiple authentication options. Choose WPA2. The recommended encryption to use with WPA2 is AES only. You will need to choose a password. Choose one with at least 20 characters. Make sure you don’t use old methods, particularly WEP, which are insecure.

Disable WPS. Most consumer-grade routers include a feature called WPS, or Wi-Fi Protected setup. This is a feature designed to help you quickly and easily setup your security options. Disable this feature. In December, 2011 researchers published details on how to easily hack this feature and gain access to your network.

Enable the Beacon. In a change from earlier advice, leave the beacon enabled. Set it to something unique and different from the default which might be something like “linksys”. Keeping the beacon enabled helps protect your devices (laptops, phones) from attacks while away from home using a technique known as the “Evil Twin” attack.

The Preferred Network List

Consider OpenDNS. While this is not related to wireless security specifically, since you are into your router settings now would be a great time to add another layer of defense. OpenDNS is a free service that helps you avoid unsafe websites which are a major attack vector. Check the OpenDNS web site for instructions on configuring your router and for more information on what DNS is and how their service protects you.

Don’t Forget to Secure your Devices! The weakest link in your wireless security could be your laptop or mobile phone. Keep the operating system and wifi drivers updated. Switch off wifi when not in use. Delete networks from your list of saved networks (the Preferred Network List) that you do not regularly use.

These simple steps can give you the convenience of home wifi, without doing the equivalent of dangling an Ethernet cable out to the street.

The Stage 2 Meaningful Use Proposed Rules, released yesterday, include strengthened protections for privacy and security. The Stage 2 Objective for both Eligible Providers (EPs) and Eligible Hospitals (EHs) is identical:

“Protect electronic health information created or maintained by the Certified EHR Technology through implementation of appropriate technical capabilities.”

The Stage 2 Measure is also identical for EPs and EHs:

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

First of all, 45 CFR 164.3xx is the HIPAA Security Rule. Now for the details you are looking for:

• 45 CFR 164.308(a)(1) is the requirement to conduct a risk assessment. See my previous post for details, which include a graphic with the exact language of this citation. Everything in this earlier post is applicable to Stage 2 as well as Stage 1.
• 45 CFR 164.306(d)(3) details part of the framework of the of the HIPAA Security rule which specifies 42 security controls: a combination of 20 “required” security controls, and 22 which are “addressable”. 22 of these controls are termed “addressable” in order to provide flexibility to different organizations based on their size, the technologies they use, and risks involved. For each “addressable” control, a provider must evaluate whether it is “reasonable and appropriate” and would likely contribute to protecting its health information. If the control is “reasonable and appropriate” then it must implement the control. If it is not reasonable and appropriate, it must 1) Document why it is not reasonable and appropriate, and 2) Implement an equivalent alternative measure if reasonable and appropriate. See here for the exact language.
• 45 CFR 164.312(a)(2)(iv) is one of the 22 “addressable” controls. It states simply “Implement a mechanism to encrypt and decrypt electronic protected health information.”

So, Stage 2 is a continuation of the requirements of Stage 1, with encryption specifically called out. The feds are highlighting encryption due to the fact that hundreds of breaches are occurring due to lost or stolen laptops, flash drives, smartphones and other mobile devices – which would be secured if encryption was used. The Stage 2 rule also states that the risk assessment should be reviewed at least annually, once during each reporting period for meaningful use.

HIPAA Business Associates and advisors alike have noted that the Federal Department of HHS has not yet finalized the HIPAA changes enacted in the HITECH act, signed on February 17, 2009. However, the HITECH statute is clear that Business Associates would be regulated by HIPAA one year later, on February 17, 2010. Further, HITECH empowered state Attorney Generals to enforce HIPAA.

While the federal government has announced that they will not enforce these regulation changes until 6 months after they publish the final regulations – state AG’s made no such promise of such a grace period. While this is the first action against a business associate, AGs in Vermont and Connecticut have filed HIPAA cases. The lesson is that business associates – billing companies, technology companies, and collection agencies to name a few – should comply with the HIPAA Security Rule now.

For more information, see the Minnesota AG’s press release and the complaint.

• Level 1: Large payers/providers (revenues > $1 Billion)
• Level 2: Regional hospital systems / regional insurers ($300M to $1 Billion)
• Level 3: Community hospitals, outpatient surgery centers, regional pharmacies, self-insured plans ($50M to $300M)
• Level 4: Small providers, community or rural pharmacies (less than $50M)

In order to better understand compliance patterns in all types of organizations, the audits will be split evenly between the 4 size levels. The audits are conducted by another contractor, KPMG. The lucky current selectees include:

The audits are rigorous reviews of the entire HIPAA compliance process conducted by teams of 3-5 auditors of different specialties. The process begins with an extensive documentation request, an on-site phase conducted by 3-5 auditors of different areas of expertise, a preliminary report, and a final report which includes the response by the audit target.

In cases where “serious non-compliance” is identified, a referral may be made to the Office of Civil rights compliance department and may lead to settlements/penalties.

Covered entities of all types are encouraged to conduct their own internal audit as one part of an overall compliance program, and to address deficiencies identified.