Tuesday, March 3, 2015

This Blog Has Moved!

The Technology and Multi-Employer Employee Benefit Plans blog has moved. The blog can now be located at http://techbenefitfunds.lpartnersinc.com/. Thank you for your interest.

Monday, January 12, 2015

Securing ePHI Outside of the Office – Northwestern Memorial HIPAA Breach

It is highly advisable to take precautions applicable to notebooks or other devices which leave the office if they are likely to store ePHI. Measures must be taken in order to protect confidential information and avoid costly penalties. At LaSalle Consulting Partners, we recommend that all data be encrypted using the highest encryption standard available before it leaves your location, and that it remains encrypted at all times.

Should the laptop or device become misplaced or stolen, the data contained on its encrypted drive is completely inaccessible without the associated encryption key. This extra level of protection prevents unauthorized users from accessing sensitive information. It also means that organizations are not required to notify those whose ePHI is contained on the device should it be misplaced.

In October 2014, a Northwestern Memorial HealthCare laptop computer that was not protected with disk encryption was stolen from an employee’s vehicle. In accordance with the HIPAA Breach Notification Rule, Northwestern Memorial was required to notify the 2,800 patients whose ePHI was contained on the computer (Read more here). Breaches such as this can be easily avoided through the encryption of device hard drives.

Please contact LaSalle Consulting Partners to find out how we can help you develop and implement policies that help safeguard ePHI, even away from the office.

Monday, October 27, 2014

The Need for Risk Assessment of Peripheral Devices

LaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network.

Peripheral devices are devices on your network other than your computers and servers. These include devices such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices are used to store or process sensitive information, and contain a hard drive or other form of memory, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement amounting to $1.2 million after they returned copy machines to a leasing company, unknowingly releasing the ePHI of over 300,000 individuals contained on the machines’ hard drives. The breach was discovered by CBS Evening News, who purchased the copy machines as part of an investigation, after Affinity Health Plan returned them to the leasing company. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.

Wednesday, June 18, 2014

HIPAA Security Rule and Home Workers

The number of staff that work from home has continued to increase at benefit fund offices as it has with many other organizations. While this can be beneficial for both the Fund office and the remote worker, it also poses HIPAA related security concerns. Lack of security in the home computer environment can lead to a fund office network breach and/or unauthorized access to electronic personal health information (“ePHI”).

Without proper policies and security in place the following can occur:
  • Lack of a firewall or an improperly configured DSL or cable modem could allow unauthorized access by a hacker to the home worker’s computer. Once the hacker has gained access to the computer they could possibly use the connection to access the fund office network.
  • Depending on the security in effect, it may be difficult to prevent a home worker from copying files from the fund office network to the home worker’s PC. If there is any possibility of this happening, the home worker’s computer should be encrypted similar to the PC encryption at the fund office. This would help prevent unauthorized access to ePHI if the computer were to be stolen.
  • Lack of sufficient and up to date Microsoft security patches could allow unauthorized access by a hacker to a home workers computer. Once the hacker has gained access to the computer they could possibly use the connection to access the Fund office network.
These are just a few examples of potential security issues that can occur. Only through proper policies, staff training and technical safeguards can these threats be kept to a minimum. We recommend that HIPAA covered entities establish the same policies for home computers as they do for computers located at the fund office premises. Click here for a document by the Department of Health & Human Services which provides additional guidance to HIPAA covered entities that provide remote access to ePHI.

LaSalle Consulting Partners can help you develop and implement policies that help safeguard ePHI. Please contact me at 312-361-3313 if we can be of help.

Tuesday, March 18, 2014

HIPAA Permanent Audit Program: the Pre-Audit Survey

The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. On February 20, 2014 the Department of Health and Human Services announced plans to utilize a Pre-Audit Survey form to gather information in an effort to assess the size, complexity and fitness of an entity for an audit. Below is a summary of the announcement. 
  • The Office for Civil Rights (OCR) will be sending the survey to as many as 1,200 HIPAA covered entities and business associates to determine suitability for an audit, as part of the much anticipated permanent HIPAA audit program. Approximately two-thirds of that survey will be completed by HIPAA Covered Entities and the remainder, Business Associates. Information will be gathered to evaluate the “fitness of a respondent for an audit.”
  • The OCR is required to conduct audits to ensure the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. By acquiring information through the Pre-Audit Survey, the OCR will attempt to determine which organizations may benefit from their audit.
  • The survey will take approximately 30-60 minutes. Organizations will need to install software prior to the survey. In response to this requirement, and other time constraints placed on organizations by issuance of the permanent HIPAA audit, the OCR has released the following Burden Statement:
“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”

Organizations must be prepared for the Pre-Audit Survey. Preparations will entail certain actions (for instance, installing the necessary software), but another significant aspect of preparedness is becoming knowledgeable on OCR mandates and keeping up-to-date with information concerning the permanent HIPAA audit program that will begin soon.
Other possible preparations include, but are not limited to, performing an independent Risk Assessment (a less understood mandate of the OCR), forming policies and procedures to protect ePHI and/or respond to a data breach, and drafting Business Associate Agreements with clients and Business Associates (in the case of HIPAA Covered Entities). For the full announcement, please visit the Federal Register. Please contact LaSalle Consulting Partners for more information on the upcoming Pre-Audit Survey.

Friday, January 24, 2014

The HIPAA Security Rule and Necessity of Risk Assessment

Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of e-PHI, must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization” (§ 164.308(a)(1)(ii)(A)).

While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis which must be conducted. The Rule indicates some considerations for analysis which include (but are not limited to) e-PHI within the organization, external sources of e-PHI, and potential threats to information systems that contain e-PHI. The Security Rule recognizes, however, that risk assessment cannot be standardized due to each organization’s unique relationship with e-PHI.

Listed below are the “Elements of a Risk Analysis”, provided by the U.S. Department of Health & Human Services. The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.
1.       Section 164.308(a)(1)(ii)(A) states: Scope of the Analysis
2.       Data Collection
3.       Identify and Document Potential Threats and Vulnerabilities
4.       Assess Current Security Measures

5.       Determine the Potential Impact of Threat Occurrence

6.       Determine the Level of Risk
7.       Finalize Documentation
8.       Periodic Review and Updates to the Risk Assessment
LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.

Thursday, October 10, 2013

Windows XP - Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born early next year.

As of April 8, 2014 Microsoft will end support for the Windows XP operating system, initially released in August 2001. Microsoft and security experts are cautioning that Windows XP users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows XP will be significantly more susceptible to attacks as criminals will have free reign to exploit vulnerabilities in the operating system without response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. Over 18 million patient records were breached between 2009 and 2011, and a single personal health record is now worth more on the black market than a credit card number, social security number, and date-of-birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows XP users will make XP users handling ePHI an even greater target for criminals attempting to exploit the operating system’s potential new, unprecedented vulnerabilities.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows XP computers that have access to ePHI prior to April of next year in order to avoid exposure to potential security threats inherent to Windows XP.