Thursday, October 10, 2013

Windows XP - Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties for covered entities. The threats that lead to these breaches come from many sources, and a new one arrives early next year.

On April 8, 2014, Microsoft will end support for Windows XP, an operating system first released in August 2001. Microsoft and security experts caution that Windows XP users will face increased risk after that date, chiefly because no new security updates will be issued. Any vulnerability found in Windows XP after April 8 will remain unpatched indefinitely, and attackers will have free rein to exploit it without a response from Microsoft in the form of security updates or technical guidance. Microsoft's own analysis (cited below) adds that security updates released for newer Windows versions can point attackers toward the same flaws in the unpatched Windows XP code base.

As in the past, organizations that handle electronic protected health information (ePHI) face greater risk than most. According to the SecureWorks figures cited below, more than 18 million patient records were breached between 2009 and 2011, and a single personal health record now sells on the black market for more than a credit card number, Social Security number, and date of birth combined.

With strict enforcement of HIPAA and the HITECH Act, and growing attacker interest in ePHI, covered entities must be confident in their ability to secure that data. Once Microsoft stops issuing fixes, Windows XP systems that handle ePHI become an even more attractive target, because every newly discovered Windows XP vulnerability will stay open for as long as the system remains in service.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace every Windows XP computer with access to ePHI before April 2014, so that the Fund is not exposed to threats that can no longer be fixed on Windows XP. Upgrading requires knowing which machines are affected, so the first step is an inventory of Windows XP systems and of the ePHI each one can reach.
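One way to start that inventory on a domain-joined fleet, as an added example that is not part of the original post, is to query Active Directory for computer accounts that still report a Windows XP operating system. The script assumes the ActiveDirectory PowerShell module (RSAT) and read access to computer objects; the OU name and the output file name are assumptions and should be replaced with your own.

```powershell
# Added example (not from the original post): list enabled, domain-joined computers that still
# report Windows XP, so each can be scheduled for upgrade or replacement before April 8, 2014.
# Assumes: the ActiveDirectory module (RSAT on Windows 7/8, or a domain controller) and an
# account that can read computer objects. The OU below is an assumption; substitute your own.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=local'   # assumed; any container holding workstations

# The OperatingSystem attribute is written by the machine itself when it joins the domain or
# updates its account, so filtering on it is a reliable first cut for domain members.
$params = @{
    Filter     = 'OperatingSystem -like "Windows XP*"'
    SearchBase = $searchBase
    Properties = 'OperatingSystem', 'OperatingSystemServicePack', 'LastLogonDate'
}
$xpHosts = @(Get-ADComputer @params | Where-Object { $_.Enabled })

$xpHosts |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate -Descending |
    Export-Csv -Path .\xp-hosts.csv -NoTypeInformation   # assumed output location

# A machine that logged on in the last 30 days is clearly still in use and belongs first in line.
$active = @($xpHosts | Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-30) })
"{0} enabled Windows XP computer(s) in AD, {1} active in the last 30 days" -f $xpHosts.Count, $active.Count
```

Two caveats when reading the output. LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates at most every 14 days, so treat it as coarse. More importantly, only domain members appear: kiosks, vendor-supplied devices and home PCs used for remote access must be inventoried separately, and for every host found you still need to record which ePHI it can reach (mapped drives, the EHR client, e-mail) before deciding whether to upgrade or retire it.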

Sources:
http://www.secureworks.com/assets/pdf-store/other/infographic.healthcare.pdf
http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx

Thursday, May 30, 2013

Safeguarding Health Information: Building Assurance through HIPAA Security – 2013 Webcast

Members of LaSalle Consulting Partners recently attended a two-day conference, Safeguarding Health Information: Building Assurance through HIPAA Security 2013, co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Presentations covered a variety of current topics, including the Omnibus HIPAA/HITECH Final Rule.

Speakers included Leon Rodriguez, Director of the HHS Office for Civil Rights and other knowledgeable presenters. The webcast was recorded and is now available here for playback. We highly recommend it to anyone responsible for the protection of ePHI.

Click here to request further information.

LaSalle Consulting Partners, Inc.
200 W Madison St | STE 940 | Chicago, IL 60606
312.361.3326 office | 312.361.3313 office direct | 312.543.8678 cell

HIPAA/HITECH and Data Encryption

Although HIPAA and the HITECH Act do not mandate specific encryption measures, the topic is far from irrelevant. Organizations that handle electronic protected health information (ePHI) must understand the Breach Notification Rule: covered entities and business associates must notify affected individuals and HHS when unsecured PHI is breached. PHI that has been encrypted in accordance with HHS guidance is not considered unsecured, so an organization whose lost or stolen data was properly encrypted, with the key not compromised, need not issue such notification. The Security Rule itself lists encryption as an addressable implementation specification: a covered entity must either encrypt ePHI or document why encryption is not reasonable and appropriate in its environment and implement an equivalent alternative safeguard.

Covered entities and business associates must also weigh several further considerations to ensure compliance with HIPAA and the HITECH Act. First, they must assess all security risks to determine where the greatest risks lie and, from that, which data should be encrypted. Next, they need to select an EHR vendor that will adequately protect that data. The vendor should be able to secure communication between patients and the covered entity or its business associates, wipe ePHI from "viewing devices" such as tablets, and give patients access to their own health records as needed (Anderson, 2013). Not all EHR vendors offer these capabilities, so the security requirements of the particular organization should be assessed with care before a vendor is chosen.

Risk assessment and the selection of an EHR vendor are significant strides toward HIPAA and HITECH compliance, but covered entities and business associates are often still unclear about which specific data or devices should be encrypted. While the details of each organization's security policy will differ, we recommend encrypting all mobile devices, all easily accessible servers and desktops, and all USB drives. Backup tapes and other backup media should also be encrypted, since they are routinely moved off site and can be lost in transit.

Once an organization has decided which data must be secured, implementing the encryption brings its own challenges. The bulk of the effort lies in the assessment itself: identifying where ePHI is stored and how likely each location is to be breached (Anderson, 2013). Only then can an organization choose among the methods and technologies for encrypting data at rest and in transit, not all of which the industry considers best practice. LaSalle Consulting Partners has reviewed and evaluated various encryption options and has helped many clients implement solutions that support HIPAA compliance.

If you are interested in learning more about how to implement these measures effectively in your organization, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, is a useful reference. It is also the standard HHS cites when describing encryption that renders PHI at rest "secured" for breach notification purposes, so following it matters for the safe harbor described above as well as for good practice.
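Knowing that a device ought to be encrypted is only half of the check; a practitioner also wants to verify that it actually is. As an added example that is not part of the original post, the following script reports the full-disk encryption state of every volume on a Windows machine using BitLocker. BitLocker is an assumption here (the post names no particular product); the script also assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module is available, and an elevated prompt.

```powershell
# Added example (not from the original post): report the BitLocker state of every volume on this
# machine, including any removable (USB) drive currently inserted, and flag any volume that is
# not fully encrypted with protection turned on.
# Assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module) and an elevated prompt.
Import-Module BitLocker

$report = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $_.ProtectionStatus    # On = protectors active; Off = suspended, key stored in the clear
        EncryptionMethod = $_.EncryptionMethod
        Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

$report | Format-Table -AutoSize

# "FullyEncrypted" on its own is not enough: a suspended volume is still fully encrypted but its
# key is exposed, so both conditions must hold before the volume counts as secured.
$findings = @($report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
})

if ($findings.Count -gt 0) {
    $list = ($findings | ForEach-Object { $_.MountPoint }) -join ', '
    Write-Warning ("{0} volume(s) not protected: {1}" -f $findings.Count, $list)
} else {
    'All volumes are fully encrypted with protection on.'
}
```

On Windows 7, which has no BitLocker module, `manage-bde -status` prints the same conversion and protection status for each volume. A removable drive only appears while it is inserted, so fleet-wide coverage of USB media needs a policy that enforces encryption on write rather than a one-off scan. Finally, an encrypted volume whose recovery key was never escrowed (to Active Directory or a key management system) is a data-loss risk of its own, so confirm that a recovery protector exists and is backed up for every volume the script reports as protected.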

Anderson, Howard. "Encryption: Four Essential Steps." HealthcareInfoSecurity, 15 May 2013. http://www.healthcareinfosecurity.com/encryption-four-essential-steps-a-5755 (accessed 30 May 2013).


Wednesday, May 22, 2013

Microsoft Offers Hosted E-mail and Cloud Based Services Which Specifically Address HIPAA Concerns and the Needs of Taft-Hartley Health and Welfare Funds

"Addressing the clarifications and changes incorporated in the final omnibus HIPAA rule reaffirms Microsoft's commitment to comply with security and privacy requirements and maintain its status as a transparent and trusted data steward for healthcare organizations leveraging the cloud."
Hemant Pathak, Assistant General Counsel at Microsoft
 
LaSalle Consulting Partners, Inc. has expertise in the implementation and utilization of Microsoft Office 365 Cloud solutions tailored specifically for Taft-Hartley Funds. The firm has been selected by Microsoft to join the elite ranks of the Microsoft Cloud Champions Club due to our in-depth knowledge and promotional skills related to Microsoft's Office 365 cloud-based products.

As with most cloud services, Office 365 is sold as a subscription rather than an upfront purchase. This model has several business benefits, not least potential cost savings. An Office 365 e-mail subscription starts at $4.00 per user per month, a significantly lower outlay than buying licenses for all the functionality it provides. Importantly, the subscription includes all updates to the hosted service, including security patches, so every user is on the current version of each component at all times.

It is not only the upfront cost of software that Office 365 removes. Because the software is hosted in the cloud, organizations no longer need to house expensive servers or employ the staff to maintain them. This lets smaller organizations, which cannot justify the outlay for on-premises solutions, enjoy enterprise-level features without the associated cost or administrative overhead.

Furthermore, Microsoft provides 24x7 Office 365 support, so organizations need not have support staff on-site to assist users as they encounter problems with the software.

Another important feature of Office 365 is its financially backed 99.9% uptime Service Level Agreement. At 99.9% availability, total downtime is limited to roughly 43 minutes in a 30-day month, so most users are unlikely to notice an outage. Organizations running on-premises systems must schedule downtime to apply updates and cannot work during an unexpected outage; Microsoft handles these concerns behind the scenes.

Additionally, Microsoft takes responsibility for the security and integrity of the data it stores for its customers. The scale at which Microsoft operates lets it invest far more in this area than most Benefit Plans could, so that even a catastrophic hardware failure will not affect the integrity of your data. That responsibility is shared, however: the Fund remains responsible for deciding who receives accounts, how those accounts are protected, and which devices are allowed to reach its mailboxes.

Microsoft is also one of the few cloud service vendors that offers a Business Associate Agreement (BAA) to its healthcare customers. The agreement reflects the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the final omnibus HIPAA rule, effective March 26, 2013. HIPAA has reshaped modern healthcare, providing administrative simplification and improved privacy and security for patient records. Dennis Schmuland, chief health strategy officer, U.S. Health & Life Sciences at Microsoft, states that "Microsoft Office 365 is the only major cloud business productivity solution to programmatically offer a BAA built with the industry, and for the industry, to HIPAA-regulated customers, allowing healthcare organizations to be confident in the security and privacy of their patient data while empowering their staff to communicate and collaborate virtually anytime and almost anywhere."

We can help you implement cloud solutions that will allow you to effectively communicate, collaborate and stay up-to-date. Learn more about our Cloud consulting services here.

To learn more about Microsoft's Office 365 Cloud services click here.

SOURCE Microsoft Corp.

Contact Frank Zurek at frank.zurek@lpartnersinc.com for further information on Office 365 and other cloud services tailored for multi-employer benefit funds.

