Share Button

As part of my work at SeedHIT and building secure and federally compliant digital health companies and products, I get asked several times about HIPAA compliance and ways to achieve it. These questions are from different viewpoints and use cases such as investments, enterprise usage, insurance, technology-related etc.

At its heart, HIPAA is about giving the right of the protection of the privacy and security of patients identifiable information. There is a lot of stuff which has been written about it in different blogs and news site but I wanted to put together a simple checklist which deals with some things that every company can take in order to work towards HIPAA compliance. This list is also applicable to digital health and Healthcare IT startups which are now sprouting across the country. Vendors who deal with healthcare companies and data can also use this list as a starting point. HIPAA compliance is not just necessary from the standpoint of compliance (and marketing as companies tend to use it for), but also a good way to avoid expensive data breaches. Here are examples of some ways healthcare data is breached: http://www.artilient.com/10-ways-that-healthcare-data-gets-breached/

Subscribe to latest posts

As a disclaimer (and as required of me by my legal team), I am not providing legal or security advice. I am sharing some of my own experiences as part of building digital health products and companies out of SeedHIT. This list is by no means a complete checklist and I would like to welcome other experts to contribute to this list and share their experiences as well. Please always consult your legal and security advisory team also before implementing any changes.

1. Hosting: All your databases should be hosted with companies which offer a Business Associate Agreement (BAA). Your databases may contain potentially sensitive data (such as confidential Protected Health Information or patient data) and thus it is important to use a premium service which offers a BAA.

Here are some examples of companies which offer a BAA to healthcare companies which meet specific criteria:

AWS: http://aws.amazon.com/compliance/

FireHost: http://www.firehost.com/secure-cloud/compliant/hipaa

Rackspace: www.rackspace.com/print.php?page_id=8‎

I personally like to use AWS for our products and companies out of SeedHIT for the ease of use, pay-what-you-use and DIY tools it offers to its users.

 

2. SSL encryption: Obtaining an SSL certificate from a reputable provider ensures that there is secure transmission going on between the browser session of your users and your servers. Strong encryption can reduce the chances of your data communication being overheard by an unauthorized person during transmission.

A padlock icon and “https” in the address bar indicates that SSL encryption in transit is taking place.

There are several levels of SSL available starting with 128-bits. For HIPAA compliance, use a minimum of 256-bit SSL. You can upgrade to as much as 2048-bits if you would like (or your enterprise clients insist upon).

Some vendors for SSL certificates include:

Symantec (formerly VeriSign): http://www.symantec.com/verisign/ssl-certificates

GoDaddy: http://www.godaddy.com/ssl/ssl-certificates.aspx

DigiCert: https://www.digicert.com/order/order-1.php

For those who are interested in more detailed reading about how encryption applies to medical providers, I thought this article from the American Medical Association was very useful: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

 

Subscribe to latest posts

3. Encryption at Rest: This requires that all your databases and file systems as well as servers and disks are encrypted. This reduces the likelihood of PHI being accessed by unauthorized persons in the event of hacking or theft.

Here are some companies whose products can be used:

Truecrypt: http://www.truecrypt.org/ (Open source)

Gazzang: http://www.gazzang.com/solutions/achieving-compliance/hipaa

Microsoft Encrypting File System: http://windows.microsoft.com/en-US/windows7/What-is-Encrypting-File-System-EFS

 

4. Audit trail program: Ensure that all actions and interactions of all your users are tracked along with their timestamp. Also, al

l processes happening within the system need to be tracked. From the user standpoint, think about it as: WHO did WHAT, WHEN was it done and WHY was it done.

This is useful in the event of any audits that might be needed as part of data breaches and determine

unauthorized access.

 

5. Data retention rules: Ensure that all your data is archived after last use for a minimum of 7 years and available upon request by an authorized person or entity. In the event that the data belong to the PHI of a child younger than 18 years old, then ensure that the data is available for at least 7 more years after the child turns 18 (adult) and after last use. To be on the safe side, consider retaining all data for 25 years after last use. Of course, there is a significant cost factor to this.

Here’s a comprehensive report from US HHS: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf

6. Session timeouts: Ensure that a client session times out and logs the users off automatically after 3-minutes of non-activity. This helps with non-authorized access to PHI. When the user wants to re-use the system, he/she will be required to log back in with full credentials.

 

Subscribe to latest posts
7. BAA with vendors: Any time you use a vendor such as programmers or consulting companies, make sure you execute a BAA. When it comes to vendors touching live PHI (such as production support and SysAdmins) should be doing so from within the continental United States.

 

8. Have secure backups done of your data: Make sure you take back-ups of all your data and databases. Of course, all storage of these back-ups should be done with HIPAA-compliant storage companies only which offer BAA’’s (as mentioned in #1 above). Ideally you want to back-up your data in a vendor and location which is different from your primary data storage. Also, all back-ups just like primary data should be encrypted.

This is required for disaster recovery and emergency operations.

 

9. Restrict access to right people/ unique user identification: Establish the right policies and procedures to ensure that only people who should be accessing certain aspects of your application and / or tPHI are able to do so. This access should also be tracked using an identifiable number or user name which is unique to the specific person. This identifiable information should be contained in the Audit Trail (#4 above). As an eg., a user’s email ID could be used to create a user name in order to grant that user access to your application and any PHI, if required.

Also, there should be a way to establish access to PHI in the event of emergencies such as natural disasters and technical crashes.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

 

10. 2-factor authentication: In order to establish an additional layer of verification on the users access PHI within your system, establish a second authentication layer on top of the username and password asked as part of the login information. This could be implemented in several ways such as:

– Asking for information such as pet’s name

– Calling or texting the mobile number associated with your account

– Using a security token for a 2nd randomly generated password

This ensures that in the event the user did not follow proper protocol for their login, a 2nd level authentication will hopefully be able to prevent unauthorized access.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

 

BONUS (10 + 1)

11. Using secure email: Ensure that all data and PHI being used in any communication remains on a HIPAA-compliant server. This relates to #3 above. Thus, it is important to use a company which provides such an email service. I personally use SafeDr for this (Disclosure: SeedHIT has developed and owns SafeDr).

Subscribe to latest posts

 

I would love to hear other safeguards that you have implemented in your company which either stored PHI or has access to it as a vendor. Here’s the complete list of HIPAA tecnical safeguards too for your reading pleasure: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

–nrj

Subscribe to latest posts

Share Button

News of penalties for data breaches and HIPAA violations are splashed and highlighted in every media outlet covering Healthcare IT. The magnitude of these numbers is mind boggling (in millions) both in terms of the number of individuals impacted as well as the penalties enforced by the United States Department of Health and Human Services.HHS-Logo

The HITECH Act requires that all reported data breaches of unsecured protected health information affecting 500 or more individuals is listed and made available to the public along with the cause of the breach. Here’s some impact of breaches over the past 3 years: http://www.artilient.com/medical-records-for-over-21-million-individuals-impacted-due-to-security-breaches-in-last-three-years/ . To get a list of some reported breaches which have impacted over 500 or more individuals, click here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

As part of my work at SeedHIT, we come across several use cases of providing the right tools for our enterprise clients to SeedHIT Logo for BCprotect their data as part of communication, collaboration and storage. I wanted to create a list of some of the ways that healthcare data gets breached. The objective of this post is to not critique the companies which have been impacted by these breaches but rather to create awareness.

Subscribe to The Blog of Nikhil Jain by Email

1. Theft: This kind of breach happens when data is intentionally stolen. The theft could be of data in the form of electronic physical devices or could be electronic data itself over a network or of old-fashioned paper. Of course, there are a lot of other imaginative ways to steal data and causing breaches for enterprises.

An examples of healthcare data breach by theft includes:

– Two back-up tapes belonging to New York City Health & Hospitals Corporation’s North Bronx Healthcare Network were reported to be stolen in December 2010. The tapes reportedly contained personal health information of 1,700,000 individuals

2. Loss of devices: This could be as a result of enterprises or individuals losing possession of the physical device which actually contains healthcare data on it. BYOD lostLots of times, the device which contains the healthcare data belongs to the individual (BYOD) and in other cases, the device belongs to the enterprise. The devices might not necessarily be meant for personal use. They could also be enterprise-level devices such as back-up tapes.

Here are some recent examples of healthcare data breaches as a result of devices being lost:

TRICARE Management Activity 4,901,432 Individuals Affected in September 2011 and is now facing a $4.9 billion class-action lawsuit. Occurred due to loss of back-up tapes. These tapes could have possibly contained the personal and protected health information.

Health Net, Inc reported the loss of server drives in January 2011. These server drives contained personal information such as Social Security numbers, names and personal health information of 1,900,000 individuals.

– Miami, FL based AvMed, Inc. reported the loss of two encrypted laptops containing personal information including Social Security Numbers and health records. The loss which occurred in December 2009 supposedly impacted 1.22 Million individuals.

 

3. Hacking: When an unauthorized person gains access to the computer networks and devices, it can potentially result in the hacker getting their hands on sensitive patient information. Once a hacker gets hold of this sensitive information, it could potentially fall in hands of other areas of organized crimes too. Hacker

Utah Department of Health reported that one of its servers containing information such as addresses, social security numbers and date of birth was hacked into in March 2012 and impacted 780,000 individuals.

 

4. Incorrect Mailing: This happens when letters including sensitive patient data is inadvertently sent to the wrong people at the wrong addresses.USPS First Class

MO HealthNet reported in June 2013 that it mailed out information of its patients to the wrong addresses. The information contained in the letter potentially included Name, date of birth and last 4 digits of SSN.

 

5. Loss of Paper: Lots of information is still captured on paper and left on paper and file folders. This represPaper Recordsents several instances of breach such as the paper falling in the wrong hands or shredding not done properly or paper just lost.

In May 2007, Georgia Division of Public Health reported that 140,000 paper records containing SSN’s and medical histories were impacted as those records were “discarded” without shredding.

Subscribe to The Blog of Nikhil Jain by Email

6. Unauthorized access/ Disclosures/ Internal theft: This happens as a result of employees getting curious about certain patient’s medical history. This patient could be a celebrity or even a family member or friend. This unauthorized access could also have been made for personal financial gain.Internal Theft

– In June 2013, Los Angeles based Cedars-Sinai Medical Center reported the unauthorized access of TV personality Kim Kardashian: http://www.latimes.com/news/local/la-me-hospital-security-breach-20130713,0,7850635.story

Office of the Medicaid Inspector General reported that in October 2012 an internal employee had emailed himself over 17,000 Medicaid patient records. These records potentially included information such as patient names, date of birth and social security numbers.

 

7. Malware: This is a software or program which is designed to get access to the sensitive data in your computers when it is able to infect that computer successfully. When such a program gets access to the company’s private computer systems, it is then able to create data breaches. This method of data breach is gaining a lot of popularity recently.

La Grange, TX based St. Mark’s Medical Center reported that an employee’s computer containing patient information such as names, date of birth and social security numbers was infected by a malware in 2012. Almost 2,900 records were stored on that computer.

8. IT issues: This could be as a result of issues within configuration of internal IT or as a result of not addressing key security aspects within the organization and also enforcing it with third-party vendors.IT

– Nashville, TN based Cogent Healthcare reported that the firewall of one of its vendor’s website was down. This resulted in Google’s spiders including almost 32,000 patient records in its index in May 2013.

 

9. Lack of encryption: Any sensitive data should usually have been encrypted in order to prevent unauthorized access. This also means hardware such as laptops should have encrypted hard drives. Data breaches also happen when devices fall in the wrong hands and there is no encryption on them.

ssl-encryption–. Chattanooga, TN based Blue Cross Blue Shield of Tennessee reported the theft of several unencrypted computer hard drives. Occurring in October 2009, the theft impacted over 1 Million individuals.

 

10. Lack of internal IT policy and / or its enforcement: This happens when employees do not follow the laid out policy of the enterprise. This might happen due to lack of internal company education on policies. An example of an internal IT policy is that patient data should not be stored on hard drives of laptops.

SynerMed reported that in April 2013, an employee’s laptop containing member information of Inland Valleys IPA such as names and date of birth was stolen from his automobile. This breach impacted over 1,500 individuals.

BONUS (10 + 1):

11. Improper Handling/ Disposal: This breach usually happens when an employee or a third party vendor does not follow proper policies and procedures regarding handling of sensitive data.Improper disposal

University of Virginia’s 18,000+ students’ Social Security Numbers were included in brochures by Aetna Health Care’s third party vendor in July 2013

 

Texas Health Harris Methodist Hospital Fort Worth reported in May 2013 that a portion of the microfiche which was supposed to be destroyed by its vendor, Shred-it, was found in a park. The microfiche could included information such as patient names, addresses, dates of birth and Social Security numbers

 

What are some instances of healthcare data breaches that your organization has been part of or you have observed?

nrj

Subscribe to The Blog of Nikhil Jain by Email

26. March 2013 · Comments Off · Categories: HIPAA
Share Button
Here’s a 2012 report released by the U.S. Department of Health & Human Services Office of Civil Rights titled: Keeping Health Information Private and Secure . As per this report, over 21 Million individuals have been impacted due to security breaches which involved their medical records. These 21 Million individuals are only a part of those breaches which were big enough (500+ individuals impacted) which are required to be reported to the Federal Government as per the Breach notification rule. Thus the total number of individuals impacted is potentially higher than the 21 Million reported here.

Subscribe to The Blog of Nikhil Jain by Email

Here are some examples of recently reported security breaches at healthcare organizations in the US:

Lucile Packard Children’s Hospital at Stanford (57,000 patients potentially impacted*)
Froedtert Health (43,000 patient data records potentially impacted**)
Montfort Hospital (25,000 patient data records potentially impacted***)
Stanford Hospital (20,000 patient data records published on a website*****)
The entire list of organizations which have been breached can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
There are new reports published regularly on how laptops were stolen which somehow contained several thousand patient records or how a hospital employee checked out some patient records without any need to do so or of patient records which were simply lost like in the case of Massachusetts General Hospital******.

Subscribe to The Blog of Nikhil Jain by Email

Below is an interesting infograph by Backgroundcheck.org which points out that:
– 94% of polled healthcare organizations have been breached in the past two years
– 2,769 records are lost or stolen per breach
– The price tag for dealing with a medical breach is $2.4 Million
Even more interesting is the stat that 95% of all devices which are stolen or lost which result in breaches are portable devices such as laptops and smartphones. This indicates that there is a huge amount of data which is stored on physical hard drives of these devices and increases the risk of potential breaches.
A patient medical record breach is a very serious matter as it can potentially contain not just information and history about his health and scheduling information but also financial information such as bills, credit card information, insurance details and often times their social security number.
21 Million individuals impacted by security breaches at healthcare organizations
Source of image: Backgroundcheck.org
nrj

Subscribe to The Blog of Nikhil Jain by Email

20. September 2012 · Comments Off · Categories: China, Uncategorized
Share Button

Thanks to the invitation of the Weihai Bureau of Commerce and the brand recognition of OnGreen in China due to its work and expansion there over the past two years, I got a chance to visit Weihai this week as their guest. For those who have never heard of Weihai, you can read the Wikipedia article here.

The first thing that hit me upon coming out of the airport after arrival was the freshness of the air and the blue skies – both of which are very rare commodities in other parts of China. The city reminds me of Santa Barbara (a sister city of Weihai) and San Sebastian (Basque region of Spain).IMG_4548

Weihai is known for its very clean environment, amazing seafood, friendly people, low cost of living and best of all, a very good climate to do business driven by several incentives provided by the local government agencies and economic and investment zones.

I got a view of Liugong Island from my hotel room at sunrise. Known as the birthplace of the Chinese navy, it also has China’s first golf course which was built by the British.

The theme of the city is Joy and Happiness as evidenced by the Happiness Gate and a sculpture made with several versions of the Chinese words for Joy and Happiness. IMG_4541

The city also is home to some of the best golf courses and hot springs in the country.

My trip agenda consisted of getting a feel of the eco-system and community of Weihai as well as meeting with some officials and visiting the economic zones which offer incentives to foreign companies.IMG_4612

Weihai and its neighbor, Yantai, are building the largest wine-producing region in the world. Yantai has over 40 vineyards. The one I got to visit was Weihai Weal. Good wine, I must say. They also have a sister brewery serving some very fresh beer. The food served during the various banquet dinners consisted of some extremely rare seafood delicacies such as thorned sea cucumbers, massive shrimp, abalone and sea urchins. IMG_4672

I was able to visit Shandong University‘s Weihai campus and was told that Shandong province is one of the largest universities in the world in terms of the number of registered students at a give time. IMG_4747

During a tour of their IT/Computer Science Department, I walked into an ongoing Hackathon where a huge hall filled with students and instructors were going at it for 72 hours straight.

IMG_4738

The city officials gave a presentation of the different incentives available. Weihai and its various districts are very interested in attracting top talent – both from within China and from outside China – to Weihai and showering them with some great financial incentives – most of which are performance based. A big emphasis for them remains growth in IT given the economical and highly talented resources available in the city. The incentives come from different level – from the Central Administration to the provincial level to the City level and down to the appropriate economic zone – in a very cumulative manner. Very attractive indeed.IMG_4709

The City is also investing heavily in building the green and blue economies and keen on inviting and investing into “new energy” companies. With ample water resources and a strategic location, I thought that they were some great objectives for the local government. IMG_4694

Weihai and its neighboring cities are going through some major infrastructure advancements with a high speed rail connecting it to Yantai and Qingdao (home of Tsingtao beer) – which in turn connects to the main Chinese hub of high speed rail going to Beijing. It is also building express ways between all major cities. Most developments are expected to complete and open to the public by 2015.

Can’t wait to go back again!

–nrj

16. September 2012 · Comments Off · Categories: China
Share Button

Current as of September 2012.

I recently upgraded to an iPhone 4S and by using different Apps, technology became a better friend – especially with global travel – and having traveled to China over 20 times in the past 2 years for work.  Using-iPhone-in-China

Back in the US, I am on the Sprint network and have an unlocked 4S. Before you start using your iPhone in China, you will need to make sure its unlocked. You can check this by calling your network carrier. Also, I do not use Sprint’s international plan as it is pretty expensive – so you can disable it by going to Setting –> General –> Network. This option is very important in case you are not planning to get an international SIM card and intend using your iPhone over WiFi which is available in most cafes, hotels, airports and restaurants – and that too for free in most cases.

In China, I prefer using the China Unicom network and SIM card rather than China Mobile as Unicom offer’s 3G for the iPhone whereas China Mobile’s 3G network is not yet compabitble with the iPhone. The China Unicom card costs 100RMB for first time buyers (~ USD14) and includes a ton of talk time and data. Renewal of the card runs at about 50RMB. You might need to “trim” the regular China Unicom SIM card to make it fit into your iPhone. Most vendors will cut it for you. Make sure you don’t discard your US SIM card as you will probably need it when you arrive stateside.

For me, communication with my family and team is extremely important. And I also am very frugal with things so try to find the cheapest – in most cases FREE – ways to get my job done. Here are some of my favorite Apps to use on my iPhone when in China.

Facetime: My favorite App for communication back with my family. Free. Great quality video calls. The only downside is that it works at this time only when both parties are on WiFi (I believe this will change with the iOS6) and using Apple devices.

Skype: Great to IM, video calls, Skype-to-Skype calls – all for free. You only pay for data usage if using the China mobile network – but can avoid it by using WiFi. Free to download App from iTunes.

Tango: Great for video calls as an alternate to Facetime when you are not on WiFi. Fre App and Free to use.

Viber: Good to send IM’s and make phone calls for free to other Viber users.

WhatsApp: Very nice IM App – also allows for sharing photos and videos. Used to be free when I downloaded but they have recently started charging $0.99.

Voxer: For quick walkie-talkie style messages to other Voxer users. You can send messages when offline too and they would get transmitted when you are back on the grid.

Vtok: Google Talk’s unofficial Ap for the iPhone. Good for IM’s as well as video and audo calls to other G-Chat users.

Whenever I am in China on business, no matter how many business cards I bring, I seem to run out of them. I also end up with a million business cards. Most Chinese business cards are bi- lingual. But in order to not carry them home with me, I like to scan them into my address book on my flight back home or when I have some down time. The App I like to use is ScanBizCards. You can take a picture of the business card and it automatically fills in the contact information into your address book (you can edit it) – saves you a ton of time and also preserves the contact information on your iPhone. Free for scanning up to 5 cards a week and then you can upgrade it if you like it.

Good luck!

–nrj