HIPAA Compliance Week #3 Blog Post

Reading about all these data breaches has made me wonder, exactly how do hospitals, clinics, insurance agencies, or any other place that handles electronic information. In other words, how do they prove they are in compliance? The 1996 Health Insurance Portability and Accountability Act (HIPAA) mandates rules and regulations to protect patients’ information. There are two separate rules for this. The first rule is the HIPAA Security Rule which states that “standards that must be applied to safeguard and protect ePHI when it is at rest and in transit” (HIPAA Journal). The second is the HIPAA Privacy Rule, which just “governs how ePHI can be used disclosed” (HIPAA Journal). The first rule can be broken into three parts: technical, physical, and administrative safeguards”

                

So just how do covered entities become compliant. The US Department of Health and Human Services Office for Civil Rights (OCR) is responsible for tracking compliance. The covered entities are held responsible for their compliance, as there is no compliance certification process. Covered entities just need to make sure they have procedures and policies in place, have a security rule assessment, make sure they properly training employees, and document. However OCR can and has begun audits on covered entities.

 Healthsecurity.com provided an example of what this audit looks like. A company Night Nurse had an audit conducted against them. It covered the three phases mentioned above. There were over 400 questions. “The questions required everything from base descriptions of our services and procedures to in-depth descriptions of each technical component of our system infrastructure…the report also required a vulnerability assessment for each technology component, and how these risks were mitigated.” (Pologe, 2017). The second part was an on-site physical inspection to assess physical security. They also conducted hacking attempts to get into the systems. The third and final part was about remediation. They had to provide prove of compliance that they were at risk for.

Reading about these audits belay my fears a little bit knowing that the covered entities are being audited to ensure compliance. Though I think it is safe to believe that not every program is audited every year. I do feel safer about my health records being stored electronically. I also feel like it is safer at a larger hospital since these seem like the most likely to be audited.

References

Snell, E. (2017). Preparing for an OCR HIPAA Risk Assessment Audit. Retrieved from: http://healthitsecurity.com/news/preparing-for-an-ocr-hipaa-risk-assessment-audit

HIPAA Journal. HIPAA Compliance Checklist. Retrieved from: http://www.hipaajournal.com/hipaa-compliance-checklist/

Ransomware attacks against medical records Week #2 Post

So while looking for interesting health field issues going on, I found one article reporting recent ransomware attacks against health services. A ransomware attack is a software attack in which information is stolen and returned after a sum of money has been returned. One of the places, Metropolitan Urology (http://healthitsecurity.com/news/metropolitan-urology-ransomware-attack-affects-18k-patients) , actually experienced that attacks in 2006. They didn't even become aware of the incident until January of 2017. Think about that for a second, it took them 11 years before they realized that they had become aware of the incident. This made me think of my data that was possibly compromised. It took them a long time to find out that the data may have been compromised. This made me wonder why it took that long to discover the issue.

One of the reasons I have found was that little of the attacks actually disrupt their network, They do get notifications of potential issues but they receive so many it is hard for the companies to sort through them all. In fact "According to Verizon, 66 percent of breaches take months of even years to detect" (Thompson, 2017). That thought bothers me quite a bit. My data could be held out there being stolen without it being discovered until it could be too late.

The other vendor, Summit Reinsurances Services, was also a victim of ransomware. It this case several other medical companies used that vendor and all of those companies had to notify their patients of the potential breaches. I may touch on 3rd party vendors with regards to healthcare in a later blog.

Ransomware can definitely cause several issues in the healthcare field. Again, you have so much valuable information in those medical files that the cost to retrieve that information could be high. Not only that, but there is no guarantee you get your data back, or that the criminal doesn't sell it for profit anyways.

References:

Thompson, M. (2017). You Had an Ongoing Data Breach for Months. How Could You Not Know?. Retrieved from: https://www.business.com/articles/data-security-breach-why-they-go-unnoticed/

Even Medical Records Can Be Hacked

More and more personal information is being kept online. There are several benefits for this. Primarily it makes it easier for your health information to be available to other doctors and hospitals quickly. If something were to happen while you were in a separate state the hospital you are at can get your medical records quickly to see any possible allergies or complications you may have had in the past. However, as there are benefits, there is also a pretty big negative: security.

I had my hospital information potentially stolen. I attended Texas A&M during 2006-2008. In 2007, I was admitted to the hospital. I had never thought about my information being in jeopardy when I was admitted. In 2010, I received a letter from the hospital that my information may have been compromised in a hack of the system. They could not be sure what information had been stolen The first thought that occurred to me is what type of information could they had stolen. Medical records contain social security numbers, home addresses and obviously medical history.

This forced me to watch my credit reports to make sure that no one had stolen my identity. This made me think as to how much of a problem this is. In fact, doing some research I found an article: http://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-healthcare-records-heres-why.html showing just how often these breaches can occur. In the article there was this image attached:

As you can see, the compromise of medical information has steadily been growing. More emphasis needs to be placed on protecting medical data to prevent valuable information being stolen.