Monday, May 22, 2017

Mental Health with Regards to HIPAA week #11 post

The last topic I want to discuss relates to mental health with respect to the HIPAA rules and regulations. Mental health has been a popular topic in the news. Any time there is a mass shooting there seems to be talk about the lack of mental health issues. Or people ask whether there were mental issues related to the incident. Another question you tend to hear relates to actual discussions with the therapist. People may wonder, “What can I say without other people finding out?” This always made me wonder, with regards to HIPAA, what can be released by mental health professionals. According to the U.S. Department of Health and Human Services, the Privacy Rule applies to all protected health information. They do make an exception with regards to psychotherapy notes.
“The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.” (U.S. Department of Health & Human Services, 2014)
This means that the mental health provider must get a patient’s permission to release information. There is one exception, and that is in the judgement of the provider whether or not to release information. This would include if a patient is about to harm himself or others or mandatory abuse reporting. 
Release without patient approval is based solely on the judgement of the doctor as to whether they feel the patient is a threat to themselves or others.
State laws regarding PHI also come into play. “The privacy regulations do not preempt state law that is ‘more stringent than’ federal law.” (Malek & Krex, 2002). This is something that mental health care providers must also take into account when dealing with patient notes.
For the most part federal law maintains the same privacy with regards to mental and health records. The difference is with the notes the mental health provider keeps. They contain no info related to medical treatment, just notes about the actual therapy sessions. This should make patients feel safer to open up and talk about their issues, thus allowing them to get the help and care they need without judgement. 
References
U.S. Department of Health & Human Services. (2014, February 20). HIPAA Privacy Rule and Sharing Information Related to Mental Health. Retrieved from HHS.gov: https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/

Monday, May 15, 2017

'WannaCry' ransomware damages UK National Health Service organizations' ability to conduct business Week #10 Blog Post

This blog is going to focus on an incident last week that provides an example of some things that I have talked about in previous blogs. A ransomware attack, “WannaCry”, hit Friday afternoon and spread rapidly. Among the groups affected were the National Health Service organizations in the UK. The ransomware is malware that exploits a vulnerability in Windows XP or Windows Server 2003. Both of these are operating systems that Microsoft had stopped supporting. So what exactly does this do?
WannaCry gets passed through emails or fake ads. It creates encrypted copies of files on the victim's computer, and deletes the originals, leaving the victim with only the encrypted copies, which cannot be accessed without a decryption key (Curtis, 2017). It then demands a ransom, which has been small thus far, in the $300-$600 range. This caused major issues with the NHS.
Barts Health NHS Trust in London had to cancel routine appointments, and ambulances were diverted to other hospitals. The attack also affected their referral system, which recommends patients for treatment with specialists and cancels the treatment if the referral isn’t made within two weeks (Veselinovic & Hilary, 2017). Organizations were not able to access any health records. In fact, Dr Emma Fardon told the BBC that they couldn’t tell what drugs patients were on and what allergies they had (Health, 2017). So why did this happen and could it have been prevented?
Microsoft knew of the vulnerability and actually released a patch for it in March (Graham, 2017). Unfortunately, many people do not regularly update their software as recommended. For example, whenever I turn on my computer the first thing I do is update my antivirus software, and then check for updates from Microsoft. Thus, my system was protected from this exploit. Another issue that affected the hospitals, however, was that many of them are using outdated software; software that Microsoft no longer updates. Microsoft, however, is pushing out updates to older systems to keep the malware from spreading to them (Johnson, 2017). This issue in part addresses my previous blog, the fact that the health community doesn’t have adequate training and resources to operate securely. The most important thing to prevent this was to update the software in the first place. This, however, requires funding since systems must be maintained, including switching from Windows XP or 2003 to the current OS, Microsoft 10.
What this incident shows is that governments need to invest more resources into healthcare, in particular with regards to the IT aspect. Look at how much damage this incident has created: rerouting ambulances, preventing access to patients’ records, and preventing referrals. All of these impacts can cost people their lives.

References

Curtis, S. (2017, May 15). Who is behind the WannaCry ransomware attack crippling NHS hospital trusts across the UK? Retrieved from Mirror: http://www.mirror.co.uk/tech/who-behind-nhs-cyber-ransomware-10410865
Graham, C. (2017, May 13). NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history. Retrieved from The Telegraph: http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/
Health. (2017, May 13). NHS cyber-attack: GPs and hospitals hit by ransomware. Retrieved from BBC: http://www.bbc.com/news/health-39899646
Johnson, A. (2017, May 15). 'WannaCry' Malware Attack Could Just Be Getting Started: Experts. Retrieved from NBC News: http://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356
Veselinovic, M., & Hilary, M. (2017, May 12). UK prime minister: Ransomware attack has gone global. Retrieved from CNN: http://www.cnn.com/2017/05/12/health/uk-nhs-cyber-attack/index.html



Friday, May 12, 2017

Lack of Cybersecurity Personnel in the Healthcare Industry Week 9 post

With the emergence of cyber threats to medical providers, you would think that employees with cybersecurity skills would be plentiful. However, according to ISACA Chief Innovation Officer Frank Schettini, there is a huge skills gap. He “found that nearly one in three organizations take six months or more to fill an open cybersecurity role. Additionally, 37 percent of organizations said that basically 1 in 4 candidates are qualified.” (Schettini as quoted in Snell, 2017). In fact, looking at the chart below you can see that most cybersecurity jobs are being posted in the professional, scientific, and technical field.




Figure 1. Cybersecurity Jobs posted in 2014. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Right now there is a large job market for cybersecurity workers, so it makes sense that not only healthcare but all markets are finding it hard to find employees. “The supply is 10% of the demand—from the Defense Department to banks to cybersecurity companies.” (Inbar as quoted in Conn, 2015). “Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million” (Brown as quoted in Morgan, 2016).
That is why ISACA created the Cybersecurity Nexus Training Platform. They created it in order to help employees gain that technical, hands-on training. Of course they are not the only source of training, but this is one example of how healthcare organizations can help ensure the security of their information and information systems. With the shortfall of skilled employees that the previous paragraph highlighted, organizations must take matters into their own hands to ensure their staff is trained as much as is feasible. Establishing policy and training to cover the basics would be a huge asset to every organization. Until supply meets demand, hospitals and medical companies must do everything in their power to ensure their employees know how to protect valuable information.


References:
Conn, J. (2015). Healthcare struggles to recruit top cybersecurity pros. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Morgan, S. (2016). One Million Cybersecurity Job Openings In 2016. Retrieved from: https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#277bf10d27ea
Snell, E. (2017). Addressing the Cybersecurity Skills Gap with Improved Training. Retrieved from: http://healthitsecurity.com/news/addressing-the-cybersecurity-skills-gap-with-improved-training


Friday, May 5, 2017

Interoperability in the Healthcare Network Blog Post Week 8

This week I am going to focus on interoperability. Currently this is a big issue not just for health care as a whole but also for the armed forces. “Interoperability means the ability of health information systems to work together within and across organizational boundaries in order to advance the effective delivery of healthcare for individuals and communities.” (Healthcare Information and Management System Society, 2017). Basically, different systems need to be able to communicate with each other. Say, for example, you visit a hospital in Florida, and then later in the year you go to a hospital in Nebraska that is on a different healthcare network. There needs to be a system in place that allows the Nebraska hospital to pull those records.
Interoperability is not easy. The Office of the National Coordinator for Health Information Technology (ONC) created an interoperability roadmap in 2015. This April, they released a proposed interoperability standards measurement framework and are requesting feedback “to evaluate progress so far by healthcare sector stakeholders - including health IT vendors, healthcare providers and health information exchange organizations - in implementing and using standards facilitating health information exchange now that electronic health record use is widespread.” (McGee, M. 2017). Being able to create interoperability makes access to patients’ records for healthcare much simpler.
The ONC is also creating a competition to create an algorithm for patient matching. Patient matching describes the techniques used to match the data about you held by one health care provider with the data about you held by another (or many others). (Posnack, S. 2017). They are awarding 6 cash prizes worth a total of $75,000. First place would receive $25,000. If you are interested you can enter at: https://www.patientmatchingchallenge.com/challenge-information/challenge-details.
Interoperability is a must. In the military you need all services to be able to communicate with each other. The same should apply to medical records in my opinion. With that being said it does bring another risk to security. By gaining access to one network, the perpetrator would be able to access any medical information from anywhere. In my opinion though, the benefit of having an interoperable healthcare network is much greater than the risk of compromise.


References:
Healthcare Information and Management System Society. (2017). Retrieved from: http://www.himss.org/library/interoperability-standards/what-is-interoperability
McGee, M. (2017). ONC Seeks Help Measuring Interoperability Progress. Retrieved from: http://www.healthcareinfosecurity.com/onc-seeks-help-measuring-interoperability-progress-a-9879
Posnack, S. (2017). Demystifying Patient Matching Algorithms. Retrieved from: https://www.healthit.gov/buzz-blog/interoperability/demystifying-patient-matching-algorithms/