
Cyber Insecurity

Published January 29, 2016 11:42 AM by Irwin Rothenberg

Last September, the FBI issued a warning that devices and objects that connect to the internet to send and receive data are vulnerable to cyber-attack. While this warning referenced many popular lifestyle devices such as smart phones and wearable fitness monitors, it also included devices common to laboratories and other businesses, such as printers, security systems and even thermostats.

To reduce the risk of becoming a victim of such cybercrime, the FBI recommended taking the following steps:

• Protect wireless networks with strong passwords
• Isolate devices on their own protected networks
• Use security patches when available

Since HIPAA compliance is about ensuring the security of patient records, now is the time to evaluate the effectiveness of your compliance program. The G2 Compliance Advisor listed six actions you can do now:

1. Conduct a self-appraisal of compliance with HIPAA’s privacy and security rules. For instance, conduct a risk analysis of patient information in electronic form to check for vulnerabilities, such as lack of firewalls or weak passwords. Take steps to reduce or eliminate vulnerabilities identified. Make sure all staff members are trained in HIPAA compliance.

2. Make sure you’ve entered into business associate agreements with any entity or individual handling patient protected information on the lab’s behalf, such as a billing company. HIPAA requires labs and other covered entities to enter into these agreements to ensure that the business associate will safeguard the patient information adequately.

3. Consider encrypting patient information. Encryption is technically not required by HIPAA. However, a lab that opts not to encrypt has to at least address why it isn’t encrypting and document what alternative it will use instead to protect the data, according to Deven McGraw, deputy director, health information privacy division for the HHS’ Office for Civil Rights (OCR). “‘Addressable’ does not mean optional. It never has. We expect you to address it,” she explained. Note that patient data that is lost or stolen but has been encrypted in accordance with NIST standards is “secure” and does not need to be reported to patients or HHS.

4. Have an action plan to handle a breach of unsecured patient information. There are steps a lab needs to take, such as conducting an assessment of the likelihood that the information was compromised; timely notifications to HHS, patients and, in some cases, the media; and corrective action to forestall future breaches. You don’t want to be caught scrambling to comply once a breach has occurred.

5. Remember state law. State laws are often broader than HIPAA. For instance, labs suffering a breach of patient information may have to report it more quickly to state authorities than to HHS.

6. Keep an eye out for future developments. There’s a lot of activity concerning the privacy and security of patient data. In addition to the revised audit protocol expected this year, OCR is planning on releasing new guidance on patient access to their data. Other guidance or rules that are still forthcoming include clarification on what disclosures of patient information are the “minimum necessary,” as well as a proposed rule on how individuals who have been harmed by a data breach should receive a portion of the penalty imposed on the violator. Both of those are part of the HITECH Act of 2009 that amended HIPAA.
