Monthly Archives

April 2014

HIPAA Security Risk Analysis


As a healthcare provider, much of the Electronic Protected Health Information (ePHI) you maintain and share with other entities is crucial to your business and to the care you provide to your patients.

Lost or stolen laptops, identity theft, malfunctioning computers and hackers are just a few of the risks you face when you receive, store, and transmit electronic health information.

Providers face major trouble if their patients' ePHI is stolen, lost, misused, incorrect, or unavailable when it is needed.

The Administrative Simplification provisions of HIPAA (Title II), enacted by Congress and put into effect by the US Department of Health and Human Services (HHS) through regulation, include the Security Rule.

The Security Rule exists to ensure that covered entities, including small and medium-size providers like you, guard ePHI against security incidents.

Furthermore, to make sure that organizations actually take steps to protect ePHI, the law added requirements, increased penalties, and expanded investigative authority.

Although many core elements make up the Security Rule, HHS regards a documented risk analysis as one of the most important.

The purpose of requiring a risk analysis is to help you identify when and where there is a risk that someone could compromise the confidentiality of your ePHI, inappropriately alter or delete it (affecting its integrity), or cause it to be unavailable when needed.

Another key requirement is that you implement security measures that reduce those risks to a reasonable and appropriate level. Complete protection from risk is impossible, but HHS's position is that with sound policies and procedures in place you can protect your ePHI against the risks that can reasonably be anticipated.

The point is that, by law and under threat of a substantial penalty, your office must have on record documentation of the following:

  1. Detailed policies and procedures regarding ePHI
  2. A documented risk analysis including a review of (the steps HHS's risk analysis guidance draws from NIST SP 800-30):
  • SYSTEM CHARACTERIZATION
  • THREAT AND VULNERABILITY IDENTIFICATION
  • CONTROL ANALYSIS
  • LIKELIHOOD DETERMINATION
  • IMPACT ANALYSIS
  • RISK DETERMINATION
  • CONTROL RECOMMENDATIONS
  • RESULTS DOCUMENTATION
  3. A contingency plan (a separate Security Rule standard from the risk analysis itself)
  4. Documented staff security awareness training (likewise a separate standard)

Sometimes I think politicians with better things to do, spend their time thinking of things for us to do as though we had nothing better to do.

WINDOWS XP and HIPAA COMPLIANCE


Are you using computers that run Windows XP in your office? If so, you may be violating HIPAA by doing so.

If you haven't heard, on April 8th, 2014 Microsoft ended support for Windows XP. The operating system still runs, but it will never receive another security update.

Microsoft announced that it is no longer providing security updates and stated that:

“If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses. What this means is that when using computers with Windows XP, you potentially expose your computers to a security risk. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter greater numbers of apps and devices that do not work with Windows XP.”

The HHS Office for Civil Rights (OCR) has been very clear that unsupported systems are NOT compliant. It cited this routinely during last year's audits whenever it was identified.

An unsupported system is insecure by definition: every vulnerability discovered in it from now on stays unpatched, so it poses a risk not only to the data it holds but to the network it resides on as well.

Additionally, any known vulnerabilities of an operating system should be considered in the covered entity’s risk analysis.

For example, as a compliance and auditing specialist, I tell my doctors that an operating system with a known vulnerability, which XP has, has to be considered an issue with regard to your "risk analysis."

Addressing the risk means that, as a doctor, you know what can happen by running XP and that you have a written plan for minimizing that risk.

This plan must be described in detail in your risk analysis and should include a timeline for your transition away from Windows XP.

To stay protected after support ends, you have two options:

  1. Upgrade any current devices that are running Windows XP

This is definitely the simplest route, and for most doctors' offices it is the most cost effective.

Unfortunately, few older computers will be able to run Windows 8.1, which is the latest version of Windows as of this writing (April 2014).

Compliance & Auditing Services recommends that you download and run the Windows Upgrade Assistant to check whether your PC meets the system requirements.

The Windows 8.1 system requirements are nearly the same as Windows 8, so if your PC can run Windows 8, in most cases, you can get the free update to Windows 8.1.

Upgrade Assistant will also check program and device compatibility, and provide a free compatibility report.

Here is a summary of the system requirements:

  • Processor: 1 gigahertz (GHz) or faster
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Free hard drive space: 16 GB (32-bit) or 20 GB (64-bit)
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

You will need to perform a "clean installation." This means you will not be able to keep any files, settings, or programs when you upgrade.

We recommend that you back up all files and locate all program installation discs and license keys before updating. Remember that those backups contain ePHI: keep them encrypted and accounted for until the upgraded machine is verified and the backup media is securely wiped or stored.

  2. If your current PC can't run Windows 8.1, it's time to consider a new one. The fines for a HIPAA Security Rule violation would significantly exceed the cost of a few new computers.
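As an added example (not part of the original post, and not Compliance & Auditing Services' own tooling), the PowerShell script below carries out the first two steps of the plan described above from an administrator's workstation: it pulls every computer still reporting Windows XP from Active Directory, which is the system-characterization input the risk analysis in the previous post needs, and checks each one against the Windows 8.1 requirements listed above to sort it into "upgrade" or "replace". It assumes a domain-joined office with the ActiveDirectory PowerShell module installed on the admin machine and WMI (DCOM) reachable on the XP clients; the 30-day logon window, the C: drive assumption and the output file name are arbitrary choices.

```powershell
# Added example, not from the original post. Assumes: AD domain, ActiveDirectory
# module on this workstation, WMI/DCOM reachable on each XP client (enable the
# "Remote Administration" exception in the XP firewall first). Thresholds come from
# the Windows 8.1 requirements in the post; everything else here is an assumption.
Import-Module ActiveDirectory

# 1. Inventory: every AD computer object still reporting Windows XP that has
#    actually logged on recently (stale objects are a separate clean-up task).
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "*XP*"' `
               -Properties OperatingSystem, LastLogonDate |
           Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-30) }

# 2. For each live XP host, read the hardware facts over WMI and compare them
#    with the 8.1 minimums. DataWidth is the CPU's native width (AddressWidth
#    would report 32 on a 64-bit CPU running 32-bit XP), so it decides whether
#    the 32-bit or 64-bit thresholds apply.
$results = foreach ($pc in $xpHosts) {
    $name = $pc.Name
    try {
        $cpu  = Get-WmiObject Win32_Processor      -ComputerName $name -ErrorAction Stop |
                Select-Object -First 1
        $sys  = Get-WmiObject Win32_ComputerSystem -ComputerName $name -ErrorAction Stop
        $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        $disk = Get-WmiObject Win32_LogicalDisk     -ComputerName $name -ErrorAction Stop `
                    -Filter "DeviceID='C:'"

        $is64    = ($cpu.DataWidth -eq 64)
        $minRam  = if ($is64) { 2 }  else { 1 }    # GB
        $minDisk = if ($is64) { 20 } else { 16 }   # GB free
        $ramGB   = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
        $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)

        # Graphics (DirectX 9 / WDDM driver) is not reliably visible through WMI on XP;
        # Upgrade Assistant still has to confirm that on any host flagged Upgradable.
        $ok = ($cpu.MaxClockSpeed -ge 1000) -and ($ramGB -ge $minRam) -and ($freeGB -ge $minDisk)
        $action = if ($ok) { 'Clean-install Windows 8.1' } else { 'Replace hardware' }

        [pscustomobject]@{
            Host        = $name
            OS          = $os.Caption
            ServicePack = $os.CSDVersion
            CPU_MHz     = $cpu.MaxClockSpeed
            Native64    = $is64
            RAM_GB      = $ramGB
            FreeDisk_GB = $freeGB
            Upgradable  = $ok
            Action      = $action
        }
    }
    catch {
        # Unreachable hosts are still XP as far as AD knows: they go on the list too,
        # because an XP box nobody can find is exactly the risk the audit will ask about.
        [pscustomobject]@{
            Host        = $name
            OS          = $pc.OperatingSystem
            ServicePack = ''
            CPU_MHz     = $null
            Native64    = $null
            RAM_GB      = $null
            FreeDisk_GB = $null
            Upgradable  = $false
            Action      = "Locate and verify (WMI error: $($_.Exception.Message))"
        }
    }
}

$results | Sort-Object Upgradable, Host | Format-Table -AutoSize

# The CSV is the artifact to attach to the risk analysis: it is the system
# characterization for the XP finding and the basis for the transition timeline.
$results | Export-Csv -Path .\xp-risk-inventory.csv -NoTypeInformation
```

Run it from an account that is a local administrator on the XP machines. Each row flagged Upgradable still needs the Upgrade Assistant run on the box itself for the graphics and application compatibility checks, and each row flagged for replacement or "Locate and verify" is a line item for the transition timeline that your risk analysis has to document.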

For most doctors, dealing with the technical stuff is a little bit challenging. After all, you’re an expert at treating patients not computers.

If this is you, then talk with your IT person. They have the expertise in this area and should know exactly what to do.

Regards,

Dr. John Davenport
Chief Compliance Officer
Compliance & Auditing Services