Cisco Blogs


Cisco Blog > Healthcare

7 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule is now in effect and audits will continue in 2014. At the HIMSS Privacy and Security Forum in Boston on Sept. 23, Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights said to those who are wondering how the new rule will be enforced: “You’ll see a picture of where we’ll spend our energies” based on previous enforcement actions.  Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to investigations that revealed larger systemic issues, Rodriguez said.

On our list of 9 HIPAA Network Considerations, it is timely that our topic in this blog is on #7, Security best practices are essential.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

The general rule for the HIPAA Security Rule is to ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted [45 CFR 164.306(a)].  Protect against threats to PHI.  That relates directly to network security best practices.  In the 2012 HIPAA audits, security had more than its share of findings and observations, accounting for 60% of the HIPAA audit findings and observations, even though the Security Rule accounted for only 28% of the audit questions.  At the NIST OCR Conference in May, OCR presented the summary below.

7 of 9

Read More »

Tags: , , ,

What Moving to the Cloud Means for Healthcare Organizations

This marks the 32nd year I’ve worked in healthcare. It doesn’t seem like very long ago that I worked as a registered nurse, caring for critically ill patients. Although I’m no longer working at a patient’s bedside, today’s healthcare organizations continue to put patient care first -- starting with transformation in healthcare technology.

HealthcareDue to increased digitization of patient data and increased collaboration among insurance providers and doctors, IT innovation and integration in healthcare is on the rise.  A new survey from Black Book shows that economic factors and government regulations are beginning to nudge independent physician practices to the cloud.

As more move to the cloud, the recent package of HIPAA changes known as the “final omnibus rule” clarifies the legal framework for healthcare organizations to work with cloud services, as David F. Carr highlighted in his recent article in Information Week.

This is a fundamental shift for healthcare organizations that could set precedent for other industries like education, financial services and government. Are you ready for it? Read More »

Tags: , , , ,

Care Networking, Care Anywhere, Care Customization

Join Cisco, Intel, and other leading healthcare and  technology organizations for a series of leadership webcasts on October 23-24 that address the top challenges facing healthcare and IT professionals today.  The third annual Intel Health & Life Sciences Innovation Summit will focus on relevant topics such as care networking, how mobility expands care from the hospital to the community, and customizing care with big data. This free, unique online event includes:

  • Live webcasts
  • Networking opportunities
  • Live interaction
  • White papers
  • Case studies

Get a preview of this online event by listening to Barbara Casey, Senior Executive Director for Healthcare at Cisco, discuss clinical mobility devices and connecting the unconnected.

Register for the 2013 Intel Health & Life Sciences Innovation Summit webcast series on October 23-24 to hear more about how mobility can expand care from the hospital to the community.

Tags: , ,

6 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule, released January 2013, goes into effect this month – Sept 23, 2013. Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

This blog focuses on #6 – Risk Management is Continuous.

You can look at the Risk Management implementation specification as the actions taken in response to the Risk Assessment.  The HIPAA Security Rule defines Risk management (Required):  “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [§ 164.306(a)]”

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information

One common mistake companies make in compliance programs is taking the approach that once the work is done, the network doesn’t have to be looked at again for compliance.  If they put the security programs, processes, and technologies in place, they don’t have to spend time on compliance until next year (or the year after that, or even longer).

This makes compliance a onetime effort that is then ignored.  Worse, securing PHI often follows the same path, making it easy to hack and steal, causing a lot of problems for everyone involved.  Risk management―reducing risk―needs to be a continuous activity.   Through your risk assessment, you’ll know where your PHI is, what your highest risk factors are, and where to implement more continuous risk management tools in the network.

Continuous risk management does not mean tracking every single event on every single device throughout the network.  It may mean turning on automatic alerts on critical devices, setting traffic thresholds in network areas where PHI resides, logging anomalous events in those critical areas, and using network management tools to make sense of all this information the network devices are collecting.

Risk management is about a lot more than achieving HIPAA compliance, reducing risk to PHI and helping to prevent theft of PHI is of critical value.

Recommendation: Understand where you should implement continuous risk management, and what logging, alert, detection, and management tools you already have that can help with risk management.

To learn more about Cisco® compliance solutions and HIPAA services, please visit http://www.cisco.com/go/compliance

Tags: , , ,

New Solution: Cisco Virtual Patient Observation

No longer does your organization need to incur the sometimes unreimbursed cost of hiring one-on-one patient sitters, dedicating staff that can be better utilized elsewhere, or imposing on distressed family members to sit by their family member’s bedside around the clock.

With Cisco Virtual Patient Observation, centralized staff can observe multiple high-risk patients over your hospital’s existing network, and quickly alert caregivers if a patient is at risk.

This is one of those rare solutions that can pay for itself in months not years.

SpeakersIf this sounds “too good to be true”, then we invite you to join a live educational webcast that I’m hosting on September 12th at 11PST / 2EST to learn first-hand how HCA’s Clear Lake Regional Medical Center worked with Cisco to integrate Virtual Patient Observation into their operation.

You’ll learn about Clear Lake Regional Medical Center’s approach to implementing Cisco Virtual Patient Observation, the hurdles they encountered, and the lessons they learned along the way to a highly successful implementation and a satisfying ROI.

We’ll hold a live Q&A at the end so you can ask your questions directly of the experts.

Register now to hold your spot.  If you can’t make the live webcast on September 12, you’ll want to register anyway so that we can send you the replay link.

In the meantime, if you’d like to learn more about Cisco Virtual Patient Observation, here’s how to get started:

  • At-a-Glance: Benefits of Virtual Patient Observation
  • Blueprint:  Take advantage of existing networking investments for rapid investment payback
  • Ten use cases: Real-life scenarios for using video surveillance in hospitals
  • Request a call from Cisco:  Discuss how video surveillance can help you lower costs and improve patient safety

Tags: , , ,