
If You Didn’t Care About HIPAA Before, You May Need to Now

The HIPAA Omnibus Final Rule, released January 2013, greatly expands the number of organizations that must comply with HIPAA beyond the known ‘Covered Entities.’

The Final Rule expands the definition of a Business Associate to include an organization that ‘creates, receives, transmits or maintains’ PHI. Adding the term ‘maintains’ into the definition makes a big difference and will include a lot more businesses than before. The Department of Health and Human Services (HHS) estimates that 250,000 – 500,000 additional entities will be considered a Business Associate and therefore must comply with HIPAA.


What Partners Need to Know Before Selling into the Healthcare Sector

This post is part of a new series featuring Brian Higgins, Principal Healthcare Consultant at Comstor US. Comstor is a recognized global leader in Cisco product distribution and an established provider of networking and advanced technology solutions. Brian is a sales and business development executive with 35 years of experience in the global healthcare information technologies industry. He has a proven and successful track record of establishing and executing go-to-market strategies for both start-ups and well-established companies in the healthcare space. He is also a trusted sales and business development advisor to information and medical technology companies selling into all segments of the healthcare industry.

I recently hosted a webinar on the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) for a community of technology resellers.

HIPAA and HITECH are the US version of the “privacy and security” laws that are getting so much attention in our industry. I thought I had a reasonably good grasp on the subject, but my intuition was that the subject was complex enough to warrant an expert. We brought in a nationally recognized expert by the name of Bob Chaput, Founder and CEO of Clearwater Compliance LLC, and (luckily for me) he did an outstanding job of explaining a very complicated set of rules and regulations in a simple and easy-to-understand way.

While it was interesting to learn more about specifically who is covered by these laws and what their specific obligations are, the more enlightening discussion related to how far behind most industry stakeholders are in their compliance and the resulting economic ramifications.

For those of us in the channel who recognize the enormous opportunity of delivering technology to the healthcare sector, this is an important subject about which to have a first level of understanding. It not only gives us the credibility that our healthcare end users are looking for in a vendor, it also represents an opportunity to deliver valuable advice and services. Finally, it’s a law that we might fall under if we are in the business of maintaining healthcare communications or information technology (HCIT) platforms, or delivering cloud services.

Similar privacy and security laws exist around the world, requiring partners to pay close attention to what is occurring in their regions relative to this topic.

HIPAA and the Standard of Due Care – How Much Security is Enough?

There’s a natural struggle between those who write rules around compliance to a standard and those who must implement IT systems to ensure compliance with that standard. The former want to create guidelines rather than hard and fast requirements so there’s flexibility in how to achieve compliance. Plus, they want guidelines that allow for advances in technology. The latter want technical specificity – do X and become compliant.

With a compliance standard like PCI DSS, which specifies credit card information security requirements, there’s a great deal of technical specificity about what is required in order to become PCI DSS compliant. In fact, all but a handful of PCI DSS’s 211 sub-requirements call for specific technical actions. But even then, some PCI DSS sub-requirements are subject to interpretation by the various auditing authorities.

Most compliance mandates, especially those imposed by governments, aren’t as cut and dried as PCI DSS and they always include many specific requirements around acceptable compliant behavior in addition to non-specific requirements around technology-oriented compliant safeguards.

The privacy and security of health information in the U.S. is governed by a Federal law called the Health Insurance Portability and Accountability Act (HIPAA). As written, HIPAA is vague in many behavioral and technological areas. The law turned over “rule-writing,” whose aim is to provide more specificity, to the U.S. Department of Health and Human Services (HHS). HHS wrote a key rule – the HIPAA Security Rule – that is relevant to information security professionals.

But alas, even the HIPAA Security Rule is ambiguous!

Observations from HIPAA Conference – Time to Act?

On June 6-7, the National Institute of Standards and Technology (NIST) co-hosted a conference focused on HIPAA, the foundational U.S. health care information law. I attended the conference and came away with the sense that a) health care entities have begun to see clarity in the things they must do from an IT perspective to abide by the law’s requirement to protect patient information and b) they are motivated to do so through Federal moves to enforce the law.

The links between vague laws and concrete technical requirements to support them are usually ambiguous because the laws are written by non-technical lawyers and they often turn over implementation details to government departments.


Healthcare BYOD users, beware of the uninvited guest!

There are some interesting security developments on the BYOD front that may present serious HIPAA challenges for healthcare delivery organizations. If you’re not following the story, I’ll give you the quick summary. Security consultant Trevor Eckhart discovered monitoring software from Carrier IQ on his Android-based smartphone. The software, which he could not disable, was placed there by the cellular carrier in an effort to monitor and enhance the end user experience. His testing revealed that the software was able to log keystrokes, URLs, GPS location and SMS text messages, amongst other items. All of the juicy information that is collected is encrypted and uploaded to the carrier or manufacturer for “analysis” – NICE!

The seriousness of the issue sparked a federal probe, with Senator Al Franken sending a request to the software vendor, manufacturers and cellular carriers asking for specific details of the monitoring software’s capabilities and how the information collected is being used. Many of the responses received to date raised many more questions than they answered.

By the time you read this, the holiday season will be behind us. The second-longest post-holiday line, after the dreaded Toys-R-Us return line, is likely to be in front of the IS Support desk come “Monday Morning”. All the Cindy Lou Whos will be in line asking that their smart device be given access.

It will be interesting to see the statistics, but I suspect that in comparison to previous years, it’s highly likely that many more BYOD smartphones and tablets will enter the healthcare environment. One of the top care-abouts for CIOs is to provide rapid provisioning within their organization. This is great, but I often wonder if responding to the demand could result in cutting the proverbial corner without knowing it!

Given the need to deploy a wide variety of BYOD devices quickly and securely, the healthcare Chief Security Officer (CSO) certainly has their job cut out for them these days. The sheer volume of consumer devices entering the enterprise environment raises some serious questions as to their readiness, especially in regard to security and privacy – add ePHI and the responsibilities of covered entities and you have some significant reason for concern. Perhaps before a healthcare system adopts a BYOD policy, one should consider the ramifications of allowing the wide range of consumer devices (and contracted carriers) to access protected resources. I’d suggest that it’s certainly time to consider the use of an enterprise-ready device – one such as the Cisco Cius, where you can control key aspects related to maintaining security and enhancing the user experience.

Cisco Cius with AppHQ is an Enterprise-Ready Tablet

First, with the monitoring software described, don’t assume that your security policy by itself is sufficient. Remember that this software, and others likely to follow, is a key logger. Such applications by definition capture each and every keystroke and button press regardless of the application or transport/network encryption being used. Many CSOs may incorrectly conclude that data loss is impossible given the use of VPN technology. Likewise, some will conclude that their adoption of VDI assures that the data stays local to the healthcare system and not on the device. While partially true, we are effectively talking about keystrokes being logged. Clearly a physician WILL over time enter data that is classified as ePHI – all nicely collected and uploaded unknowingly to a 3rd party. Even SMS text messages sent or received by such a device are within scope!

My advice is to stay abreast of this developing story, and in the meantime, take the time necessary to fully understand the ramifications of allowing various devices (and carriers under contract) to access your protected resources. It’s no longer only about robust authentication mechanisms, secure encryption and remote wipes – it’s now much more than that! Also remember that a device that is classified as “safe” today might not be in compliance after an OS upgrade or application install in the future. Taking accountability for the device and the applications being loaded onto it by either the user or the carrier is YOUR business. Having a system in place that facilitates YOU being able to control the OS and the applications that are being installed on BYOD devices is a critical objective.

So make sure that the next time you’re planning a BYOD party that you recognize all the guests being invited – otherwise some valuables in the form of ePHI may be slipping out the back door!
