Resource Search Results

Strategic Cybersecurity Investments: Leveraging American Rescue Plan Funding to Enhance Infrastructure and Services: HITEQ Highlights webinar (2021). Resource Type: Archived Webinar. Description: Healthcare continues to be the sector most targeted globally by ransomware and related malware attacks and leads in the average total cost of data breach across industries. The FY 2021 American Rescue Plan Funding provides an excellent opportunity for Health Centers to make strategic investments in cybersecurity infrastructure and services. This HITEQ Highlight, presented by Adam Kehler of Online Business Systems provides an overview of assets that can increase Health Center cybersecurity. Topics covered include cybersecurity infrastructure and services that can increase defense-in-depth for health IT, including EHRs, telehealth tools and services, mobile medical devices, patient portals, and related health information software applications. More Details...

Cybersecurity Checklist for Health Center Staff Working Remotely (2020). Resource Type: Publication. Description: This PDF checklist, developed by HITEQ, provides a guide for health center staff to mitigate cybersecurity risks and threats during times of emergency and incident response that have them working remotely from the health center. More Details...

HITEQ Highlights: Health Center Defense Against the Dark Web: Strategies for Building Security Awareness, Education, and Compliance in 2020 (2020). Resource Type: Archived Webinar. Description: This HITEQ Center webinar explored key concepts and best practices that should be followed by Health Centers seeking to develop Defense in Depth and effectively implement hardened security programs at their sites. There are ever-increasing cybersecurity guidelines and protection measures that Health Centers must navigate and digest. This webinar sought to motivate and educate the health center workforce on critical privacy and security concepts and methods for defense. Aspects of Security Risk Assessment, security awareness training, and breach protection were covered with an emphasis on health center-wide information protection. More Details...

The Roadmap to Becoming a Data-Driven Organization l: Understanding the Foundational Elements of Business Intelligence (2020). Resource Type: Archived Webinar. Description: This webinar will discuss the key components of developing an effective business intelligence program. Participants will learn how to retrieve accurate data and analyze it based on strategic goals that impact patient care delivery, health outcomes and business operations. \ More Details...

Cyber Security Risks — COVID-19: Best Practices for Health Center Staff Working Remotely (2020). Resource Type: Publication. Description: The number of COVID-19 cases continue to increase throughout the United States, requiring more and more of our health systems to rely on employees working from home at times. While some of us are required to "shelter-in-place," unfortunately that shelter can create increased risks such as cyber security breaches. With good planning, policies, and employee and family education, health centers can minimize risk and support their employees while working remotely. This presentation will inform your Health Center remote workers on best practices for increasing cybersecurity at home. More Details...

Strategic Cybersecurity Breach Protection and Incident Response: Guidance and Resources for Health Centers (2019). Resource Type: Other. Description: This is Part 2 of HITEQ's Health Center Defense Against the Dark Web presentation series. This presentation provides general knowledge about breach mitigation and planning strategies for incident response. More Details...

Health Center Defense Against the Dark Web Presentation: Strategies for Building Security Awareness, Education and Compliance (2019). Resource Type: Other. Description: This cybersecurity presentation explores key concepts and best practices that should be followed by Health Centers seeking to develop Defense in Depth and effectively implement hardened security programs at their sites. Part 1 of this series will seek to motivate and educate the health center workforce on critical privacy and security concepts and methods for defense. Aspects of Security Risk Assessment, security awareness training, and breach protection will be covered with an emphasis on health center-wide information protection. More Details...

Health Center Security & Compliance System Implementation Guide: 1/1/2019 (2019). Resource Type: Publication. Description: This toolkit provides a framework for Health Centers to evaluate compliance and security concerns as they purchase, adopt, and implement technology solutions. There are ever-increasing cybersecurity guidelines and protection measures that Health Centers must navigate and digest. Newer and rurally located Health Centers can especially benefit from guidance and decision support that assists them in determining how to implement systems in a manner that meets compliance requirements and doesn’t expose information to undue security risk. Identifying and managing these types of risk can be especially important when procuring new Health IT e.g. EHRs, Medical Devices, Data Warehouses for the Health Center. This toolkit provides a framework for Health Centers to evaluate compliance and security concerns as they purchase, adopt, and implement technology solutions. Every time a Health Center adopts and implements newly procured technology, they could be exposing themselves to compliance gaps and security risks. Often these topics are addressed after the solution is implemented and are an after-thought. Unfortunately, the later in the adoption process that security is considered, the costlier it becomes to address as it may require redesign or reconfiguration of software, systems, and processes. Especially important for covered entities, like Health Centers, is for this process to meet the regulations outlined within HIPAA. Throughout this document, the related HIPAA requirements are highlighted within each section so as to better understand where this process sits within broader security risk assessment SRA practices. In the Appendix of this guide is an EHR/Health IT Systems checklist that can be used as an implementation interview guide when procuring new resources. This guide can help organizations identify security concerns and design the appropriate solution starting at the design and vendor-selection phase, thereby increasing the likelihood that security will be considered fully throughout the implementation process. Download the full toolkit below, which includes the following sections: System overview Information classification and inventory Business Associate Agreements and Contracts Risk Analysis Identity management Encryption Auditing and logging Contingency planning Workstation requirements Patching Security testing Vendor and developer access Physical security Network segmentation More Details...

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (2019). Resource Type: Publication. Description: Cyber threats to healthcare entities put patient health, business continuity, and IT systems at risk. Under the auspices of the Cybersecurity Act of 2015 (CSA), Section 405(d), HHS convened the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity. More Details...

Creating and Managing Strong Passwords at Your Health Center: Guidance in relation to updated NIST security requirements and HIPAA (2018). Resource Type: Publication. Description: Is it acceptable/recommended for health centers to adopt the new password policy guidelines under NIST Special Publication 800-63B and will that still uphold the HIPAA security rule? This question had been posed to the HITEQ Center asking whether we had any guidance or recommendations on implementing the new NIST Guidelines regarding password security.  New Digital Identity Guidelines under NIST Special Publication 800-63-B presents new guidelines regarding password security that are much more user-friendly and consequently more likely to be observed by health center staff since constantly changing, complex password on multiple systems can be a source of frustration for the end user.  Question: Is it acceptable/recommended for health centers to adopt the new password policy guidelines under NIST Special Publication 800-63B and will that still uphold the HIPAA security rule? This question had been posed to the HITEQ Center asking whether we had any guidance or recommendations on implementing the new NIST Guidelines regarding password security.  New Digital Identity Guidelines under NIST Special Publication 800-63-B presents new guidelines regarding password security that are much more user-friendly and consequently more likely to be observed by health center staff since constantly changing, complex password on multiple systems can be a source of frustration for the end user.  After consulting with HITEQ cybersecurity experts and consultants who have helped publish cybersecurity guidelines, the recommendations outlined below were communicated. Answer: The short answer is Yes. HIPAA is not prescriptive and takes the general stance that authentication mechanisms should be “reasonable and appropriate” for the risk they present. Being able to say that you are implementing NIST Standards is a good way to show that you are implementing “reasonable and appropriate” controls. Some standards are relaxed in regards to password change and complexity, those items shouldn’t be taken in isolation. The additional controls in the 800-63 recommendations should also be put in place and can include: Having users check passwords against password lists from breaches e.g., https://haveibeenpwned.com/Passwords  Increasing the length requirements Getting rid of password reminder questions Increasing usability Further Guidance from NCCIC/US-CERT: NCCIC/US-CERT reminds users of the importance of creating and managing strong passwords. Passwords are often the only barrier between you and your personal information. There are several programs attackers can use to help guess or "crack" passwords. However, choosing strong passwords and keeping them confidential can make it more difficult for others to access your information. NCCIC/US-CERT recommends users take the following actions: Use multi-factor authentication when available. Use different passwords on different systems and accounts. Don't use passwords that are based on personal information that can be easily accessed or guessed. Use the longest password or passphrase permissible by each password system. Don't use words that can be found in any dictionary of any language. Refer to Tips on Choosing and Protecting Passwords and Supplementing Passwords for best practices and additional information. More Details...

Health IT Privacy & Security Skill Sets: The Importance of Information Security for all Health Center Staff (2017). Resource Type: Publication. Description: Since 2010, the healthcare industry has seen a remarkable increase in the use of technology in the administration and delivery in healthcare. This has led to a mass migration of data from paper charts and isolated systems to Electronic Medical Records EMRs and interconnected systems that transmit patient health and financial information across trusted and untrusted networks. While this has been a boon for the industry in its ability to provide timely information to those who need it the most, this transition has introduced a great deal of risk to the confidentiality and integrity of the information. Coupled with the fact that the information can be quickly monetized by criminals through insurance fraud and identity theft, the ecosystem is target-rich. Since 2010, the healthcare industry has seen a remarkable increase in the use of technology in the administration and delivery in healthcare. This has led to a mass migration of data from paper charts and isolated systems to Electronic Medical Records EMRs and interconnected systems that require ever-evolving privacy and security requirements to safely transmit patient health and financial information across trusted and untrusted networks. For an overview of the information contained herein access this recorded webinar and companion materials including a transcript and slides for reference.     Why Information Security Teamwork is Important for Health Centers Resource Context While the increase in the adoption of health IT across all service levels has been a boon for the healthcare industry in its ability to provide timely information to those who need it the most, this transition has introduced a great deal of risk to the confidentiality and integrity of the information. Coupled with the fact that the information can be quickly monetized by criminals through insurance fraud, extortion, and identity theft, the ecosystem is target-rich. Read More... What this means for health centers is that they are storing and transmitting high-value information in a dangerous environment which adds up to High Risk to the organization. The results of breaches include:  Reputational Breach Notification Laws require public notification of breaches Reduced ability to provide care Patients may withhold information if they cannot trust that it will be maintained confidentially Records that have been breached may contain incomplete or inaccurate information Financial Fines from the Office for Civil Rights Breach Notification costs; administrative and legal Remediation costs; technical remediation, staff retraining, Corrective Action Plans CAPs Legal action from affected patients and third party organizations Lost Business Loss of reputation may lead patients to seek care elsewhere Audience The strategies and tools in this Guide are targeted to all levels of health center staff, and health center partners that support Health IT Privacy & Security goals. Read More... Everyone who actively participates in the guidance and day to day operations of a health center have a responsibility to: Increase their awareness of primary healthcare security risk domains and the responsibilities of staff depending on their role within the health center to ensure better information security.   Improved their ability to recognize security risks within their own organization and better understand how to plan and mitigate for information security risks identified. Why Using this Guide is Important for Health Centers Community Health Centers need to continually refine their health IT security and privacy strategy. A lack in a clear strategic direction throughout all levels of health center services are being met with continually rising costs, across factors that include penalties, time expenditure, patient safety,trust and satisfaction, and the overall perception of quality held by related healthcare institutions. Health Centers need to invest in and devise a concrete roadmap and systems development and maintenance lifecycle that is transparent and supported by all levels of health center staff, including clinicial staff, front and back office staff, privacy and security staff, and the board of directors. Read More... Below are a few examples key stakeholders and their respective health IT privacy and security responsibilities All Clinical Staff: Even under emergency circumstances be diligent in handling and managing PHI Front and Back-Office Staff: Protect the confidentiality, integrity, and availability of electronic PHI at all times  Health Center Administration: Promote an organization-level committment to upholding best practices in health information privacy & security management.  Health Center Board of Directors: While a board is generally not involved in the day-to-day operations of cybersecurity, they do have a responsibility to ensure that proper structures are in place and that the organization is taking appropriate steps to identify and address cybersecurity risks How to Use this Guide Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean varius sapien nisl, id convallis justo semper nec. Pellentesque massa urna, cursus vitae accumsan eu, feugiat vel ipsum. Maecenas commodo libero lacus, non congue leo condimentum ullamcorper. Morbi vehicula accumsan quam. Integer accumsan velit ac lacinia pulvinar. Cras at arcu quam. Quisque a sagittis tortor. Nulla ut urna quam. Sed sodales justo ut rutrum luctus. Sed a tellus sollicitudin, bibendum dolor at, condimentum urna. Cras venenatis eu lectus eget interdum. Read More... Nam a euismod dolor. Etiam in ornare magna. Praesent eu posuere enim, mollis sagittis lectus. Praesent pharetra sit amet arcu sed tincidunt. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Ut finibus, dui quis laoreet vestibulum, purus arcu vestibulum mi, nec rhoncus ex purus ac orci. Duis egestas ligula eros, in commodo turpis vehicula nec. Donec vulputate pharetra sapien, non vestibulum quam consequat non. Nulla elementum tempus risus, eget dapibus purus faucibus vel. Quisque vitae volutpat est. Suspendisse molestie at nulla vitae cursus. Donec efficitur leo sed scelerisque elementum. Phasellus lacinia ante in bibendum aliquam. Fusce tempor mi sed risus egestas viverra. Sed quis nisl luctus, tristique est sit amet, vestibulum diam. Vivamus in eros tincidunt neque rutrum volutpat. Duis vulputate turpis a lacus eleifend volutpat. Nunc vel interdum felis, ut sollicitudin massa. Ut ac aliquam lorem, nec ultrices enim. Nulla volutpat eros libero, non malesuada risus faucibus eu. Donec ultrices sodales accumsan. Duis gravida, mi non pretium porttitor, mauris est pellentesque eros, id vestibulum augue lectus non eros.   Health IT Privacy & Security Key Factors Compliance The HIPAA Privacy and Security Rules provides a set of standards for the Confidentiality, Integrity, and Availability of electronic Protected Health Information ePHI. Health Centers are required to demonstrate compliance with the HIPAA Privacy and Security Rules through the implementation of Administrative, Technical, and Physical safeguards. Read More... The HIPAA Security Rule is designed as a Risk Management Framework that consists of conducting regular Security Risk Analysis and implementing a Risk Management Process that implements reasonable and appropriate safeguards. The HITECH Act of 2009 builds on the HIPAA Privacy and Security Rules to include Breach Notification Requirements, increased patient access to their medical records, compliance of Business Associates, and stronger enforcement of compliance. The Meaningful Use MU program also enacted in the HITECH Act included requirements to conduct an annual Security Risk Assessment as a prerequisite for collecting incentive moneys. While MU did not add any requirements that were not already a part of the HIPAA Security Rule, it did provide the incentive for many organizations to conduct regular Security Risk Assessment where they previously had not.   Security While the HIPAA Security Rule does provide the foundation for information security, it is important for organizations to understand that being compliant does not necessarily equate to having good security. It is important for organizations to continuously evaluate their organization and their systems against industry standards and guidance to ensure appropriate security controls are in place. This can certainly be performed in conjunction with a HIPAA compliance program. Read More... It is important for Health Center IT leadership to understand the key differences between security and compliance. As illustrated in the graphic below, while there is a cross-over between compliance and security to the degree that compliance establishes some security baselines, it is important to know that security encompasses a broader domain of required practices and controls in order to be effective.   Approach The Security Risk Assessment approach outlined in the HIPAA Security Rule is designed to allow organizations to implement “reasonable and appropriate” safeguards. Said another way, the Rule does not prescribe what specific safeguards must be in place. This allows for flexibility based on the size of the organization, the technology in place, the number of medical records, and other organization-specific considerations. Read More... An example of this flexibility is can be seen when considering Disaster Recovery Planning. What is a reasonable disaster recovery plan for a large health system would be excessive for a small doctor’s office. An OCR auditor would certainly have different expectations of these two types of organizations. While the framework of the HIPAA Security Rule provides flexibility, the non-prescriptive nature of it can make it difficult to understand how to comply with its requirements and find concrete examples and expertise. Many organizations become concerned about identifying and documenting risks in their risk assessment as they worry it will be an indicator of non-compliance. Between the lack of understanding of the requirements and the fear of documenting risks, many assessments end up being an enumeration of security controls or simple checklists. Neither of these deliverables would meet the expectations of a Security Risk Assessment. When looking at what is a “reasonable and appropriate” safeguard, organizations can look at what other similar organizations are doing. If other similar organizations are encrypting their laptops, it would seem reasonable to expect your organization to do the same. Finally, one can look at industry standards and guidance for information on what security controls are not only reasonable and appropriate, but also effective. Remember, the goal is effective security, not just checking the checkboxes for compliance.   Health Information Security Basics An important place to start with protecting ePHI is with the basics. This is considered the “blocking and tackling” of information security, or those things that users, managers, and IT staff should be performing day-in and day-out to protect information. Step 1: Identify ePHI Many organizations only consider their EMR when considering the security of their ePHI. What one must consider is that EMRs do not reside in a bubble. ePHI is transmitted to and from EMR systems, communication with patients and other third parties often occurs outside the EMR, and data is generated and stored outside the EMR.   Read More... ePHI must be protected both at rest and in transit i.e. as it is being transmitted both internally and externally. Consider the following typical areas where ePHI is stored or transmitted: Practice Management System Email Text Messages Other messaging systems Fax transmission and storage of faxes Billing Systems Patient Portals Phone conversations and voicemail Photocopiers and network printers Medical Devices Image storage Reports Backup Storage If the people using ePHI on a day-to-day basis can learn to recognize when they are handling ePHI and where it is stored and/or transmitted, they can start to have the awareness of how it can be protected. Step 2: Protect ePHI When EMR and other product vendors market the fact that their system is “HIPAA-Compliant”, many take that as assurance that the system is secure and don’t give additional thought to protecting the information. Read More... Unfortunately, no matter how secure the system is, it is when the ePHI is used that the risk of a breach increases. Examples of potential openings for breach include: A user uses the same or slightly modified password between their personal email account and their EMR account. That password is compromised either because their email system has been compromised or a family member may know or find out the email password. Now that password can be used to access the EMR system by a third party. A staff member exports a report from the EMR and attaches it to an email for a colleague, referring provider, or billing company use. The message is sent using a public email system to another public email system. The risks involved include: While the message is being transmitted unencrypted over the Internet, it could be intercepted A typo in the email address could lead to the message being read by an unintended recipient Either person’s email system could be compromised and the information breached Information from an EMR system is exported to a USB drive in order to transfer to another computer. USB drive is lost or reused by another staff member and therefore information is breached. Step 3: System Protections Most operating systems these days are capable of protecting information, however the out-of-the-box configuration is generally focused more on usability than security, so enabling security protections is something that must be performed deliberately. Read More... Here are a few steps that can be taken to increase the security posture of modern workstations, laptops, and tablets: Password protection – Password protecting your system enables the user to prevent unauthorized access to information and/or tampering with the system. This also prevents others from connecting to a system over the network, so even if a workstation is located in a more secure area, it is important that all sessions be properly authenticated. Current standards for strong passwords include: At least 8 characters Mixture of uppercase/lowercase, numbers, and symbols Not based off a single dictionary word though phrases are good Do not use the same password for multiple systems Individual user accounts – If more than one person will be using a system, create an account for each person. This will allow you to determine who used a system and when as well as grant access to information to other users on an as-needed basis. Encryption – Many systems have built-in encryption capabilities; however, it may not be enabled by default. If a system with ePHI is lost or stolen and the data is encrypted, this will provide safe harbor from breach notification. <citation needed> Furthermore, the HIPAA Security Rule requires that organizations encrypt ePHI wherever “reasonable and appropriate”. Failure to do so would require an organization to provide evidence that it was not reasonable and appropriate or to provide evidence that equivalent alternate safeguards are in place. End-Point Protection – Traditionally, end-point protection consists of Anti-Virus software that detects malware based on signatures. While this is still an important protection, today’s attacks have become adept at evading detection by anti-virus signature-based detection. End-point protection adds additional protections including: Additional behavior-based heuristics for detecting malware Built-in antispyware protection More intelligent host-based firewall Intrusion Detection and Warning Application control and user management Data input/output controls such as locking down USB ports and other removable storage Step 4: Continuous Maintenance One of the toughest aspects of privacy and security management is the diligence required to maintain safety. Security is not a one-time task and requires ongoing maintenance, upgrades, training and changes to workflow. Read More... Below are a few examples of ongoing maintenance tasks that organization should be performing: Security Awareness Training – This is all about creating a culture motivated and dedicated to securing patient data. Workforce members require regular reminders regarding how to detect suspicious activity, handling of ePHI, and what to do in the event of a security incident. This is especially important as threats evolve and new threats appear. Patching – Many breaches occur because systems have security vulnerabilities that have fixes available, however the fix has not been applied. Be diligent about operating system updates and updating of third party software and components. Review Policies and Procedures – As technology and work processes change, policies and procedures should be reviewed and updated accordingly. HIPAA requires that organizations have a policy for review of policies. Standard practice is to perform this task annually or as changes occur. Health Information Security Basics While the HIPAA Security Rule does provide a framework for security risk management, it can be difficult to know what specific steps to take to implement “reasonable and appropriate” security controls. Ways of determining this may include looking at what other similar organizations are doing and adopting relevant industry standards. One such standard organization effort that security administrators may wish to consider is The Center for Internet Security’s CIS Top 20 Critical Security Controls CSC. This standard is internationally recognized and provides guidance that is flexible for organizations of all size and maturity. The guidance is specific and practical and can often be adopted without spending a lot of money. Per the Australia Signals Directorate ASD: “Incorporating the Top 4, the eight mitigation strategies with an 'essential' rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations.” Critical Security Controls Read More... While ASD recommends the Top 4, CIS indicates “Controls CSC 1 through CSC 5 are essential to success and should be considered among the very first things to be done.” The top 5 controls include: CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges These controls do map to requirements of the HIPAA Security Rule and can be used to assist organizations in finding specific technical measures that can help meet the requirements. A mapping of the Top 5 Controls provides an example: # Control Family HIPAA Security Controls 1 Critical Security Control #1: Inventory of Authorized and Unauthorized Devices 164.310c: Workstation Security - R 164.310d1: Device and Media Controls: Accountability - A 2 Critical Security Control #2: Inventory of Authorized and Unauthorized Software 164.310c: Workstation Security - R 3 Critical Security Control #3: Secure Configurations for Hardware and Software 164.310c: Workstation Security - R 4 Critical Security Control #4: Continuous Vulnerability Assessment and Remediation 164.308a8: Evaluation 164.308a6: Security Incident Procedures 5 Critical Security Control #5: Controlled Use of Administrative Privileges 164.310b: Workstation Use - R 164.310c: Workstation Security - R 164.312: Access Control: Unique User Identification - R 164.312b: Audit Controls 164.312d: Person or Entity Authentication   Acknowledgements Origins and Ongoing Refinement of this Guide: The content in this resource is drawn from and builds on widely used Information and Security standards, tools and protocols that have continually increased in terms of required measures, especially over the past couple decades in which the Internet and the ever-growing Internet of Things have evolved and expanded. The HITEQ Center plans to continue refining this Guide based on input from users like you, so please consider sharing your feedback through the comment form. Read More... This guide was developed in collaboration with Adam Kehler, CISSP, a Senior Consultant within the Healthcare Information Privacy and Security division of Online Business Systems. Adam specializes in assisting healthcare organizations in managing and meeting compliance requirements such as conducting security risk assessments, systems vulnerability assessments and regulations associated with HIPAA and Meaningful Use criteria. Adam is assisting the HITEQ project in building out resources and guidance to health centers on privacy and security best practices. More Details...