Resource Search Results

Displaying records 1 through 6 of 6 found.

Strategic Cybersecurity Investments: Leveraging American Rescue Plan Funding to Enhance Infrastructure and Services: HITEQ Highlights webinar (2021). Resource Type: Archived Webinar. Description: Healthcare continues to be the sector most targeted globally by ransomware and related malware attacks, and it leads in the average total cost of a data breach across industries. The FY 2021 American Rescue Plan Funding provides an excellent opportunity for Health Centers to make strategic investments in cybersecurity infrastructure and services. This HITEQ Highlight, presented by Adam Kehler of Online Business Systems, provides an overview of assets that can increase Health Center cybersecurity. Topics covered include cybersecurity infrastructure and services that can increase defense-in-depth for health IT, including EHRs, telehealth tools and services, mobile medical devices, patient portals, and related health information software applications.

HITEQ Highlights: Health Center Defense Against the Dark Web: Strategies for Building Security Awareness, Education, and Compliance in 2020 (2020). Resource Type: Archived Webinar. Description: This HITEQ Center webinar explored key concepts and best practices that should be followed by Health Centers seeking to develop Defense in Depth and effectively implement hardened security programs at their sites. There are ever-increasing cybersecurity guidelines and protection measures that Health Centers must navigate and digest. This webinar sought to motivate and educate the health center workforce on critical privacy and security concepts and methods for defense. Aspects of Security Risk Assessment, security awareness training, and breach protection were covered, with an emphasis on health center-wide information protection.

Ransomware Guidance Presentation for Health Centers: Updated with Ransomware Strategies from CISA (2019). Resource Type: Publication. Description: This ransomware guidance presentation for health centers, updated with ransomware strategies from CISA, provides information about ransomware, HIPAA implications, recent examples from the news, and suggested resources.

Security Risk Assessment: A HITEQ Privacy & Security Resource - New Templates Added May 2017 (2017). Resource Type: Template. Description: To successfully attest, providers must conduct a security risk assessment (SRA), implement updates as needed, and correctly identify security deficiencies. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them.

Health IT Privacy & Security Skill Sets: The Importance of Information Security for all Health Center Staff (2017). Resource Type: Publication. Description: Since 2010, the healthcare industry has seen a remarkable increase in the use of technology in the administration and delivery of healthcare. This has led to a mass migration of data from paper charts and isolated systems to Electronic Medical Records (EMRs) and interconnected systems that transmit patient health and financial information across trusted and untrusted networks, and that require ever-evolving privacy and security measures to do so safely. While this has been a boon for the industry in its ability to provide timely information to those who need it the most, the transition has introduced a great deal of risk to the confidentiality and integrity of the information. Coupled with the fact that the information can be quickly monetized by criminals through insurance fraud, extortion, and identity theft, the ecosystem is target-rich. For an overview of the information contained herein, access the recorded webinar and companion materials, including a transcript and slides for reference.

Why Information Security Teamwork is Important for Health Centers

Resource Context: Health centers are storing and transmitting high-value information in a dangerous environment, which adds up to high risk to the organization. The results of breaches include:
- Reputational
  - Breach Notification Laws require public notification of breaches
  - Reduced ability to provide care
  - Patients may withhold information if they cannot trust that it will be kept confidential
  - Records that have been breached may contain incomplete or inaccurate information
- Financial
  - Fines from the Office for Civil Rights
  - Breach notification costs (administrative and legal)
  - Remediation costs (technical remediation, staff retraining, Corrective Action Plans (CAPs))
  - Legal action from affected patients and third-party organizations
- Lost Business
  - Loss of reputation may lead patients to seek care elsewhere

Audience: The strategies and tools in this Guide are targeted to all levels of health center staff, and to health center partners that support Health IT Privacy & Security goals. Everyone who actively participates in the guidance and day-to-day operations of a health center has a responsibility to:
- Increase their awareness of primary healthcare security risk domains and of the responsibilities of staff, depending on their role within the health center, to ensure better information security.
- Improve their ability to recognize security risks within their own organization and better understand how to plan for and mitigate the information security risks identified.

Why Using this Guide is Important for Health Centers: Community Health Centers need to continually refine their health IT security and privacy strategy. A lack of clear strategic direction throughout all levels of health center services is being met with continually rising costs, across factors that include penalties, time expenditure, patient safety, trust and satisfaction, and the overall perception of quality held by related healthcare institutions. Health Centers need to invest in and devise a concrete roadmap and a systems development and maintenance lifecycle that is transparent and supported by all levels of health center staff, including clinical staff, front and back office staff, privacy and security staff, and the board of directors. Below are a few examples of key stakeholders and their respective health IT privacy and security responsibilities:
- All Clinical Staff: Even under emergency circumstances, be diligent in handling and managing PHI.
- Front and Back-Office Staff: Protect the confidentiality, integrity, and availability of electronic PHI at all times.
- Health Center Administration: Promote an organization-level commitment to upholding best practices in health information privacy & security management.
- Health Center Board of Directors: While a board is generally not involved in the day-to-day operations of cybersecurity, it does have a responsibility to ensure that proper structures are in place and that the organization is taking appropriate steps to identify and address cybersecurity risks.

Health IT Privacy & Security Key Factors

Compliance: The HIPAA Privacy and Security Rules provide a set of standards for the Confidentiality, Integrity, and Availability of electronic Protected Health Information (ePHI). Health Centers are required to demonstrate compliance with the HIPAA Privacy and Security Rules through the implementation of Administrative, Technical, and Physical safeguards. The HIPAA Security Rule is designed as a Risk Management Framework that consists of conducting regular Security Risk Analysis and implementing a Risk Management Process that puts reasonable and appropriate safeguards in place. The HITECH Act of 2009 builds on the HIPAA Privacy and Security Rules to include Breach Notification Requirements, increased patient access to their medical records, compliance of Business Associates, and stronger enforcement of compliance. The Meaningful Use (MU) program, also enacted in the HITECH Act, included a requirement to conduct an annual Security Risk Assessment as a prerequisite for collecting incentive payments. While MU did not add any requirements that were not already part of the HIPAA Security Rule, it did provide the incentive for many organizations to conduct regular Security Risk Assessments where they previously had not.

Security: While the HIPAA Security Rule does provide the foundation for information security, it is important for organizations to understand that being compliant does not necessarily equate to having good security. Organizations should continuously evaluate themselves and their systems against industry standards and guidance to ensure appropriate security controls are in place. This can certainly be performed in conjunction with a HIPAA compliance program. It is important for Health Center IT leadership to understand the key differences between security and compliance. As illustrated in the graphic below, while there is cross-over between compliance and security, to the degree that compliance establishes some security baselines, security encompasses a broader domain of required practices and controls in order to be effective.

Approach: The Security Risk Assessment approach outlined in the HIPAA Security Rule is designed to allow organizations to implement "reasonable and appropriate" safeguards. Said another way, the Rule does not prescribe what specific safeguards must be in place. This allows for flexibility based on the size of the organization, the technology in place, the number of medical records, and other organization-specific considerations. An example of this flexibility can be seen when considering Disaster Recovery Planning. What is a reasonable disaster recovery plan for a large health system would be excessive for a small doctor's office, and an OCR auditor would certainly have different expectations of these two types of organizations. While the framework of the HIPAA Security Rule provides flexibility, its non-prescriptive nature can make it difficult to understand how to comply with its requirements and to find concrete examples and expertise. Many organizations become concerned about identifying and documenting risks in their risk assessment, as they worry it will be an indicator of non-compliance. Between the lack of understanding of the requirements and the fear of documenting risks, many assessments end up being an enumeration of security controls or simple checklists. Neither of these deliverables would meet the expectations of a Security Risk Assessment. When looking at what is a "reasonable and appropriate" safeguard, organizations can look at what other similar organizations are doing. If other similar organizations are encrypting their laptops, it would seem reasonable to expect your organization to do the same. Finally, one can look at industry standards and guidance for information on what security controls are not only reasonable and appropriate, but also effective. Remember, the goal is effective security, not just checking the checkboxes for compliance.

Health Information Security Basics

An important place to start with protecting ePHI is with the basics. This is considered the "blocking and tackling" of information security, or those things that users, managers, and IT staff should be performing day in and day out to protect information.

Step 1: Identify ePHI. Many organizations only consider their EMR when considering the security of their ePHI. What one must consider is that EMRs do not reside in a bubble. ePHI is transmitted to and from EMR systems, communication with patients and other third parties often occurs outside the EMR, and data is generated and stored outside the EMR. ePHI must be protected both at rest and in transit, i.e. as it is being transmitted both internally and externally. Consider the following typical areas where ePHI is stored or transmitted:
- Practice Management System
- Email
- Text Messages
- Other messaging systems
- Fax transmission and storage of faxes
- Billing Systems
- Patient Portals
- Phone conversations and voicemail
- Photocopiers and network printers
- Medical Devices
- Image storage
- Reports
- Backup Storage
If the people using ePHI on a day-to-day basis can learn to recognize when they are handling ePHI and where it is stored and/or transmitted, they can start to build awareness of how it can be protected.

Step 2: Protect ePHI. When EMR and other product vendors market the fact that their system is "HIPAA-Compliant", many take that as assurance that the system is secure and don't give additional thought to protecting the information. Unfortunately, no matter how secure the system is, it is when the ePHI is used that the risk of a breach increases. Examples of potential openings for breach include:
- A user uses the same or a slightly modified password for their personal email account and their EMR account. That password is compromised, either because their email system has been compromised or because a family member knows or finds out the email password. Now that password can be used by a third party to access the EMR system.
- A staff member exports a report from the EMR and attaches it to an email for a colleague, referring provider, or billing company to use. The message is sent from a public email system to another public email system. The risks involved include:
  - While the message is being transmitted unencrypted over the Internet, it could be intercepted
  - A typo in the email address could lead to the message being read by an unintended recipient
  - Either person's email system could be compromised and the information breached
- Information from an EMR system is exported to a USB drive in order to transfer it to another computer. The USB drive is lost or reused by another staff member, and the information is therefore breached.

Step 3: System Protections. Most operating systems these days are capable of protecting information; however, the out-of-the-box configuration is generally focused more on usability than security, so enabling security protections is something that must be performed deliberately. Here are a few steps that can be taken to increase the security posture of modern workstations, laptops, and tablets:
- Password protection: Password protecting your system enables the user to prevent unauthorized access to information and/or tampering with the system. This also prevents others from connecting to a system over the network, so even if a workstation is located in a more secure area, it is important that all sessions be properly authenticated. Current standards for strong passwords include:
  - At least 8 characters
  - A mixture of uppercase/lowercase, numbers, and symbols
  - Not based on a single dictionary word, though phrases are good
  - Not reusing the same password for multiple systems
- Individual user accounts: If more than one person will be using a system, create an account for each person. This will allow you to determine who used a system and when, as well as grant access to information to other users on an as-needed basis.
- Encryption: Many systems have built-in encryption capabilities; however, they may not be enabled by default. If a system with ePHI is lost or stolen and the data is encrypted, this will provide safe harbor from breach notification. Furthermore, the HIPAA Security Rule requires that organizations encrypt ePHI wherever "reasonable and appropriate". Failure to do so would require an organization to provide evidence that it was not reasonable and appropriate, or to provide evidence that equivalent alternate safeguards are in place.
- End-Point Protection: Traditionally, end-point protection consists of Anti-Virus software that detects malware based on signatures. While this is still an important protection, today's attacks have become adept at evading signature-based anti-virus detection. End-point protection adds additional protections, including:
  - Behavior-based heuristics for detecting malware
  - Built-in antispyware protection
  - A more intelligent host-based firewall
  - Intrusion Detection and Warning
  - Application control and user management
  - Data input/output controls, such as locking down USB ports and other removable storage

Step 4: Continuous Maintenance. One of the toughest aspects of privacy and security management is the diligence required to maintain safety. Security is not a one-time task and requires ongoing maintenance, upgrades, training, and changes to workflow. Below are a few examples of ongoing maintenance tasks that organizations should be performing:
- Security Awareness Training: This is all about creating a culture motivated and dedicated to securing patient data. Workforce members require regular reminders regarding how to detect suspicious activity, how to handle ePHI, and what to do in the event of a security incident. This is especially important as threats evolve and new threats appear.
- Patching: Many breaches occur because systems have security vulnerabilities for which fixes are available, but the fix has not been applied. Be diligent about operating system updates and about updating third-party software and components.
- Review Policies and Procedures: As technology and work processes change, policies and procedures should be reviewed and updated accordingly. HIPAA requires that organizations have a policy for the review of policies. Standard practice is to perform this task annually or as changes occur.

Critical Security Controls

While the HIPAA Security Rule does provide a framework for security risk management, it can be difficult to know what specific steps to take to implement "reasonable and appropriate" security controls. Ways of determining this may include looking at what other similar organizations are doing and adopting relevant industry standards. One such standards effort that security administrators may wish to consider is the Center for Internet Security's CIS Top 20 Critical Security Controls (CSC). This standard is internationally recognized and provides guidance that is flexible for organizations of all sizes and maturity levels. The guidance is specific and practical and can often be adopted without spending a lot of money. Per the Australian Signals Directorate (ASD): "Incorporating the Top 4, the eight mitigation strategies with an 'essential' rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations." While ASD recommends the Top 4, CIS indicates "Controls CSC 1 through CSC 5 are essential to success and should be considered among the very first things to be done." The top 5 controls are:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
These controls do map to requirements of the HIPAA Security Rule and can be used to assist organizations in finding specific technical measures that help meet the requirements. A mapping of the Top 5 Controls provides an example (R = required implementation specification, A = addressable implementation specification):
1. Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
   HIPAA Security Controls: 164.310(c) Workstation Security (R); 164.310(d)(1) Device and Media Controls: Accountability (A)
2. Critical Security Control #2: Inventory of Authorized and Unauthorized Software
   HIPAA Security Controls: 164.310(c) Workstation Security (R)
3. Critical Security Control #3: Secure Configurations for Hardware and Software
   HIPAA Security Controls: 164.310(c) Workstation Security (R)
4. Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
   HIPAA Security Controls: 164.308(a)(8) Evaluation; 164.308(a)(6) Security Incident Procedures
5. Critical Security Control #5: Controlled Use of Administrative Privileges
   HIPAA Security Controls: 164.310(b) Workstation Use (R); 164.310(c) Workstation Security (R); 164.312 Access Control: Unique User Identification (R); 164.312(b) Audit Controls; 164.312(d) Person or Entity Authentication

Acknowledgements

Origins and Ongoing Refinement of this Guide: The content in this resource is drawn from and builds on widely used information security standards, tools, and protocols that have continually increased in terms of required measures, especially over the past couple of decades in which the Internet and the ever-growing Internet of Things have evolved and expanded. The HITEQ Center plans to continue refining this Guide based on input from users like you, so please consider sharing your feedback through the comment form. This guide was developed in collaboration with Adam Kehler, CISSP, a Senior Consultant within the Healthcare Information Privacy and Security division of Online Business Systems. Adam specializes in assisting healthcare organizations in managing and meeting compliance requirements, such as conducting security risk assessments and systems vulnerability assessments, and in the regulations associated with HIPAA and Meaningful Use criteria. Adam is assisting the HITEQ project in building out resources and guidance to health centers on privacy and security best practices.

Breach Protection Overview Presentation for Health Centers: A HITEQ Privacy & Security Resource (2017). Resource Type: Publication. Description: Data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost. High-level breaches are increasingly occurring in a more targeted manner toward health centers. This presentation provides Health Center leadership and trainers with a template to use to build out their own organization-specific presentation on breach. The presentation template covers the following agenda:
- Quick Start
- Healthcare Privacy & Security
- Healthcare Privacy & Security Policies and Legislation
- Implications for Breach Management and Mitigation Strategies
- Questions and discussion

This project is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of an award totaling $6,625,000 with 0 percent financed with non-governmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement, by HRSA, HHS, or the U.S. Government. For more information, please visit HRSA.gov.