Archive for August, 2008

  • SETA – Security Education, Training, and Awareness Programs

    Aug 27, 2008. Opinion.

    Thank you for joining us as we continue our HIPAA compliance series. This week, we will discuss the importance of Security Education, Training, and Awareness (SETA) programs. HIPAA section 164.308(a)(5) states that covered entities must “implement a security awareness and training program for all members of its workforce (including management).” The most expensive security technologies can be thwarted by people who lack sufficient training. You don’t have to spend thousands of dollars sending your staff to elaborate security training classes, but you should outline some responsibilities, and set policies governing staff behavior.

    This section has four implementation specifications: security reminders, protection from malicious software, log-in monitoring, and password management. Security reminders are simply a mechanism to make sure employees are aware of security risks, policies, and their responsibilities. The reminders can take any form, but you must document the reminder, its message, and the date it was sent.

    Anti-virus and anti-spyware software usually provides protection from malicious software. Your staff should understand how it works, and should check each morning to make sure it scanned and updated overnight. Your staff should also know how malicious software infects computers – usually through fraudulent or infected websites, email attachments, or open firewalls. Train your staff to be on the lookout for these threats.

    Log-in monitoring can be handled through Windows – provided you are using the Professional and not the Home version. You can use the Local Security Policy settings to record log-in attempts and lock users out after a specified number of failed attempts.

    Password management is a critical and difficult issue. Your practice should have policies and procedures for “creating, changing, and safeguarding passwords.” You should set minimum standards for creating passwords, such as number of characters, using numbers, capital letters, and special characters. You should also set policies for changing passwords. You can set password policies under Windows to expire after a certain time, and prevent employees from using the same password over again.

    However, the third criterion, safeguarding passwords, should balance the first two. You should have policies that forbid employees from sharing or writing down their passwords. You do want your employees to choose good passwords, but you also want them to remember their passwords without writing them down. Otherwise anyone can look through their desk and find the passwords, and if that happens, they have circumvented your entire security system.
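    The two specifications above that the post maps onto Windows settings, log-in monitoring with lockout and password management, can be modelled offline in a few dozen lines. The following is an added example and not code from the original post; its log format, policy values, user names and passwords are constructed for the example and are not the Windows event format or any real practice's data.

```python
"""Added example (not the original post's code): an offline model of two of
the HIPAA 164.308(a)(5) specifications, log-in monitoring with lockout after
repeated failures, and password management (composition rules, expiry, and
no reuse of recent passwords). All log lines, user names and passwords are
constructed sample data; the log format is an assumption for this example."""
import hashlib
import os
import re
from datetime import datetime, timedelta

# Constructed sample of logon records: date, time, result, user, workstation.
SAMPLE_LOG = """\
2008-08-27 08:01:10 FAILURE jsmith WS-FRONTDESK
2008-08-27 08:01:25 FAILURE jsmith WS-FRONTDESK
2008-08-27 08:01:40 FAILURE jsmith WS-FRONTDESK
2008-08-27 08:02:05 FAILURE jsmith WS-FRONTDESK
2008-08-27 08:02:30 FAILURE jsmith WS-FRONTDESK
2008-08-27 08:05:12 FAILURE rwilson WS-BILLING
2008-08-27 08:06:44 SUCCESS rwilson WS-BILLING
"""

LOCKOUT_THRESHOLD = 5                    # failed attempts before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)   # failures older than this no longer count


def find_lockouts(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the log and return {user: time of lockout} for every account that
    reached `threshold` failures inside `window`. In this model a successful
    logon clears the account's failure counter."""
    failures, locked = {}, {}
    for line in log_text.splitlines():
        date, time, result, user, _host = line.split()
        when = datetime.fromisoformat(f"{date} {time}")
        if result != "FAILURE":
            failures[user] = []
            continue
        recent = [t for t in failures.get(user, []) if when - t <= window]
        recent.append(when)
        failures[user] = recent
        if len(recent) >= threshold and user not in locked:
            locked[user] = when.isoformat(sep=" ")
    return locked


# Password management: minimum standards, expiry, and a history check.
POLICY = {"min_length": 8, "max_age_days": 90, "history_size": 5}
PBKDF2_ROUNDS = 100_000


def _derive(password, salt):
    # Only a salted, iterated hash is kept for the history, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember_password(history, password):
    """Append the new password's salt and hash to the user's history list."""
    salt = os.urandom(16)
    history.append((salt, _derive(password, salt)))


def check_new_password(password, history, policy=POLICY):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    recent = history[-policy["history_size"]:]
    if any(_derive(password, salt) == digest for salt, digest in recent):
        problems.append("reused a recent password")
    return problems


def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the policy's maximum age.
    Both dates are ISO strings such as '2008-08-27'."""
    age = datetime.fromisoformat(today) - datetime.fromisoformat(last_changed)
    return age > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    print("locked out:", find_lockouts(SAMPLE_LOG))
    hist = []
    remember_password(hist, "Summer2008!")
    print("reuse check:", check_new_password("Summer2008!", hist))
    print("expired:", password_expired("2008-05-01", "2008-08-27"))
```

    On the constructed log, jsmith is locked out at the fifth failure within the window while rwilson's single failure followed by a success is not flagged; the history check compares a candidate against salted hashes only, so the old passwords themselves are never stored.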

    The take-home message is that your staff needs to be aware of security. They should understand the consequences your practice will face if it is found to be non-compliant with HIPAA or worse, loses or discloses sensitive patient information. Finally, they should know their responsibilities and how to keep your systems safe.

    Ryan Ricks
    Security Officer
    www.xlemr.com

  • Optimize your EMR/EHR – Connect your lab instruments

    Aug 26, 2008. Implementation.

    Fletcher-Flora Health Care Systems, Inc. released their FFlex eLink™ laboratory instrument integration software for small to mid-sized laboratories, including Clinical Laboratory Improvement Amendments (CLIA) waived laboratories.

    In the absence of a traditional Laboratory Information System (LIS), FFlex eLink is software designed to provide much needed connectivity directly between a laboratory’s clinical instruments and an Electronic Medical Record, Practice Management System, Electronic Health Record or other host system. FFlex eLink streamlines integration of one or more instruments to a host, reducing the need for manual transcription of results. This will help increase lab efficiency, improve accuracy in the patient’s electronic record, and reduce liability associated with transcription errors.

    FFlex eLink not only accepts and transmits data, but also provides a user interface that allows you to define tests and reference ranges, approve or reject results and monitor real-time instrument logs. If offline results from manual tests need to be entered, FFlex eLink provides an intuitive way to manually enter results.

    “FFlex eLink is a simple and cost effective integration solution for an underserved segment of the laboratory market,” said Neal Flora, President and CEO of Fletcher-Flora Health Care Systems, Inc. “While a full LIS may be too large an investment for many labs, FFlex eLink can help streamline operation in the lab and optimize your IT investment by integrating otherwise separate pieces of your operation.”

    More information can be found at www.fletcher-flora.com or email FFlexeLinkSales@fletcher-flora.com.


  • Workforce Security – A Brief Overview of HIPAA Requirements

    Aug 20, 2008. Opinion.

    Hello and welcome back. This week we continue our discussion of HIPAA compliance with the workforce security requirement. Section 164.308(a)(3) of the HIPAA security rule requires covered entities to “implement policies and procedures to ensure that all members… have appropriate access to protected health information… and to prevent those workforce members who do not have access… from obtaining access…” We will look at three of the requirements here: limited access using role-based access controls, supervision procedures to check up on your employees, and termination procedures that will protect your systems when you must dismiss an employee.

    First, make a list of your employees and determine their job function. Role-based access control is the best approach for determining what data your employees need to know. Think about the different positions within your practice. You probably have one or two providers, a practice manager, nurses, billing staff, and maybe a receptionist. Once you identify the different jobs in your practice, decide what kind of information they need. The general rule of thumb is that if they do not need to see it, they should not have access to it. Limited data access using role-based access controls will significantly improve your security.

    The next requirement of this section calls for authorization and supervision procedures. Authorization can be handled through passwords, Windows file permissions, or controls built into your EMR software. Supervision can be a burden, though, if you have a large office. Consider installing remote administration software on your computers such as pcAnywhere or LogMeIn. There are even remote administration packages that will run from smart phones and PDAs. If you use a third-party IT service provider, they may already have remote access software installed on your system. You can use remote administration software to connect to your employees’ computers to give them assistance, or just pop in and see how they are doing.

    Your practice should also have termination procedures that will go into effect if you must fire, lay off, or otherwise dismiss an employee, contractor, or anyone with access to your data. Generally speaking, you should revoke all their access before you terminate them. This way it will not be possible for them to cause any damage should they be upset and wish to get revenge or take out their anger on your computer systems. Be sure to change or disable their user accounts in Windows, and in your EMR software, if applicable. You will also want to disable or remove any email or instant messaging accounts they have.

    While it may seem paranoid and callous to lock your system down against your own employees, workforce security requirements are included in the HIPAA security rule for a good reason. Studies show that you are much more likely to suffer harm from an employee than from a hacker over the internet. Employees can steal or destroy your data, either maliciously or by accident. The best way to protect yourself is to make sure your employees only have access to the information they need to perform their job.
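    The three requirements discussed above, role-based limits on data access, a review of who can see what, and revocation of every account at termination, fit in one small model. The following is an added example, not code from the original post; the roles, data categories, user names and system names are constructed for the example and stand in for the practice's own. Beyond the post's steps it also adds an orphaned-account check, which finds accounts in a system export that no longer belong to any current employee, the usual sign that a termination was not carried through everywhere.

```python
"""Added example (not the original post's code): a role-based access model
for the workforce-security requirement in HIPAA 164.308(a)(3), with a
termination routine and an orphaned-account audit. Roles, data categories,
users and system names are constructed for this example."""

# Which categories of data each job function needs (constructed; adapt to
# your practice). Any category not listed for a role is denied.
ROLE_ACCESS = {
    "provider":         {"clinical", "scheduling", "demographics"},
    "nurse":            {"clinical", "scheduling", "demographics"},
    "billing":          {"billing", "demographics"},
    "practice_manager": {"billing", "scheduling", "demographics", "audit"},
    "receptionist":     {"scheduling", "demographics"},
}


class Directory:
    """Current staff, their role, and the systems they hold accounts in
    (for example Windows, the EMR, e-mail and instant messaging)."""

    def __init__(self):
        self.roles = {}      # user -> role
        self.accounts = {}   # user -> set of systems with an active account

    def add_user(self, user, role, systems):
        if role not in ROLE_ACCESS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role
        self.accounts[user] = set(systems)

    def can_access(self, user, category):
        """Deny by default: an unknown user, or a category the user's role
        does not list, is refused."""
        role = self.roles.get(user)
        return role is not None and category in ROLE_ACCESS[role]

    def access_review(self):
        """The post's first step: who can see which data, for review."""
        return {u: sorted(ROLE_ACCESS[r]) for u, r in sorted(self.roles.items())}

    def terminate(self, user):
        """Revoke every account and the role, ideally before the person is
        told. Returns the systems that were disabled so the action can be
        documented; calling it twice returns an empty list."""
        disabled = sorted(self.accounts.pop(user, set()))
        self.roles.pop(user, None)
        return disabled

    def orphaned_accounts(self, system_exports):
        """Compare each system's account list ({system: [account names]})
        against current staff. Accounts with no current employee behind them
        survived a termination or were never cleaned up."""
        return {system: sorted(a for a in names if a not in self.roles)
                for system, names in system_exports.items()}


if __name__ == "__main__":
    d = Directory()
    d.add_user("jsmith", "receptionist", ["windows", "emr", "email"])
    d.add_user("rwilson", "billing", ["windows", "emr", "email", "im"])
    print(d.access_review())
    print("receptionist sees clinical notes?", d.can_access("jsmith", "clinical"))
    print("revoked for rwilson:", d.terminate("rwilson"))
    # A constructed EMR export that still lists rwilson after termination.
    print(d.orphaned_accounts({"emr": ["jsmith", "rwilson"], "email": ["jsmith"]}))
```

    Running the orphaned-account check against each system's real account export, not just the directory you maintain by hand, is what turns the termination procedure into something you can verify rather than something you hope was done.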

    For some brief statistics about the insider threat, click here.

    Ryan Ricks
    Security Officer
    www.xlemr.com

  • Risk Analysis – A basic How-to Guide

    Aug 11, 2008. Opinion.

    Welcome to part three of our risk analysis discussion. We know that the HIPAA security rule Section 164.308(a)(1) requires all covered entities to periodically conduct a formal risk analysis. Last week, we looked at some general categories of vulnerabilities and threats. This week, we will cover a simple method for conducting your analysis.

    Risk Analysis Steps:

    Identify the scope – First, you should make a list of all computers, networking equipment, and backup devices. You should include anything that stores, transmits, or processes your data. If your practice uses smart phones, BlackBerrys, Palm Pilots, or other handheld devices, be sure to include those in your list.

    Identify and document potential vulnerabilities – Second, you should make a list of potential vulnerabilities in your system. Refer to our last article, “Who’s Who – Vulnerabilities and Threats,” for a list of different types of vulnerabilities. You will want to check for these vulnerabilities on each device in your list. Security scanning tools, such as Nmap or Nessus, are invaluable.

    Identify and document potential threats – Third, refer to your list of vulnerabilities for each device, and identify potential threats. This step will be the most difficult. Vulnerabilities are concrete, but threats are amorphous and largely outside of your control. Refer to our last article “Who’s Who – Vulnerabilities and Threats,” for a list of different types of threats. Be creative for this step, and don’t forget the possibility of a threat from your staff or patients.

    Assess current security measures – Fourth, take a look at the security measures you have in place now and decide how they affect your vulnerabilities. Do they eliminate vulnerabilities and protect your system? Are they only partially effective? Are there any measures in place at all?

    Determine the probability of threat occurrence – Fifth, reference your list of vulnerabilities and threats, and try to determine the probability that a threat will exploit one of your vulnerabilities. A simple three-level approach is best. High probability means that there are multiple vulnerabilities and no effective controls. Medium probability implies a single vulnerability and the absence of controls. Low probability means controls are in place, but they might be weak or misconfigured.

    Determine the potential impact of threat occurrence – Sixth, review your list of vulnerabilities and threats, and try to determine what would happen if a threat exploits a vulnerability. There are generally five possible outcomes, from best to worst case scenarios: Temporary loss or unavailability of your data; unauthorized access or disclosure of your data; loss of physical assets; permanent loss or corruption of your data; and loss of your revenue. You should decide which of these scenarios apply and rate them as low, medium, or high.

    Determine the overall level of risk – Seventh, review the output of steps five and six. Pay attention to the probability and impact you listed for each vulnerability and threat. The impact usually drives the level of risk. However, you must make your own judgment to determine the level of risk for any given scenario.

    Identify Security Measures and finalize documentation – Lastly, you should identify new security controls to reduce your overall risk. Start with the high-risk items and work your way down. If you do not already have a comprehensive information security policy, now is a good time to start planning. For more information on security policy, see my article “Security for Healthcare” in the spring edition of EHR Scope, volume 5.
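    The eight steps above can be carried through end to end on a small inventory so that the output is a risk register sorted for step eight. The following is an added example and not code from the original post: the three-level probability rule and the five impact outcomes are the post's own, while the risk matrix used for step seven, the sample assets, their vulnerabilities and the ratings are assumptions made for the example.

```python
"""Added example (not the original post's code): the post's eight-step risk
analysis carried out on a constructed inventory. The three-level probability
rule and the five impact outcomes come from the post; the risk matrix and the
sample assets, vulnerabilities and ratings are assumptions for this example."""

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Step six: the five outcomes, best to worst, as listed in the post.
OUTCOMES = [
    "temporary loss or unavailability of data",
    "unauthorized access or disclosure of data",
    "loss of physical assets",
    "permanent loss or corruption of data",
    "loss of revenue",
]

# Steps one to four: a constructed inventory with the vulnerabilities found
# on each device and whether the controls in place are judged effective.
ASSETS = [
    {"asset": "front-desk workstation", "vulns": ["unpatched OS", "shared login"],
     "controls_effective": False,
     "impact": {"unauthorized access or disclosure of data": "high"}},
    {"asset": "billing server", "vulns": ["no backups"],
     "controls_effective": False,
     "impact": {"permanent loss or corruption of data": "high",
                "loss of revenue": "medium"}},
    {"asset": "provider smartphone", "vulns": ["no device PIN"],
     "controls_effective": True,
     "impact": {"unauthorized access or disclosure of data": "medium"}},
]


def probability(vuln_count, controls_effective):
    """Step five, the post's rule: controls in place -> low; several
    vulnerabilities and no effective control -> high; a single one and no
    control -> medium. No vulnerabilities at all is rated low here, an
    assumption since the post does not cover that case."""
    if controls_effective or vuln_count == 0:
        return "low"
    return "high" if vuln_count >= 2 else "medium"


def impact(ratings):
    """Step six: an asset's impact is its worst-rated applicable outcome."""
    for name in ratings:
        if name not in OUTCOMES:
            raise ValueError(f"unknown outcome {name!r}")
    return max(ratings.values(), key=LEVEL.__getitem__, default="low")


def overall_risk(prob, imp):
    """Step seven: impact drives the result and probability moves it at most
    one step. This matrix is an assumption; it is where your own judgment
    belongs."""
    if imp == "high":
        return "medium" if prob == "low" else "high"
    if imp == "medium":
        return "low" if prob == "low" else "medium"
    return "low"


def risk_register(assets):
    """Steps one to seven for every asset, sorted highest risk first so that
    step eight (choosing new controls) starts at the top of the list."""
    rows = []
    for a in assets:
        p = probability(len(a["vulns"]), a["controls_effective"])
        i = impact(a["impact"])
        rows.append({"asset": a["asset"], "probability": p,
                     "impact": i, "risk": overall_risk(p, i)})
    rows.sort(key=lambda r: (LEVEL[r["risk"]], LEVEL[r["impact"]]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in risk_register(ASSETS):
        print(f"{row['risk']:6}  {row['asset']:22}  "
              f"probability={row['probability']} impact={row['impact']}")
```

    On the constructed inventory the billing server ends up rated high even though its probability is only medium, which is the post's point that impact usually drives the level of risk; the smartphone, with an effective control in place, drops to low despite its open vulnerability.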

    I hope you found this guide useful for understanding risk analysis. It is the first and probably most important step towards complying with the HIPAA security rule. If you hire consultants to conduct your analysis, be sure to ask them about their methods and make sure they cover these points.

    Ryan Ricks
    Security Officer
    www.xlemr.com

  • Massachusetts requires EHRs in hospitals by 2015

    Aug 11, 2008. Government Initiatives, News.

    FCW.com
    Massachusetts Gov. Deval Patrick has signed into law a health care bill that will require hospitals and community health centers to use interoperable electronic health records (EHR) systems if they seek to obtain or renew licenses to operate in 2015 or afterward.

  • MacPractice assists clients to ePrescribe for free

    Aug 11, 2008. News, ePrescribing.

    DNAT Blog
    eRx NOW is a free internet-based electronic prescribing system provided by Allscripts, a member of the National ePrescribing Patient Safety Initiative (NEPSI). eRx NOW stores prescription history, provides drug interactions and is accessible via the Internet on a computer, a PDA or a cell phone. Free training and support for eRx NOW is provided by Allscripts.

  • Government EHR Incentives

    Aug 8, 2008. Insight.

    Health & Human Services’ Secretary Mike Leavitt announced 12 communities that will participate in a national Medicare demonstration project that provides incentive payments to physicians for using CCHIT-certified EHRs to improve the quality of patient care. The five-year project is expected to improve the quality of care provided to an estimated 3.6 million people.

    Chosen among a field of more than 30 applicants, the communities selected include Alabama, Delaware, Jacksonville, Fla., Georgia, Maine, Louisiana, Maryland/Washington, DC, Oklahoma, Pittsburgh, Pa., South Dakota, Virginia and Madison, Wis.

    Financial incentives will be provided to as many as 1,200 primary care physician practices in the selected communities that use certified EHRs to improve quality as measured by their performance on specific clinical quality measures. Total payments under the demonstration for all five years may be up to $58,000 per physician, or $290,000 per practice.

    If you are a PR practitioner for one of the EHR vendors who have participating doctors in these communities, it’s a good opportunity to leverage the project. Promote to the media how your EHR solution is helping move the country toward the National Health Information Infrastructure. Demonstrate the ROI and payment incentives your software is delivering to your customers in the form of a case study pitched to the healthcare IT trades and local media. Encourage trend stories on the project which could include your customer reference.

    __________________________________________________________________________________________

    By Shawn Whalen, SVP & Director, Healthcare IT Practice, Schwartz Communications
