Leading Texas Hospice Embraces Secure Messaging
The Solaris Hospice is one of the largest palliative care providers in the Southwest – operating from sixteen locations to provide care and support for more than four hundred patients each day. The hospice´s 150 physicians and nurses work in a vast rural area in which effective communication is a must in order to maintain the organization´s reputation as a healthcare leader among the communities it serves. One of the biggest issues experienced by the organization was maintaining the integrity of its client´s protected healthcare information (PHI) while its workforce was distributed throughout the community. Following the enactment of new regulations within the Health Insurance Portability and Accountability Act (HIPAA), all PHI now has to be encrypted and monitored when it is at rest or in transit. The new regulations mean that “traditional” methods of communicating patient data – such as SMS and email – are effectively outlawed, and this created an issue for community nurses who wanted to escalate patient concerns to the organization´s medical team or send images...
HIPAA Audits to Recommence in 2015
Following on from a series of pilot HIPAA audits, the HHS Office for Civil Rights (OCR) is planning a second round of random audits to ensure healthcare organizations are fully compliant with current HIPAA regulations. The next round of audits will also carry severe financial penalties for any violations uncovered. The next round of HIPAA audits was planned to start in October 2014, although the date has now been pushed back until 2015. It was announced at the San Diego American Health Information Management Association (AHIMA) annual convention that a round of 350 audits would be conducted on healthcare organizations, with a further 50 audits to be conducted on business associates to ensure compliance. Insurers and clearinghouses will also be subjected to audits in 2015. The healthcare organizations due to be audited have already been selected, although entities have also been selected to ensure better coverage across the whole of the United States and to ensure that a good diversity of entities are assessed for HIPAA compliance. This only gives healthcare organisations a few...
FDA Finalizes Guidelines on CyberSecurity and the Usage of Medical Devices
This month the Food and Drug Administration (FDA) has finalized its guidelines on the development of management strategies covering cybersecurity, the use of medical device and requirements for premarket submissions. The document is titled: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and is available on the FDA website. The document is essential reading for any medical device manufacturer to ensure future premarket submissions are accepted, and that steps are taken to ensure current medical devices being produced adhere to the new guidelines. The guidelines were prepared to force manufacturers to take the potential risk of cyber attacks into consideration and to incorporate appropriate security measures and safeguards to reduce the risk of susceptibility of attack and of device failure. The FDA identified potential vulnerabilities which could lead to the loss or theft of private data, although the agency has so far not released any information on specific injuries caused by cyber attacks. The presence of spyware/malware on doctors or...
FDA to Address Security Issues and HIPAA Compliance of Older Medical Devices
The FDA is to take action to address problems relating to the cybersecurity of medical devices following complaints from hospitals and healthcare providers that manufacturers of the devices are not being proactive in providing protection against cyber attacks. There has also been criticism of the makers of medical equipment for failing to upgrade older models, meaning threats remain or new equipment must be purchased. The FDA has already commenced a drive to build a more strategic and comprehensive cybersecurity program and has been running workshops to hear about security risks and concerns. The Agency is determined to get manufacturers to build in security controls rather than bolt them on afterwards and is in the process of finalizing its guidelines on pre-market approval procedures, which were first issued in the summer of 2013. The FDA director of Emergency Preparedness/Operations and Medical Countermeasures, Suzanne Schwartz, has stated that new guidance will be released imminently. Debunking Myths There is a common misconception that makers of medical devices have to obtain...
Cedars-Sinai HIPAA Breach Worse than Feared
A member of staff at the Cedars-Sinai Medical Center in Los Angeles, CA, reported the theft of a laptop computer in a home burglary in June this year. That laptop was reported to contain the medical records of “at least 500” individuals; however a forensic analysis has now been conducted that has revealed that the number of affected individuals is actually 33,136. The laptop was password-protected; however passwords can be cracked and they do not offer a sufficient level of protection to safeguard Protected Health Information. While HIPAA Rules do not demand that data must be encrypted – it is only an addressable area in the HIPAA Security Rule – Cedars-Sinai had decided to use data encryption software on all its portable devices. Unfortunately, this particular laptop had recently had operating system updates performed and the encryption software had mistakenly not been reinstalled. As a result, under HIPAA Rules Cedars-Sinai was obliged to send breach notification letters to all affected individuals to advise them that their PHI may have been inappropriately accessed and...



