Archive for Technology

You Can Help Improve Transparency in the Certified Health IT Market

You Can Help Improve Transparency in the Certified Health IT Market

Visit Open Forums in May to Inform a New Comparison Tool

Stop by to provide input at an upcoming open forum on the new EHR Reporting Program, which will provide publicly-available, no-cost, comparative information on certified health IT available on the market.

We are also providing a link for regional stakeholders to participate in the open forums virtually.  Please note that the open forums are scheduled for two hours, but feel free to drop-in when you’re available.

In the 21st Century Cures Act of 2016, Congress directed the US Department of Health and Human Services (HHS) to establish a new EHR Reporting Program, which the Office of the National Coordinator for Health IT (ONC) is currently developing. The goal of this program is to provide publicly-available, comparative information about certified health IT features related to security, usability, interoperability, conformance to certification testing, and other areas in order to improve the transparency of the market.

ONC has contracted with the Urban Institute and its subcontractor, HealthTech Solutions, to obtain stakeholder input on how to develop the EHR Reporting Program through public open forums across the country. Input from people like you will help determine:

  • What information should developers of certified health IT report? What information from users could be made available?
  • How that information is collected
  • How this information will be disseminated to the public (for example, would you prefer a product comparison website, data in a spreadsheet, or something else?)

Upcoming Open Forums

Public Health/AL Medicaid/AL Health Information Exchange
Monday, May 20, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/155156076

AL Primary Healthcare Assn (FQHC)/ Rural Health
Monday, May 20, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/432907928

AL Academy of Pediatrics/Primary Care
Monday, May 20, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/505593044

Health Systems/Hospitals
Tuesday, May 21, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/824124145

General Public Open Forum
Tuesday, May 21, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/806771227

General Public Open Forum
Tuesday, May 21, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/675043250

Can’t make any of these events? Watch for more events where stakeholders can make suggestions at: https://healthtechsolutions.com/EHR-reporting-program.

If you have any questions regarding the  Open Forum, please contact Pam Zemaitis of HealthTech Solutions at Pam.Zemaitis@HealthTechSolutions.com.

 

Posted in: Technology

Leave a Comment (0) →

The Painful Reality of Ransomware and How to Protect Against It

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately by the time you finish reading this article several businesses in the U.S. will experience this dreadful reality. Most commonly the disaster will occur when an infected email attachment is opened and spreads through a network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

The HIPAA Security Rule mandates that ransomware on your computer system or on that of a business associate must be reported to the government, as well as to the affected patients. If more than 500 records have been breached, you need to alert the media. The only caveat to this rule is if you can prove there’s a low probability that your protected health information has been compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology

Leave a Comment (0) →

HHS Proposes New Rules to Improve Interoperability of EHI

HHS Proposes New Rules to Improve Interoperability of EHI
Could new innovations in technology promote patient access and make no-cost health data exchange a reality for millions?

The U.S. Department of Health and Human Services (HHS) has proposed new rules to support seamless and secure access, exchange and use of electronic health information. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), would increase choice and competition while fostering innovation that promotes patient access to and control over their health information. The proposed ONC rule would require patient electronic access to this electronic health information (EHI) be made available at no cost.

“These proposed rules strive to bring the nation’s health care system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a health care system that pays for value rather than procedures, especially through empowering patients as consumers.”

CMS’ proposed changes to the health care delivery system support the MyHealthEData initiative and would increase the seamless flow of health information, reduce burden on patients and providers, and foster innovation by unleashing data for researchers and innovators. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. For the first time, CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information electronically by 2020.

In support of patient-centered health care, CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. By ensuring patients have easy access to their information, and that information follows them on their health care journey, we can reduce burden, and eliminate redundant procedures and testing thus giving clinicians the time to focus on improving care coordination and, ultimately, health outcomes.

“Today’s announcement builds on CMS’ efforts to create a more interoperable healthcare system, which improves patient access, seamless data exchange, and enhanced care coordination,” said CMS Administrator Seema Verma. “By requiring health insurers to share their information in an accessible, format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a health care future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” practices that unreasonably limit the availability, disclosure, and use of electronic health information undermine efforts to improve interoperability. Making this information publicly available may incentivize providers and clinicians to refrain from such practices.

ONC’s proposed rule promotes secure and more immediate access to health information for patients and their health care providers and new tools allowing for more choice in care and treatment. Specifically, the proposed rule calls on the health care industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. It also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. The proposed rule helps ensure patients can electronically access their electronic health information at no cost. The proposed rule also asks for comments on pricing information that could be included as part of their EHI and would help the public see the prices they are paying for their health care.

“By supporting secure access of electronic health information and strongly discouraging information blocking, the proposed rule supports the bi-partisan 21st Century Cures Act. The rule would support patients accessing and sharing their electronic health information while giving them the tools to shop for and coordinate their own health care,” said Don Rucker, M.D., National Coordinator for Health IT. “We encourage everyone – patients, patient advocates, health care providers, health IT developers, health information networks, application innovators, and anyone else interested in the interoperability and transparency of health information – to share their comments on the proposed rule.”

Policies in the proposed CMS and ONC rules align to advance interoperability in several important ways. CMS proposes that entities must conform to the same advanced API standards as those proposed for certified health IT in the ONC proposed rule, as well as including an aligned set of content and vocabulary standards for clinical data classes through the United States Core Data for Interoperability standard (USCDI). Together, these proposed rules address both technical and health care industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Aligning these requirements for payers, health care providers, and health IT developers will help to drive an interoperable health IT infrastructure across systems, ensuring providers and patients have access to health data when and where it is needed.

For a fact sheet on the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/newsroom/fact-sheets/cms-advances-interoperability-patient-access-health-data-through-new-proposals

For fact sheets on the ONC proposed rule, please visit: https://healthit.gov/nprm

To receive more information about CMS’s interoperability efforts, sign-up for listserv notifications, here: https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12443

To view the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/Center/Special-Topic/Interoperability-Center.html

Posted in: Technology

Leave a Comment (0) →

Are Your Electronic Devices Physically Secure?

Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, recent focus with regard to HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication to access your electronic system remotely? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in the May 2018 OCR Cyber Security Newsletter, the Office of Civil Rights (OCR) reminded providers that, in the midst of electronic security, appropriate physical security controls are also an important component. The HIPAA Security Rule requires that all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) accessing PHI must have physical safeguards in place to restrict access to authorized users.

According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy computer screens, cable locks, port and device locks (preventing access to USB ports or removable devices), positioning work screens in a manner in which they cannot be viewed, locking rooms that store electronic equipment, security cameras and security guards. Of course, which methods are appropriate for each provider will vary based on the provider’s risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Technology

Leave a Comment (0) →

Keep the Medical Association in Your Facebook News Feed

Keep the Medical Association in Your Facebook News Feed

Facebook changed its news feed algorithm to prioritize content from friends, family and groups so you are less likely to see public content from businesses, brands and news media now than before the first of the year. Facebook justified the change for “people’s well-being” and suggesting that businesses will have to work harder to get their members’ attention.

So, what can you do to keep the Medical Association in your Facebook news feed?

Desktop Computers

Go to the Medical Association Facebook page and make sure you have “liked” the page. Hover over “Following” and select “See first” from the drop-down menu.

 

Also switch “Events, Suggested Live Videos” to “On,” and you’re all set!

Phone and Tablet Users

On your smartphone or tablet, go to the Medical Association Facebook page and click “Like.”

Then select “Follow” or “Following;” click it and turn “Get Notifications” to the on position. Don’t forget to Like and Share our posts with your friends and family!

Posted in: Technology

Leave a Comment (0) →

What Eight Things You Should Do to Protect Your Business from Cyber Threats

What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 highlighted how computer files could be held hostage in return for payment, while the Dyn denial of service in October 2016 highlighted how websites like Airbnb and Twitter could be made inaccessible. Cyber threats are on the rise within the health care industry, as the information gained as a result is lucrative in value. Thus, it is important every physician practice take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in measures that will be most relevant to your practice. For instance, practices that host websites must preempt denial of service attacks, while those that hold private customer information electronically must prevent unauthorized access to their data. Of course, many practices will likely be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices in order to assess their security status relative to others. In addition, the website for the Office of Civil Rights, the government entity responsible for HIPAA compliance, contains guidance on various cybersecurity topics that may also prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should strive to use the most up-to-date software and avail themselves of periodic releases of software updates. Cyberattack methods constantly evolve, and older versions of software are more vulnerable to newer and more complex threats. For example, victims of the WannaCry ransomware attack were mainly those organizations that ran older versions of Windows operating software. Practices should also consider regularly backing up data and insulating that data from their computer network, segmenting their computer network, and monitoring network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often employ phishing scams by sending emails with attached malware to individuals who then promptly download the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.

Given that malicious emails are often sent by seemingly familiar senders, practices should teach employees how to spot subtle clues that indicate dangerous emails. For instance, employers should instruct employees to check whether the domain name of the originating account is a “near-miss” from what would be expected. For example, an employee recognizing “dot com” and “dot co” could be the difference in avoiding hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take instructed precautions against phishing attacks, practices should send their employees emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but at least the chances of doing so may be reduced.

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP, is an official Bronze Partner with the Medical Association.

Posted in: Technology

Leave a Comment (0) →