Posts Tagged security

You Can Help Improve Transparency in the Certified Health IT Market

Visit Open Forums in May to Inform a New Comparison Tool

Stop by to provide input at an upcoming open forum on the new EHR Reporting Program, which will provide publicly-available, no-cost, comparative information on certified health IT available on the market.

We are also providing a link for regional stakeholders to participate in the open forums virtually. Please note that the open forums are scheduled for two hours, but feel free to drop in whenever you are available.

In the 21st Century Cures Act of 2016, Congress directed the US Department of Health and Human Services (HHS) to establish a new EHR Reporting Program, which the Office of the National Coordinator for Health IT (ONC) is currently developing. The goal of this program is to provide publicly-available, comparative information about certified health IT features related to security, usability, interoperability, conformance to certification testing, and other areas in order to improve the transparency of the market.

ONC has contracted with the Urban Institute and its subcontractor, HealthTech Solutions, to obtain stakeholder input on how to develop the EHR Reporting Program through public open forums across the country. Input from people like you will help determine:

  • What information should developers of certified health IT report? What information from users could be made available?
  • How that information is collected
  • How this information will be disseminated to the public (for example, would you prefer a product comparison website, data in a spreadsheet, or something else?)

Upcoming Open Forums

Public Health/AL Medicaid/AL Health Information Exchange
Monday, May 20, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/155156076

AL Primary Healthcare Assn (FQHC)/ Rural Health
Monday, May 20, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/432907928

AL Academy of Pediatrics/Primary Care
Monday, May 20, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/505593044

Health Systems/Hospitals
Tuesday, May 21, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/824124145

General Public Open Forum
Tuesday, May 21, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/806771227

General Public Open Forum
Tuesday, May 21, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/675043250

Can’t make any of these events? Watch for more events where stakeholders can make suggestions at: https://healthtechsolutions.com/EHR-reporting-program.

If you have any questions regarding the Open Forum, please contact Pam Zemaitis of HealthTech Solutions at Pam.Zemaitis@HealthTechSolutions.com.

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately, by the time you finish reading this article, several businesses in the U.S. will experience this dreadful reality. Most commonly, the disaster will occur when an infected email attachment is opened and the malware spreads through the network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

The HIPAA Security Rule mandates that ransomware on your computer system or on that of a business associate must be reported to the government, as well as to the affected patients. If more than 500 records have been breached, you need to alert the media. The only caveat to this rule is if you can prove there’s a low probability that your protected health information has been compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Don’t Forget Your Risk Assessments!

Many medical practices are planning their Security Risk Assessments for the new year. Whether to better qualify for the 2019 Merit-based Incentive Payment System (MIPS) or to fulfill obligations to comply with the HIPAA Security Rule, a strong strategy now will reap benefits later. It’s a good time to remember what is required when conducting a Security Risk Assessment, as there tends to be confusion around what the Risk Assessment should include.

Here are some helpful reminders as we move through the first quarter of the year:

It’s Not Just a Checklist. A proper Security Risk Assessment is a thorough process where a covered entity under HIPAA should identify, prioritize and estimate the risks to practice operations resulting from the use of or implementation of a specific technology. Once the risks are identified, a plan of mitigation should be created that provides a roadmap for ongoing risk management.

Don’t Just Focus on EMR. While your EMR system, and the safeguards in place to protect EMR data, should absolutely be part of the Risk Assessment process, time should also be spent analyzing and assessing the risk to protected data that sits outside the EMR system. Identify the ePHI in the practice that resides outside the EMR application (e.g. files stored on users’ personal computers, data stored in ancillary systems, copiers and scanners, etc.) and assess the risk associated with this data as part of the assessment.

No Specific Methodology Required. While OCR has provided practices with guidance regarding the Security Risk Assessment requirement, there is no mandatory process or method that a practice must follow to comply with it. However, most security professionals recommend following accepted industry frameworks, such as those provided by the National Institute of Standards and Technology (NIST).

Revisit Previous Risk Assessments to Show Progress. When conducting a new Security Risk Assessment, review past analysis and make an effort to document progress made with regards to risk mitigation. As the spirit of the Security Rule has always been to encourage covered entities to use the Risk Assessment as a starting point for ongoing Risk Management, documenting progress made will show the practice doesn’t simply consider the Assessment a rote exercise but a vital part of managing and mitigating risk on an ongoing basis.

You Don’t Have to Outsource Your Security Risk Assessment. OCR is very quick to point out there is no requirement, neither in the Security Rule nor under MIPS, for covered entities to outsource their Security Risk Assessment. In fact, OCR has published a free, downloadable tool that practices can use to help with efforts to fulfill requirements (https://www.healthit.gov/topic/security-risk-assessment-tool). However, OCR does go out of its way to explain the time commitment and skillset required to adequately evaluate and utilize the tool, and encourages all covered entities to seek professional assistance when considering using these resources to self-perform the Security Risk Assessment.

A thorough Security Risk Assessment must stand up to an auditor or investigator, especially in the event of a security incident. A lack of proper Risk Analysis is cited in many investigative findings that have also carried large financial penalties. Take the time to consider how your practice will approach the Security Risk Assessment in 2019, and consider it as an opportunity to genuinely look at where you might be vulnerable and how the Assessment can be used as a springboard for true Risk Management.

References:

https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool

https://www.cms.gov/Medicare/Quality-Payment-Program/Resource-Library/2018-Cost-Performance-Category-Fact-Sheet.pdf

https://www.healthit.gov/topic/privacy-security/top-10-myths-security-risk-analysis

Nic Cofield is Director of Client Services with Jackson Thornton Technologies LLC (JTT). JTT is one of the Southeast’s leading providers of managed IT services, cybersecurity services/consulting and IT Risk Assessments to health care providers. JTT is wholly owned by Jackson Thornton CPAs & Consultants, which is a partner with the Medical Association.

Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million in publicized settlements and judgments for HIPAA violations in 2018. These numbers surpass previous years, with the closest year on record being 2016, in which HHS collected $23.5 million. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to attain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018. These numbers simply represent larger, more notable settlements and judgments. In fact, HHS took corrective action against countless health care providers, health plans and business associates last year, and it does not appear that these numbers will decrease in 2019. As of February 22, 2019, HHS has officially begun investigating over 50 entities for large scale breaches. For more information on these investigations of breaches of 500 individuals or more, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities who breach the PHI of 500 people or more to demonstrate transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactive monitoring of electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about its mandate to protect the privacy and security of PHI. Its record demonstrates that it can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations. This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients. If you are unsure about whether your HIPAA compliance program is adequate, or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, recent focus with regard to HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication to access your electronic system remotely? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in the May 2018 OCR Cyber Security Newsletter, the Office for Civil Rights (OCR) reminded providers that, in the midst of electronic security, appropriate physical security controls are also an important component. The HIPAA Security Rule requires that all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) accessing PHI must have physical safeguards in place to restrict access to authorized users.

According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy computer screens, cable locks, port and device locks (preventing access to USB ports or removable devices), positioning work screens in a manner in which they cannot be viewed, locking rooms that store electronic equipment, security cameras and security guards. Of course, which methods are appropriate for each provider will vary based on the provider’s risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Alabama Legislature Considers State Law on Cybersecurity

At the time of the writing of this article, Alabama is one step closer to having a law on the books related to cybersecurity. As one of only two states without a state data breach law, Alabama is considering legislation that requires certain entities, “covered entities,” to report to state agencies and affected individuals when there has been an unauthorized acquisition of “electronic, sensitive personally identifying information.”

On March 1, 2018, the Alabama Senate passed SB318, and if passed by the House and signed by the Governor, it would require “covered entities” to notify Alabama’s Attorney General, Alabama residents whose information has been compromised, and consumer credit-reporting agencies of a data breach. For health care providers covered by the Health Insurance Portability and Accountability Act (“HIPAA”), federal law already requires notification when they experience unauthorized disclosures of protected health information. In addition to HIPAA’s breach notification requirements, the new Alabama law would require reporting at the state level for healthcare providers who experience a data breach. It is important to note that the term “covered entities” in the proposed legislation is much broader and applies to persons or business entities that acquire or use personally identifiable information.

Investigation and Reporting

Under SB318, a covered entity is required to investigate any data breach and in some instances report the breach. The investigation must include:

  1. an assessment of the nature and scope of the breach,
  2. identification of any sensitive personally identifying information involved and the individuals involved,
  3. a determination as to whether the information was acquired by an unauthorized individual and could result in substantial harm, and
  4. identification and implementation of measures to restore the security and confidentiality of the system involved in the breach.

It is the second factor that determines whether the breach is reportable: Is the sensitive information reasonably believed to have been acquired by an unauthorized person? And is the unauthorized acquisition reasonably likely to cause substantial harm to the individuals?

The law sets forth four factors to consider when evaluating whether the information is “reasonably believed” to have been acquired by an unauthorized individual. In making this determination, the covered entity must evaluate “indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; indications that the information has been downloaded or copied; indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and whether the information has been made public.” Unfortunately, the law does not provide guidance on whether the breach is reasonably likely to cause substantial harm to the affected individual.

Even if a breach is not a reportable event, the covered entity must maintain relevant records for at least five years. For instance, if the covered entity determines the breach is not reasonably likely to cause substantial harm then no notification is required, but the entity should keep all records related to the breach and their determination that notification was not necessary for five years following the incident.

Required Security Measures

The proposed legislation also requires covered entities to implement “reasonable security measures” to protect an individual’s data. Similar to HIPAA, the bill requires the covered entity to designate an employee to coordinate security measures (i.e. HIPAA Security Officer) and to identify risks of data breaches. In recognizing that not all covered entities face the same risks or have the same resources, the required “reasonable” security measures should take into account the size of the covered entity, the amount of data maintained and stored by the covered entity and the cost to implement security measures. Good news for health care providers: if a health care provider has performed the necessary security and risk assessments required under HIPAA, it should easily meet the standards required in SB318.

Information that Triggers Notification

Not all information qualifies as “sensitive personally identifiable information.” To meet this definition, the accessed information must consist of the individual’s first name or initial and last name in combination with any one of these data elements:

  • A non-truncated (or shortened) Social Security or tax identification number;
  • Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity;
  • A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
  • Individual medical or mental history or treatment information;
  • A health insurance policy or identification number; and
  • A username or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.

Elements and Method of Notification

If the investigation concludes that notification must be made, the covered entity must provide notification as “expeditiously as possible but no more than 45 days after the determination of the breach.” The notification may be made by mail or email and must include the following elements:

  • The date, estimated date, or estimated date range of the breach;
  • A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
  • A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
  • A general description of steps a consumer can take to protect himself or herself from identity theft; and
  • Information that the individual can use to contact the covered entity to inquire about the breach.

Penalties

The legislation also includes penalties for failing to provide the required notifications, including a potential violation of the Alabama Deceptive Trade Practices Act (“ADTPA”). The Deceptive Trade Practice Act penalties would apply for willful or reckless disregard of the notification requirements. Civil money penalties are capped at $5,000 per day for each consecutive day the covered entity fails to comply with the notice provisions, and there is a $500,000 cap for violations under the ADTPA. A violation does not constitute a criminal offense and does not provide for a private right of action. In other words, a patient/consumer cannot sue the covered entity for the breach.

The bill is currently pending before the Alabama House of Representatives, bill number HB410.

Article contributed by Burr & Forman, LLP. Burr & Forman, LLP, is a partner with the Medical Association. Please read other articles from Burr & Forman, LLP, here.

Cyber Security: Five Common Phish Attack Schemes

Hackers only need you; that’s right, just you. They are sneaky and know the general population is busy and doesn’t pay close attention to the emails they receive. Hackers know people are comfortable in their daily habits. They exploit this behavior by creating email scenarios designed to encourage a click. They need just one person to click just one time to infect that person’s computer with malware that grants them access to the information they need to launch a more sinister attack.

“Phishing attacks are by far the most common cyber attack today, and these attacks continue to get more and more sophisticated. Gone are the days of the ‘dear sir’ attack; now we have to worry if an email appearing to be directly from a co-worker is actually from them,” said Steven Hines, president of Threat Advice.

Because hackers are continually changing their tactics, clicking on a nefarious email or link leading to a cyber attack can happen to anyone. Recognizing the threat before it turns into a disaster is just one way we each can be more prepared. The following are five ways hackers are currently trying to access your business and personal information:

  1. Look but don’t click. If the email address or the attachment name seems “phishy,” it probably is. Are there spelling or grammatical mistakes? Companies with professional staff are not going to make these types of mistakes.
  2. Analyze the salutation and signature closely. Most legitimate businesses will use your name rather than a generic greeting like “Dear customer.” The business should provide ways to contact them in the signature. If that’s not provided, it could be a phishing attempt.
  3. Know your brands. Hackers will spoof your favorite brands and make their emails look enough like the actual brand to fool you. Is the logo color wrong? Are there additional words in the brand name? Did you sign up to receive emails from them? Don’t click any links before you examine the email to confirm the sender.
  4. Urgent or Threatening – No one likes a bully. A common phishing technique is to use harassing or threatening language in the subject line or email content, or to create a sense of urgency to handle a fake problem. Most legitimate banks, utilities/municipalities and businesses will not ask you to provide your private information via email, nor threaten you in an email.
  5. What grandma said…“If it’s too good to be true, it probably is!” Hackers will continue to send phishing emails promising riches and prosperity if you only send your social security and bank information. Why? Because unfortunately, people still take the bait.

Article contributed by Cobbs Allen. Cobbs Allen is an official Gold Partner with the Medical Association. For more information about cyber liability insurance and how it protects your business, contact Margaret Ann Pyburn.

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members,” said Association President Jerry Harrison, M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment,” said Jeff Broudy, CEO of PCIHIPAA.

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

CMS Reveals New Medicare Card Design; Strengthens Fraud Protections

The Centers for Medicare & Medicaid Services has redesigned its Medicare card to remove Social Security numbers and use a unique, randomly-assigned number in an effort to better protect users from identity theft and fraud.

CMS will begin mailing the new cards to people with Medicare benefits in April 2018 to meet the statutory deadline for replacing all existing Medicare cards by April 2019. People with Medicare will also be able to see the design of the new Medicare card in the 2018 Medicare & You Handbook. The handbooks are being mailed and will arrive throughout September.

“The goal of the initiative to remove Social Security numbers from Medicare cards is to help prevent fraud, combat identify theft, and safeguard taxpayer dollars,” said CMS Administrator Seema Verma. “We’re very excited to share the new design.”

CMS has assigned all people with Medicare benefits a new, unique Medicare number, which contains a combination of numbers and uppercase letters. People with Medicare will receive a new Medicare card in the mail, and will be instructed to safely and securely destroy their current Medicare card and keep their new Medicare number confidential. Issuance of the new number will not change benefits that people with Medicare receive.

Health care providers and people with Medicare will be able to use secure look-up tools that will allow quick access to the new Medicare numbers when needed. There will also be a 21-month transition period where doctors, health care providers, and suppliers will be able to use either their current SSN-based Medicare Number or their new, unique Medicare number, to ease the transition.

This initiative takes important steps towards protecting the identities of people with Medicare. CMS is also working with healthcare providers to answer their questions and ensure that they have the information they need to make a successful transition to the new Medicare number. For more information, please visit: www.cms.gov/newcard.

How can providers get ready for the changes?

  • Ask your billing and office staff if your system can accept the new 11-digit alphanumeric Medicare Beneficiary Identifier or
  • If your system cannot accept the new number, system changes should be made by April 2018
  • If providers use vendors to bill Medicare, ask them about their MBI practice management system changes and make sure they are ready for the change
  • Verify your patients’ addresses: if the address you have on file is different from the address you get in electronic eligibility transaction responses, ask your patients to contact Social Security and update their Medicare records. This may require coordination between your billing and office staff.

For more information go to https://www.cms.gov/Medicare/New-Medicare-Card/Providers/Providers.html

Posted in: Medicare

“WannaCry” Ransomware Holds True to its Name

This week, countries around the world faced an unprecedented cyber security attack. On May 12, 2017, the Critical Infrastructure Protection Lead for the Department of Health and Human Services, Laura Wolfe, first reported it as a “significant security issue.” Hours later, the Department of Homeland Security’s Computer Emergency Readiness Team warned the public of a malware virus called “WannaCry.” As with typical ransomware, an individual would receive an email purposely designed to look like one sent by a business or individual the recipient may be familiar with, containing either a link or an attachment. Once opened, the virus spreads, giving the attackers access to computer systems and the ability to encrypt the information and extort money from the victim.

What’s the relationship between HIPAA and ransomware?

When a health care entity is the victim of a ransomware attack, the protected health information accessed during the attack is considered to be breached. Therefore, unless the affected entity can prove the information was encrypted prior to the attack, it must go through all of the usual steps to comply with the HIPAA Breach Notification Rule. This includes, but is not limited to, reporting the breach to people whose information was compromised no later than 60 days from discovering the breach. If the breach includes the protected health information of greater than 500 people, there must also be contemporaneous notice to HHS and news media outlets.

Why can’t you just follow the money?

Often, individuals connected to ransomware activity will use a currency called “Bitcoin.” Since around 2009, bitcoin has allowed for the exchange of goods and services without regard to the identity of the sender or recipient. Since there is no bank to act as a conduit, there are no transaction fees, which has allowed the use of bitcoins to increase in popularity among merchants. However, the anonymous nature of the transactions makes them difficult, if not impossible, to trace. This anonymity makes it a currency of choice among hackers.

Who does this affect?

Many health care entities built their information technology infrastructure around Windows XP when it was introduced in 2001. Windows XP was discontinued in 2014 and is no longer supported by Microsoft. As a result, it has not received necessary updates or security patches. Due to its initial popularity, many entities may still have at least one Windows XP device and have been sluggish to fully convert to a more secure operating system. Fortunately, as of the date of this article, experts have been able to identify the threat and dramatically slow the spread of the most recent virus. However, health care entities must be vigilant about addressing these cyber security concerns. Hackers are aware of these vulnerabilities and will continue to use their resources to exploit those weaknesses.

How can you protect yourself?

Make sure that you are using up-to-date antivirus software, and be sure to implement updates and patches as they are made available. Educate your staff on the importance of not opening suspicious emails, and teach them how to look for subtle irregularities hackers often use when they are attempting to pose as someone familiar to the recipient. Additionally, ensure you and your staff never click on links in emails that appear bizarre. A common example is an email from your banking institution that you were not expecting or a link to collect a fictitious lottery prize.

Victims of this cyber crime are encouraged not to pay the ransom because most often the information is still not made available by the hacker. Instead, if you believe that your system has been exposed to this malicious software, please report this threat to authorities. You can begin the process by contacting your FBI Field Office Cyber Task Force by visiting https://www.fbi.gov/contact-us/field-offices. You can also report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

Posted in: Liability
