
Data Security for HIPAA Compliance

June 25, 2010  5:20 PM

Out of band content on your network can contain PHI that is not encrypted

Posted by: Azaltsman
electronic transcription, encryption, excel, microsoft word, powerpoint

So what does “out of band” mean? In networking the term describes managing a device over a channel separate from the network that carries the normal traffic. Configuring a router over Telnet or SSH is “in band” because the management session rides the same network as the data; plugging a serial console cable into the router is “out of band” because the session never touches the network at all.

So how does this relate to protected health information (PHI)? In healthcare, CIOs tend to assume that all patient information lives inside the electronic health records (EHR) system and spend their time and budget securing that system. That is the “in band” data. Out of band is the Microsoft Word, Excel or PowerPoint document containing PHI, the dictated transcription sitting in a .wav file on a workstation, the screenshot of a chart saved as a JPEG, and so on. In other words, documents and content that contain PHI but are NOT stored in the EHR system.

Healthcare organizations need to be cognizant of the data breach risk, and the resulting violations of federal and state law, should these out of band files be accessed by unauthorized individuals. Out of band content needs to be located and then either access-restricted or encrypted so that it does not fall into the wrong hands.
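Locating that content is the hard part, because it is scattered across file shares and workstations in formats the EHR never touches. The script below is an added example (not from the original post) that walks a share and flags files containing PHI indicators; it opens .docx/.xlsx/.pptx files as the zip archives they are, so no Office install is needed. The SSN, MRN and DOB patterns, the “MRN-” prefix format, and the sample files it builds are assumptions and constructed data.

```python
"""Find 'out of band' PHI on a file share: text files and Office Open XML
documents outside the EHR. Added example, not from the original post.
Assumes a directory tree of plain-text and .docx/.xlsx/.pptx files; OOXML
files are zip archives holding XML, so they can be searched without Office.
"""
import os
import re
import tempfile
import zipfile

# PHI indicators. The MRN format ("MRN-" plus 6-8 digits) is an assumption;
# use your own registration system's format in practice.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,8}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}
TEXT_EXT = {".txt", ".csv", ".log", ".rtf"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}
TAG_RE = re.compile(r"<[^>]+>")


def extract_text(path):
    """Return searchable text for one file, or '' if the type is not handled."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEXT_EXT:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    if ext in OOXML_EXT and zipfile.is_zipfile(path):
        parts = []
        with zipfile.ZipFile(path) as z:
            for name in z.namelist():
                # word/document.xml, xl/sharedStrings.xml, ppt/slides/slideN.xml ...
                if name.endswith(".xml") and any(p in name for p in ("word/", "xl/", "ppt/")):
                    xml = z.read(name).decode("utf-8", "replace")
                    parts.append(TAG_RE.sub(" ", xml))  # drop tags, keep text runs
        return " ".join(parts)
    return ""


def scan_tree(root):
    """Walk root; return {path: {indicator: hit_count}} for files that match."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = extract_text(path)
            if not text:
                continue
            hits = {k: len(p.findall(text)) for k, p in PATTERNS.items()}
            hits = {k: n for k, n in hits.items() if n}
            if hits:
                findings[path] = hits
    return findings


def make_sample_share(root):
    """Constructed sample data: a harmless memo, a transcription queue CSV
    and a minimal Word document, the last two containing PHI.
    Returns the paths that should be flagged."""
    with open(os.path.join(root, "memo.txt"), "w") as f:
        f.write("Staff meeting moved to 3pm.\n")
    csv = os.path.join(root, "transcription_queue.csv")
    with open(csv, "w") as f:
        f.write("MRN-00123456,DOB: 04/12/1961,chest pain\n")
    docx = os.path.join(root, "referral.docx")
    with zipfile.ZipFile(docx, "w") as z:
        # A real .docx has more parts, but document.xml is where the text lives.
        body = ("<w:document><w:body><w:p><w:r><w:t>"
                "Patient SSN 123-45-6789, MRN-00987654"
                "</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/document.xml", body)
    return {csv, docx}


def demo():
    """Build the constructed share in a temp dir and scan it.
    Returns (expected_basenames, {basename: hits})."""
    root = tempfile.mkdtemp(prefix="oob-phi-")
    expected = {os.path.basename(p) for p in make_sample_share(root)}
    found = {os.path.basename(p): h for p, h in scan_tree(root).items()}
    return expected, found


if __name__ == "__main__":
    _, found = demo()
    for name, hits in sorted(found.items()):
        print(name, hits)
```

Run it against a real share root instead of the temp directory and triage the output: files that must exist get moved behind ACLs or encrypted, the rest get deleted. Add .wav and image types to the walk only if you have transcription or OCR to turn them into text; the script cannot see inside them.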

June 25, 2010  4:08 PM

Do you know your state breach notification laws?

Posted by: Azaltsman
HIPAA, HIPAA Security Rule, pci compliance, phi, robert hudock, state breach notification laws

Almost every state in the nation has some sort of data breach notification law, applying to companies that do business in the state or hold data on its residents. Each state has its own definition of what constitutes private information. For example, the New York Information Security and Breach Notification Act defines private information as:

“personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:

(1) social security number;

(2) driver’s license number or non-driver identification card number; or

(3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual’s financial account.”

This type of information is usually associated with financial data, and therefore with PCI compliance. However, there is considerable overlap between this kind of data and protected health information (PHI): a patient record routinely holds the SSN, driver’s license number or card number next to the clinical data. If “private information” stored alongside PHI is not encrypted and is breached, your organization may be subject to these state laws in addition to the HIPAA Security Rule and the HITECH breach notification requirements.

State laws, such as the New York law quoted above, treat encryption as a method of securing data. Note the condition in the definition: encrypted data counts as private information again if the encryption key was acquired along with it, so key management matters as much as the cipher. Implementing encryption for PHI and financial information on your network, with the keys kept separate from the data, will likely protect your organization from a myriad of laws regulating unauthorized disclosure of such information.

Robert Hudock, an attorney with Epstein Becker Green in Washington, DC has a great blog called Law Blog 2.0 and lists breach notification laws for all states. You should always check with your state for the latest updates but Robert’s blog is a great place to start.

June 25, 2010  3:27 PM

Do your backup tapes hold PHI that is not encrypted?

Posted by: Azaltsman
aes, backup tapes, data breach, des, disaster recovery, disk to disk backup, encryption, HIPAA, pgp, phi, symantec

Most organizations today use tapes as the target media for their data backup software. Although disk-to-disk and offsite backup technology has been around for many years, companies continue to rely on backup tapes for data and disaster recovery. A backup tape is a highly portable medium, and a lost or stolen tape can easily expose your organization to a data breach.

Tape backup systems have at least three components: the tape drive, the backup software, and the tapes themselves. A typical configuration is a tape drive connected by cable (usually SCSI or USB) to a server running the backup software. The software, such as Symantec Backup Exec, is scheduled to back up data from computer systems on your network; agents are sometimes deployed to remote systems to speed up the process. Data reaches the backup server over the network, from directly attached storage, or from a storage area network (SAN), and is then written to tape in the vendor’s proprietary backup format. Proprietary does not mean encrypted: anyone with the same software, or a tool that understands the format, can read an unencrypted tape.

If you have electronic protected health information (PHI) on your network and it is being backed up to tape, you should do one of the following:

  • Enable data encryption in the tape backup software. Make sure you understand how data is encrypted and how it is decrypted when you need to restore: know where the keys are stored, and test a restore, because an encrypted tape whose only key lives on the backup server is unrecoverable after that server is lost. Make sure the encryption is actually strong (algorithm and key length). If the backup software is using DES, a 56-bit cipher that can be brute-forced with modest hardware, it is not a secure way to protect your data. AES with a key of at least 128 bits is recommended.
  • Encrypt the data before it is copied to tape. This requires software that encrypts files on your network (PGP or a file/volume encryption product, for example). Data that is already encrypted when the backup software reads it stays encrypted on tape regardless of the backup product’s own settings.

Tapes are easily lost, and off-site rotation for disaster recovery puts them in the hands of couriers and storage vendors. Consider moving to an offsite backup service or a secure disk-to-disk backup system, keeping in mind that data sent off-site over the wire needs the same encryption as data sent out on a tape.
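Whether the tape really holds ciphertext is something you can check on the image the backup software writes, before the tape leaves the building. The script below is an added example, not from the original post or any backup product: it plants a known record (a canary) in the source data and then looks for it in the backup image, both directly and after trying to inflate the image, because many backup formats compress but do not encrypt. High entropy alone is deliberately not treated as proof of encryption, since compressed plaintext scores just as high. The source records, the canary, and the random-bytes stand-in for AES output are constructed.

```python
"""Check whether a backup image actually holds ciphertext before it goes to tape.

Added example, not from the original post or any backup vendor. It works on
whatever blob the backup software writes; all sample data below is constructed.
"""
import math
import os
import zlib
from collections import Counter

# Constructed "source data" that would be backed up. The canary is one record we
# know is in the source; if it can be read out of the tape image, PHI is exposed.
SOURCE = (b"MRN-00123456,Doe,Jane,04/12/1961,chest pain\n" * 50
          + b"MRN-00987654,Roe,Richard,09/30/1955,fracture\n" * 50)
CANARY = b"MRN-00987654,Roe,Richard"


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext AND for compressed data,
    around 4-5 for text. Useful to prove a blob is plaintext, never the reverse."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def try_decompress(blob):
    """Backup formats often compress before (or instead of) encrypting.
    zlib and gzip streams inflate; real ciphertext does not."""
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16):  # zlib wrapper, gzip wrapper
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None


def assess_image(blob, canary=CANARY):
    """Verdict for one backup image. 'exposed' is True when the canary is
    readable directly or after inflating the image."""
    inflated = try_decompress(blob)
    exposed = canary in blob or (inflated is not None and canary in inflated)
    return {
        "entropy": round(shannon_entropy(blob), 2),
        "compressed": inflated is not None,
        "exposed": exposed,
        "verdict": ("PLAINTEXT PHI READABLE" if exposed else
                    "no plaintext found: verify cipher settings and test a restore without the key"),
    }


def sample_images():
    """Three constructed images of the same source: a raw copy, a compressed
    copy, and a stand-in for AES output. os.urandom stands in for ciphertext
    here (assumption: good ciphertext is indistinguishable from random bytes);
    it is not an encryption method."""
    return {
        "raw": SOURCE,
        "compressed": zlib.compress(SOURCE),
        "encrypted": os.urandom(len(SOURCE)),
    }


if __name__ == "__main__":
    for name, blob in sample_images().items():
        print(f"{name:10s} {assess_image(blob)}")
```

The compressed image is the instructive case: its entropy looks like ciphertext, yet the canary comes straight back out after inflating. The positive case (no plaintext found) is only a necessary condition; the real proof is a restore attempt on a second server that does not have the key, which should fail.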

June 18, 2010  2:30 PM

Is PHI leaving your network and putting you at HIPAA and HITECH compliance risk?

Posted by: Azaltsman
data leakage prevention, DLP, encryption, hitech act

Electronic protected health information (PHI) lives on your network in many places: file shares, e-mail systems, databases, the EHR itself, and practice management applications, to name a few. It’s important to know where this data is stored so that you can secure it properly. Encryption should certainly be considered, but it’s equally important to know that unencrypted PHI does not leave your internal network or your secured wide area network in the first place.

Products from data leakage prevention (DLP) vendors have made it easier than ever to monitor your network for PHI. DLP solutions can alert you when PHI is leaving your network, and some can block it. For example, a user logging into her Gmail account to send an unsecured (and perhaps unauthorized) e-mail with an attachment containing PHI is one of the major fears of any IT security executive. Another example: a user can connect to one of the many web-based file transfer portals, or even a plain FTP server, to move documents containing PHI off your network.

DLP products are often deployed together with web proxies, which is where outbound web mail and file uploads can be inspected and, if necessary, blocked. Investigating this technology for your network could be time well spent and save you from a potential compliance headache.
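One way a DLP inspection point recognises the organization’s own PHI, rather than anything that merely looks like a patient number, is exact data matching: the patient identifier list is indexed as keyed hashes, so the proxy never stores plaintext identifiers, and outbound messages (attachments included) are checked against that index. The code below is an added example, not from the original post or any DLP vendor; the MRN format, the domain allow-list, the key, the thresholds and the sample outbound mail to Gmail are all constructed assumptions.

```python
"""Exact-data-match inspection of outbound mail at a DLP/proxy inspection point.

Added example, not from the original post or any DLP product. Assumes the
organization can export its patient identifier list (MRNs here) and that the
inspection point sees the raw outbound message. Identifiers are indexed only
as HMACs so the DLP box never holds plaintext PHI. Key and data are constructed.
"""
import base64
import hashlib
import hmac
import re
from email import message_from_string

EDM_KEY = b"constructed-demo-key"            # assumption: comes from a KMS/HSM in practice
MRN_RE = re.compile(r"\bMRN[-: ]?\d{6,8}\b")  # assumption: the hospital's MRN format
ALLOWED_DOMAINS = {"hospital.example"}        # hypothetical internal/partner domains
BLOCK_THRESHOLD = 1                           # one real patient MRN outbound is enough


def fingerprint(identifier):
    """Keyed hash of a normalised identifier; the DLP index holds only these."""
    norm = re.sub(r"[-: ]", "", identifier.upper())
    return hmac.new(EDM_KEY, norm.encode(), hashlib.sha256).hexdigest()


def build_index(identifiers):
    return {fingerprint(i) for i in identifiers}


def extract_text(raw_message):
    """Concatenate decoded text from every MIME part, attachments included."""
    chunks = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload:
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def inspect(raw_message, index):
    """Return (decision, matched_count). A pattern hit that is not in the index
    only alerts: it may be a test value or another hospital's number."""
    msg = message_from_string(raw_message)
    to_domain = msg["To"].split("@")[-1].strip("> ").lower()
    candidates = set(MRN_RE.findall(extract_text(raw_message)))
    matched = sum(1 for c in candidates if fingerprint(c) in index)
    if to_domain in ALLOWED_DOMAINS:
        return "allow", matched
    if matched >= BLOCK_THRESHOLD:
        return "block", matched
    if candidates:
        return "alert", matched
    return "allow", matched


# Constructed sample: a user mailing a referral note with a PHI attachment to Gmail.
PATIENT_MRNS = ["MRN-00123456", "MRN-00987654", "MRN-00555555"]
ATTACHMENT = base64.b64encode(
    b"Referral summary\nMRN-00987654 Roe, Richard\nMRN-00123456 Doe, Jane\n"
).decode()
OUTBOUND_MAIL = f"""From: nurse@hospital.example
To: someone@gmail.com
Subject: referral
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached, also MRN-00111111 is a test record
--XYZ
Content-Type: text/plain; name="referral.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="referral.txt"

{ATTACHMENT}
--XYZ--
"""

if __name__ == "__main__":
    index = build_index(PATIENT_MRNS)
    print(inspect(OUTBOUND_MAIL, index))  # the two real MRNs in the attachment trigger a block
```

The same index and inspect logic applies to an HTTP upload body captured at the proxy; only the recipient check changes to the destination host. Rotate EDM_KEY together with the index, and rebuild the index from the registration system on a schedule so new patients are covered.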

June 9, 2010  12:49 PM

How HIPAA Security Rule Enforcement works

Posted by: Azaltsman
corrective action, enforcement, HIPAA Security Rule, hitech act, OCR, office of general counsel, resolution agreement

Marylou King from the U.S. Department of Health and Human Services (HHS) Office of General Counsel recently spoke at the NIST 2010 HIPAA Security Conference about how the HIPAA Security Rule is enforced. Her presentation was in the context of the HITECH Act and was specifically targeted toward an audience that needed to understand how violations are dealt with.

The key number to be aware of is 500. The HHS Office for Civil Rights (OCR) opens a review of every breach affecting 500 or more individuals, the HITECH reporting threshold. Clearly, it is very easy for a breach of electronic protected health information (PHI or ePHI) to surpass 500 individuals; the breaches reported recently have typically involved tens of thousands of records.

Covered entities need to be prepared to investigate the breach and provide a root cause analysis. Thoroughly documenting the breach, how it happened, and specifically what has been done to fix the security issue so that it does not happen again is required.

At the conclusion of the investigation OCR may settle through an informal process, a Resolution Agreement with a Corrective Action Plan (as allowed in 45 CFR 160.312). These agreements seem to apply in “good faith” cases where the covered entity or business associate (CE/BA) cooperates with HHS OCR in resolving the issues. More serious breaches are subject to a formal investigation that includes formal fact finding and potential civil monetary penalties (CMP).

The most common issues found were:

– Information access management

– Access control

– Security awareness training

– Security incident procedures

– Devices and media controls.

May 17, 2010  10:03 PM

Best Practices for Securing Social Media in Healthcare – NIST Conference Part 4

Posted by: Azaltsman
audit, best practices, DLP, facebook, linkedin, phi, social media, standard of conduct, twitter

Social media touches many sectors, and healthcare is one of them. But how do you maintain compliance standards and ensure that social media is used not only appropriately, but by the right people? Sharon Finney from Adventist Health System in Winter Park, Florida prepared an excellent presentation at the 2010 NIST HIPAA conference. She shared her experience in developing and implementing a comprehensive, risk-based policy at her organization.

The cornerstone of Sharon’s work has been the creation of a corporate policy and standard of conduct for social media. In order to be successful in creating these documents you must have executive buy-in from an “executive sponsor”. This sponsor is typically a VP of Marketing or PR.

Sharon recommends assembling a team that includes representatives from legal, HR, compliance, data security, and IT departments to help shape and implement the social media policies. She recommends the following steps:

  • Create a policy on social media – define scope of use such as who has legitimate business reasons (marketing, HR, communications, training, outreach, etc).
  • Create a standard of conduct manual so that employees know how they should conduct themselves online. Ensure that proper disclaimers are placed. Look at the HP, IBM and Microsoft standards of conduct as a good start.
  • Watch out for exceptions to policies. If you grant too many exceptions the exceptions become the rule. Create a tedious exception policy to discourage exceptions.
  • Define your organization’s risk tolerance.
  • Define sanctions for non-compliance and ensure employees know them.
  • Create a plan for monitoring including who will be doing the monitoring, what is being monitored, and the frequency of monitoring.
  • Create a quarterly audit policy trickled down to department heads to ensure that they review how their direct reports spend time online.
  • Clearly define what employees should and should not do (Adventist has about 36 points).
  • Create a policy on monitoring and enforce it. Setup alerts for certain conditions.
  • Implement DLP (Data Loss Prevention) technologies to prevent critical data (like PHI) from leaving your network.
You should also create an incident response plan that includes all the appropriate parties. Ensuring that all employees are properly trained and understand the policy and standards is the key to success.

May 17, 2010  9:12 PM

EHR Certification Criteria Correlation to HIPAA Security Rule – NIST Conference Part 3

Posted by: Azaltsman
access control, audit, authentication, ehr, encryption, HIPAA Security Rule, integrity, Meaningful use, NIST

Covered entities seeking the incentive payments for implementing an electronic health records (EHR) system must choose a product that has been certified against the “meaningful use” criteria. In his presentation on the correlation between the HIPAA Security Rule and the certification criteria, Steven Posnack from the Office of the National Coordinator for Health Information Technology (ONC) described how the key elements line up.

ONC has created criteria for both a complete EHR and an EHR module. It should be noted that components of the HIPAA Security Rule apply to both the complete EHR and an individual module. Key elements common to both the HIPAA Security Rule (45 CFR 164.302) and the proposed criteria for EHR certification (45 CFR 170.302) are as follows:

  • Access control
  • Emergency Access
  • Automatic Logoff
  • Encryption
  • Audit
  • Integrity (of data)
  • Authentication
EHR products need to meet these criteria in order to be eligible for certification. It’s also important to understand that using a certified EHR system does not, in and of itself, make you compliant with the HIPAA Security Rule. You must ensure that all other IT systems that contain PHI are properly secured and compliant with the Security Rule as well.
Also, certification applies to the technology, not to the organization: you must actually use the certified technology, with its security controls properly implemented, in order to be a meaningful user.
Updates on methods for certification of EHR systems being developed can be viewed on the NIST Healthcare IT web site.

May 17, 2010  9:00 AM

White House is serious about data and PHI security – NIST Conference Part 2

Posted by: Azaltsman
cyber security, deterrence, encryption, howard schmidt, phi, privacy, private partnerships, resilience, white house

Howard Schmidt, the newly-appointed White House cyber security coordinator, gave a fantastic presentation about the four guiding principles of his cyber security plan:

  • Apply Deterrence
  • Resilience
  • Privacy
  • Partnerships (with private industry)
Deterrence is a primary factor in preventing cyber security threats. Strong protections such as two-factor authentication, one-time passwords, smart cards, and standard data protection systems were mentioned.
Resilience is the ability to recover from an attack. Designing systems that can recover from an attack is paramount to national security, and especially to protected health information (PHI). It was noted (in a different part of the NIST conference) that doctors relying on health information technology (HIT) systems need to ensure that a disaster recovery and backup plan is in place and is tested regularly. A doctor’s office or a hospital would be nearly impossible to operate if PHI became unavailable after a move to entirely electronic medical records.
Privacy is important to the White House. It’s clear that legislation and the regulations that follow have privacy in mind. A good example is the breach notification provision written into section 13402 of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act specifically provides a safe harbor when breached PHI was encrypted. The government is clearly incentivizing the use of data encryption to protect privacy.
Partnerships with private industry were mentioned as well, although not in too much detail. Perhaps the White House wants to make sure that whatever steps they put in place have transparency to the public and the private industry.

May 14, 2010  10:16 AM

Risk Management Framework is Key to HIPAA Compliance – NIST HIPAA Conference Part 1

Posted by: Azaltsman
breach notification, HHS, HIPAA, HIPAA Security Rule, OCR, phi, Risk Management, RMF

Risk management was the centerpiece of discussions at the 2010 NIST HIPAA Security Conference. In her presentation, Pat Toth, a computer scientist at NIST (National Institute of Standards and Technology), discussed the importance of integrating risk management and security into your enterprise computing environment. Security is often thought of as an after-the-fact process that becomes important only once IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect our healthcare information systems.

To help the government and private industry standardize on a risk management process, NIST created the RMF, the Risk Management Framework. The framework consists of six steps:

  • Categorize the information systems
  • Select security controls
  • Implement security controls
  • Assess security controls
  • Authorize information systems
  • Monitor security controls
NIST publishes guidance for each step documenting what is required to complete it. The RMF is not a new concept, nor is it a new guide. It is a process from which any IT system could benefit.
The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.
The RMF is of particular importance when deciding whether or not to implement technologies like data encryption. Encryption is an “addressable” specification under the HIPAA Security Rule: you may decide it is not reasonable and appropriate for your environment, but you must document the risk analysis behind that decision and the equivalent measure you adopted instead. If you decide that encryption is not needed and an incident later exposes PHI, you will need to show that reasoning to HHS OCR (U.S. Department of Health and Human Services, Office for Civil Rights), and an unencrypted breach also gets no safe harbor from notification.

May 3, 2010  1:23 PM

Meaningful Use to Require Doctors Provide Records to Patients within 96 hours

Posted by: Azaltsman
encryption, Meaningful use, patient records, phi

According to meaningful use [of EHR] guidelines patients must be provided with their health information electronically and securely within 96 hours.

“Consistent with the HIT Policy Committee’s recommendations, we propose the following additional clarification of this objective. Electronic copies may be provided through a number of secure electronic methods (for example, personal health record (PHR), patient portal, CD, USB drive). Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies) within 96 hours of the information being available to the EP. Also, consistent with the HIT Policy Committee recommendations, we propose the following additional clarification of this objective. Electronic access may be provided by a number of secure electronic methods (for example, PHR, patient portal, CD, USB drive). Timely is defined as within 96 hours of the information being available to the EP either through the receipt of final lab results or a patient interaction that updates the EP’s knowledge of the patient’s health. We judge 96 hours to be a reasonable amount of time to ensure that certified EHR technology is up to date. We welcome comment on if a shorter or longer time is advantageous.”
Delivering records to patients by portal, CD or USB drive means PHI leaving the building in yet another form, and it will need to be protected with encryption. Healthcare organizations that intend to claim incentive payments for implementing EHR systems should have a plan for meeting the meaningful use requirements. There are many of them (25 for providers in the proposed rule) and the devil is in the details.
