Posts Tagged: Data security

How Does the New California Consumer Privacy Act Impact Healthcare?


The California Consumer Privacy Act is now law. It was enacted to fill gaps in existing data privacy law. Until now, healthcare data privacy was governed mainly by HIPAA, but HIPAA applies only to "covered entities" (and their business associates) that handle protected health information (PHI). So how will the California Consumer Privacy Act affect healthcare?

New Laws Will Significantly Impact Healthcare Data

The California Consumer Privacy Act applies to for-profit businesses that operate in California and meet at least one of its thresholds: more than $25 million in annual gross revenue, personal information of 50,000 or more consumers, households or devices, or 50 percent or more of revenue derived from selling personal information. The Act exempts medical information already governed by California's Confidentiality of Medical Information Act (CMIA) and PHI handled by HIPAA covered entities and business associates, so those categories of healthcare data remain under the existing rules. The new law now reaches most other personal data that the healthcare industry collects and uses.

How Will the Act Change the Game in Healthcare?


The California Consumer Privacy Act will alter the rules of the game for personal data in the healthcare ecosystem. Here are what the changes mean and how to prepare.

All individuals within healthcare organizations will have their data privacy protected.

Before the new law, individuals who are not patients had no data privacy protection under HIPAA. Now the personal data of clinicians, staff and other nonpatients is also covered. HIPAA-covered organizations must establish policies and processes to protect the personal data of nonpatients who engage with them, including employee data, and that obligation extends to any of this data shared with third parties. (Note that California later deferred most of the Act's employee-data obligations, so check the effective dates that apply to your organization.)

Other organizations that handle personal healthcare data must put protections in place.

Many organizations are not bound by HIPAA yet still collect health data, from a wearable that captures health statistics to a pharmaceutical company. Those that meet the Act's thresholds must now comply with its privacy requirements: giving notice of what is collected, honoring access, deletion and opt-out requests, and maintaining reasonable security, since the Act gives consumers a private right of action for breaches caused by a failure to do so. These practices must also be communicated to users. Most individuals do not realize that their personal health data falls outside HIPAA's protection, so organizations should consider how they present this message so that it builds trust instead of suspicion.

Healthcare organizations that do business in California will need to apply the changes issued by the new law to their entire company in the U.S.

In healthcare, entities often operate in state silos because the rules differ from region to region. The new law cuts across those silos: an organization must ensure that the Act's protections are in place for every California resident whose data it holds, wherever that data is processed. In practice, many organizations will find it simpler to apply the protections enterprise-wide than to track residency record by record. Either way, it is a perfect storm for compliance challenges.

California Law Is Just the Beginning

California is known for passing protective laws first, but it isn't alone. Washington state and New York are working on similar legislation, and at the federal level, data privacy proposals have bipartisan support.

Any impacted organization needs to develop a strategy for the short and long-term in complying with data privacy regulations. Being proactive and thinking enterprise-wide will be critical. It’s an opportunity to improve data privacy and security, building more trust with patients and customers.

Top Cybersecurity Threats for Healthcare


Cybersecurity threats for healthcare aren't going anywhere. Healthcare is hit with more cyber attacks than any other industry apart from government, and they cost real money. According to one report from Radware, recovery costs can top $1.4 million per incident, driven by lost productivity, reputation damage and service disruption.

What can healthcare organizations do to combat this trend? There are key threats to recognize and prepare for so that you can limit the damage.

Threats to Healthcare—Both Now and in the Future

Cybersecurity threats for healthcare aren’t new. The same issues that were valid last year will still be a problem next year. The key is to manage those threats.

Cloud Security

Healthcare has lots of data, and it makes sense to store it in the cloud rather than on physical servers onsite. In the cloud, the main concern will continue to be a data breach. It takes far more effort for you to protect your cloud environment than for a cybercriminal to target it.

What's critical is that your organization log and monitor access to its cloud data stores and the traffic flowing to and from them, so that misconfigurations and unusual access are caught early. Be proactive in detection rather than relying solely on a plan for responding after a breach.

Unsecured Mobile Devices

Everyone's connected all the time. That's great for communication and collaboration, but it opens the door to compromise. If you have a BYOD (bring your own device) policy, it needs to account for what those devices can access. Is it patient data? Is it proprietary information? That information cannot be transferred to or stored on an unsecured device.

Even if the mobile devices in use have strong built-in protections, it never hurts to add more. Require strong authentication (for example, multi-factor authentication) for access from mobile devices so that a lost or stolen device does not become a breach.


Ransomware

Attackers have shifted gears against healthcare and use ransomware more often. While healthcare and other industries have learned to block most automated, opportunistic ransomware, attackers now favor targeted intrusions.

Hampering future attacks requires you to understand your weaknesses, which is what a risk assessment provides. Because healthcare records fetch a high price on the black market and turn up there regularly, you need good visibility into your network traffic: the patterns that precede encryption, such as lateral movement and data being staged for exfiltration, are what give you the chance to intervene. Maintain offline, regularly tested backups as well, so that an attack that does succeed does not leave you dependent on the attacker's key.

Exploiting IoT

The Internet of Things (IoT) offers healthcare massive opportunities to improve care, but it raises new security concerns. Researchers have already demonstrated attacks on wearable devices, and the risk is not only to the data being collected but to the actual operation of the equipment.

One problem is that many IoT devices cannot run an endpoint security agent, so they cannot block an attack themselves; their protection has to come from the network, for example by segmenting them away from workstations and patient record systems and monitoring their traffic. The sheer volume of devices and diversity of platforms also makes it hard to build a security plan that covers all of them.

People

Yes, people. They are often your biggest weakness. Human error is a leading cause of breaches, and in most cases it is an error rather than a malicious act. The way to combat this is consistent, continuous education of your employees. Cybersecurity is not just IT's duty; it's everyone's responsibility.

No matter how many policies and procedures you have, they will fail without education and awareness. Take time to build an educational program, which could include elements like regular reminders or gamification.

Cybersecurity healthcare threats will continue to be a significant challenge for your organization. Being proactive in how you prepare for them could be the difference between lost revenue and secure data. 

HIPAA Trends and Emerging Challenges: What to Expect in 2020


HIPAA is now over two decades old, and much has changed in that time. When it was written in 1996, the Internet was in its infancy and most healthcare data was still on paper. HIPAA's objectives were to modernize the flow of healthcare information and to protect patients from fraud and theft. HIPAA compliance is critical for every healthcare organization, but keeping up with HIPAA trends and emerging challenges is not easy.

To help you prepare for any changes in 2020, we’re breaking down what to expect in the next year regarding HIPAA regulations. 

National Patient Identifier

HIPAA's passage in 1996 called for a National Patient Identifier to be established. However, Congress has blocked federal funding for its development through appropriations riders ever since. In June 2019, the House voted in favor of lifting this ban. There are two sides to the argument.

Most health IT leaders believe that creating an identifier is vital to solving challenges with patient matching and has the potential to minimize medical errors and misidentification. The American Health Information Management Association (AHIMA) supports the lift of the ban and development of the identifier. 

The identifier could help reduce interoperability issues as well. The fiercest objections still come from politicians, notably Sen. Rand Paul, R-Ky., who recently introduced a bill in Congress to repeal the identifier provision. Paul argues that a national identifier would threaten patient privacy. Critics say his arguments are without merit and don't align with the current reality of healthcare data needs.

Separately, a new identifier for Medicare beneficiaries has been approved and must be used exclusively from January 1, 2020. This is a HIPAA trend that will remain a hot topic in the coming year.

Compliance and Enforcement HIPAA Trends

Enforcement of HIPAA by HHS OCR picked up speed in 2019. After a record-breaking year in which it recovered over $28 million, OCR opened 2019 with a $3 million settlement related to two breach incidents.

Later in the year, OCR announced its first settlement under its Right of Access Initiative. The case involved a healthcare organization that failed to respond to a patient's request for medical records in a timely manner. The settlement sends a clear signal that entities will be held accountable for not giving patients access to their records as HIPAA requires.

The largest healthcare settlement of 2019 will reportedly be $145 million paid by Allscripts Healthcare Solutions on behalf of Practice Fusion, an entity Allscripts acquired in 2018 that was under federal investigation. Note that this case concerns the federal Anti-Kickback Statute, a fraud-and-abuse law, rather than the HIPAA Privacy or Security Rules, so it is not an OCR enforcement action.

Data breaches continue to be an Achilles heel for healthcare, which again leads all industries in cybersecurity attacks and data breaches. What gives this statement context is that, by most accounts, the majority of incidents originated inside the organization.

Healthcare organizations must begin to evolve and modernize their infrastructure to combat this. They should also think of HIPAA compliance as a baseline and exceed requirements for better protection.

More Risk Assessments Will Occur

Healthcare organizations often assume, incorrectly, that general liability insurance will cover a data breach. It rarely does. To obtain cyber insurance, companies will likely need to show a current risk assessment, which the HIPAA Security Rule already requires (the risk analysis at 45 CFR 164.308(a)(1)(ii)(A)) and which OCR audits already examine. You can perform a risk assessment internally, but it is often wise to work with an experienced third-party expert.

Social Media Continues to be a Compliance Miss


There have been many tales of HIPAA noncompliance on social media. Social media is just another communication channel and must be treated with the same care as any other. Under HIPAA, violations on social networks include:

  • Posting gossip or hearsay about a patient to unauthorized individuals, even if no name is disclosed, when other details could identify the patient
  • Sharing any patient photo without express, written authorization
  • Posting pictures from your office in which patient files are visible
  • Publishing any PHI directly

Much of this noncompliance comes down to inadequate employee training. Organizations need a clear, accessible social media policy that leaves no room for misinterpretation.

State AGs Ramping Up General HIPAA Enforcement

While the healthcare industry generally regards OCR as the agency to worry about most, it cannot overlook state attorneys general. State AGs are becoming more active and have begun to band together to bring multi-state suits.

In addition to OCR's enforcement, states are bringing their own actions against entities found to be in violation of HIPAA, and OCR actively encourages state AGs to do so. State AGs were once not really a party to HIPAA enforcement; the HITECH Act of 2009 gave them that authority, and it was first exercised in 2010, when the Connecticut AG took aim at a company responsible for a breach of 446,000 patient records in the state.

Since then, multiple state AGs have sued noncompliant businesses and recovered money on behalf of their affected residents, and that is not expected to decline. Research shows that most state AG enforcement actions have involved electronic PHI (ePHI), yet another reason to strengthen your cybersecurity program.

As technology advances and new tools such as AI and blockchain become part of healthcare infrastructure, there will be new HIPAA trends to consider. Healthcare organizations must be proactive rather than reactive in sustaining HIPAA compliance and data security. We'll keep you updated; stay in touch by subscribing to the blog.