

HIPAA & HITECH Audit Checklist. Getting Prepared.
ecfirst Newsletter | May 2010
 
Follow ecfirst on Twitter for Special Offers & Timely Information on Compliance & Security

CHP + CSCS = 2 Highly Valued Credentials!

 
FREE iPad
CHP PROGRAM
PHOENIX, AZ - JUNE 7-8
LAS VEGAS, NV - JULY 13-14
 
Learn about key aspects of the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security. Step through new requirements related to the HITECH Act. This is an exceptional program delivered by Lorna Waggoner, a HIPAA expert. To register, visit www.HIPAAAcademy.Net
 
CSCS PROGRAM
PHOENIX, AZ - JUNE 9-10
LAS VEGAS, NV - JULY 15-16

To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please register at www.ecfirst.com, and click on the CSCS Program. The CSCS Program is presented by compliance and cyber security experts. CSCS is the world's first program focused exclusively on compliance and security. To register, please visit www.ecfirst.com.
 
Limited Seats! Register Now!

HIPAA Violation Leads to Prison Term

A former UCLA Healthcare System surgeon has been sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others.

Huping Zhou of Los Angeles is the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California.

Zhou pleaded guilty in January to four misdemeanor counts of violating the HIPAA privacy rule. He admitted obtaining individually identifiable health information without a valid reason.

The case dates back to 2003, when Zhou, a licensed cardiothoracic surgeon, received notice that he was being dismissed from his job. On the day he received the notice, Zhou accessed and read his immediate supervisor's medical records and those of other co-workers, according to prosecutors. For three weeks, he continued illegally accessing patient records, including those of celebrities, accessing the patient records system 232 times.

In his plea agreement, Zhou admitted he read private electronic records on four occasions after he was formally terminated.

Prosecutors say there is no evidence Zhou improperly used or attempted to sell any of the information he illegally accessed. 

 
Source: Healthcare InfoSecurity

 
Talk to ecfirst about compliance with federal and state privacy and security mandates. We can prepare your organization to address HIPAA & HITECH requirements.
POLICY HEADQUARTERS

HIPAA Privacy, HIPAA Security & HITECH Require Policies! 

 

Ask about our New PCI DSS Policy Templates! 

 
Policies set the "dial-tone" for meeting compliance mandates in your organization. Are your policies updated to meet the requirements of HIPAA Privacy, HIPAA Security and the HITECH Act?
 
Visit the ecfirst RESOURCE CENTER @ www.ecfirst.com to download privacy and security policies. ecfirst can customize the policies to meet the standards and requirements of your organization.
 
Call John Schelewitz at +1.480.663.3225 to discuss how to cost effectively address compliance mandates for policies.
DID YOU KNOW?
 
Cyber Security
 
"If the nation went to war today in a cyberwar, we would lose. We're the most connected. We're the most vulnerable. We have the most to lose."
Former Director of National Intelligence, Mike McConnell 
 
The Cybersecurity Act of 2010 is legislation proposed by Senators Jay Rockefeller and Olympia Snowe.
 
President Obama calls "cyberspace" a "strategic national asset."
 
Source: WSJ, April 2, 2010
DID YOU KNOW?
U.S. Mobile Health Market
  • Value of U.S. mobile health market is expected to be $4.4 billion by 2013
  • The # of wireless health devices is expected to increase from 300,000 in 2009 to 5.2 million by 2014
Source: BusinessWeek, April 12, 2010

On-Demand Compliance

Flat-Rate Solutions
We at ecfirst refer to this consulting model as - "you can do it, we can help." ecfirst resources may be applied to work along with your IT and compliance personnel to help create and update information security policies, technical procedures, processes, forms, supporting documentation and other required tasks.

The ecfirst On-Demand Solution is highly flexible and includes the following characteristics:
  • Fixed, flat rate service
  • Starting at a minimum 10-hour commitment
  • Delivered anywhere in the United States or abroad
  • Highly specialized information security skills
  • Experienced compliance expertise
  • Mix and match skills
  • 2-page contract
  • Get started with resource commitment immediately

To learn more about ecfirst On-Demand Compliance, please contact John Schelewitz at +1.480.663.3225 or at John.Schelewitz@ecfirst.com.

RISK ANALYSIS
HIPAA SECURITY RULE MANDATE 
 
The Security Management Process standard in the Security Rule requires organizations to "Implement policies and procedures to prevent, detect, contain, and correct security violations." (45 C.F.R. § 164.308(a)(1).)
 
Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
 
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization."
 
The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis.
 
These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule.

  • Have you identified the EPHI within your organization? This includes EPHI that you create, receive, maintain or transmit.
  • What are the external sources of EPHI? For example, do vendors or consultants create, receive, maintain or transmit EPHI?
  • What are the human, natural, and environmental threats to information systems that contain EPHI?
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled "addressable" rather than "required." (68 FR 8334, 8336 (Feb. 20, 2003).)
 
An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.
 
To schedule a private Webcast to learn more about the risk analysis mandate, contact Lorna @ 1.877.899.9974 x17.  
Follow ecfirst on Twitter to receive special offers and updates! Special discounts are available for HIPAA, HITECH, ISO and PCI DSS policies on Twitter. Follow ecfirst on Twitter today! www.twitter.com/ecfirst
 
 
Join Ali Pabrai on Linkedin! 

http://www.linkedin.com/in/pabrai
 
Get Certified On-line!
 
CHP PROGRAM
Learn about key aspects of the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security.
 
Step through new requirements related to the HITECH Act. Understand requirements for covered entities and business associates.
 
CSCS PROGRAM
To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please register at www.ecfirst.com, and click on the CSCS Program.
 
The CSCS Program is presented by compliance and cyber security experts. CSCS is the world's first program focused exclusively on compliance and security.
Infragard WI
Ali Pabrai Presentation at the MidWest InfraGard SuperConference 2010
"Getting Started with ISO/IEC 27000 - A Global Information Security Framework"
Mr. Pabrai will deliver an executive presentation on May 19, 2010 at the Kalahari resort in the Wisconsin Dells between 6:00pm and 7:00pm.
 
"We are very pleased that Mr. Pabrai will be presenting information about the global information security standard (ISO 27000) to our Infragard members and their guests. We will have an opportunity to learn how to apply this standard to address key requirements for regulations and standards including HIPAA, HITECH and the PCI DSS," stated Ken Shaurette.
Are You Ready for an Audit?
Pabrai's Recommendations 
 
HIPAA Academy
 
 
 
 
 
Covered entities and business associates need to ensure that the requirements of regulations such as HIPAA Privacy, HIPAA Security and the HITECH Act are met on a continual basis. As they say, compliance should be viewed as a journey, not a destination. This requires not just capabilities established through policies and associated security controls, but genuine processes in which security capabilities are baked in, NOT bolted on; only this will ensure continual compliance.
 
Here is a checklist - to get started...
I have included a short list of critical documents and other controls that all organizations must ensure are developed, updated and implemented as needed. This is NOT a complete list. ecfirst would be happy to schedule a private 29-minute highly focused Webcast to walk through the entire checklist and answer any questions or provide any additional information you may need.
 
In the area of policies and plans, every organization must ensure that these documents have been developed, approved by senior executive management and communicated as appropriate to members of the workforce:
  • Entity-wide Security Plan 
  • Risk Analysis (most recent)
  • Risk Management Plan (addressing risks identified in the Risk Analysis) 
  • Security violation monitoring reports 
  • Vulnerability scanning plans  
  • Results from most recent vulnerability scan
  • Network penetration testing policy and procedure
  • Results from most recent network penetration test
  • List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
  • Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
Documents and capabilities that must be developed and updated as required include: 
  • Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI  
  • Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures
  • Policies and procedures governing the use of virus protection software
  • Data backup procedures 
  • Disaster Recovery Plan (DRP) 
  • Disaster recovery test plans and results 
  • Analysis of information systems, applications, and data groups according to their criticality and sensitivity 
  • Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI 
  • List of all Primary Domain Controllers (PDC) and servers 
  • Inventory log recording the owner and movement of media and devices that contain EPHI
In today's high-risk environment, covered entities and business associates must go beyond PHI or EPHI and focus on PII, Personally Identifiable Information.
As I look further into 2010, organizations must clearly establish:

  • What PII does your organization come into contact with? 
  • Where is PII in your organization? 
  • How is the PII secured in your organization?
Senior Executives - Compliance Must Be An Executive Priority: Risk to PII = Risk to Organization
My checklist of recommendations for senior executives impacted by HIPAA and HITECH regulations includes:

  • Conduct a formal risk analysis to establish a baseline
  • Use Corrective Action Plan (CAP) to Prioritize and Budget
  • Update Security Policies
  • Develop Contingency Plans (e.g. Disaster Recovery Plan)
  • Implement Security Controls
  • Deploy Encryption Across Laptops, Backups, Removable Media
  • Deploy Single Sign-On (SSO) Solution
  • Activate Auditing Capabilities to Manage/Track Access
  • Schedule Regular Scans of the Infrastructure
  • Conduct Security Training & Awareness
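As an added example (not from the newsletter or from ecfirst), here is how an organization might act on two of the items above: reconciling the list of accounts on EPHI systems against its HR roster for active and terminated employees, and using activated audit logs to flag record access after termination, the pattern in the UCLA case reported earlier in this issue. The roster, the account export and the key=value audit log format are constructed assumptions.

```python
"""Reconcile EPHI system accounts against HR and flag post-termination access.
Constructed sample data, not from the newsletter; field names are assumptions."""
from datetime import date, datetime

# Constructed HR roster: employee id -> employment status and termination date.
HR_ROSTER = {
    "e1001": {"status": "active", "term_date": None},
    "e1002": {"status": "terminated", "term_date": "2010-03-15"},
    "e1003": {"status": "terminated", "term_date": "2010-04-01"},
}

# Constructed account export from the EPHI system: account -> owner and enabled flag.
EPHI_ACCOUNTS = {
    "jdoe": {"employee": "e1001", "enabled": True},
    "asmith": {"employee": "e1002", "enabled": True},   # terminated but still enabled
    "bkhan": {"employee": "e1003", "enabled": False},
    "svc-backup": {"employee": None, "enabled": True},  # no HR owner on record
}

# Constructed EHR audit log lines: ISO timestamp followed by key=value fields.
AUDIT_LOG = [
    "2010-03-14T16:02:11 user=asmith action=view record=PT-44810",
    "2010-03-16T08:45:09 user=asmith action=view record=PT-44822",
    "2010-03-16T08:47:51 user=asmith action=view record=PT-44901",
    "2010-03-17T12:10:00 user=jdoe action=view record=PT-44822",
    "2010-04-02T09:00:00 user=ghost action=view record=PT-45000",
]

def parse_log_line(line):
    """Return the key=value fields of one log line plus a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def stale_accounts(accounts, roster):
    """Enabled accounts owned by a terminated employee or by nobody in HR."""
    stale = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue
        emp = roster.get(acct["employee"])
        if emp is None or emp["status"] == "terminated":
            stale.append(name)
    return sorted(stale)

def post_termination_access(log_lines, accounts, roster):
    """Events by an account with no HR owner, or dated after the owner's termination."""
    findings = []
    for line in log_lines:
        ev = parse_log_line(line)
        acct = accounts.get(ev["user"])
        emp = roster.get(acct["employee"]) if acct else None
        if emp is None:
            findings.append((ev["user"], ev["record"], "no account/owner on record"))
        elif emp["term_date"] and ev["ts"].date() > date.fromisoformat(emp["term_date"]):
            findings.append((ev["user"], ev["record"], "access after termination"))
    return findings

if __name__ == "__main__":
    print("stale accounts:", stale_accounts(EPHI_ACCOUNTS, HR_ROSTER))
    print("findings:", post_termination_access(AUDIT_LOG, EPHI_ACCOUNTS, HR_ROSTER))
```

Access on the termination date itself is treated as permitted here; an organization whose policy disables access at notice time would compare against that earlier date instead.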
For a complimentary private Webcast to learn more about how your organization can be better prepared for a HIPAA or a HITECH audit, please contact Audra Curtis at Audra.Curtis@ecfirst.com or at 1.877.899.9974 x16.  
Burden of Proof: HITECH Act

Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. 

The HITECH Act requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.  For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

 

For more information about compliance and security solutions, please contact John.Schelewitz@ecfirst.com.  

Data Breach Update

As required by section 13402(e)(4) of the HITECH Act, the following breaches have been reported to OCR (recent, partial list).

Our Lady of Peace Hospital
State: Kentucky
Approx. # of Individuals Affected: 24,600
Date of Breach: 3/31/10
Type of Breach: Theft, Loss
Location of Breached Information: Portable Electronic Device, Other

Medical Center at Bowling Green
State: Kentucky
Approx. # of Individuals Affected: 5,418
Date of Breach: 3/24/10
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

Beatrice Community Hospital and Health Center
State: Nebraska
Business Associate Involved: McKesson Information Solutions, LLC
Approx. # of Individuals Affected: 660
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Paper Records

 

Reported breaches typically involve lost or stolen portable electronic devices and laptops, and compromised paper records. For more information about ecfirst compliance and security solutions, please contact John.Schelewitz@ecfirst.com.

Conducted a Technical Vulnerability Assessment?

TRACER

TRACER is an ecfirst technical vulnerability assessment program that addresses HIPAA and HITECH mandates by identifying gaps that could be maliciously exploited.

 

A key requirement of the HIPAA Security Rule is that covered entities and business associates must conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all electronic Protected Health Information (EPHI).

 

ecfirst specializes in conducting comprehensive technical vulnerability assessments to address compliance mandates for HIPAA, HITECH and other regulations. Find out more about our services for external, internal, wireless, and DMZ/firewall assessments.

 

For more information about TRACER and our technical vulnerability assessments, please contact John.Schelewitz@ecfirst.com.  

Compliance | Security
Interview of the Month
 
 
U.S. Healthcare & India: Expanding Opportunities
India is incredible! Travelling through 28 states of India is like travelling through 28 countries. The land of spices, Information Technology (IT), colors, music, and dances, is now emerging as a destination site for American healthcare in many ways. It is a nation in the midst of the biggest and the most ambitious infrastructure roll-outs in the world today - a tough target of 20 km of roads a day, about 7,000 km a year and 20,000 km of highway infrastructure work in progress. India is looking to double infrastructure spending from $500 billion to $1 trillion over the next five years.
 
pi International

1. Why is India emerging as a "valued partner" to address U.S. healthcare challenges? 

India has always been a valued partner to the US Healthcare industry from time immemorial, be it in the form of doctors or technology. The word "emerging" therefore may be a moot point. 

Two specific trends are taking hold in a major way: The health care industry's need to use IT to operate more efficiently, and an aging population's need and desire to use remote health care monitoring to promote better care for the chronically ill in their own homes. 

Whilst often moving separately, those two trends do converge to create a booming demand for health care networking that ties together all the piece parts of the enormously sprawling U.S. health care system: hospitals and clinics, doctors and other health care professionals, insurance payers including the federal government, and patients as well as their caregivers.  

We seem to understand the challenges faced by the US healthcare industry and offer the most cost effective solutions.
 


2. What are the specific areas of cost efficiencies that India delivers to U.S. healthcare?

"Do you want something inexpensive? Do you want it immediately? Do you want it to be qualitatively superior to everything that you have come across?"  If you were given these choices and asked to pick only two, you would be in a bit of a quandary.  
 
The most common misconception is "cost efficiencies equal cheap".  

Cost effectiveness would be the phrase that I would use.  India not only helps you stretch that Dollar but also aids in arriving at an "effective and efficient" solution. 


3. How do firms such as pi International based in Hyderabad, India address the concerns of privacy and security as mandated by U.S. regulations such as HIPAA and HITECH? 

In my very humble opinion, the United States is the only country in the world that truly respects, protects and safeguards her citizens' privacy.

We have been governed by HIPAA from the day we chose to enter the market catering to the US Healthcare Industry. 

Serious business calls for serious measures.  

As an organization I have instilled in my team the need to be far more stringent than what is required.  For instance all my staff has to be registered with NASCOM as individuals.  My HR department verifies their authenticity by using OFAC.  We dispensed with card entry into the office and installed fingerprint biometric devices.  We do not allow them to bring anything personal into the office. As a policy we do not have any home based staff. 

All electronic devices such as cell phones would have to be placed in a locker outside the data centre. All print and save functions have been barred. We use ecfirst as our security and HIPAA compliance auditors.

HIPAA and HITECH regulations are followed even more stringently by us for we do not ever wish to be found wanting in that arena.  

The proof of the pudding, they say, is in the eating; our endeavors bore fruit when we were the first company in India to be found compliant by the HIPAA Academy.

4. What challenges exist to further enhance opportunities to leverage India in addressing American healthcare? 

The key challenge will always continue to be outsourcing of health records. If organizations like ecfirst can provide that "stimulus" to Indian companies to participate in security audits, it would be beneficial for India to emerge as a "Secure Valued Partner" to the US Healthcare Industry.

5. In the next 12 months, what specific areas of growth do you envision emerging with India and U.S. healthcare? 

Cost effective technological solutions.  HIPAA & HITECH Audits and Practices.  In fact I see the next year or so focusing quite heavily on the HIPAA & HITECH regulations.  Indian companies both big and small will have to start not just contemplating but get into real action, which I presume, now brings in revenue for the US companies such as ecfirst, for who better than a certified US corporation to guide, train, audit and certify.
 
 
About pi International
Established in 1999, pi international is the first Indian company to be found HIPAA Secure and Compliant by the HIPAA Academy. pi international is a software and IT Enabled services company with a sharp focus on the US health care industry.
 
pi international has offices in the US, Singapore & India. pi international is about to launch pi-safe, its cost effective, single-window EMR solution, in the US very shortly.