
What Are You Doing To Protect Your Organization Against Your Biggest Security Threat? People

Posted on July 28, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This was a great tweet coming out of the HIM Summit that’s run by HealthPort. I agree with the comment 100%. Sure, we see lots of large HIPAA breaches that make all the news. However, I bet if we looked at the total number of breaches (as opposed to patient records breached), the top problem would likely be due to the people in an organization. Plus, they’re the breaches that are often hardest to track.

What’s the key to solving the people risk when it comes to privacy and security in your organization? I’d start with making security a priority in your organization. Many healthcare organizations I’ve seen only pay lip service to privacy and security. I call it the “just enough” approach to HIPAA compliance. The antithesis of that is a healthcare organization that has created a culture of compliance and security.

Once you have this desire for security and privacy in your organization, you then need to promote that culture across every member of your organization. It’s not enough to put that on your chief security officer, chief privacy officer, or HIPAA compliance officer. Certainly those people should be advocating for strong security and privacy policies and procedures, but one voice can’t be a culture of compliance and security. Everyone needs to participate in making sure that healthcare data is protected. You’re only as strong as your weakest link.

One of the attendees at the session commented that she’d emailed her chief security officer about some possible security and compliance issues, and the chief security officer replied by politely asking why this HIM manager cared and suggesting that the HIM manager should just let her do her job. Obviously I’m summarizing, but this response is not a surprise. People are often protective of their job and afraid of comments that might be considered a black mark on the work they’re doing. While understandable, this illustrates an organization that hasn’t created a culture of security and compliance across the organization.

The better response to these questions would be for the chief security officer to reply with what they’ve done and to outline ways that they could do better or the reasons that their organization doesn’t have the ability to do more. The HIM manager should be thanked for taking an interest in security and compliance as opposed to being shot down when the questions are raised. It takes everyone on board to ensure compliance and security in a healthcare organization. Burning bridges with people who take an interest in the topic is a great way to poison the culture.

Those are a few suggestions about where to start. It’s not easy work. Changing a culture never is, but it’s a worthwhile endeavor. Plus, this work is a lot better than dealing with the damaged reputation after a security breach.

The Evolving Security and Privacy Discussion

Posted on April 1, 2015 | Written By John Lynn

HIMSS put out the great tweet above. The image itself is worthy of a laugh. Although, only a partial laugh, since in healthcare many people don’t understand that putting a password on something doesn’t mean the data is encrypted. Plus, that’s just emblematic of how elementary the implementation of security is in most healthcare organizations.

Yes, there are the outlier organizations, and there are even the outlier security and privacy individuals within a large organization. However, on the whole healthcare is not secure. The hard thing is that it’s not because of bad intentions. Almost everyone I’ve met in healthcare really wants to ensure the privacy and security of health information. However, there’s a general lack of understanding of what’s needed.

With that said, I have seen a greater focus on privacy and security in healthcare than I’ve ever seen before. HIMSS featuring so many sessions is just one indicator of that increased interest in the topic. It’s hard to ignore when every other day some major corporation inside and outside of healthcare is getting breached.

One of the biggest security holes in healthcare is business associates. Most don’t have a real understanding of how to be HIPAA compliant and that’s a massive risk for the healthcare organization and the business associate. That’s why I’m excited that people who get it like Mike Semel are offering HIPAA Compliance training for business associates. Doing HIPAA compliance right is not cheap, but it’s cheaper than getting caught in a breach.

Personally, I’ve seen a whole wave of HIPAA compliance products and services coming out. In fact, I’m looking at creating a feature on EMR and HIPAA which lists all of the various companies involved in the space. I’m sure I’ll hear a lot of discussion around this topic at HIMSS.

How To Respond to Data Breaches

Posted on May 19, 2014 | Written By John Lynn

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

Windows XP Is No Longer HIPAA Compliant

Posted on April 14, 2014 | Written By John Lynn

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any numbers on how many PCs out there are still running XP. Here was their response (note: these are general numbers and not healthcare specific):

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (numbers vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or a competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.

I’ve heard some people make some cases for why Windows XP might not be considered a HIPAA violation if it was a standalone system that’s not connected to a network or if it was in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in and may or may not pass the audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.

HIPAA and ICD-10 Courses

Posted on October 11, 2013 | Written By John Lynn

One of the really telling things I learned this week as I traveled to the MGMA Annual Conference and then the CHIME Fall Forum was how unprepared organizations are for ICD-10 and HIPAA Omnibus. The stories I heard were amazing, and I’m sure these will be topics I write about much more in the future.

One of the stories I heard was a medical practice who was asked if they were ready for ICD-10. The practice said that they were ready. Then, they were asked what they’d done to prepare for ICD-10. Their response was that their vendor said that they were ready for ICD-10.

We could really dig in to reasons why that practice might want to verify that their EHR vendor is really ready, but we’ll save that for future posts. What was amazing to me was that this practice thought they didn’t need to do anything to train their doctors and coders on ICD-10 to be ready for the change. They’re in for a rude awakening.

At a minimum, these organizations should look at a course like the Certificate of ICD-10-CM Coding Proficiency (20% discount if you use that link and discount code). The course looks at the key changes in coding with the implementation of ICD-10. Plus, it’s a course that looks to bridge your ICD-9 knowledge to ICD-10. Once you start digging into this content, you realize why your organization had better have some ICD-10 training, or your organization will suffer.

The same applies to HIPAA. So many people don’t realize (or remember) that as part of HIPAA compliance you need to have regular HIPAA training for your staff. This is particularly true with all of the changes that came with HIPAA omnibus. How many in your organization know the details of the changes under HIPAA omnibus?

An online course like the Certified HIPAA Security Professional is such a great option, since you can work on it when you have time and come back to it later, while helping to protect you against a HIPAA audit. Plus, the course linked above includes a HIPAA “Business Associate Agreement” downloadable template, which I’m quite sure many organizations still need. I recently asked a doctor’s office I was working with for their EHR business associate agreement. They told me they didn’t have one (more on that in future posts). Really? Wow!

Certainly each of these courses and trainings takes some commitment to complete. Although, when your colleagues’ ICD-10 reimbursement becomes an issue or the HIPAA auditor knocks on your door, you’ll sleep much better knowing you’ve made the investment. Those who don’t will likely pay for it later.

HIPAA Compliance Audits Underway

Posted on January 9, 2012 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
– 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
– The focus this year is on covered entities, not on their business associates.
– OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
– Adam Greene, the blogger who broke this news first on his blog, has some interesting details about the organizations. It seems as if 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” This translates to 30% of the initial list.
– Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3-10 business days.

Having been in charge of Sarbanes Oxley audits at my last place of work, I know first hand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”

Which is probably some solace for the organizations that are currently being audited. Hopefully at the end of this exercise, OCR will have a good idea of where the major weaknesses are and where it wants organizations to be, and will help them get there.