All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
Amazon has recently announced a new system that automatically removes identifying protected health information (PHI) printed on medical images, preventing patients from being identified.
Medical images generally carry a patient’s protected health information (PHI) printed on the image itself, including name, birth date, age, and possibly additional details. Before the images can be used for research, written permission must be obtained from the patient or all identifying data must be permanently removed. Removing PHI from images has required a manual check and alteration of each image, which can be expensive and time-consuming.
The new system is built on Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The extracted text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code, the PHI regions can then be removed from the images quickly. The system works on PNG, JPEG, and DICOM images.
Amazon claims the system allows healthcare organizations to de-identify large quantities of images quickly and inexpensively, and states that it can batch process thousands or millions of images. Once an image has been processed and the location of PHI has been identified, a Lambda function can also be attached to automatically remove PHI from any new images as they are uploaded to an Amazon S3 bucket.
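The step the pipeline above glosses over is mapping the character offsets that Comprehend Medical returns back onto the text boxes that Rekognition returns, so the right pixels get blanked. The following is an added example (not Amazon’s or Data Fast Solutions’ code) of that mapping and the redaction itself; the two API responses are constructed to mirror the documented shapes of `rekognition.detect_text` (`TextDetections` with `LINE` geometry) and `comprehendmedical.detect_phi` (`Entities` with offsets), so it runs offline with no AWS calls, and the image is a plain list-of-lists stand-in for the array a real Lambda would load.

```python
"""Map Comprehend Medical PHI entities onto Rekognition text boxes and redact them."""

# Constructed stand-in for rekognition.detect_text(...)["TextDetections"].
# BoundingBox values are fractions of image width/height, as Rekognition reports them.
REKOGNITION_LINES = [
    {"Id": 0, "Type": "LINE", "DetectedText": "PATIENT: JANE DOE",
     "Geometry": {"BoundingBox": {"Left": 0.05, "Top": 0.02, "Width": 0.40, "Height": 0.05}}},
    {"Id": 1, "Type": "LINE", "DetectedText": "DOB: 03/14/1962  AGE: 57",
     "Geometry": {"BoundingBox": {"Left": 0.05, "Top": 0.08, "Width": 0.45, "Height": 0.05}}},
    {"Id": 2, "Type": "LINE", "DetectedText": "CHEST PA VIEW",
     "Geometry": {"BoundingBox": {"Left": 0.05, "Top": 0.90, "Width": 0.30, "Height": 0.05}}},
]

# Constructed stand-in for comprehendmedical.detect_phi(Text=...)["Entities"].
# Offsets are character positions in the newline-joined text built by join_lines().
PHI_ENTITIES = [
    {"Text": "JANE DOE", "Category": "PROTECTED_HEALTH_INFORMATION", "Type": "NAME",
     "BeginOffset": 9, "EndOffset": 17, "Score": 0.99},
    {"Text": "03/14/1962", "Category": "PROTECTED_HEALTH_INFORMATION", "Type": "DATE",
     "BeginOffset": 23, "EndOffset": 33, "Score": 0.97},
    {"Text": "57", "Category": "PROTECTED_HEALTH_INFORMATION", "Type": "AGE",
     "BeginOffset": 40, "EndOffset": 42, "Score": 0.91},
]


def join_lines(detections):
    """Join LINE detections with newlines (the text you would send to detect_phi).
    Returns the joined text and each line's (start, end, detection) character span,
    so entity offsets can be traced back to the line they came from."""
    text, spans = "", []
    for det in detections:
        if det["Type"] != "LINE":
            continue  # WORD detections repeat the same text at finer granularity
        if text:
            text += "\n"
        start = len(text)
        text += det["DetectedText"]
        spans.append((start, len(text), det))
    return text, spans


def phi_boxes(detections, entities, width, height, min_score=0.8):
    """Return pixel rectangles (x0, y0, x1, y1) for every LINE whose character span
    overlaps a PHI entity scoring at least min_score. Whole lines are redacted because
    Rekognition geometry is per line (or per WORD), never per character; switch the
    join to WORD detections if a finer cut is needed."""
    _, spans = join_lines(detections)
    boxes = []
    for start, end, det in spans:
        hit = any(e["Category"] == "PROTECTED_HEALTH_INFORMATION"
                  and e["Score"] >= min_score
                  and e["BeginOffset"] < end and e["EndOffset"] > start
                  for e in entities)
        if hit:
            bb = det["Geometry"]["BoundingBox"]
            boxes.append((round(bb["Left"] * width), round(bb["Top"] * height),
                          round((bb["Left"] + bb["Width"]) * width),
                          round((bb["Top"] + bb["Height"]) * height)))
    return boxes


def redact(pixels, boxes, fill=0):
    """Blank the given boxes in a row-major list-of-lists greyscale image (a stand-in
    for the NumPy/Pillow array a real pipeline would use). Returns a new image."""
    out = [row[:] for row in pixels]
    for x0, y0, x1, y1 in boxes:
        for y in range(max(0, y0), min(len(out), y1)):
            for x in range(max(0, x0), min(len(out[y]), x1)):
                out[y][x] = fill
    return out


if __name__ == "__main__":
    image = [[255] * 200 for _ in range(100)]  # constructed blank 200x100 "scan"
    boxes = phi_boxes(REKOGNITION_LINES, PHI_ENTITIES, 200, 100)
    clean = redact(image, boxes)
    print(boxes, clean[3][20], clean[92][20])
```

In the S3-triggered Lambda flow described above, the same two functions run once per uploaded object, with the constructed responses replaced by the real `detect_text` and `detect_phi` results.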
Excerpts taken from HIPAA JOURNAL 2019
Created by RIO
This article is ©2019 Data Fast Solutions • All Rights Reserved
According to the HIPAA Journal, two data breaches affecting more than 100,000 records each were reported in April 2019. The largest breach of the month was reported by the business associate Doctors Management Services: a ransomware attack that exposed the records of 206,695 patients.
The ransomware was deployed 7 months after the attacker had first gained access to its systems. Access was gained via Remote Desktop Protocol (RDP).
The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that blocked patients from accessing their information. It has been found the attacker had been exploring the network prior to deploying the malicious software.
Data-Fast Solutions can prevent these malicious attacks with additional security measures.
Amazon has introduced six new Alexa skills that use voice technology while remaining in compliance with protected health information rules.
Alexa’s voice technology gives patients and caregivers easier access to their healthcare needs from home and lets them interact with their health providers.
The six new HIPAA-compliant Alexa skills are as follows:
This enables members of the Express Scripts pharmacy service to monitor the status of their prescriptions and opt to receive notifications of when prescriptions will be complete and delivered.
Members of Cigna health plan can access this Alexa skill to check wellness program opportunities, receive health tips, and provide incentives.
Parents of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their medical providers on their child’s recovery progress, and care teams can send information on appointments and pre- and post-op guidance. At this time, it is only available for cardiac surgery patients, although the program will be expanded soon.
Anyone in Livongo’s Diabetes Program can monitor their blood sugar levels, obtain average readings, and receive personalized health information.
Providence St. Joseph Health patients can utilize Alexa to find a local urgent care center and schedule a same-day appointment.
Atrium Health customers can also access Alexa to acquire urgent care locations near them and schedule same-day appointments.
HIPAA and Voice Activated Virtual Assistants...
Data Fast Solutions’ News provides information on HIPAA compliance which covers everything from auditing business associates to ensuring technology in healthcare is secure. HIPAA IT compliance articles are written by many other IT and healthcare related companies as well and are easily accessed with a simple Google search. The U.S. Department of Health and Human Services has extensive data on HIPAA compliance and regulation and offers training resources. Yet, media coverage of HIPAA continues to relay stories about data breaches which have resulted in billions of dollars in fines due to the compromised personal information of millions of individuals.
In reviewing the U.S. Health and Human Services breach report for cases currently under investigation for the past month (November, 2018), most of the reported incidents were due to hacking and most of the individuals affected were through business associates. The information stolen was obtained from large and small companies alike and occurred across the country in many different states through email, network servers, laptops, desktops, portable devices and more. Whether your technology is hardware or software related, in the cloud or on a single device, hackers continue to profit from what has turned into a multi-billion dollar business. Malware, such as ransomware, has been, and continues to be, a concerning factor as are phishing attacks.
So, how are hackers stopped? What can help lessen the possibility for an attack on your company? Use Google to try to find the answers and you will get the same information that’s been available for decades such as ongoing training, backing up data, implementing effective policies and procedures, and testing. These are all excellent approaches and used collectively and consistently, they can help lessen an attack. Collectively means building a solid HIPAA compliance team.
As a patient, just as you would want a specialist, rather than a general practitioner, to thoroughly address a heart or neurological issue, you need a team made up of HIPAA compliance specialists to ensure your company’s well-being. Whether you employ 5 people or 5,000, your HIPAA compliance team should be made up of the following to effectively combat hackers:
The role of a HIPAA Privacy and Security Officer should be in-house and can be held by one person in smaller offices, but it is recommended that it be held by two or more individuals to ensure the integrity and manageability of the role in larger companies.
A HIPAA/HITECH certified IT professional can be in-house or outsourced.
Companies with these professionals in place have the ability to recognize potential HIPAA breach activity much sooner than those who are not well-versed in specific HIPAA rules and regulations. If all responsibilities assigned within these roles are carried out consistently and collectively, a hacker’s ability to obtain HIPAA data is drastically reduced.
For a technology consultation to ensure your company does not end up on the Health and Human Services Breach Report, contact Data Fast Solutions today!
This article is ©2018 Data Fast Solutions • All Rights Reserved
Since the inception of HIPAA in 1996, health information managers have been tasked with keeping the security of patient data in check. However, as technology continually progresses, this becomes more challenging for all healthcare professionals and their associates. This is especially true for remote and wearable technology used outside of a doctor’s office, where personal health information (PHI) is much more difficult to control. HIPAA does have guidelines in place stating that patient information collected by a doctor-provided wearable device will be covered under HIPAA.
Wearable technology includes commercial consumer products such as fitness trackers as well as products manufactured for remote healthcare monitoring by physicians and other healthcare personnel. Fitness trackers, such as the highly popular Fitbit, are not controlled by HIPAA unless that data is shared with a doctor’s office. Once shared, it falls under the restrictions of HIPAA, so health care providers must ensure that the data is not compromised. Outside of commercial products, remote data downloads occur daily for patients who may be under a physician’s care for any number of health related issues from diabetes to cardiac care to sleep apnea.
It is not only the data that is at risk. Any vulnerable remote transfer of healthcare data can put a patient in physical danger as well. In 2016, a medical device researcher with Johnson & Johnson discovered that remote-controlled insulin pumps were susceptible to an outside attack, because the communications between the wireless remote and the insulin pump were not encrypted. According to the Johnson & Johnson researcher, a more malicious attack could also have occurred because the pairing between the remote and the pump was weak; an outside attacker could access the patient’s remote device and administer additional, deadly doses of insulin.
Technological advances in healthcare such as remote, real time monitoring of patient data, have gone far beyond what some would have imagined when HIPAA was enacted in 1996. As new technology evolves, healthcare I.T. developers and manufacturers have learned to work in conjunction with revised HIPAA regulations to ensure compliance prior to delivery. Most wearable devices are now manufactured with strict HIPAA compliance to ensure data is secure. Remote data is now shared much more securely with increased encryption in place.
As this type of technology continues to progress, it is the healthcare organization, and their covered entities, who are held responsible for keeping PHI secure. That does not mean that healthcare providers have to tackle all aspects of HIPAA compliance alone. Technology professionals can provide technical processes that can help. From implementing separate networks for shared data, to encryption, to multi-factor authentication, technology experts can help ensure remote and wearable technology data is never compromised. In addition to the technology itself, assistance with ongoing technology training can add an extra layer of protection against HIPAA breaches. No matter what technology is utilized, partnering with an I.T. company who is highly trained in HIPAA compliance can help ease the burden of making sure PHI is consistently kept safe.
Voice-activated virtual assistants such as Apple’s Siri, Amazon’s Alexa and Google’s Assistant are used more and more by people across the globe, but it’s important to know that virtual assistant technology used by healthcare professionals is not as simple as speaking into your smartphone. An article published last spring by Harvard Business Review states that “in a nationwide survey of pediatricians conducted by Boston Children’s Hospital (not yet published), 62% of respondents said they have used voice-assistant technology, and one-third own, and use, at least one smart speaker.” While voice dictation technology has been around for decades in the medical field, smart speakers and smartphones with virtual assistant software can obviously do much more. However, this technology has yet to become HIPAA compliant, so attempting to use it with sensitive patient information leaves one open to serious violations.
As we have discussed in previous blogs, ransomware hackers routinely target the medical field for private health information, which can be lucrative for them. Increasingly, these hackers are focusing their attacks on smaller offices, which do not always use the best I.T. services available to them. This makes vulnerable devices, such as those running virtual assistant software, more susceptible.
In addition to possible hacking, it’s common knowledge that voice-activated software can be challenging even for simple tasks such as a grocery list. So, attempting to use the current technology to convey complicated medical terminology or relay the names of many pharmaceuticals just doesn’t make sense. Until there are safeguards in place which can guarantee healthcare-related tasks are not vulnerable to mistakes, virtual assistant technology simply cannot be used effectively in a healthcare setting.
While virtual assistant software is not currently HIPAA compliant, it has been able to offer general medical advice not bound by HIPAA. Amazon Alexa’s KidsMD, launched in 2016 in conjunction with Boston Children’s Hospital, provides health advice to parents regarding their children’s fever and medication dosing. The skill can be added to any Alexa-enabled device such as Amazon Echo, Echo Dot, Amazon Tap and Amazon Fire TV, and gives parents the ability to ask about different symptoms their child may be experiencing, from fever and cough to shortness of breath or unusual fatigue. Parents or caregivers can also ask about weight and age guidelines as they relate to over-the-counter drug dosages.
Other ways VAs are currently being used are through a patient’s own personal device for medication reminders and for finding out more about medical terms and definitions. So, the technology is useful for some patients.
According to the pediatricians surveyed by Harvard Business Review, only 16% stated that they would not try virtual assistant technology. However, many who would try it, said they were less likely to do so while treating their patients due to a patient’s possible reaction to what was recommended by the virtual assistant or the doctor overriding recommendations made by the technology. One way in which doctors thought voice assistants could be utilized in the future was in populating medical questionnaires prior to an office visit to help save time. In addition, 55% of doctors surveyed were not entirely confident about the reliability of answers provided by virtual assistant technology. 68% said that knowing the content came from a reliable source such as Boston Children’s Hospital would make them more confident in utilizing the information provided.
While physicians and other healthcare professionals may be tempted to use voice activated virtual assistants in some aspects of their jobs to save time, attempting to use them with HIPAA protected data can be detrimental. Until the technology is fully HIPAA compliant, it is recommended by HIPAA certified I.T. professionals, such as Data Fast Solutions, that virtual assistant technology be left for simpler tasks in a user’s day-to-day personal life.
According to HHS.gov, the use of encryption is not mandatory; it is “addressable” rather than “required”. However, a Health and Human Services administrative law judge (ALJ) recently ruled that the University of Texas M.D. Anderson Cancer Center must pay $4.3 million in fines for failure to safeguard patient information on unencrypted devices. According to Health Leaders Media, M.D. Anderson made the decision to encrypt all devices in 2008, but by 2013 had still not done so. The breaches were reported by M.D. Anderson to OCR in 2012 and 2013 and involved an unencrypted laptop, which was stolen, and two unencrypted thumb drives, which were lost. The laptop contained electronic protected health information (ePHI) of more than 29,000 people, while the two thumb drives together contained ePHI of 5,800 people. M.D. Anderson plans to appeal the decision.
This recent ruling is a reminder that implementing new ePHI policies in healthcare organizations and covered entities must be done expeditiously. A vital factor in securing ePHI is fully utilizing encryption. It is a crucial link in security which can thwart hackers and thieves, yet so many in healthcare have yet to adopt it. Why it is not used more extensively is not fully known. Affordable encryption technology has been available for quite some time. It can be complicated for those not well-trained in implementing it. However, it is now more apparent that an administrative law judge would not view any excuses for lack of encryption as viable for leaving ePHI vulnerable. So, putting together a plan for encryption and implementing that plan quickly is important to do before a breach can take place.
The National Institute of Standards and Technology (NIST) has published the Guide to Storage Encryption Technologies for End User Devices. This guide can give IT and security personnel at healthcare organizations, or their covered entities, excellent information on encryption. It provides “real-world guidance for three classes of storage encryption techniques: full disk encryption, volume and virtual disk encryption, and file/folder encryption. It also discusses important security elements of a storage encryption deployment, including cryptographic key management and authentication.” While this guide only discusses the encryption of data at rest, not the encryption of data in transit, it is a good way to educate healthcare entities on how to plan, implement, and maintain storage encryption solutions.
Implementing encryption is not an easy task for small or large healthcare offices alike. Using guides like the one published by NIST is a good start, but engaging IT companies with encryption experts can make the process much easier. Those trained in encryption can make sure that if a HIPAA data breach occurs, no ePHI will be exposed. Had M.D. Anderson fully implemented its 2008 decision to encrypt its devices, it would not be facing a $4.3 million fine.
From planning to implementation and on-going support, an IT company like Data Fast Solutions can make sure your encryption plan is rolled out effectively. Contact Data Fast Solutions for more information today!
In February 2017, we wrote about Healthcare System Configuration and Collaboration with the help of SAFER Guides, originally published in 2014, by the Office of the National Coordinator for Health (ONC). The SAFER Guides, or Safety Assurance Factors for EHR Resilience, were updated in 2017 and put together to assist healthcare organizations with electronic healthcare record (EHR) implementation and safety.
However, a recent study shows that many healthcare organizations do not adhere to the recommended safety practices contained in the SAFER Guides. The study found that healthcare companies do tend to follow more of the technical recommendations, but just 18%, or 25 of 140 SAFER recommendations, were fully implemented.
As we stated in our previous blog, using a SAFER Guide for EHR implementation is not mandatory, but the guides do provide useful tools to ensure EHRs are not left vulnerable. The SAFER Guides, used along with a HIPAA-certified I.T. company, can ensure that the technical aspects of EHR implementation are covered, but not fully following the guidelines can put the safety of electronic health records at risk.
“Of the 11 recommendations most likely to be ‘not Implemented,’ most (9 of 11) were from 3 guides: Test Results Reporting, Communication and CPOE/CDS, with 4 from the CPOE/CDS guide alone,” researchers wrote. “Conversely, all System Interfaces and Contingency Planning guide recommendations were implemented by at least one site.”
One of the most important findings in the study suggests that, according to researchers, “the guides may also assist in driving culture change regarding organizational learning related to evaluation and improvement of the EHR”. However, “this has historically been seen as the sole responsibility of the IT department rather than as shared responsibility among stakeholders across the entire organization in conjunction with EHR vendor.” This is important because EHR safety does not happen solely from within the technical department or team.
The SAFER Guides specifically state that a multi-disciplinary team should complete the self-assessments and evaluate potential health IT-related patient safety risks addressed by the specific SAFER Guide within the context of a particular healthcare organization. The checklists and worksheets are designed as simple tools to make sure all aspects of EHR are considered. Utilizing the guides, as they were intended, can increase the likelihood of implementing and utilizing EHRs safely and effectively.
Data Fast Solutions is HIPAA I.T. Certified and can assist your organization in utilizing the SAFER Guides effectively to ensure a safe EHR implementation and continued EHR safety. Contact Data Fast Solutions today!
The General Data Protection Regulation, or GDPR, is due to take effect next month, and many in healthcare in the U.S. may wonder how it affects them. Per the GDPR portal, it “was designed to harmonize data privacy laws across Europe” and relates to those residing in the EU. However, it does have far-reaching effects in the United States because of how personal data is collected, used, disclosed and processed by controllers and processors. Simply put, controllers determine the “purposes, conditions and means of processing personal data”, while processors are those who process “personal data on behalf of the controller”.
American healthcare organizations may think that GDPR is already completely addressed through U.S. HIPAA regulation; however, that is not necessarily the case. An article published in February of this year by The National Law Review, Does GDPR Regulate Clinical Care Delivery by US Health Care Providers?, addresses the specifics of GDPR as it relates to U.S. healthcare. Per the article, the GDPR does not have direct reach to personal data processing by a U.S. controller or processor if the business is:
· Not physically located in the EU
· Not offering goods and services through advertising or direct marketing to individuals in the EU
· Not monitoring the post care of individuals treated in the U.S.
For many smaller U.S. healthcare offices, not all three of these criteria may apply. In particular, post care of individuals located in the EU may occur, so GDPR would need to be strictly followed to avoid stiff penalties.
The key in healthcare providers having to adhere to GDPR in the U.S. pertains to the location of an individual in the EU, not their EU citizenship. So, if you’re treating an EU citizen who resides in the U.S., HIPAA laws, not GDPR, would apply. If you are providing post care to an individual who resides in the EU, HIPAA and GDPR must be followed.
It’s important to understand that HIPAA relates to the privacy of protected health information (PHI) while GDPR, according to the article above, relates broadly to personal data, health related or otherwise, which is “any information relating to an identified or identifiable natural person who is in the EU, regardless of the individual’s EU citizenship status.”
The broader terms of GDPR, as opposed to HIPAA are outlined in the HIPAA Journal article, Understanding GDPR Compliance, published last January, which states:
Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete or destroy their record of the data concerned after an individual has withdrawn their consent – breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organization[s] when they review their GDPR compliance. These rights of individuals include [but are not limited to]:
In addition, the IAPP (International Association of Privacy Professionals) gives a good side-by-side comparison of HIPAA and GDPR. If you are an American healthcare entity, it’s important to be informed about GDPR as it must be strictly adhered to beginning next month. Data Fast Solutions can assist you in making sure your healthcare I.T. services meet both GDPR and HIPAA regulations. Contact us today!
Some I.T. professionals simply provide a service and rely on the technology itself to work as it should. This approach may be acceptable for some industries, but it is especially harmful within healthcare, where it can lead to more breaches. As trained HIPAA I.T. professionals, Data Fast Solutions not only provides secure I.T. services but also stays informed on what is working well, to provide clients with the best, most knowledgeable service.
Recent data suggests that while I.T. provides the healthcare sector with many advances in patient data and care, healthcare data breaches are still increasing. In analyzing the reasons behind the breaches, Verizon’s 2018 Protected Health Information Data Breach Report found that in almost 60 percent of 1,368 security incidents, occurring in 27 countries, breaches were due to insiders or employees. Almost three-quarters of the reported incidents were in the United States.
Researchers also found that healthcare is unique in having insiders as the main source of breaches, and that those insiders are driven by:
The study also confirmed the research published by the American Journal of Managed Care which found that paper and film were the most common locations for data breaches. In the cases studied, it occurred in 27% of incidents.
Additionally, the report found the following categories in the breaches that they studied:
The report makes it clear that reducing paper data, along with putting more secure systems in place, can reduce the number of security breaches. The authors of the report suggest full disk encryption (FDE) and routine monitoring of record access, just as Data Fast Solutions has always recommended. However, the report also points to the need for more robust policies and procedures within a healthcare organization to combat error across all categories. How policies and procedures are changed to address the issues is unique to each organization, but being proactive is key.
There are hundreds of cases in the news of breaches within healthcare, almost always followed by a knee-jerk analysis after the fact. As the Verizon report shows, the approach to breaches is almost always the same. Focusing on securing ePHI and increasing training for employees is recommended and should not be taken lightly, but media coverage suggests that these recommendations are falling on deaf ears. That is not necessarily the case.
Perhaps more important is the need for analysis of what is working right. Data on organizations that have successfully thwarted attacks, studied as successes rather than failures, may not be newsworthy to healthcare I.T. professionals, but it can possibly help more. While some healthcare companies may experience a breach, many more are using HIPAA-trained I.T. professionals like Data Fast Solutions, who have the knowledge and expertise to assist with I.T. policies that work. Technology, like people, is never perfect, but Data Fast Solutions learns from data breach analysis and focuses on what works well to keep PHI safe.