ClickCare Café

Your Hospital Will Have a HIPAA Data Breach in the Next 24 Months — Here’s Why.

Posted by Lawrence Kerr on Thu, Aug 03, 2017 @ 06:02 AM

We have all seen the movie scene:  

It is dark. The opposition is all around us; no one knows precisely where, how many, or how powerful. You are hunkered down.

It is silent. And then, a crack echoes out in the dark as one of your teammates steps on a branch.  Lights go on, flares fill the sky. We've unwittingly caused an attack.

Similarly, your data is encrypted. Your EHR requires two factor authentication. Your team is trying its best to get the work done. And then, crack! A well meaning provider sends a photo of a patient via text.

We're all too aware of what can happen when HIPAA is violated by something as simple as a doctor texting a picture of a patient. Fines for a single HIPAA violation have reached $5 million. The Joint Commission completely rejects texting, even secure texting, as safe for data. And the risks for individual providers, as well as for organizations, are sky-high.

But our colleagues continue to text and email patient data and patient photos -- as if the rules (or the consequences) don't apply to them. Hospital administrators are taking dramatic and well-organized precautions against HIPAA breaches. But providers, many times, don't seem cognizant of the costs of their actions. 

So I was really appreciative of a well-researched study that came out recently, by the Ponemon Institute LLC, via their research sponsored by IBM Security. Their study looked at 419 companies in 13 country samples and measured the costs of data breaches. As the authors say, “We define a compromised record as one that identifies the natural person whose information has been lost or stolen in a data breach.” Their findings emphasize just how devastating a breach (including the kind caused by a doctor sending an "innocent" text about a patient) can be for an organization.

Their findings: the average cost of a data breach is $3.62 million. The US is, by far, the most expensive place to have a data breach. The costs are absolutely huge — almost twice the global average.

Further, the cost of a data breach in the health sector is dramatically higher (almost twice as high) than in any other sector.

Of special interest to me is that the study used the data to predict the likelihood that an organization will have a data breach in the next 24 months. Based on the data set and the number of breaches that have occurred, the researchers find that organizations have a 27.7% chance of having a data breach in the next 24 months.

To me, that means that it's not a question of whether your organization will have a data breach -- but when it will have a data breach. And it's not a question of whether your texting of patient data can have a consequence, but simply when you will experience that consequence.

In fact, hackers and malicious attacks get a lot of press, but 28% of breaches are caused by human error.

We certainly understand that the day-to-day of medical practice can be overwhelming enough, without having to worry about patient data. But the evidence that this problem is urgent and (in large part) in our hands is too weighty to ignore. 

There is technology that will let you share patient information and patient photos in a secure, HIPAA compliant way. iClickCare is a simple tool to let you do that, using your own smartphone. It's affordable, and it's fast -- and the consequences of doing anything else are simply too large.

If you're concerned about HIPAA data breaches in your organization, get the information to keep you safe. Download a free HIPAA checklist and toolkit here:

ClickCare Quick Guide to HIPAA Checklist and Toolkit

Top photo by Mareks Steins on Unsplash. Graph photos used courtesy of the Ponemon Institute LLC, via their research sponsored by IBM Security.

Tags: HIPAA, HIPAA secure images, telehealth and hipaa

HIPAA Security is a Concern for Collaborative Care, But What About For You?

Posted by Lawrence Kerr on Wed, Aug 17, 2016 @ 07:30 AM

iClickCare has strong information security baked in, but what about the rest of your life? How are you handling your own desktop and mobile device?

The Federal Trade Commission simplifies this complex topic in a recent Consumer Information post. We will summarize it here, but it is worth a look. First, the most feared situation is covered: how to recover if your email is hacked. Second, the FTC goes over three areas of personal online security with their extensive resources:
  • Online Security
  • Tips for Educators and Parents
  • Videos and Games

The FTC's recommendations for online security are especially interesting for healthcare providers, as our personal and professional realms can sometimes mix in ways that we don't anticipate. The FTC suggests that you:

  • Use security software that updates automatically.
  • Remember that personal information is more valuable than cash.
  • Ignore phone calls that scare you by saying you have a virus or need technical repair.
  • Make sure that a website is secure before you transmit any financial information. Look for the “s”; for example, with iClickCare the address looks like this: https://iclickcare.com/ … Do you see the “s” at the end of “http” and before the “:”?
  • If you have a question about a company, search for the company name followed by a word such as “review”, “complaint”, or “scam”. Then look for contact information that seems credible and assess the risk.

And of course, always be backing up your files.

One important last note: let’s talk about your camera or smart phone. Back up those as well, but also realize that you may have information there that you may wish not to share. A hacker, kids' pictures, and kidnappers seem like bad elements in a disastrous recipe. Address books and notes are also sources of valuable information which could be abused.

What about clinical pictures? iClickCare separates them from your regular camera roll, and they are protected inside the app. Beware that downloading patients' photos to your desktop is also a HIPAA compliance risk unless you meet the extensive physical guidelines in the law, such as a locked room, entry logs, separate servers, encrypted databases and the like.

But as we often say - take care of yourself. At first, the idea of personal IT security seems too hard. But some of these simple rules make it seem manageable enough to actually do.

If you're interested in taking secure photos in your medical practice, we put together a guide here:

Medical iPhone Photography

Tags: HIPAA, HIPAA secure images, regulatory issues

A New $5 Million Fine Set a HIPAA Record

Posted by Lawrence Kerr on Mon, Aug 15, 2016 @ 07:30 AM

There has been a lot of inspiring news about Olympic records this month, but one record was set recently without such a happy ending.

We were saddened to read that a new record was set for a HIPAA fine by an individual entity.

Advocate Health Care was part of a $5.55 million settlement with the Office of Human Rights (OCR), which is the Federal agency responsible for the enforcement of HIPAA.

Advocate Health Care has been a leader, growing as an integrated health care system since 1995 -- about the same time as ClickCare was starting. In 2014, they developed a respected and widely used patient portal. They also developed an eICU program with the Arizona Telemedicine Program.

Three HIPAA breaches, self-reported, between August 23 and November 1, 2013 -- a mere 9 weeks -- prompted the investigation.

The OCR announcement highlights the intent of this new $5.55 million record fine:

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

The previous HIPAA fine record was $4.8 million -- and here are the top 10 HIPAA fines before Advocate Health Care's.

We get saddened and frustrated when we hear news of these fines, because we know that the fine money could be spent on innovation, helping patients, and improving care. 

And we know that most HIPAA fines and breaches are completely avoidable. 

For instance, a stolen, institution-provided iPhone resulted in even a well-meaning charity being fined this summer. Catholic Health Care Services of the Archdiocese of Philadelphia was fined $650,000 because the ePHI of 412 nursing home residents was compromised.

The truth is that iPhones can be safe for ePHI if the correct software is used. Photos of patients should never be saved on your phone's camera roll, but that doesn't mean you can't use your iPhone to securely take and share patient photos. 

The bottom line? Take HIPAA seriously. But don't do it by isolating yourself or giving up on care coordination or medical collaboration. Stay HIPAA compliant even as you do the things you went into medicine to do -- it doesn't have to mean a fine.

We put together a guide to staying HIPAA safe -- download it here:

ClickCare Quick Guide to HIPAA Checklist and Toolkit

Tags: telemedicine, HIPAA, HIPAA secure images, care coordination, regulations

Joint Commission Rejects Secure Texting for Healthcare Collaboration

Posted by Lawrence Kerr on Wed, Jul 27, 2016 @ 06:00 AM

Texting is one of the easiest ways to communicate.

That's why so many of our colleagues know texting is in direct violation of HIPAA but text about (and with) patients, anyway. 

At different points in time, The Joint Commission on Hospital Accreditation has looked like it was in support of "secure texting" -- but a recent decision reverses that stance and makes any texting a violation.

Initially, texting was not approved for healthcare collaboration by the Joint Commission. They issued this statement in 2011: "[It] is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting... This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”

On May 1, 2016, the Joint Commission revised its position and stipulated components. It announced that health care organizations may allow orders to be transmitted with certain standards in place.

Then in June, it disallowed texting again, with a plan for more study. Standards will be developed by the Joint Commission and CMS.

Given the risks and consequences of running afoul of HIPAA, we believe that it's simply too risky to do any texting with Patient Health Information (PHI).

When there are simple tools like iClickCare that meet criteria for electronic orders as well as healthcare collaboration -- and have never been disallowed -- it just doesn't make sense to risk it. iClickCare also uses texting, but only as a secure notification of a request for collaboration. The order follows once the collaboration is started.

As we have noted frequently, texting and emails are illegal. Secure texting helps to keep PHI secure, but does not help coordinate care or collaborate on behalf of the patient.

Be careful. HIPAA penalties don't take into account intentions -- only regulations. 

Our HIPAA checklist is free, and could help you protect yourself. Get it here:

ClickCare Quick Guide to HIPAA Checklist and Toolkit

Tags: medical collaboration, HIPAA, HIPAA secure images, healthcare collaboration, PA, telemedicine law

Cameras -- What Really Works for Long Term Care & Care Coordination?

Posted by Lawrence Kerr on Tue, May 17, 2016 @ 07:30 AM

The early days of telemedicine and telehealth brought extensive discussion about images. When we started working with nurse practitioners in school-based health settings, most people hadn't used a digital camera, much less thought about diagnosing something through a digital image.

To be fair, the quality of those early images was so dramatically far from the images we have now that some discussion was certainly justified. But most discussion was simply based on fear and knee-jerk reactions.

Even today, though, there are concerns about the quality of photos. As this study puts it, "Smartphone cameras are rapidly being introduced in medical practice, among other devices for image-based teleconsultation. Little is known, however, about the actual quality of the images taken."

The results of that study were clear, though. Three different platforms (Apple, BlackBerry, Android) were compared to a professional Canon with a 35 mm lens. Assessment was by lay people and common pictures, thus reducing clinical bias. The iPhone exceeded the function of the professional camera. And when comparing digital cameras to in-person appearance, two conclusions were drawn:

  • The camera did just as well as viewing with the naked eye; or,
  • The camera was superior.

It's not hard to think about why this might be when you remember trying to see something in a squirming child or fidgety elder, for example. It is easier to have the subject “hold still” with a 1/100th of a second exposure and quiet unhurried study than struggling to pinpoint a small rash on a moving target.

Many studies documented the equivalency or superiority of digital images in the five years before and after the turn of the century. The obvious specialties were radiology (now exclusively digital), wound care, dermatology, plastic surgery and pathology.

Chase Jarvis said: “The best camera is the one with you.” And we always say: the best camera is the one in your pocket. With the advent and advances of smartphones since 2010, we have made several design decisions. One of the major ones was the use of the iPhone and, later, the iPad as an input device -- for exactly this reason -- it is always with you and you already know how to use it.

Our one caveat is that you should never use the camera roll in your smartphone for medical photos. With iClickCare, the camera roll is within the application, password protected, and separate from the routine pictures of vacation and kids. And that, or something similar, is the only HIPAA secure way to take medical photos on a smartphone.


If you're using photos for medical collaboration or care coordination, you can get our ebook on medical iPhone photography here:

Buy Medical iPhone Photography

Tags: telemedicine, medical collaboration, iPhone photography, HIPAA, Telemedicine and HIPAA, HIPAA secure images, long term care, care coordination

Pro Tips For Individual Healthcare Providers To Stay HIPAA Safe

Posted by Lawrence Kerr on Thu, Nov 19, 2015 @ 07:30 AM

The truth is that HIPAA is a big deal if you're in the medical field, period. When we talk about healthcare collaboration and telemedicine, though, people can be even more concerned about cyber security dynamics.

There are concerns at the institutional level, of course. But for individual healthcare providers, it can feel like we're burdened by the responsibility to protect PHI from HIPAA breaches, without the tools or information to do so effectively.

So we were interested to hear the insights offered recently by Michael Kaiser, executive director of the National Cyber Security Alliance. 

Here are some of his best tips for staying cyber-safe as an individual healthcare provider:

We encourage providers to innovate and care for patients, despite the bureaucratic deluges that sometimes feel as though they'll drown us. But it doesn't have to be hard to stay HIPAA-safe, even when using a telemedicine tool -- and it is important.

One thing many providers do is bring a smartphone or other device from home, into the medical context. You can download our white paper on staying HIPAA safe with BYOD (Bring Your Own Device) policies here:
iClickCare IS BYOD Secure

Tags: HIPAA, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, healthcare collaboration, telemedicine law, workflow

Your Risk of a HIPAA Fine Just Increased - How To Protect Yourself

Posted by Lawrence Kerr on Tue, Oct 20, 2015 @ 07:30 AM

Above all, I value medical providers who practice good medicine for their patients, and that often means ignoring everything -- politics, insurance, regulatory niggles -- outside the room.

But sometimes I hear fellow medical providers flout HIPAA dangers in ways that, ultimately, put their ability to care for patients at risk. Doctors text patient questions to each other. They use their phone's built-in camera roll for patient photos. They email medical records or other info back and forth to each other.

It recently came to our attention that the first HIPAA noncompliance enforcement actions are likely to hit business associates in coming months. Business associates became directly liable for HIPAA in 2013, and actions take 2-3 years to settle -- so we should see those first fines soon. Since these rules can be confusing -- and because HIPAA fines can be catastrophic -- we wanted to bring a roundup of our best tips and perspectives on staying HIPAA compliant.

Tools for staying HIPAA compliant, even while doing healthcare collaboration and telemedicine: 

We know from watching our colleagues and customers that you can do healthcare collaboration and telemedicine in ways that are compliant with HIPAA. It just means doing what's right for the patient -- and knowing your boundaries as you do so.

Learn to avoid the "bring your own device" (BYOD) pitfall on the way to staying HIPAA compliant. Get our free white paper:

iClickCare IS BYOD Secure

Tags: HIPAA, Telemedicine and HIPAA, HIPAA secure images, healthcare collaboration

Why VA Employees Chose The Worst Possible Healthcare Collaboration Tool

Posted by Lawrence Kerr on Wed, Aug 26, 2015 @ 07:00 AM

To do healthcare collaboration, you certainly don't need any fancy tools. All you need to do is talk with the medical providers around you. You ask, you answer, and you find the ways to incorporate each person's valuable perspectives.

Many medical providers find that iClickCare simply makes that process a little easier. You don't have to be available at the same time, you don't play phone tag, you don't need fancy hardware.

However, because medical collaboration is so simple, sometimes people make the mistake of thinking that any type of technology is fine to use to do it. Whether it's text messages, emails, or Facebook, we've pretty much heard all the "Why don't we just use…." ideas out there.

So when we heard a recent news story about how 50,000 VA employees were reprimanded for their use of the social networking site Yammer, we weren't shocked, but we were disappointed.

Sites like Yammer, and tools like email or texts, are all great -- but they aren't great in the healthcare field or for healthcare collaboration. Of course, we certainly don't begrudge any individual employee their use of Yammer. Surely, most (if not all) were using it in ways that make sense -- and any attempt at connecting in today's medical world may well be a good thing.

There are a few specific reasons that you shouldn't be using emails, texts, or social networks for healthcare collaboration, all of which came up in the context of the Yammer debacle at the VA: 

  1. They're not secure.
    Emails, texts, and social networks don't have the rigorous level of HIPAA security that iClickCare has, for instance. When you're doing healthcare collaboration, you have to assume that everything you send is under a security microscope. And unless you're confident that Personal Health Information is being protected at the highest levels, you shouldn't use these platforms to send anything about any patient or case, ever.

  2. Personal and medical issues are mixed.
    With Yammer, messages about kids' birthday parties were mixed with messages about patients' issues. That means that providers ran the risk of missing key messages about a patient's care, or making the innocent mistake of sharing something with the wrong person. Perhaps even more importantly, you're using the same phone and camera roll to record comments, photos, or videos about a case, which means that insecure PHI is being left on multiple devices, multiplying the risk. (Always confirm that a healthcare collaboration platform takes precautions to separate personal and medical data, like using its own camera roll.)

  3. They can waste a lot of resources.
    It's really fun to scroll through text messages and Facebook, because you never know what you're going to come across. That same dynamic can make these tools especially inefficient for the medical context. In the Yammer case, administrators were concerned that providers were wasting hospital time chatting about personal issues. We're less worried about that, since people don't usually have the time to waste, but we are worried when it becomes inefficient to sort through unordered, mixed messages. Look for tools that ping you about consults but let you respond on your own time.

Hybrid Store-and-Forward Telemedicine is one option that can help you avoid the mistakes that the VA made. We've put together an at-a-glance guide so you can decide whether it could help your team with medical collaboration: 
ClickCare Quick Guide to Hybrid Store-and-Forward

Tags: medical collaboration, HIPAA, Telemedicine and HIPAA, HIPAA secure images, healthcare collaboration

11 Best Tips to Avoid Cybersecurity, HIPAA, or Audit Failures

Posted by Lawrence Kerr on Mon, Jun 01, 2015 @ 07:32 AM

As we come off the Memorial Day holiday, there is some unhappy news for the US Department of Veterans Affairs: for the 16th consecutive year, it failed its Federal Information Security Management Act audit. The report on the failures cited "Weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases, and network devices."

We've spoken to a lot of brave medical providers and administrators who are scared about running into HIPAA violations, failing cybersecurity audits, or even experiencing breaches. Of course, using telemedicine or telehealth platforms increases people's fear of these threats. But these kinds of healthcare collaboration programs do not have to increase risk. In fact, we've found that smart use of telemedicine can actually improve your security... as long as you're taking smart steps to not run afoul of regulations.

A roundup of our 11 most popular posts on HIPAA security and key things medical providers need to do to stay HIPAA secure:

Getting Started and Staying Secure

Tips for Cybersecurity in Medical Settings

Understanding Bring Your Own Device (BYOD) Policies

To avoid one of the most common HIPAA breaches, get our guide on staying safe with Bring Your Own Device Policies:

iClickCare IS BYOD Secure

Tags: telemedicine, HIPAA, Telemedicine and HIPAA, HIPAA secure images

The 5 Worst Ways to Protect Patient Data in Medical Collaboration

Posted by Lawrence Kerr on Tue, Jul 08, 2014 @ 12:17 PM

Most of the time, we're astounded by our fellow medical providers' ingenuity, insight, and intelligence.

However, new technologies bring new challenges. And new challenges can bring, well, not-so-smart ideas. As we've talked to doctors, nurses, aides, administrators, and lawyers in the medical field, we've heard some truly terrible ideas about how to protect patient data, photos, and information in HIPAA secure ways.

In service of helping you avoid these HIPAA mistakes and misunderstandings, we bring you the 5 worst ways we've seen of protecting Protected Health Information (PHI) in the medical field:

  1. Do nothing. We've heard a lot of providers say that they can't worry about HIPAA because they're "taking care of patients," and a lot of organizations say that the EHR implementation is their first (read: only) priority. These justifications lead to an approach of denial and neglect, neither of which help the patient, or the provider. The patient comes first -- of course -- but part of caring for them is caring for their data.
  2. Wait for the EMR to incorporate pictures. We've been hearing people say they're waiting for the coming of the pictures for 10 years. Along with the chance that your EMR provider will never effectively incorporate pictures, the focus on this misses the point. Collaboration that only happens through EMRs precludes the inclusion of any provider, anywhere, as part of the team. That means that providers at different points in the spectrum of care, less traditional providers, or providers in other places or institutions can't be part of care -- which is inefficient and ineffective.
  3. Never do anything that's not interoperable. Interoperability is important, and it's a fantastic priority to work toward. However, many fantastic, interoperable systems need to start with some systems that aren't interoperable -- but are the best tools for the job. Then, gradually, the organization can find ways to weave those tools together based on how the providers use them and their effect on patient care. And don't forget we need to educate ourselves and others. Comparison over time and visual trends are invaluable not only for education, but for delivering care as well.
  4. Only allow devices approved by the institution. In the same way that smart companies give employees the discretion to spend money if it's in service of the customer, smart institutions ensure their providers have the right tools to care for patients. Sometimes it's best if all providers use the same tools and devices. Other times, it makes more sense for providers to BYOD (Bring Your Own Device) and for a culture of trust and standards to be developed around HIPAA. Policies that help providers make the best choice around technology are most respectful of providers' -- and patients' -- lives, work, and roles.
  5. Prohibit any pictures or photos. We heard the General Counsel for a major health organization say that "no photos" was their HIPAA policy, and it is something we hear frequently. However, it's really impossible to turn back the tide of smartphones and digital cameras. The fact is that people, families, and providers will use photos for medical care. (And this data can be an incredible boon to progress, medical education, and collaboration.) The only question is how to provide the tools and support to make these photos safe for PHI, for patients, and for providers.

Curious whether a BYOD (Bring Your Own Device) policy is good or bad for HIPAA? Get our BYOD guide here:
iClickCare IS BYOD Secure

Image courtesy of stereoscopy on Flickr, used under Creative Commons rights.

Tags: medical collaboration, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images
