Looking for a simplified way to train your staff on HIPAA Breach Notification? For a limited time, we are offering our Breach Notification Training Module F*R*E*E* when you sign up for our monthly newsletter (also free). Go here to get your free training now! Want to learn more about Expresso, the Risk Assessment Express? Click here.
In the 24/7/365 digital universe that we all now inhabit, there are three principal challenges that must be addressed when launching any new compliance initiative: 1) the people challenge; 2) the process challenge; and 3) the platform challenge. Although a successful HITECH/HIPAA compliance initiative will certainly have a well-defined platform component, the success of the initiative depends mostly on meeting the people and process challenges. That is, the principal challenges are not technology centric; they have much more to do with how an organization thinks about compliance and how its processes interact with the platform.
The first thing to recognize is that these are still uncharted waters, despite the volumes that have been written about the HITECH Act ("HITECH"). The fact of the matter is that prior to HITECH, HIPAA was an unenforced paper tiger, and most industry insiders knew it. Now, under HITECH, there is a generalized sense in the healthcare industry that something important is happening with respect to privacy and security, but there are not many (perceived) useful maps that will lead to the promised results. If, as is widely recognized, technology in and of itself is not the answer, then what is? Your compliance processes should be underpinned by a methodology that changes your organization's HIPAA compliance mindset. Without a change in the organization's compliance DNA, full compliance with the regulations will remain elusive and (as is the case now) illusory.
Even if an organization clearly recognizes that it must change the way it thinks about compliance in order to achieve its compliance objective, it must also recognize the need to change how it implements the compliance processes that underpin its policies. That is, an effective compliance program requires a change in internal processes. All of us become extremely attached to our work processes and we all find it disconcerting when they change. It is important to recognize just how powerful our innate resistance to change is, because we cannot ignore it and hope to overcome it simultaneously. Resistance to change is how we are wired, and it often serves us well. There is more than a little wisdom in "if it's not broke then don't fix it."
However, our resistance often persists even when we know what we are doing is broken. Why is that? The answer to this question could probably fill a PhD dissertation (i.e. one which we are unqualified to deliver), so we offer only a simple (though hopefully not simplistic) response: we resist change even when we know our processes are broken because we have a hundred and one reasons why we believe the new processes won't work. The truth is that we are partly right. The processes that will work only evolve over time, likely after some false starts, and therefore the compliance methodology we select must be malleable. Any attempt to substitute one rigid set of processes for another has a low probability of success.
HIPAA regulatory compliance is by definition a wicked problem. There is simply no one right way to go about it, nor any one-size-fits-all off-the-shelf solution. Our products are prescriptive in that they provide detailed compliance "how to" information, but with the understanding that each organization's implementation is likely to vary. Therefore, we provide a suite of products that are readily customizable to processes that will work within your organization.
Our use of the term "Platform" refers to the combination of hardware, software and other connectivity options that make up the existing computing infrastructure within your organization. Obviously, some Platform components (e.g. Expresso) play a direct, conspicuous role in your compliance initiative. Likewise, the logging functionality included in your EHR application helps you meet one of the Security Rule's requirements (the audit controls standard at 45 CFR 164.312(b)), and an EHR application's requirement that strong passwords be used helps you meet another (password management, 45 CFR 164.308(a)(5)(ii)(D)). Many such examples can be found. However, it is important to keep in mind that there is no such thing as a HIPAA compliant product or service. Only covered entities ("CEs") and business associates ("BAs") can be HIPAA compliant. No third party product, or set of products, is going to magically solve your compliance challenges; a product can at most support a control that you still have to implement, document and operate.
Platform considerations have become even more important now that knowledge workers are increasingly "distributed" and mobile, requiring anywhere/anytime access. The Platform needs to be as reliable as the nation's electric grid so that users (and patients) can "plug in" on demand. It needs to be securely available 24/7, 365 days a year. It needs to do all of this while maintaining the confidentiality of the PHI contained within it. This is no small feat. CEs and BAs of all sizes continue to struggle mightily to meet their compliance objectives. However, despite real Platform challenges, technologies exist, and are becoming more economically accessible each day, that will help you meet your compliance objectives. And, as discussed above, you are far more likely to be out of compliance due to people and process challenges than due to a lack of affordable enabling technologies.
So, as most of you know, licensed professionals are required to take a certain number of continuing education courses per year (actually, for lawyers it runs every 2-3 years, more or less). These are called Continuing Legal Education ("CLE") courses. I decided to take a course on HIPAA Breaches. The presenters were three individuals: (1) a corporate in-house counsel (I believe; otherwise a corporate compliance officer); (2) a HIPAA non-technical consultant (i.e. someone somewhat knowledgeable about the regulations); and (3) a HIPAA forensic technical consultant.
I really wasn't expecting to learn all that much that was new. I simply wanted to hear someone else's perspective. Wow, I was in for a rude awakening! Remember that these were people presenting to a live audience of lawyers, to be recorded and used as a CLE course that could subsequently be purchased online (which is what I did). I was astonished by what I heard. The three proceeded to mangle the law, promulgate information that was just dead wrong, and otherwise mislead the audience (e.g. that ALL personal injury lawyers dealing with PHI are business associates; they are NOT). Now, they were not purposely trying to mislead. I am quite sure that for the most part these were competent individuals in their respective fields.
However, it just served to illustrate one of the challenges that covered entities (CEs) and business associates (BAs) face when dealing with consultants. BTW, these were consultants that railed against "HIPAA Certifications" because in fact neither HHS/OCR nor any other government agency provides one. Therefore vendors (like 3Lions' HCP) take it upon themselves to provide one. Now, to be honest, we always rail against product vendors that market their products as "HIPAA compliant" because only CEs and BAs can be compliant (more on this below). However, after railing against said certifications they proceeded to endorse their own HITRUST certifications. Somehow they did not manage to see the irony in that.
There is nothing wrong, per se, with vendors issuing their own certifications. In the tech world Microsoft et al. have been doing it for years and their "certifications" are widely accepted. Why? Well, because Microsoft has the market clout to make its certification the de facto standard. Vendors in the HIPAA space hope to accomplish the same. However, certifications are not the gist of this post; misinformation is. If knowledgeable people can be so grossly misinformed about the legal aspects of HIPAA, then CEs and BAs need to be especially careful when accepting legal advice from lay people.
First of all, legal advice from lay people amounts to the unauthorized practice of law on their part. Second, caveat emptor. If you rely on non-lawyers for legal advice, that's not going to hold water when you get audited or sued. There is a "reliance on counsel" affirmative defense that can be used at times to mitigate damages, BUT that only has a snowball's chance in hell of working if it was counsel that you actually relied on. Relying on consultants to give you legal advice will get you laughed out of court! If you are in-house counsel, this would NOT be good for your career! You get what you pay for. In this case, you are paying but not getting.
There are some really good HIPAA consultants in the marketplace. They deliver professional services that lawyers can't. However, do not confuse their knowledge of the regulations (and your lack thereof) with legal advice. That's your legal warning; do with it what you will.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims.
Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
For our purposes this definition captures what we believe are all the essential elements of Phishing. The money quote from the definition above is that "Phishing is an example of social engineering." A "hack" using social engineering is not carried out because the hacker possesses superior technical skills (although some obviously do), BUT rather because the hacker has insights into human nature and therefore understands the capacity of humans to be deceived by things that look familiar but that, upon closer inspection, are not.
"Phishing is an example of social engineering... it works not because the hacker possesses superior technical skills, but rather because the hacker has insights into human nature that can readily be exploited by those with a sophisticated understanding of human nature & psychology..."
You may think that mostly uneducated and unsophisticated users of information technology fall into these traps, but you would be wrong. For example, thousands of lawyers are targeted every day with emails from Asia purporting to have some contractual business that they require legal assistance with. If you are a hungry lawyer (and given the disruption that is occurring in the legal industry there are LOTS of them), then your own pecuniary interest blinds you to the fact that business people generally do not randomly select a lawyer from the Internet (the odds of that being legitimate approximate the odds of winning the lotto).
Is Phishing that targets the healthcare industry any different than, say, phishing that targets the financial services industry? Yes and no. It is different simply because the "bad guys" have figured out that healthcare is more vulnerable than financial services. Hackers, like all knowledge workers, are going to target the low-hanging fruit that produces the most results per unit of time. Healthcare knowledge workers (i.e. clinicians) tend to work at a more frenetic pace and therefore often do not have time to pay close attention to the details that would identify a well-executed Phishing scheme. Combining these two variables makes healthcare a "target rich" environment for Phishing schemes.
Otherwise, in general, the Phishing schemes that have worked elsewhere are simply repurposed for a healthcare environment. Think of it from the bad guy's perspective. He has already taken the time to craft a well-thought-out scheme to gain access to the network (or its physical analogue, e.g. pretending to be the pizza delivery guy to gain access to a building and then simply finding a "live" ethernet jack). In order for it to work it needs to be well crafted and sophisticated, and that effort is expensive, so the temptation on the part of hackers is to simply reuse what has worked elsewhere and apply it to healthcare. You can therefore "study" a number of well-known and documented Phishing patterns (spoofed sender addresses, display names that borrow a trusted brand, links whose visible text names one site while the actual destination is another, look-alike domains) in order to educate your workforce about this type of threat. At the end of the day, preventing Phishing is all about education, education, education.
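The "familiar but not quite right" cues described above are mechanical enough to check automatically, which is a useful complement to workforce education. The following is an added example, not code from the original post or from 3Lions/Expresso: it parses a single-part HTML email and flags a sender domain that imitates a trusted one (including "rn"-for-"m" style homoglyph swaps and a real domain buried inside a longer hostname), a display name that borrows a trusted brand while the address belongs elsewhere, and links whose visible text names a different site than the actual href. The trusted-domain list, the homoglyph table and both sample messages are constructed for illustration.

```python
"""Flag the "familiar but not quite right" cues in a phishing email.

Added example, not from the original post: TRUSTED_DOMAINS, the homoglyph
table and both sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the hypothetical organization really deals with (constructed).
TRUSTED_DOMAINS = {"examplehealth.org", "examplebank.com"}
# Look-alike substitutions seen in spoofed domains: "rn" for "m", "1" for "l", ...
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]
# A full URL, or a bare domain such as www.examplebank.com, inside anchor text.
URL_RE = re.compile(r'https?://[^\s<>"]+|(?:[\w-]+\.)+[a-z]{2,}', re.I)


def normalize(label):
    """Undo homoglyph swaps so 'exarnplebank' compares equal to 'examplebank'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registrable(host):
    """Last two labels: 'login.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # examplebank.co, exarnplebank.com, examplebank-secure.net
        if brand in normalize(dom.split(".")[0]):
            return trusted
        # examplebank.com.login-verify.net: the real name buried in a longer hostname
        if trusted in host.lower():
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Host named in the anchor text itself, if the text looks like a URL or domain."""
    m = URL_RE.search(text)
    if not m:
        return None
    url = m.group(0) if "://" in m.group(0) else "http://" + m.group(0)
    return urlparse(url).hostname


def analyze(raw_message):
    """Return human-readable findings for one single-part text/html message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    target = lookalike_of(sender_host)
    if target:
        findings.append(f"sender domain {sender_host!r} imitates {target!r}")
    for trusted in TRUSTED_DOMAINS:
        # Brand named in the display name, but the address is not that brand's domain.
        if trusted.split(".")[0] in display_name.lower() and registrable(sender_host) != trusted:
            findings.append(f"display name {display_name!r} is not from {trusted!r}")
    charset = msg.get_content_charset() or "utf-8"
    collector = LinkCollector()
    collector.feed((msg.get_payload(decode=True) or b"").decode(charset, "replace"))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = shown_host(text)
        if shown and registrable(shown) != registrable(href_host):
            findings.append(f"link text shows {shown!r} but points to {href_host!r}")
        target = lookalike_of(href_host)
        if target:
            findings.append(f"link host {href_host!r} imitates {target!r}")
    return findings


# Constructed sample messages, not real mail.
PHISH = """\
From: "ExampleBank Security" <alerts@examplebank-secure.net>
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<p>Confirm your identity within 24 hours at
<a href="http://examplebank.com.login-verify.net/confirm">https://www.examplebank.com/login</a></p>
"""
LEGIT = """\
From: "ExampleBank Alerts" <alerts@examplebank.com>
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>See <a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(sample) or ["no findings"])
```

Run as a script it reports four findings for the constructed phishing sample (spoofed sender domain, borrowed display name, mismatched link text, look-alike link host) and none for the legitimate one. The checks are deliberately simple heuristics: the trusted-domain list has to be maintained, and the homoglyph table only covers a few ASCII swaps, so treat the output as a prompt for the human reader rather than a verdict.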
November Webinar: Exploring Risk Assessment Software. This webinar is not a commercial for Expresso. Rather, it simply uses Expresso to compare and contrast the "must have" features that Risk Assessment software should possess. Expresso Release 1.0 certainly does not contain ALL of the latter. Hopefully, this will fuel open conversation about the future direction of said software.
Description: The webinar explores various attributes of Risk Assessment Software.