HIPAA in High Gear (Now it gets serious)

Leon Rodriguez, director of the Office for Civil Rights at the U.S. Department of Health & Human Services, is a serious looking guy. It would be no stretch to say intimidating, even, as the tall, broad-shouldered director represents the face of the more-stringent-than-ever HIPAA Omnibus Rule – compliance date of Sept. 23. The new rule promises to bring hefty fines, more audits and added enforcement pertaining to the issue of patients’ protected health information.

In reality, however, although Rodriguez has affirmed that organizations will indeed be held accountable for violating HIPAA privacy and security rules, he has also proved himself to be industry-conscious, practical and fair.

Of the roughly 80,000 HIPAA complaints OCR has received since 2003, only 16 have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.

“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.

Don’t let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that’s most likely going to continue.

“It’s going to continue to be a small but very important part of the story,” he said. “I think it’s important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them.”


And although an official and permanent audit program is not yet fully established – and most likely won’t be until 2014 – breach investigations are, as some organizations can attest to, at full force.

Breach blunders

WellPoint, one of the nation’s largest health insurers, is one of the 16 organizations that have so far come to better understand what is expected under the HIPAA privacy and security rules.

Just this July following an investigation, OCR ordered WellPoint to hand over $1.7 million after leaving the protected health information of 612,402 individuals accessible over the Internet. The data compromised included patient names, dates of birth, Social Security numbers, telephone numbers and health information.

According to the report, WellPoint had no safeguards in place to verify the identity of a person or entity seeking access to the electronic protected health information, and it failed to perform a technical evaluation following an IT system software upgrade.



“I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable,” Rodriguez said.

When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis,” he said.

Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.

Case in point is what transpired at Idaho State University’s Pocatello Family Medicine Clinic two years ago, when clinic officials notified the Department of Health and Human Services of a breach involving electronic protected health information for some 17,500 patients.

Following an investigation, OCR determined that the PHI of those 17,500 patients was left unsecured for 10 months because an ISU firewall had been disabled.

Furthermore, the ISU clinic had failed to conduct a risk analysis of the confidentiality of its ePHI for more than five years. As a result, this May, ISU agreed to pay $400,000 to HHS to settle the HIPAA breach allegations.

Ted Kobus, New York-based attorney for BakerHostetler who specializes in privacy issues and data breaches, said another area where covered entities and business associates are failing in the privacy and security arenas is the proper handling of old data. “Forgotten data, old data that the organization hasn’t accounted for,” proves a frequent cause of breaches, says Kobus.

This reality resonates with New York-based Affinity Health Plan, which just this August agreed to pay OCR $1.2 million after failing to clean patient data from a photocopier hard drive. CBS News then purchased the photocopier, previously leased by Affinity, and discovered it contained the protected health information for 344,579 patients.

Following an investigation, OCR officials found Affinity neglected to include the electronic photocopier data in any of its risk analyses.

The HIPAA Security Rule requires CEs and BAs to clear, purge or destroy devices containing ePHI before the devices are made available for re-use, but that’s just not happening at the level it should, says Sean Magann, vice president of California-based Sims Recycling Solutions. “What’s happened over the past five or six years is that bad guys got really smart,” he told Healthcare IT News’ Mike Miliard last month. “They realized there’s more value in the information than in the actual commodities. It’s a numbers game. You buy 100 hard drives, 99 of them will be erased and done properly. But the one that you do get contains a treasure trove of information: Social Security numbers, patient data, everything a bad guy needs.”

And this time around, when a BA or CE breaks the rules, it will pay much heftier fines than those originally set forth in the interim rule.

Whereas organizations only faced penalties up to $25,000 for identical violations per calendar year under the interim rule, the final rule increases that amount to $1.5 million for a repeating violation per year.

For willful neglect breaches – meaning the organization failed to correct the issue – each individual violation is pegged at $50,000. The smallest penalty amount organizations could face is $100 per violation.

What’s new?

One of the first changes to note in the final rules pertains to the very definition of breach. The interim rule originally stipulated that a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual – often called the harm standard.

In the Omnibus final rule, not only was the harm standard removed, but a breach is now presumed: an “impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised.”

“There are two changes there,” said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. “First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.

This should have come as no surprise to BAs, said Rodriguez. “We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations,” he said.

Despite this, many BAs are still lagging behind in many regards, said Kobus. From his line of work, he sees many business associates much less prepared than covered entities. “We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions,” he explained.

Kobus said that between 30 and 70 percent of privacy and security breaches involve a vendor, which puts tremendous pressure on the government to make BAs liable as well and to follow up with investigations.

But, it’s not only that the BAs are often lagging behind. Many covered entities are assuming they’re more off the hook than before.

Kobus sees a lot of covered entities that have questions over whether or not they’re off the hook and don’t have to worry as much as they did in the past now that business associates will be held directly liable for violations. “The answer really is ‘no,’” said Kobus. “We still have to keep in mind the covered entities are still responsible for their own violations of the HIPAA privacy and security rules, and business associates are going to be responsible for their violations.”

The final Omnibus Rule also expands the definition of business associate to include health information organizations, e-Prescribing Gateways, certain PHR providers, patient safety organizations, data transmission service providers with access to PHI and contractors involved with PHI.

Additionally, the rule also stipulates that a contract between BA and subcontractor is required and it must be as stringent as the contract between a CE and a BA.

As far as patient control goes, the rule in many ways imposes tighter restrictions on what organizations can do with patient data without the patient’s consent. Patients can now insist that their health data not be shared with other groups if they pay for the specific medical services out of pocket, and certain patient information cannot be sold without that patient’s consent.

BA Agreements

Lynn Sessions, Houston-based healthcare and privacy attorney with BakerHostetler, works with many healthcare providers as they update their business associate agreements, primarily with the larger, more sophisticated BAs. What she’s seeing are protracted, lengthy negotiations around BA agreements, particularly with respect to limitations of liability and indemnification. “We’re encouraging our healthcare clients to include indemnification and perhaps even insurance requirements as part of their business associate agreements so they’ve got protection should a breach take place or if there is a regulatory inquiry,” said Sessions.

Some of the business associates are expecting it, she added, as they understand they’re doing business in the healthcare arena. Others, however, who are new to the party, such as providers who thought they were never BAs in the first place, are playing catch-up. “And so, what used to be in some instances just kind of the cursory, ‘Sure, I’ll sign your business associate agreement,’ has become a much more detailed negotiation where some covered entities have had to hire counsel,” said Sessions.

Now that this piece is more stringent, “I think OCR has gotten covered entities and now business associates’ attention with the fines that have been levied over the last several years,” she added.

Jeffrey Brown, chief information officer at the 178-bed Lawrence General Hospital in Lawrence, Mass., said the hospital’s contracts with BAs haven’t changed at this point, but they are in the process of cataloguing all their third-party associates. “We’re going back, doing a detailed review and analysis of the verbiage within those BAAs,” he said. He estimates they have about 75 to 125 business associates at a minimum from an IS perspective. From an organizational perspective, that number is much higher, he says.

In many cases, however, he has noticed these third-party vendors are starting to be proactive, and so Brown is seeing addendums coming through.

Doing it right

Lawrence General Hospital has never experienced a HIPAA breach – for good reason.

“I wouldn’t say (we’re) lucky,” said Brown. “Privacy and security and compliance are something that is at the top of our priority list.”

Hospital employees are not allowed to bring their own devices to use for clinical purposes; rather, the hospital provides cellphones and laptops to specific employees. All devices are password protected and updated with the latest encryption technology.

If someone loses a cellphone or an employee is terminated, officials have the ability to go in and wipe that cellphone clean of any kind of data. And they do.

Moreover, Lawrence General brings in consulting firms to conduct regular risk analyses and assessments, and a hospital committee meets monthly to discuss the ever-changing nature of privacy and security issues.

This element proves crucial, he says, as the matter is far from static. “Privacy and security in the old days was kind of looked at as a once-and-done deal,” said Brown. “It was something that you did yearly or every two years. Risks and mitigations were presented to the organizations, and you kind of checked the box. And I think now what’s happened is it really is a program and a process that organizationally, and I think culturally, needs to become part of the fabric of what all healthcare entities need to practice,” he explained.

Brown admits there’s an upfront cost to comply with these rules, but views it as a real return on investment. “When you update kind of this triad of people, process and technology, it not only puts the consumer in a better place to be protected but also the organization.”

Kobus agrees. He says some of the biggest mistakes by CEs and BAs are lack of education and employee awareness, “people not understanding why it’s critical to protect this type of information,” he said.

But it’s not always a clear cut procedure, especially for larger institutions, added Sessions, who said healthcare organizations notoriously have a lot of policies and procedures in place. “What I can see is that policies and procedures get implemented, and there may be an area in the hospital that wasn’t thought about,” she explained. “There is so much information about patients that are used in healthcare organizations that to be able to ensure education to everybody, that they understand the policy and procedures that are in place and frankly that the drafters of the policy and procedures understand all the data out there can be difficult.”

Micky Tripathi, chief executive officer of the Massachusetts eHealth Collaborative, also offered insight into how to handle a breach properly when it occurs from the perspective of someone who has been through one.

Back in 2011, Tripathi reported that an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee’s locked car. After going through the process of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi learned a few things.

No one, he said, is immune from data breaches. But, an organization can be immune from much of the aftermath depending on how it’s handled.

“We tried to be very transparent about everything we did,” he said at the HIMSS Media and Healthcare IT News 2012 Privacy and Security Forum. In addition to the legal responsibilities, “we had a certain ethical responsibility,” said Tripathi. “We came clean with the whole thing … we were standing up for our mistake and we were going to do whatever we had to do to rectify the situation.”

Despite not getting slapped with state or federal fines, MAeHC did pay up. The total costs of the data breach reached $228,808, which is no nominal number for a nonprofit. Tripathi said $150,000 of that went to legal fees, and more than $6,000 went to credit monitoring for patients.

They could have paid a lot more, however, and Tripathi realized that. And the lesson that went along with the experience was invaluable. Encryption is key, and the failure to encrypt devices “was a big miss from a management perspective,” he said.

Kobus also explained the significance of notifying patients in the proper manner and without jumping the gun. BAs and CEs should only notify individuals affected and the public once they know exactly what happened, how it happened, what they’re doing to protect patients in the future and what they’re doing to prevent a breach like this from happening again.

“If you answer them, they’re not going to be happy about what happened, but they’re going to understand that you have control over the situation, you understand the seriousness of the situation and that you’re trying to make yourself better,” he said.

Omnibus Opinions

Overall industry reactions to the final rule have been decidedly mixed.

Brown, for one, thinks it’s a benefit for the industry, although he concedes that difficulties do exist.

“There are going to be some challenges organizationally, in terms of just wrapping your head around the complexities,” he said. “I’m always an advocate for the patient and the consumer, and I think what these updated rules are doing further protects (them)… this really should give them a greater level of confidence in the overall ecosystem around how their health information is going to be protected now and in the future.”

Russ Branzell, chief executive officer of CHIME, says there are naturally pros and cons. The cons pertain mainly to the sheer volume of processes and policies that CEs have to implement and follow, which can weigh heavily on CIOs who already have lengthy to-do lists. “I think there are parts of the rule that I’m sure most CIOs would say were needed and required,” Branzell said to HealthInfoSecurity. “There are also parts in there that they would say, ‘Wow, there’s just so much more I’ve got to do.’”

Many privacy advocates have also weighed in on the final rule. Deborah Peel, MD, chair of Patient Privacy Rights advocacy group, who bills herself as a “privacy warrior,” said there are privacy improvements, but the rule still didn’t go far enough.

Peel pointed to the example pertaining to patients who pay for services out of pocket who can request that their health information isn’t shared with other groups. “HHS did not require segmentation technologies so that (patient health information) can be protected and selectively shared. Instead, the information should be ‘flagged’ so only the ‘minimum necessary’ information is disclosed,” she said to amednews.

Peel went on to say that rules and contracts don’t guarantee they’ll be followed or enforced properly.

Others see considerable limitations to the final rule. Kobus, for example, thinks the language complicates things by eliminating the harm standard. “It makes things more subjective,” he said, taking “away the ability at least in some part for the organization to take a look at individualized harm and places the emphasis elsewhere, and I think that can be problematic because in reality, isn’t this about protecting patients and making sure patients can protect themselves if they’re at risk, and over notification does no one any good.”

From Sessions’ perspective, many BAs and CEs are actually going beyond what they are required to do by law in terms of reporting – clients who would rather be safe than sorry. “We think there’s going to be over-reporting with the final rule,” she said.

However, according to Rodriguez, overall, the number of entities over-reporting is nominal. “There’s a little bit of that, but mostly not,” he said, adding that the general pace of reporting has remained relatively consistent. “I think for the most part, we’re getting appropriate reports. You know, in other words, we’re not having folks reporting that don’t need to be reporting.”

Rodriguez says that the feedback he’s heard from industry officials is generally positive. “I would say for the most part, and certainly within the traditional covered entity community, I think this rule is very much welcome,” he said. “There have been questions about narrow, specific requirements in the new rule, and we’re certainly working with all the stakeholders to provide clarification, to provide training material, to provide guidance as these issues come up. But as a whole, my sense is that both industry and consumers are pretty comfortable with where we’ve gone in the final rule.”

Top HIPAA breaches of 2013

1. Texas Health Harris Methodist Fort Worth – 277,014

In May, local residents found several hospital microfilms – which were supposed to have been destroyed – in various public locations. The records on the microfiche contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance data and, in many cases, Social Security numbers.

2. Indiana Family and Social Services Administration – 187,533

Officials announced the HIPAA breach in July after an agency contractor, RCR Technology Corp., experienced a software glitch in a document management system that resulted in clients receiving personal and private documents belonging to other clients. Patient clinical and financial data and, in some cases, Social Security numbers were compromised.

3. Orthopedics & Adult Reconstructive Surgery – 22,000

The Texas-based center’s business associate AssuranceMD allegedly lost an unencrypted portable electronic device containing patient protected health information back in March.

4. Our Lady of the Lake Regional Medical Center – 17,339

Back in March, an unencrypted hospital laptop containing the protected health information of intensive care unit patients went missing from a physician’s office. Patient names, ages, race, discharge data and treatment results were compromised.

5. Raleigh Orthopedic Clinic – 17,300

The clinic provided patient X-rays to a third-party vendor, which sold the films to an Ohio-based recycling company that harvested the silver from the X-rays. Raleigh Ortho discovered the arrangement had been a scam.

6. Henry Ford Hospital – 15,416

The five-hospital Henry Ford Health System notified 15,416 patients in July that their protected health information was compromised after hospital X-ray films stored in a warehouse were stolen. This is the health system’s fourth big HIPAA data breach within a three-year period. A warehouse employee has been arrested in connection with the theft, but the files remain missing.

7. Delta Dental of Pennsylvania – 14,829

Mechanicsburg, Pa.-based Delta Dental contracted with ZDI, which announced March 20 that it lost patients’ paper records.

8. United HomeCare Services – 13,617

Miami, Fla.-based UHCS notified patients in April of a HIPAA breach that occurred in January after an unencrypted company laptop was stolen from an employee’s car. The laptop contained patients’ names, addresses, Social Security numbers, health plan numbers and clinical data.

9. Stanford University Lucile Packard Children’s Hospital – 12,900

LPCH officials announced their fifth HIPAA breach in June after notifying patients that their protected health information was compromised following the theft of an unencrypted hospital laptop. The laptop contained patient names, ages, medical record numbers, surgical procedures, names of physicians involved in the procedures and telephone numbers.

10. Indiana University Health Arnett

IUH at Arnett began notifying patients in May after an unencrypted company laptop was stolen from an employee’s car back in April. Patient names, dates of birth, medical record numbers, physicians, dates of service and diagnosis data were contained on the laptop.


IRS seizes 60M records without warrant

SAN DIEGO – The Internal Revenue Service has found itself at the center of one of the largest healthcare privacy breaches in history, after allegedly stealing and improperly accessing the medical records of 10 million Americans, including health records of California state judges, members of the Screen Actors Guild and Major League Baseball players.

A California HIPAA-covered entity, identified as John Doe Company, filed a complaint with the Superior Court of California against the agency in March accusing 15 IRS agents of seizing 60 million medical records from 10 million patients. The protected health information taken by the agents included psychological and gynecological counseling data, sexual/drug treatment and other medical treatment data.


According to the filed complaint, “No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search.”

Fraudulent Support Call Scams Persist Despite FTC Crackdown

Computerworld has warned of ongoing scams in which criminals fraudulently pose as support personnel, typically from Microsoft but also from security companies like Symantec and McAfee (or manufacturers like Dell). The supposed support personnel typically call victims to tell them that their computer is infected or malfunctioning, in order to sell them fraudulent and unnecessary software or services and/or to gain remote access to the computer. In the latter case, the fraudsters then steal sensitive data or install malware. These fraudsters can be fairly convincing and use a variety of tactics. For example, in some cases they have offered supposed evidence by directing victims to open the Windows system logs and pointing to error messages which are, in fact, routine system errors that occur regularly.

Computerworld’s warning comes more than a year after the FTC acknowledged and addressed this exact problem, eventually shuttering six firms responsible for these sorts of support scams. However, these scams may be a fairly permanent fixture in the threat landscape.

Last week, our office received a call that fit Computerworld’s warning to a T. The caller, who claimed to be calling from Microsoft, even provided step-by-step instructions for navigating to the system logs in order to demonstrate supposed evidence of infections and malfunctions. The caller ultimately sought to convince victims to install software that would allow him to remotely access and control their computer.

As Computerworld highlights, these scams persist because of “the difficulty regulators have in playing Whac-a-Mole, where for every suppressed fraudster, one or more new operators pop up.” Clearly, it is important that users be aware of these attacks and follow the appropriate best practices. Most importantly, never give personal information or control of your computer to any unsolicited caller. If a caller pressures you to purchase or pay for any goods or services, just hang up. If you believe you may need tech support, call the vendor directly using contact information from the vendor’s official website, or from a software package or receipt.

Is Texting PHI HIPAA Compliant?


The short answer is yes (maybe).

Compliance with the HIPAA Security Rule is not an attribute of a particular application or device, but rather of a system of physical, administrative and technology safeguards that support the HIPAA-compliant use of electronic communication. Texting can be a useful means of communication, but texting PHI presents a number of risks. Organizations must thoroughly analyze these risks and develop appropriate policies. Where an organization decides to permit texting, it is essential that the associated privacy and security risks are effectively managed.

Some examples of texting safeguards that may form part of a risk management plan:

Banning the texting of ePHI entirely, or limiting the texting of identifiers, diagnoses and other information

Requiring deletion of texts (policies also need to address circumstances where HIPAA requires ePHI in texts to be included in the medical record to address individual patient rights)

Device passcode protection

Device encryption

Secure disposal of devices

Registration of devices, including personally-owned devices

Use of a third-party secure messaging solution

Regular training on the CE’s policies and procedures is essential to promoting organization-wide compliance and minimizing risk.

As regards texting, it is critical that the workforce clearly understands the organization’s policy and receives the training necessary for compliance. A substantial proportion of reported security breaches are due in part to insufficient training of the workforce. It is also important that there be sanctions for noncompliance.

Risk management is a process. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk to determine whether it is being effectively managed by existing safeguards, or whether those safeguards need to be strengthened. Changes in the regulatory environment, such as enforcement actions or the issuance of additional guidance, also need to be monitored. Practices should also ensure the risk analysis is updated regularly as technology and health care delivery change, for example in response to the greater care coordination required under accountable care.

Conclusion

Compliance with the HIPAA Security Rule is not an attribute of a particular application or device, but rather of a system of physical, administrative and technology safeguards that support the HIPAA-compliant use of electronic communication. Texting can be a useful means of communication, but texting PHI presents a number of risks. Organizations must thoroughly analyze these risks and develop appropriate policies. Where an organization decides to permit texting, it is essential that the associated privacy and security risks are effectively managed.

Resources for Encryption and Sanitation Requirements

Encryption, which must be addressed as part of an organization’s HIPAA security compliance, can be used to secure data in transmission (such as PHI sent by a mobile device) and data at rest (such as PHI stored locally on a mobile device).

The risk analysis should identify threats and vulnerabilities to ePHI, assess the sufficiency of current security measures, determine the likelihood and potential impact of threat occurrence, assign levels of risk to these threats and identify and implement appropriate corrective actions.

With regard to texting, key risks include the risk of loss, theft or improper disposal of the mobile device containing unsecured PHI and the risk that individuals other than the intended recipient may gain access to PHI stored in texts as a result of lack of safeguards (for example, someone who steals the phone, or a family member who borrows the phone). Another possible risk is that, while in transit, PHI could be intercepted by unauthorized persons. Also, telecommunications vendors or wireless carriers that store texts containing PHI may need to execute business associate agreements.

The major wireless providers such as Verizon, Sprint, AT&T, MetroPCS and T-Mobile all claim not to store text messages on their servers. Other, locally contracted messaging services, however, may not follow that model. If you are using a major carrier, then interception and storage issues relating to texts become inconsequential for individual practices. Larger organizations such as hospitals, insurance companies and health care systems may wish to execute HIPAA agreements. For smaller messaging service providers, we suggest a HIPAA agreement relating to the security of the messaging system.

Windows XP Now a Serious Security Risk

If you are hanging on to XP because you are afraid of moving to Windows 7 or 8 you should read the rest of this. It will change your mind.

Everyone complains about how hard it is to run Windows 8.x on a non-touch-screen computer. After using it for about three months, I have to say that if a person takes the time to learn the system, it is elegant, efficient and, most importantly, secure.

It seems that all we want is another version of the operating system we are already using, without having to learn anything new. I submit that it is not all that hard. Some things are not as compact as in Windows 7, but on the whole Windows 8 does a great job once you learn it and customize it for your needs and tastes. It might even be more compact. If you have a touch screen computer and really want to do something productive, it is the best thing out there.

After analyzing online security threats encountered on more than 1 billion systems across the globe from January to June 2013, Microsoft’s Security Intelligence Report volume 15 is broken down into “in-depth perspectives” on vulnerabilities, exploits, malware, email threats, malicious websites, cloud security and best tips for mitigating risk.

New for this report, Microsoft discusses “encounter rates”: the number of computers that encountered malware, compared with the number of computers actually infected with malware and cleaned by Microsoft’s Malicious Software Removal Tool. Worldwide, 17 of every 1,000 computers encountered malware, but only six of every 1,000 were infected and cleaned. In the U.S., during the first half of 2013, 11.51% of PCs encountered malware, but only 8 of every 1,000 were infected and cleaned.

The dangers of still running Windows XP fit squarely into this theme of malware encounter and infection rates. If you are still running XP, Microsoft’s answer is to upgrade to Windows 8.

According to Tim Rains, director of Microsoft Trustworthy Computing, the data from this newest Security Intelligence Report illustrates “the positive impact that security innovations in newer operating systems are having. Modern operating systems such as Windows 8 include advanced security technologies that are specifically designed to make it harder, more complex, more expensive and, therefore, less appealing for cybercriminals to exploit vulnerabilities.” In fact, a large portion of Rains’ post is devoted to the dangers of clinging to XP.

Cyber Security Order and Health Care

Obama cybersecurity executive order may have healthcare implications

Don Fluckinger, News Director
Published: 09 Apr 2013
At the State of the Union address earlier this year, President Obama announced a cybersecurity executive order, Improving Critical Infrastructure Cybersecurity, in the wake of failed efforts to pass cybersecurity legislation in 2012. If it hasn’t already been assumed to be a part of it, healthcare may soon be pulled into it, creating a new layer of compliance mandates and, possibly, grant funding to ease the capital investments needed to comply, said speakers at the PHI Protection Network’s recent forum in Cambridge, Mass.

In a nutshell, the order began by assigning the National Institute of Standards and Technology (NIST) the development of a cybersecurity framework, which involves working with leaders of various industries to develop common digital information security risk assessments and best practices. The key phrase for healthcare CIOs and compliance leaders to watch is “critical infrastructure,” Josh Magri, associate vice president of the Internet Security Alliance (ISA), told SearchHealthIT.

Magri pointed out that the executive order (in Section 2) does not specifically name hospitals and other healthcare providers when it defines “critical infrastructure” as systems or assets that, if taken offline, would have a “debilitating impact on … public health or safety.” But as federal agencies such as the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) sit down with NIST to develop the framework, they could easily declare healthcare providers subject to the order.

In discussions with the DHS, Magri said it’s likely healthcare providers “can look forward to more regulations coming down the line.” But incentives to adopt the common cybersecurity framework could very well be in the offing, too.

“The executive order basically has the government getting its house in order; there are no regulations that have come out from it [yet],” Magri said, adding that he encourages healthcare CIOs to adopt cybersecurity best practices as outlined in the SANS 20 and the Verizon Data Breach Investigations Report, not only in order to protect their patients and network infrastructure, but also to be in an early position for incentives.

Health IT leaders can help steer the process

Magri also encourages healthcare IT leaders to get involved in discussions with the government officials developing the plan. Hospital leaders who get involved now can potentially help steer the terms of the regulations as well as the incentive program parameters, which might lower their eventual compliance burdens.

“The timelines on the executive order for deliverables — such as incentives, such as identification [of who falls under critical infrastructure] — are all within 120 days or 150 days” from Feb. 14 when Obama issued the order, Magri said. “You really have got to get going.”

He added that deliverables will have to be completed 30 days prior to those deadlines, so the corresponding agencies in charge of them (HHS, DHS, NIST) have time to review the documents and sign off.

In a presentation at the conference, compliance expert and Santa Fe Group CEO Catherine Allen said she believes hospitals, ambulance services and medical communities already fall under the executive order.

“It will mean increased costs; it will mean increased regulatory oversight in some form, and I think within the next year we’ll see most of the new rules coming out,” Allen said.