
U.S. HHS Cracks Down on HIPAA Non-Compliance

TechSource Editor

February 12, 2015  |  Cyber Security  •  Telehealth


The healthcare industry is one of the most heavily regulated industries today. To secure electronic protected health information (ePHI), organizations look to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. But they must also protect personal, financial, and payment data under a variety of other regulations, including the Payment Card Industry Data Security Standard (PCI DSS).

Major 2014 fines

This past year, the U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) stepped up enforcement, fining and settling with healthcare organizations for HIPAA non-compliance. The organizations had adopted HIPAA policies and procedures, but they often failed to follow up with regular reviews of the systems holding ePHI for risks, vulnerabilities, and unpatched software. For example, a community mental health service in Alaska was recently fined $150,000 for failure to patch software. And earlier in 2014, two New York hospitals settled for a combined $4.8 million after protected data became accessible through public search engines when servers were deactivated without appropriate technical safeguards.

The expansion of electronic medical records (EMR) and the use of portable devices, virtual systems, and cloud services are often outpacing the implementation of security technologies. Along with those trends comes the increased risk of unauthorized exposure of sensitive protected data. It’s true that the HIPAA Security Rule is largely non-prescriptive when it comes to specific security procedures, leaving organizations on their own to determine and implement best practices. But the HHS-OCR penalty fines should be a wake-up call to healthcare organizations to implement comprehensive and stringent security procedures and to make security a daily practice.

Challenges

One of the challenges in migrating to electronic records is overcoming attitudes developed over decades of reliance on paper records. While there was rarely much security around paper records, stealing them would have required physically entering healthcare facilities and gathering records individually. The connectivity that allows near-instant access to EMR for improved patient care can also expose those same records to near-instant mass theft from anywhere in the world.

In 2013, healthcare accounted for 43.8 percent of all reported major data breaches, the first time it topped the Identity Theft Resource Center's breach list. In 2014 that share held nearly steady at 42.5 percent. Organizations must have and enforce a comprehensive security policy, including a commitment to continuous monitoring for vulnerabilities and rapid remediation. It is no longer sufficient to scan, audit, and patch only Windows hosts and call that HIPAA compliance; the approach must cover every asset that stores or touches ePHI: all computers, network devices, firewalls, databases, and mainframes.
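The two failure modes described above, findings left open past their remediation deadline and whole asset classes that never get scanned at all, are easy to miss when the only report anyone reads is the Windows patch report. The script below is an added example, not code from the original post or from any vendor product. It runs over a constructed inventory and a constructed set of scan findings (the asset names, check names, dates, severity SLAs and the 14-day scan-age limit are all assumptions) and produces the two lists a HIPAA risk review actually needs: open findings that are past their SLA, broken down by asset class, and assets whose last scan is missing or stale. Filtering the same data to Windows only returns nothing overdue, which is exactly the false sense of compliance the paragraph warns about.

```python
"""Remediation-SLA and scan-coverage check over vulnerability scan findings.

Added example; not part of the original article or any scanner product.
All inventory entries, findings, dates and SLA values are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation policy: days allowed to fix a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed scan-frequency policy: every in-scope asset is scanned at least this often.
MAX_SCAN_AGE_DAYS = 14


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_class: str
    check: str          # name of the check that fired (constructed identifiers)
    severity: str
    first_seen: date    # date the finding first appeared in scan output
    fixed: bool = False


# Constructed asset inventory: asset -> (asset class, date of last completed scan or None).
INVENTORY = {
    "win-ehr-01":    ("windows",   date(2015, 2, 10)),
    "win-ehr-02":    ("windows",   date(2015, 2, 10)),
    "db-ehr-01":     ("database",  date(2015, 2, 9)),
    "fw-edge-01":    ("firewall",  date(2015, 1, 5)),
    "sw-core-01":    ("network",   date(2015, 2, 9)),
    "mf-claims-01":  ("mainframe", None),            # in scope but never scanned
    "web-portal-01": ("linux",     date(2015, 2, 10)),
}

# Constructed scan findings across several asset classes.
FINDINGS = [
    Finding("win-ehr-01",    "windows",  "missing-os-patch",          "critical", date(2015, 2, 8)),
    Finding("win-ehr-02",    "windows",  "missing-os-patch",          "high",     date(2015, 1, 30), fixed=True),
    Finding("db-ehr-01",     "database", "default-credentials",       "critical", date(2014, 12, 20)),
    Finding("fw-edge-01",    "firewall", "outdated-firmware",         "high",     date(2014, 12, 1)),
    Finding("sw-core-01",    "network",  "snmp-public-community",     "medium",   date(2015, 1, 20)),
    Finding("web-portal-01", "linux",    "directory-listing-enabled", "high",     date(2014, 11, 15)),
]

TODAY = date(2015, 2, 12)  # assumed report date


def overdue(findings, today, classes=None):
    """Open findings older than the SLA for their severity.

    Returns a list of (finding, days_past_sla), worst first. `classes` optionally
    restricts the check to a set of asset classes, which is how a Windows-only
    patch report silently hides everything else.
    """
    result = []
    for f in findings:
        if f.fixed or (classes is not None and f.asset_class not in classes):
            continue
        days_past_sla = (today - f.first_seen).days - SLA_DAYS[f.severity]
        if days_past_sla > 0:
            result.append((f, days_past_sla))
    return sorted(result, key=lambda pair: -pair[1])


def overdue_by_class(findings, today):
    """Count of overdue open findings per asset class."""
    counts = {}
    for f, _ in overdue(findings, today):
        counts[f.asset_class] = counts.get(f.asset_class, 0) + 1
    return counts


def coverage_gaps(inventory, today, max_age=MAX_SCAN_AGE_DAYS):
    """Assets that were never scanned or whose last scan is older than max_age days.

    A finding list alone cannot show these: an unscanned mainframe produces zero
    findings and therefore looks clean.
    """
    gaps = {}
    for asset, (asset_class, last_scan) in inventory.items():
        if last_scan is None:
            gaps[asset] = (asset_class, "never scanned")
        elif (today - last_scan).days > max_age:
            gaps[asset] = (asset_class, f"last scan {(today - last_scan).days} days ago")
    return gaps


if __name__ == "__main__":
    print("Overdue (all classes):")
    for f, late in overdue(FINDINGS, TODAY):
        print(f"  {f.asset:14} {f.asset_class:9} {f.severity:8} {f.check:26} {late:3d} days past SLA")
    print("Overdue (windows only):", overdue(FINDINGS, TODAY, classes={"windows"}))
    print("Overdue by class:", overdue_by_class(FINDINGS, TODAY))
    print("Coverage gaps:")
    for asset, (asset_class, why) in coverage_gaps(INVENTORY, TODAY).items():
        print(f"  {asset:14} {asset_class:9} {why}")
```

With the constructed data, the Windows-only view reports nothing overdue, while the full view shows a database, a firewall and a Linux web host each weeks past SLA, and the coverage check flags the mainframe (never scanned) and the firewall (last scanned 38 days ago). In a real deployment the inventory would come from the CMDB and the findings from scanner exports; the logic does not change.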

In February 2014, HIMSS (the Healthcare Information and Management Systems Society) published its 6th Annual Security Survey, sponsored by Experian, of information technology and security professionals at U.S. healthcare organizations. The perceived threat to ePHI is high: 56 percent of respondents were concerned about viruses, malware, and disruptive software; 51 percent cited device functionality as a concern; 56 percent worried about hacking attacks; and 66 percent saw software vulnerabilities or errors as a threat. The risk is clearly increasing, and security budgets are not necessarily keeping pace.

Multiple technologies

Ninety-nine percent of the professionals surveyed said they have at least one security tool tested and in place. But no single technology, whether a firewall or user access controls, delivers adequate protection on its own; controls must be layered to get the strongest coverage: encryption of sensitive data, intrusion detection and prevention systems, continuous network monitoring, endpoint defenses, and two-factor authentication.


For more information on how Tenable can help with HIPAA monitoring and HITECH compliance, see the paper Tenable Product Evaluations Application: HIPAA.

