The task of migrating paper charts to electronic health records (EHR’s) may seem overwhelming for a busy physician’s office. Less than optimal results may occur if a specified plan for migration is not followed. In fact, it’s estimated that one-fifth of doctors across the U.S. are still using paper records in their practices despite incentives for electronic conversion. However, once the decision to migrate is made, a move to EHR does not have to be cumbersome. According to HealthIT.gov, following the steps outlined below can make the transition easier.

Make a Plan

When preparing for EHR implementation, you should develop a plan for migration of patient data from the paper chart to the EHR. You should make sure to conduct chart migration before your go-live date. You should work with your vendor to populate electronic charts with clinical data from existing paper charts, so that providers do not have to start with a clean slate during their first electronic visit with the patient.

Key Factors to Consider

Consider the following questions when developing a plan for chart migration.

Assessment and Planning

• What information from the paper chart is important to move to the EHR?
• Where and how will the information be stored in the EHR
• What is your go-live date? Will chart migration be initiated before the go-live date? Will your practice have a hybrid transitional plan where both paper and electronic charts will be used? What is the target timeframe for chart migration?
• How many people will be supporting the process? How many workstations will be available?

Goal-Setting

• What are your practice/hospital/health center goals? Do you want to become a paperless office? Or, do you plan to become an office with less paper?
• Do you aim to interface with other organizations, such as labs, hospitals, or radiology specialists?

Scanning Specifics

• What is your prioritization strategy (e.g. chronic patients, patients with upcoming appointments, alphabetical)? What data elements do you want to migrate?
• Which parts of charts will be scanned? Scanned documents typically cannot be mined for data; they will appear as a picture in the EHR.
• What is your indexing strategy and how will you maintain this strategy? You should define index terms and stick to your definitions when scanning documents.
• Which parts of the charts will be manually back loaded? Back loaded data can be mined, but must be entered manually into the EHR.

Process

• Who will oversee the scanning and manual back loading processes?
• Who will scan the documents/enter the data into the EHR? Remember, these two tasks may require different skill levels.
• What will be done with the paper charts once they have been migrated into the EHR? Will they be maintained on-site for a period of time in case a provider needs information that was not migrated?

In addition to these steps, using a HIPAA certified I.T. professional can help ease the transition further and ensure your migration goals are met effectively.  I.T. experts like Data Fast Solutions can help your organization make the best, informed decisions regarding EHR’s based on the platform used.

This article is ©2017 Data Fast Solutions • All Rights Reserved

A healthcare provider, or other health care entity, may be well-versed in HIPAA policies and procedures, but some are not as aware of the need to comply with the Federal Trade Commission (FTC) Act.  If you share health-related information,  your disclosures must adhere to the FTC Act. As many are aware, the FTC Act was designed to protect consumers from deceptive practices or unfair acts in commerce.

About two months ago, the Health and Human Services’ (HHS) Office of Civil Rights (OCR) put together some good guidelines that can help healthcare organizations make sure they are in compliance with the FTC Act.  They recommend the following:

• Review your entire user interface. Don’t bury key facts in links to a privacy policy, terms of use, or the HIPAA authorization. For example, if you’re claiming that a consumer is providing health information only to her doctor, don’t require her to click on a “patient authorization” link to learn that it is also going to be viewable by the public. And don’t promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says you will share it. Evaluate the size, color, and graphics of all of your disclosure statements to ensure they are clear and conspicuous.
• Take into account the various devices consumers may use to view your disclosure claims. If you are sharing consumer health information in unexpected ways, design your interface so that “scrolling” is not necessary to find that out. For example, you can’t promise not to share information prominently on a web page, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.
• Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them.
• The same requirements apply to paper disclosure statements. Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.

In addition to the above guidelines, there is a thorough FTC Disclosures report, called “.com Disclosures - How to Make Effective Disclosures in Digital Advertising”. It gives straightforward advice about online disclosures, from making sure hyperlinks that lead to a disclosure are obvious, to using plain language. It goes on to provide detailed information not only on the actual placement and proximity of disclosures, but the technical limitations on how a disclosure may, or may not be, displayed in certain browsers.

As healthcare technology evolves, it’s always important to stay abreast of updated HIPAA and FTC rules and regulations to ensure your organization remains compliant. Data Fast Solutions has the experts and technology you need to be certain that you and your organization are always covered in the quickly changing healthcare I.T. environment.

This article is ©2016 Data Fast Solutions • All Rights Reserved

Phishing, the attempt to fraudulently gather personal and financial data, is an ongoing threat to hospitals and other health care facilities. One of the most recent cases of phishing, as reported by the HIPAA Journal in June of this year, was Verity Health Systems in Oregon. The phishing email was not in relation to patient data, but was requesting information on Verity employees themselves. The email appeared to come from within the company, so the unsuspecting receiver of the email complied with the request, sending employee names, addresses, social security numbers, and even the earnings and withholdings of Verity employees to the attacker.

Some feel certain that they would not become victim to such an attack, but phishing has become much more sophisticated with the IRS, and other organizations, issuing warnings to the public to stay alert. The HIPAA Journal article states that compromises via business email have been highly effective due to the fraudulent emails appearing to come from a CEO or other executive.

Microsoft provides some ways to recognize phishing which may include emails that contain:

• Bad spelling and grammar - Cyber attackers are generally not good spellers and their grammar is often bad.
  

• Links in an email - If a link in an email seems suspicious, do not click on it. Microsoft advises to rest your mouse over the link, but DO NOT click on it to see if the address that was typed for the link matches what is displayed.

• Threats - Phishing emails often contain threats of account closures or other urgent sounding verbiage stating that their request for information must be completed or consequences will follow.

But how would this have helped the Verity employees? Many people are already aware of certain ways to recognize phishing, so attackers are constantly attempting new ways to phish, as was seen in the Verity case. Therefore, thorough training and continued communication are key. In fact, prior to the Verity Health Systems attack, two other large healthcare companies, Magnolia Health Corporation of California and St. Joseph’s Healthcare in New Jersey had almost identical scams which resulted in data breaches in February of this year.

Training employees on the ways in which new attacks are occurring and then following up with employees on recent reported cases can help thwart future attacks. When cyber attackers see that their fraudulent efforts are working, they tend to continue in the same manner. If the Verity employees had been aware of the attacks on Magnolia and St. Joseph’s earlier in the year, they may have questioned the validity of the email they received.

Staying informed is one of the best defenses against phishing. Data Fast Solutions is your best I.T. partner to make sure that you stay informed about phishing and other cyber attacks. Data Fast Solutions has seasoned, skilled, professionals who are highly knowledgeable in cyber security as it relates to HIPAA and keeping your health care organization safe from cyber attacks.

This article is ©2016 Data Fast Solutions • All Rights Reserved

In a prior article, in August of this year, the conveniences of cloud computing in healthcare, as well as the security risks of using the cloud were highlighted. Recently, Health and Human Services (HHS) updated their guidelines on cloud computing in relation to HIPAA to comply with regulations to protect the privacy of and keep electronic protected health information (ePHI) secure. These new guidelines include cloud service providers (CSPs) and their role in HIPAA compliance.

Specifically, the guidelines state:

“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA.  Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.  This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.  Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules.   As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”

The HHS guidelines go on to answer questions such as:

“If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?”

“Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?”

“Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?”

Answers to these, and other questions, can be found on the HHS.gov website as:

http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

As a result of changing guidelines, it’s important that current Service Level Agreements (SLAs) between a CSP and their customer be updated to make sure that the SLA is consistent with updated HIPAA rules.

Just as cloud computing allows easier collaboration between healthcare professionals, it’s also important to collaborate with a good I.T. company like Data-Fast Solutions who is well-versed in HIPAA compliance. This will ensure updated HHS HIPAA guidelines are continually being met.

This article is ©2016 Data Fast Solutions • All Rights Reserved

Mobile devices such as laptops, smartphones, and tablets are used now, more than ever, in healthcare because of their convenience, ease of use, and ability to transmit data efficiently. In addition, apps on mobile devices have made previously arduous tasks more manageable by providing healthcare workers with the ability to complete their work in less time.

Time management apps and other apps such as those used for maintenance of health records, patient monitoring, and medical training have given health care professionals the ability to make informed, sometimes life saving, medical decisions much more quickly than in the past.

However, the convenience of using a mobile device can leave those in the healthcare industry vulnerable to cyber attacks if certain guidelines for protecting and securing information are not followed properly.

The Department of Health and Human Services (HHS) has put together a fact sheet to ensure your organization knows how to protect the private health information.

It includes:

• Installing and enabling encryption

• Use of a password (to lock a mobile device and to lock apps within a mobile device)

• Installing and activating wiping and/or remote disabling to have the ability to erase data on a mobile device if it’s lost or stolen

• Disabling file-sharing applications if they are installed

• Installing and enabling a firewall

• Installing and enabling security software and keeping security software up-to-date

• Researching mobile apps thoroughly before downloading (to ensure privacy and prevent hacking)

• Maintaining physical control of your mobile device

• Using adequate security to send or receive health information via secure Wi-Fi

• Properly deleting all stored health information on a mobile device prior to discarding it

A healthcare organization should have policies and procedures in place for the use of personal mobile devices versus those provided by the company for work use.

In addition to these guidelines, HHS has a web page dedicated to health information privacy and security on mobile devices. It includes helpful documentation as well as videos to watch to help train  staff on the use of mobile devices and HIPAA compliance. It also includes downloadable training materials for healthcare staff with postcards such as "10 Tips to Protect and Secure Health Information When Using a Mobile Device".

Technology safeguards can be put in place for mobile devices, but some of the biggest breaches have occurred when a person using a device is not well informed about how to prevent access to private information. Recent research by Arxan Technologies found that 84 percent of health related apps were open to hacking through code tampering and reverse-engineering. In addition, most app users are not fully aware of the privacy policies for apps and how the private information is used once the app is activated on their mobile device.  

Continually reviewing and updating technology and training is imperative to keeping mobile devices HIPAA compliant. Utilizing a certified and knowledgeable HIPAA I.T. professional such as Data Fast Solutions can ensure your mobile technology is well protected and your staff is up-to-date on how to prevent a cyber attack via a mobile device.

This article is ©2016 Data Fast Solutions • All Rights Reserved

Healthcare professionals are now well-versed in HIPAA policies and procedures and are well aware of the importance of HIPAA and the ramifications for non-compliance. However, some healthcare workers may not be as familiar with the HITECH Act. Per HHS.gov, “the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.”

HITECH was put in place to meet certain goals of the existing regulatory aspects of HIPAA which included improving quality of care through reduced costs and efficiency. Patient personal health information (PHI) in electronic health records (EHI) is of utmost importance in meeting HIPAA guidelines. Having a good information technology company who is well trained and certified in HIPAA/HITECH analysis and assessment can save your health care organization valuable time and money.

A thorough HIPAA/HITECH analysis should include a review of your PHI/ePHI policies and procedures as well as an examination of your network layout and infrastructure. The analysis can identify whether encrypted or unencrypted PHI is being used in portable devices such as laptops, phones, or thumb drives to lessen the risk of cyber attacks. Other areas of the analysis should include a review of the way fax machines are used, if any, and their potential for leaving PHI vulnerable. Rather than using a fax machine, a knowledgeable I.T. company can give you more convenient, secure, modes of transmitting PHI to lessen your organization’s risk of exposing sensitive information. In addition, the use of email and possibility for breaches in unsecured webmail systems, such as those used outside the office to send and receive email from home, should be reviewed. And, finally, an analysis of an area that is surprisingly often  overlooked is the way in which PHI is stored, purged or destroyed.

If breaches are found in an analysis, a HIPAA/HITECH assessment can determine the severity of the breach and an I.T. professional can take the steps necessary to secure your network as quickly as possible. As with the analysis, an assessment should be done by HIPAA/HITECH certified trained and knowledgeable I.T. expert to avoid costly mistakes.

In April, 2014, the FBI issued a warning to health care organizations that the highest volume of cyber threats are in the healthcare industry. “Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised.” Which is why a HIPAA/HITECH analysis and assessment is vitally important.

Also, the FBI reports that according to a Ponemon Institute report dated March 2013, “63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. The majority of each data breach resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.”

Patient information can be much more sensitive than data in in other industries making it more appealing for cyber attacks. Yet, according to the FBI “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

Treating information technology in your healthcare practice as importantly as you do your patients, by relying on HIPAA/HITECH trained and certified professionals, will ensure your organization is not part of the FBI statistics.

This article is ©2016 Data Fast Solutions • All Rights Reserved

Cloud-based computing in healthcare has seen extensive growth in recent years due, in large part, to its flexibility in providing easy access to important data. No longer are healthcare professionals required to spend long hours at the office waiting for important documents or return to the office after hours for a record or file. Time is often critical and the cloud can simplify portability for most healthcare workers. It also offers easier collaboration as well as innovation, security, and efficiency, often at a lower cost than traditional servers hosted on-site.     

Collaboration and Empowerment

Patient records and emails have been readily available through the cloud for a few years, but it is now being used for physicians and patients to collaborate about care in real time. In many areas of medicine, records can be compared much more quickly for the benefit of patients who may be waiting anxiously for results. In addition, patients themselves are now empowered, more than ever before, to manage their own healthcare in efficient and meaningful ways. Diabetic patients can manage their glucose levels through the cloud on their desktops, smartphones, or laptops, and easily share that information with their physician who can then recommend any changes if necessary.

Innovation

With cloud technology, healthcare experts are no longer hindered by trying to decipher huge amounts of complex data in different areas of research. As advancements in technology are made, so too are advancements in life saving medicine. Recently, cloud-based platforms have allowed doctors and researchers the ability to conduct groundbreaking, complicated analysis in areas such as genomics, oncology, and neurology. 

Security

While the cloud provides healthcare professionals access to data anytime and anywhere with more flexibility and speed, a secure connection is paramount to thwart unwanted attacks. This is possible through highly encrypted software and ensuring that software is always up-to-date. Encryption must be HIPAA compliant, so it’s important that the guideline provided by The Department of Health and Human Services (HHS) be referenced frequently to ensure HIPAA guidelines are being met. This guide can be found at:  

http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Used regularly, the guide will help healthcare organizations avoid breaches to their cloud based systems.     

Cost and Efficiency

Without the maintenance of expensive servers, and the need for software and hardware upgrades onsite, a smaller business can perform much like a larger organization, but without the added cost. Changes in the healthcare industry are occurring constantly and must be implemented rapidly. Cloud computing allows adjustments to be made quickly depending on the needs of the organization with little or no downtime. After adjustments are made, training can also be conducted through the cloud making it less cumbersome and time consuming for the end user.

Many factors may influence a healthcare organization’s need for technology and cloud computing may not always be the best choice for all. However, a good HIPAA knowledgeable company like Data-Fast Solutions can offer an onsite assessment to provide you with the best solutions to meet your needs.  

This article is ©2016 Data Fast Solutions • All Rights Reserved

Unfortunately, ransomware is a word that has become all too familiar to healthcare organizations in the past year. Unlike cyber attacks on financial and retail industries, which are often directed at sensitive information itself, ransomware is used by hackers to encrypt files and databases and hold them for ransom.

Recent examples of ransomware attacks include Methodist Hospital in Henderson, Kentucky which reportedly paid a ransom of $17,000 to restore their systems. In addition, two Prime Healthcare Management hospitals, in California, were forced to shut down their systems. That attack also affected several other hospitals and affiliates on a shared network. Their organization did not pay a ransom stating that their IT team was able to implement the procedures they had in place to address the attack and lessen disruptions.

As these attacks on the healthcare industry continue to rise, Data Fast Solutions offers these tips on how to help protect your organization from malicious ransomware attacks.

End User Education

As technology becomes more and more a part of our everyday lives, some organizations may take end user training for granted assuming that people may already know about cyber security. However, this couldn’t be further from the truth. Hackers bank on the end user being untrained in matters of cyber risk making it easier for them to implement their attacks.

The Symantec 2015 Internet Security Threat Report states that ransomware is often found in  email attachments that look like invoices or bills. The end user opens the attachment downloading and installing the ransomware unknowingly.  

In addition to email attachments, employees should be trained to never use hardware such as USB flash drives unless they are from trusted sources.

As companies become more mobile, training should also include information on attacks targeted at mobile devices. In the past, mobile technology was exempt from ransomware attacks, but this is no longer the case. Just as desktop computers and laptops can be affected, so too can mobile devices.

Data Fast Solutions recommends using real life scenarios in end-user training so the importance of cyber security in an employee’s day-to-day job may be retained more easily.

Backup Data

Paying a ransom for hijacked data is not necessary if systems have been backed up. It really can be as simple as that, yet many companies don’t bother to back up data or do so sporadically. Data Fast Solutions specializes in this process as a way to protect companies from ransomware and can quickly restore an organization’s data should an attack occur.

Effective Implementation of Policies and Procedures

Being prepared means knowing, in advance, what to do if and when a cyber attack occurs. This seems like common sense, yet many organizations in the healthcare industry are still in a reactive, instead of proactive, mode when such an attack occurs. Having well planned policies and procedures in place will lessen the impact of an attack. Well laid plans can seamlessly thwart an otherwise detrimental attack by lessening downtime and the costs associated with an incapacitated system.    

Test and Test Again

Training end-users, backing up data, and having solid policies and procedures in place are a good start, but testing is one of the most important aspects of  keeping a company well-protected from cyber attacks. If testing does not occur, there will be no way to determine if the efforts in place will work effectively.

Collaborate with External Cyber Security Professionals

Once a business has a good, well-tested plan in place to counter a ransomware attack, that plan must be reevaluated on an on-going basis. This will ensure any potential weak links are discovered as hackers up their game. Cyber security partners like Data Fast Solutions continually provide cyber security analysis to keep an organization safe. This is done by making sure there are security points in place throughout an entire network and alerts are responded to quickly if a breach is attempted.

This article is ©2016 Data Fast Solutions • All Rights Reserved

Electronic health records (EHR’s) are held in a complex system that must be configured properly to meet HIPAA rules and regulations. A good I.T. company such as Data-Fast Solutions can handle all aspects of your system configuration to ensure it not only meets, but exceeds the standards set forth by HIPAA guidelines. However, in order for a healthcare system to work optimally, healthcare professionals and I.T. developers should collaborate as a team before, during, and after the configuration.

To help with this implementation, the Office of the National Coordinator for Health Information Technology (ONC), has put together guidelines known as SAFER Guides which consist of nine guides to assist healthcare organizations with EHR safety. The SAFER Guides, used in conjunction with a highly reputable I.T. company such as Data-Fast Solutions, can ensure HIPAA guidelines are met.

Phase 1 - Safe Health I.T.

Part one of the checklist, Safe Health I.T., covers access points, hosting (physically and electronically), authentication mechanisms, system hardware and software testing, and ensures proper processes are in place to ensure data integrity throughout all phases of system configuration.

Phase 2 - Using Health I.T. Safely

Using Health I.T. Safely is part two of the checklist and looks at clinical content used, role based access systems, live production versus training and testing environments, system configuration settings that allow clinical practices to flow as intended, and computer interface usability.

Phase 3 - Monitoring Safety

The last part of the checklist, Monitoring Safety, ensures that the organization has processes and procedures in place to monitor configuration settings to determine if they’re working as intended.

The checklist also has corresponding worksheets, within the guide, that provide rationale for practice or risk assessment, suggested sources of input (clinicians, support staff, health I.T. support staff, etc.), and examples of useful scenarios.

While use of a SAFER Guide is not mandatory, it’s a useful tool to ensure your EHR’s are not compromised or left vulnerable to unwanted threats. In addition to the guide, it’s important to utilize an I.T. company, like Data-Fast Solutions, who is well-versed in HIPAA compliance.

The full guide for system configuration can be found at:

https://www.healthit.gov/sites/safer/files/guides/safer_systemconfiguration_sg004_form_0.pdf

This article is ©2016 Data Fast Solutions • All Rights Reserved

Electronic health information (EHI) has contributed greatly to streamlining patient records, allowing those in the medical field to have important, sometimes life saving, information at their fingertips. Devices for remote use such as laptops, personal (home) computers, Smart Phones, public computers (such as those in a library or hotel), Wireless Access Points (WAPs), USBs, and email are used more frequently now to conduct day-to-day business in the healthcare field than ever before.

However, convenient remote access can leave EHI vulnerable if certain safeguards are not in place. The Department of Health and Human Services (HHS) provides specific guidelines for those using remote access in the healthcare field. Technology such as Virtual Private Networks (VPNs) can help thwart unwanted access, but it takes much more to lessen the risk.

Along with technical safeguards, proper training is imperative to ensure sensitive information is not compromised. HHS states, “...it is important that a covered entity’s workforce awareness and training program specifically address any vulnerabilities associated with remote access to ePHI. Training should provide, at minimum, clear and concise instructions for accessing, storing and transmitting ePHI.”

Following are some important highlights for training:

Log-on and Passwords

Potential unauthorized or improper access, or modification of EHI is more probable, if a two-part authentication process is not used. Requiring an authorized user to answer additional security questions, prior to access, helps lessen the risk.

Rules for Authorized Access

Training should communicate that there are different levels of access based on job function and that improper access by unauthorized personnel  is strictly prohibited.

Off-Site Access

Procedures should be in place on how to terminate a session properly. Information about the default for automatic termination, if a system is left idle after a specific period of time, should also be communicated.

Risk for Viruses

Train personnel on the risks for contamination through viruses. Instruct them on personal firewall software and the importance of regular updates to virus protection software.

Proper Storage of Remote Devices

Communicate that the risk of losing, or the theft of, remote devices is a real possibility if proper steps are not taken to secure them. Ensure that strong encryption technology is used on remote devices to protect the EHI if lost or stolen.

Proper Disposal of Remote Devices

Procedures for how to dispose of remote devices that are no longer being used is critical to prevent EHI from being exposed to those not authorized.

Remote access can provide more flexibility and productivity, but should always be coupled with thorough training to ensure HIPAA guidelines are followed.   

This article is ©2016 Data Fast Solutions • All Rights Reserved