SAN FRANCISCO – Ali Pabrai said it best at this week’s fifth national HIPAA Summit West at the Grand Hyatt in downtown San Francisco.

Leading off Day 2 Wednesday, September 21, Pabrai, a data security expert, said 97% of chief information officers are concerned about data security.

“My question is, ‘Who are these other three percent?’” Pabrai asked to the loudest laughs of the week among the hundreds of attendees.

Pabrai, MSEE, CISSP (ISSMP, ISSAP), of HIPAA Academy and ecfirst out of Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those in healthcare charged with protecting the privacy of patient information, needs to be concerned about data security.

Numbers game

The numbers at the HIPAA Summit this week told the story:

* 1 in 4: Organizations reporting a data breach (Pabrai)
* 250,000 to 500,000: Medical identity thefts (Pabrai)
* 330: Organizations reporting a breach of unsecured protected health information (PHI) affecting 500 or more individuals since September 2009 (Office for Civil Rights, or OCR)
* 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (OCR)

From how and from where the 500-or-more breaches are coming:

* HOW:
o Theft: 50%
o Unauthorized access disclosure: 20%
o Loss: 16%
o Hacking/IT: 7%
* WHERE:
o Paper records: 24%
o Laptop: 23%
o Desktop computer: 17%
o Portable electronic device: 16%
o Network server: 10%

In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.

“How do we know that someone isn’t hiding in our systems, and how long have they been there?” Pabrai asked the audience. “Do we have appropriate controls? What is the state of our information security?” Do you have intrusion protection and intrusion prevention in place?

“This is not just a compliance issue,” Pabrai said. “This will have significant risk to the organization and will impact your facility in the seven figures.”

Too many duties

So what are the struggles today for privacy and security officers?

In some cases, many in these roles are performing too many tasks. For example, the privacy officer is also the health information management director, the security officer is also the compliance officer, or the compliance officer handles privacy complaints.

These dual roles, if possible, should be avoided, said Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.

In many organizations, the compliance officers have been given the role of privacy officer, but Patrick said they’re different roles with different regulations.

“I don’t advocate that the compliance officer also be the privacy officer,” Patrick told the audience Wednesday, though she does recognize many smaller facilities have to do so.

Policy on policies

What suffers when privacy and security officers are doing too many things? Policies and procedures that don’t get updated or delivered and staff members who are not properly educated on them.

In some cases, like in the case with the Pittsburgh Pirates and social media, they were never written.

Angel Hoffman, RN, MSN, corporate quality/compliance officer, Kane Regional Medical Centers and principal, Advanced Partners in Health Care Compliance in Pittsburgh, told the audience Wednesday the Pittsburgh Pirates fired someone for inappropriate Facebook posts about the organization.

But the Pirates did not have a policy for social media use, and because of that, had to rehire the employee.

Hoffman said organizations must have a sanctions policy along with everything else because what good is a policy without enforcement, she asked?

Remind employees that when something’s written, it never goes away, Hoffman said. Organizations cannot ban social media use among its employees, but they must have a policy for it and educate employees on the consequences of inappropriate posts.

Even OCR says you need to have strong policies.

“Make those real,” Michael Leoz, OCR deputy regional manager in San Francisco, told the audience Tuesday, referring to HIPAA privacy and security policies and procedures. Don’t just have them sit on the shelf.

In the case involving a laptop left on a subway by a Massachusetts General Hospital in Boston employee, Leoz said OCR found the policies and procedures that were in place were not adequate for HIPAA privacy and security compliance. This led to a $1 million settlement and a corrective action plan.

Board support

And what good are a policy and an education plan if your senior management and board members aren’t behind you?

One such HIPAA privacy officer at the Summit said he does not have that problem. He told us a great story dispelling an accepted belief that hospital boards are not engaged in HIPAA compliance issues.

When the officer rolled out some online learning to his staff at his large healthcare system, he got his first notification of a completed quiz 20 minutes later.

From whom? The chairman of the board of the directors for the hospital system. And that’s the same chairman with whom this privacy officer meets monthly.

Disengaged? Hardly. At least not at this facility.

HIPAA audits coming

That’s a good thing because OCR – or least its contractor, KPMG, LLP — could come knocking starting this fall and into next year thanks to the $9.2 million auditing plan out of the HITECH Act.

Leoz of OCR said the audits will review covered entities’ approach to HIPAA compliance. He said the audits would lead to more preventative measures entities can take rather than creating a reactive culture. Leoz added there would be an increased potential for learning among covered entities because of these audits.

About 20 to 25 covered entities will be part of a testing phase.

“We’re going to try to look at different types of covered entities,” Leoz said. OCR’s contractor will look for what programs different kinds of covered entities have in place.

“We will give an advance notice of the audit,” Leoz said. “There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities’ staffs.”

2012 – and down the road

As for your organization’s HIPAA 2012 and beyond compliance efforts?

The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.

And right behind encryption? Authentication.

William R. Braithwaite, MD, PhD, “Doctor HIPAA,” chief medical officer, Anakam, Inc., said at the Summit the healthcare industry needs to have strong authentication. It needs to be multi-factor authentication for patients who want remote access to their records.

For instance, have patients enter a username/password, then send an alert from that log-in that goes to a cell phone to give the patient another code for access.

And as for tracking who’s looking at what, that can’t be a generic effort, Pabrai says.

“There are too many generic accounts across the industry where you cannot trace an action back to an individual,” Pabrai said. “The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts.”

And don’t forget social media,  Pabrai said, because hospital employees can transmit information across a 3G or a 4G network and not through an organization’s firewall system.

“You may take a photograph now, and you’re transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot” protect.

Social media, Pabrai said, is an “area of significant challenge.”

Hopefully it is for those three percent Pabrai mentioned as well.

Acquire the CSCS Credential Now – August 4-5, Newark/Fremont, CA
NEWPORT BEACH, CA, USA  – JULY 8, 2011: The Certified Security Compliance SpecialistTM (CSCSTM) is a unique program of its type in the compliance and information security industries – indeed the first of its type in the world. It is laser-beam focused on thoroughly examining compliance requirements and establishing best practices that can be applied in securing today’s digital business information infrastructure. The Certified Security Compliance Specialist (CSCS) credential is a job-role based designation.

Special Promotion
The CSCS training program fee has been reduced for the California class only to $795 (inclusive of exam fee of $495). Registration must be prepaid, completed by July 22 and is non-refundable. Register the second student for only $695. The CSCS training program is also available online.

About the CSCS Program
The CSCS program is designed to enable professionals to understand, prioritize and ultimately assist organizations achieve compliance with information security-based regulations both those in the United States as well as international standards. Compliance is big business. A key objective for organizations worldwide is to integrate security best practices and be in compliance. Skilled professionals who understand regulatory compliance requirements and information security are valued across several industries, especially healthcare, financial and the government.

Learning Objectives
From this compliance and security training program, you will:

* Step through the core requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).
* Analyze the international security standard, ISO’s 27000 (ISO 27001 and ISO 27002).
* Examine California’s SB 1386, AB 1950 and the GLBA legislation requirements
* Understand the security authorization process for U.S. federal information systems. This is an important requirement for business associates worldwide.
* Step through processes for conducting a comprehensive risk analysis and vulnerability assessments.
* Review key contingency compliance requirements for developing the framework for disaster recovery and emergency mode operation plans.
* Examine the security aspects of the Sarbanes-Oxley (SOX) legislation with emphasis on key sections and critical compliance steps. Step through the COBIT security baseline.
* Learn about the Federal Information Security Management Act (FISMA), North American Electric Reliability Council (NERC) Cyber Security Standards, and the HIPAA Security Rule and the HITECH Act.

CSCS Program – Client Testimonials
“The training was comprehensive in covering the major legislations affecting several industries. Real world experiences was beneficial and relevant.”
Christine Kinyenje, CISSP, Lockheed Martin

“This was an excellent class. Finally, a program that encompasses all regulations an organization needs to be aware of and consider when conducting their business.”
Jeff Bontsas
Ascension Health

“The CSCS class provided a great overview of the requirements and definitions for many regulatory requirements. It is a must-do for every security professional to use as reference as their business/agencies grow.”
Kari Garland, Riverside County, California

“Pabrai is well versed in a multitude of laws, regulations and standards. If your organization must comply with information security requirements, you will do well to take the CSCS course.”
Tony Lewis, Intuit, Inc.

For hundreds of other client testimonials, please visit www.ecfirst.com.

Your Instructor – Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Ali Photo.jpgAli Pabrai, is CEO of ecfirst. A highly sought after information security and regulatory compliance expert, he has successfully delivered solutions on compliance and information security to healthcare organizations and business associates worldwide.

About ecfirst – Home of the CSCS Program
With over 1,600 clients since 1999 and recognized as an Inc. 500 firm – America’s fastest growing Top 500 privately held business in its 1st year of eligibility, ecfirst has enabled hundreds of organizations all across the United States and abroad, achieve and maintain compliance with regulations and standards that impact their business.
The ecfirst Regulatory Compliance Practice further delivers deep expertise with its full suite of services that include single sign-on, contingency planning/Business Impact Analysis (BIA), social engineering, risk analysis, vulnerability assessment, as well as managed compliance, security and IT infrastructure solutions. For more information, please visit http://www.ecfirst.com/.

FOR E-MAIL ADDRESS CHANGE, ADD OR DELETE REQUESTS:

For changes or additions, please email your request to: listmgr@HITHIPAAUpdateNewsService.com.

For removal of your e-mail address, please click the “SafeUnsubscribe” link located in the footer of this message below to automatically remove your address from the list.