HIPAA Risk Assessment Guide for Smaller Practices

Disconcertingly, one in four practices (25%) are failing meaningful use audits by the Centers for Medicare and Medicaid Services (CMS). The #1 reason for failure is the absence of a full-spectrum healthcare risk assessment.

These assessments or analyses are important compliance measures, and you have options in how to move forward. A risk assessment can be conducted in-house if you have the knowledge, or you can contract an outside provider. If you want to carry out a HIPAA-compliant risk analysis on your own, these are the key steps.

Step 1 – Use the ONC risk analysis tool.

A Security Risk Analysis (SRA) Tool is available from the Office of the National Coordinator for Health Information Technology (ONC). The ONC clarified that installing and going through this software is “not required by the HIPAA Security Rule [from the Health Insurance Portability and Accountability Act of 1996], but is meant to assist providers and professionals as they perform a risk assessment.”

While this tool is optional, walking through it is a good idea because it directs you through the concerns regulators want you to have. Government tools are not always user-friendly, and the design of the SRA Tool is not entirely intuitive, but its content is a genuine help in completing these projects.

The Security Risk Assessment Tool is formatted as a questionnaire, with 156 questions. It essentially goes line by line through the regulations, turning each stipulation of healthcare law into a question of whether your organization is in the right position. As you reply to the questions, you reveal the action steps for you to achieve compliance.

Step 2 – Review the HIPAA Security Rule safeguards.

To better understand why risk assessment is critical and how it functions, it helps to review the three-pronged safeguards – administrative, physical, and technical – within the Security Rule. These safeguards are integrally connected with a risk analysis: the Department of Health and Human Services’ (HHS’s) Security Rule summary noted that “by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.”

In other words, once you know what can go wrong for your organization and how likely each problem is, you will know where and how to bolster your defenses the most. Also be aware that “reasonable and appropriate” should not be misunderstood: the recent ruling (June 2018) in favor of the OCR and against a Texas cancer center highlights the fact that regulatory flexibility does not mean requirements are optional (i.e., reasonable measures that fit the situation must be taken).

The essentials on the safeguards are as follows, as indicated by HHS (and again, the specific safeguards you need will be revealed as you perform the risk assessment):

  • Technical safeguards – These defenses include controls related to transmission of data; integrity controls, which protect against the destruction or modification of data; audit controls, mechanisms to log activity within ePHI-containing systems; and access controls, technologies and processes that keep unauthorized users from accessing confidential data.
  • Physical safeguards – These elements include device and workstation protections, including processes and policies for reuse, elimination, migration, and disposal of electronic media. They also include controls, access procedures, and policies that restrict building admittance.
  • Administrative safeguards – These protections include the need for internal assignment of a HIPAA security officer; the implementation of role-based access and other controls to prevent unauthorized exposure; assessment of the management process through which risks are regularly assessed and addressed; the existence of high-quality workforce training and management; and regular reassessment.

Step 3 – Follow advice from the HHS & MGMA.

The basic skeleton of a risk assessment is provided by the HHS in its Security Rule summary, and its parameters are interpreted and extended by the Medical Group Management Association (MGMA) in its 2017 report “Reducing Risk for Small Provider Practices,” published by the National Institute of Standards and Technology (NIST).

The HHS noted that it is important to gauge risks to health data in terms of how likely they are to occur and what the effect would be. Small providers should use this same approach, the MGMA noted, focusing especially on their use of the internet and the likelihood of the biggest online threats.

Another key element of a risk assessment, per the HHS, is to implement protections (which could take numerous forms, such as technologies, policies, and people) to meet the danger to ePHI posed by the risks you have revealed. The MGMA added that your concern is the extent to which you have the three types of HIPAA-mandated safeguards (technical, physical, and administrative) in place as described above. Another note from the MGMA is to prioritize: center your efforts on the most problematic areas that often lead to breaches: remote access; email and texting; mobile access; and staff policies.

Also record the steps that you have taken to launch, maintain, and routinely review protections, said the HHS. As relevant (i.e., when you are not taking the standard approach), provide your reasoning.

Finally, said the HHS, the safeguards that you establish must be properly maintained over time (which is follow-through for the regular reassessment plans discussed above).

Another step you might want to take, from the MGMA, is to get verification from a standardized, independent assessment. “Encourage 3rd party security accreditation/certification,” said the association. One key way to do that is to go beyond HIPAA certification to additional measures such as a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit, which is a systematized review of your systems following a plan laid out by the American Institute of Certified Public Accountants (AICPA).

Step 4 – Ensure all your business associates complete risk assessments.

The HHS also noted specifically that risk assessments are needed by all organizations that handle ePHI, including covered entities and their business associates. That means all companies and agencies that must concern themselves with HIPAA compliance (i.e., ones that handle sensitive health data) must also, by default, perform risk assessments. As you vet your business associates, be certain that risk analysis policies are written into business associate agreements (BAAs) and that each organization meets (as advised by the MGMA) third-party certifications such as SSAE 18 compliance.

By Marty Puranik

Marty Puranik is the founder, president, and CEO of Atlantic.Net, a profitable and growing hosting solutions provider in Orlando. Marty’s strengths as a leader and visionary have helped him lead a successful business for over two decades. Atlantic.Net thrives thanks to Marty’s strategic acumen, technical prowess, and his valuable, old-fashioned habits of thrift, modesty, and discipline, backed by world-class support.
