
MAY 2013, VOL. 1, NO.

+pulse
Strategic insight for health IT leaders

COVER STORY:

MANAGING BYOD
AND SECURITY
Penn Medicine outlines its approach to
network security in the age of consumerization.

02 The Tangled Web: BYOD and HIPAA

03 Health Care Ripe for Near Field Communication Technology

11 Creating HIPAA Compliance in Stage 2

15 Building HIPAA Compliance, Patient Privacy Investment Business Cases
Editor's Letter

The Tangled Web: BYOD and HIPAA

THE BRING-YOUR-OWN-DEVICE, also known as BYOD or consumerization, era is upon us. CIOs familiar with BYOD security we've interviewed at HIMSS and the PHI Protection Network tell us that there's no way to stop it, you can only contain it. If you're lucky.

While presenting the risks of allowing BYOD to senior hospital leadership, don't forget the biggest risk of all: Inaction or an outright ban. Employees will use their smartphones to text each other about patient care matters, which probably won't amount to HIPAA-compliant practices. They'll email patient data to each other. Physicians will set up rogue wireless access points to support devices they bring in, opening up your network to unsavory outside entities who cannot believe their good fortune in finding a backdoor to financial and medical identity theft.

Without policies to enforce and security software to monitor devices, lock down the network, encrypt data and remotely wipe lost or stolen devices, the cost of inaction could very well be a data breach in your company's near future. The costs of a data breach, including detection, remediation, support for patients harmed and investigative activities, federal fines, possible civil litigation and overall harm to a health care provider's reputation, are potentially staggering.

That's becoming more and more evident as the HIPAA omnibus rule goes into effect in late September. The new regulation not only brings stronger, more specific privacy and security requirements to health care providers and their business-associate partners, but it also trips off a new system of audits. Even if your facility hasn't experienced a data breach, HIPAA auditors may drop by you for an in-depth review of your patient data protection strategies.

One piece of the HIPAA rule has yet to be established: What percentage of the fines the patient who reported HIPAA violations to the federal government will receive, sort of a whistleblower reward. Rest assured, that piece of HIPAA's update for the digital age should be incentive enough to get senior leadership buy-in for IT security and a more HIPAA-compliant technology infrastructure.

Don Fluckinger
News director, SearchHealthIT.com
PULSE MAY 2013 2


IT Essentials
News, trends and stats for the Health IT professional

HEALTH IT TRENDS

Health Care Ripe for Near Field Communication Technology

NEAR FIELD COMMUNICATION technology (NFC), a low-power, peer-to-peer data transport technology perhaps most famously illustrated in Samsung Galaxy smartphone commercials where users tap phones together to pass music playlists and videos to each other, has much potential in health care's future. At least that's what the NFC Forum industry group is betting on, as smartphone tap-to-authenticate features could be part of mobile health devices, as well as potentially part of validating health care providers when they interact with health IT systems.

A coalition of more than 170 manufacturers, app developers and other interested parties, the NFC Forum announced it will form several special interest groups (SIGs) to promote NFC implementation in consumer electronics, health care, the financial services and payment market, retail and transportation.

Health care is a target market, said Chuck Parker, Continua Health Alliance executive director, who is also overseeing the SIG, because NFC could become the standard channel for getting data out of devices and into health IT data systems.

NFC's Interoperability Play

The nonprofit Continua's stake in the technology stems from its mission to develop plug and play interoperability (using existing industry standards such as NFC and HL7) guidelines and certifications that enable medical-grade and personal health devices to port data to EHRs, personal health records and health information exchanges. Continua has been working on an interoperability certification using NFC for two years, Parker said, and in April 2013 plans to issue guidelines for implementing its tenets in health care.

Parker pointed out that NFC can not only be used to send small packets of data (53 KB to 128 KB), but also can be used to unlock Bluetooth channels for sending larger quantities of data or even a stream over time, such as a timed electrocardiogram strip.

"Looking at smartphones enabled with NFC, [we want to] collect information with a tap-and-go architecture," Parker told SearchHealthIT. He used the example of an NFC-enabled blood-pressure cuff: "So I can take my blood pressure, tap the pressure monitor with my phone, collect that data and send it on to my personal health record or to, perhaps, my physician on the back end."

NFC Technology Emerging in Coming Years

Blending together recent market research from Berg Insight, Deloitte, Gartner Inc. and Juniper Research in a webcast presentation, NFC Forum Director Debbie Arnold said smartphone manufacturers sold more than 100 million NFC-enabled units in 2012, and analysts project another 300 million will be sold this year. By 2015, 50% of smartphones will have NFC capability, and by 2017, one in four U.S. consumers will use NFC to pay for in-store retail purchases.

While integrating NFC into health care workflows could be several years away, there's potential for helping with meaningful use's 2014 standards requirement for two-factor user authentication for EHRs. Furthermore, depending on how the FDA determines its regulatory efforts (basically, clarifying if or what part of a smartphone app is classified as a medical device), NFC could be a key interoperability technology in the mHealth market.

Parker's group spoke before FDA regulators in 2010 as part of an industry symposium whose input led to the regulators' mobile medical guide, and again in 2012. Technology stakeholders discussed technical aspects of health data transport via NFC, as well as how regulations would affect development of mHealth apps to interact with medical devices.

"Ultimately, what we develop for the consumer [devices] is easily migratable into the clinical environment," Parker said. "But for now, NFC's uses in clinical environments might not progress as quickly as it does in the consumer health space because the FDA has stated that the phone, its operating system and the hardware become regulated as a class II network, which is not what we want," he said.

Reading the signals coming from the FDA mobile guidance, though, Parker said it seems clear the regulators are moving toward putting the onus on the mHealth app developer (the class II certification requirements will stop there) at some future date.

Key to NFC's Healthcare Penetration: the iPhone

If NFC were to be a player in the meaningful use world of two-factor user authentication for physician electronic health records, it's got one big challenge: the user base. While a rapidly expanding number of smartphones running Google's Android OS have NFC capabilities, the iPhone doesn't. Not officially, at least.

However, at least one industry leader, Brian Wink, vice-president for Oakbrook Terrace, Ill.-based mobile payment platform provider C-SAM, suspects the technology is built into the hardware in recent models, but hasn't been activated, and he suggested Apple could switch it on, possibly through pushing an operating system update.

"I'm not in the position to verify that by any stretch of the imagination, but I could believe it, particularly with the iPhone 5 series," Parker said. "It's a potentially likely claim, but all I can say is that we don't see it in the existing structure at this point. Personally, I hope that's true, because it does make it easier for us in the long term to hook devices to it."

DON FLUCKINGER is news director for SearchHealthIT.

The Twitter Buzz from the Health IT Social Media Community

@VinceKuraitis, 4 Mar: #CommonWell Inevitable and needed. Potential to become de facto industry platform for #HealthIT and compete w/ Epic! http://bit.ly/15tKfDj

@MLMillenson, 3 Mar: How taxpayers bribed docs & hospitals to use #healthIT & not kill patients, & why vendors are lousy. #HIMSS13. http://bit.ly/XKMjVd

Jen Dyer MD, MPH (@EndoGoddess), 3 Mar: @LindaP_MD To meet my patients' needs in my local system I must comply with old tech (pagers, faxes) even though I wish it were different.

Greenway Medical (@GreenwayMedical), 5 Feb: With so many healthcare professionals utilizing social media, should you and your physician be Facebook friends? http://ow.ly/hra1x #HITsm

CHIME (@CIOCHIME), 2h: Trip to NYC museum inspired #CIO Ed Martinez to adopt Wi-Fi triangulation smartphone mapping app at @MiamiChildrens http://tiny.cc/jbk8uwo


OVERHEARD ON THE CONFERENCE CIRCUIT

"I think analytics is going to be a game-changer. We have the data points, we just need to change our mindsets."
CHRIS BELMONT, system vice president and CIO of Ochsner Health System, in an interview at HIMSS 2013 on the opportunity to extend analytics initiatives. He feels the hard work, which is collecting the data for analysis, is already complete at most hospitals. Providers just need to be open to using it in the delivery of care.

"When we rely on administrative data to bring information back to clinicians they will say their patients are not well represented."
OSCAR MARROQUIN, M.D., director of provider analytics at the University of Pittsburgh Medical Center, in an interview at HIMSS 2013 about how analytics initiatives will fail when they pull data from the wrong sources. Analytics programs should rely on data from patient care records, not administrative records.

"Some of it's kind of dumb stuff, but for eighteen thousand I'll do a lot of dumb stuff."
JONATHAN BUSH, CEO of Athenahealth, discussing the meaningful use incentive program during a keynote presentation at the company's 2013 user conference in Boston.

"Security is not an IT problem. It's a business problem. ... It's a shift in culture."
JAMES CHRISTIANSEN, chief risk officer, RiskyData, speaking about who is responsible for protecting patient data during a presentation at the PHI Protection Network Forum in Cambridge, Mass.

Information Exchange

"I don't even know what we want yet [from an HIE vendor], to be honest with you. It's got to add value. We know the money is going to get more competitive for us and we're being forced to be more efficient as healthcare reform goes on. I think this is going to be part of the answer."
ED RICKS, vice president of information services and CIO of Beaufort Memorial Hospital, in an interview at HIMSS 2013 on why his hospital is holding off on partnering with an HIE. While he feels it will become an important piece of the IT puzzle soon, there are still too many unknowns to make a major investment.


Managing BYOD and Security

BY JOHN DONAHUE

BALANCING THE APPROPRIATE security and privacy requirements with the delivery of clinical care and research is a fundamental need to consider in introducing certain types of emerging technologies into an academic medical center.

At Penn Medicine, the emerging trend of bring your own device (BYOD) was not so much about the "if" as it was about the "when." With almost 20,000 employees, the organization knew it would not be able to provision enough Penn Medicine-funded cell phones for all essential staff. Additionally, many of the key personnel, particularly clinicians, began carrying their own devices and using them as necessary for several kinds of work functions in addition to their personal use. Examples of this use included accessing Penn Medicine email and using several of the organization's core clinical applications. When information services started to get requests to connect these devices to the clinical systems and email messaging systems, it was clear that Penn Medicine had to find effective ways to secure them properly.

The main tenets associated with Penn Medicine for security and privacy include IT controls, compliance, identity management and user education. For clinical care and research, the focus is on exceptional quality, patient safety, innovative treatment, timely access, seamless care transition, translational medicine and personalized care. Enabling these capabilities in a secure environment is challenging when it comes to introducing hundreds, if not thousands, of personally owned devices from the employee base.

BYOD Management and Security

This article focuses on the best practices used at Penn Medicine to implement and manage mobile devices, specifically BYOD devices. Penn Medicine took a three-pronged approach to enable mobile productivity while managing potential mobile vulnerabilities.

The first part of the strategy focused on developing a method to support a full range of mobile devices. While the organization knew that enterprise standardization is key to managing technology costs, being flexible and agile in the BYOD space was going to be essential, particularly as the device landscape changed and the employees sought out the most current devices available in the market. Whenever the opportunity presents itself, employees are encouraged to choose specific types of iOS devices simply because a broader set of clinical applications is available at Penn Medicine with this operating system. As time goes on and the technology evolves, information services may ultimately recommend additional kinds of mobile devices.

The second part of the best practice strategy involved developing policies to govern the appropriate corporate use of the mobile devices. The policies and compliance requirements are consistently the same for both BYOD devices and devices provisioned by Penn Medicine, as the organization wanted to ensure there is no confusion regarding proper security when it comes to any device that has access to Penn Medicine's messaging systems, clinical systems and the associated business-related or patient data.

The implementation of these policies allowed Penn Medicine to take the opportunity to conduct user awareness and user education sessions. While users have demonstrated the need for clarity to understand the organization's requirements and ability to manage the BYOD devices, once the employee understood the intent and the rationale, compliance was not an issue. Some of the common misconceptions and concerns expressed regarding policy included: tracking where the employee was by using the device GPS services and accessing the private pictures and documents on the device. In some rare cases, Penn Medicine employees opted out from using their BYOD devices for access to the Penn Medicine systems.

The other complement to the BYOD management strategy addressed configuration standards designed to secure the device and protect Penn Medicine information. It was decided that it was crucial to implement a mobile device management (MDM) system that secured both Penn Medicine devices and BYOD devices in the same exact manner.

Several key requirements were formed, which were insisted upon when it came to selecting an external MDM system vendor. The system needed to be centrally managed in order to control the entire mobile device environment from a single console. Penn Medicine wanted visibility into the entire environment to ensure protection against security vulnerabilities.

The MDM solution needed to be able to enforce a strict password policy and device encryption. It was critical to have a tool that remotely managed these control features rather than allowing users to turn them off at any time. Additionally, the MDM had to be capable of leveraging location services and enabling a remote wipe to clean the device if it was either stolen or lost. The organization's security best practices have demonstrated this would be a key feature relative to supporting thousands of mobile devices (both provisioned and BYOD) in Penn Medicine's environment. Penn Medicine also looked for an MDM system that allowed information services to manage the applications on the device and prevent unauthorized and unlicensed software.

Some requirements that were implemented from a user perspective included routine scanning, which ensures that the devices do not have any new software that could make the device vulnerable to data security threats. Penn Medicine also used the features of the MDM tool to disable file sharing, which prevents mobile device users from inadvertently sharing files that could potentially contain protected health information (PHI).

Lastly, Penn Medicine required the MDM have an agent that was non-invasive and did not impact performance or battery life on the mobile device. Penn Medicine required that a user's mobile device that has access to messaging systems or clinical applications must have the MDM agent installed and running on the device. Exception reports are monitored on a daily basis to ensure the devices are secure and the MDM agent is working properly.

Device Management Targets HIPAA Omnibus

While information services designed this MDM initiative as part of an overarching multi-year security and privacy program, it is believed that it has positioned Penn Medicine to address the requirements of the new HIPAA omnibus privacy and security rule. One of the major concerns among CIOs in health care these days is protecting data at rest, and more specifically, a potential breach associated with the loss or theft of a mobile device that contains PHI. As important as it is for the organization to provide new technology and its emerging capabilities at Penn Medicine, it is crucial to offer it in a measured approach to minimize the potential for a breach. Information services has conducted a security risk assessment, completed by a broad-based IS team led by our chief information security officer. The findings are also reviewed with the organization's chief compliance officer and other key execs on a regular basis.

Information services has remained dedicated to the successful rollout of the tool and has a full-time person that is monitoring the use of the MDM tool and the associated compliance. All net new devices at Penn Medicine are provisioned with the MDM agent already installed. Additionally, information services enforces the use of the MDM agent with all new requests for BYOD devices that need access to the messaging systems or the Penn Medicine clinical systems. The organization has worked diligently on providing communication and user education through emails and published website support material. The intranet site includes frequently asked questions and provides details about installation and usage guidelines. The compliance numbers have remained high and information services has been able to count on executive level support of this initiative.

Protecting patient data at rest on mobile devices is both a challenge and an opportunity to safely provide users with new ways to access information. When you consider that it must be done for both provisioned devices as well as BYOD devices, the complexity increases as the technical capabilities and environment expand.

Health care organizations must implement the right tools to meet the demands of HIPAA compliance. Penn Medicine information services believes there are three things that must be done now when it comes to being compliant in time for BYOD devices with PHI data:

The first is conducting a formal security risk assessment, which should include risks, existing controls and end state desired controls. Assigning risk scores and dashboard colors that illuminate significant risks is a helpful approach to complement the assessment and show progress of goals over time, as well as focus on the priorities and effectively communicate progress.

The second component is having a solid security program in place that addresses access, monitoring and management. At the access layer, address user permissions, role templates, data encryption and physical controls. At the monitoring layer, address scanning, logs, filters and access. Finally, at the management layer, address device inventory, standards enforcement, individual behavior (policies) and risk management. These three layers are tightly integrated to provide a framework for individual initiatives like MDM for BYOD devices.

The last component is having an MDM tool in place to lock down the BYOD devices that will have access to PHI data. There are a number of good products in the marketplace. You must first decide whether you want to host the solution yourself or select a service model for the software. In either case, you want to look for a tool that is scalable and will meet your basic requirements, such as wiping the BYOD device clean if it is lost or stolen with PHI data on it. The combination of the security risk assessment, a formal security program and a reliable MDM tool is a smart and efficient way to securely manage the risks associated with BYOD devices in health care.

JOHN DONOHUE is the associate chief information officer at the University of Pennsylvania Health System.
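The MDM requirements the article lists (agent installed and reporting, passcode policy, device encryption, file sharing disabled, no unauthorized software, identical rules for BYOD and provisioned devices, and a daily exception report) can be expressed as a small compliance check. What follows is an added example written for this page, not Penn Medicine's tooling or any MDM vendor's API; the policy thresholds, the approved-app list and the device records are constructed sample data, and a real deployment would pull the inventory from the MDM console instead.

```python
"""Daily MDM exception report over a constructed device inventory.

Added example for this page, not Penn Medicine's tooling or any vendor's
API: it encodes the controls the article lists and flags every in-scope
device that fails one. Policy values and device records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Hypothetical policy values; a real MDM policy would supply these.
MIN_PASSCODE_LENGTH = 6
MAX_CHECKIN_AGE = timedelta(hours=24)      # agent must have reported within a day
APPROVED_APPS = {"mail", "clinical-viewer", "secure-messaging"}
REPORT_TIME = datetime(2013, 5, 1, 8, 0, tzinfo=timezone.utc)  # fixed "now" for the report


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str                    # "provisioned" or "byod"; the same rules apply to both
    has_clinical_access: bool         # can reach messaging or clinical systems
    agent_installed: bool
    last_checkin: Optional[datetime]  # last time the MDM agent reported in
    passcode_length: int
    encrypted: bool
    file_sharing_enabled: bool
    installed_apps: Set[str] = field(default_factory=set)


def check_device(dev: Device, now: datetime = REPORT_TIME) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if not dev.agent_installed:
        findings.append("mdm-agent-missing")
    elif dev.last_checkin is None or now - dev.last_checkin > MAX_CHECKIN_AGE:
        findings.append("mdm-agent-not-reporting")    # installed but silent: still an exception
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("weak-passcode")
    if not dev.encrypted:
        findings.append("encryption-off")
    if dev.file_sharing_enabled:
        findings.append("file-sharing-enabled")
    unauthorized = sorted(dev.installed_apps - APPROVED_APPS)
    if unauthorized:
        findings.append("unauthorized-app:" + ",".join(unauthorized))
    return findings


def exception_report(devices: List[Device], now: datetime = REPORT_TIME) -> Dict[str, List[str]]:
    """Map device_id -> violations for every device that has messaging or clinical access.

    Devices without such access are out of scope, as in the article; BYOD and
    provisioned devices are checked against exactly the same rules.
    """
    report: Dict[str, List[str]] = {}
    for dev in devices:
        if not dev.has_clinical_access:
            continue
        findings = check_device(dev, now)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed inventory: one compliant device, one out of scope, two exceptions.
SAMPLE_DEVICES = [
    Device("corp-001", "nurse.a", "provisioned", True, True,
           REPORT_TIME - timedelta(hours=1), 6, True, False, {"mail", "clinical-viewer"}),
    Device("byod-002", "dr.b", "byod", True, True,
           REPORT_TIME - timedelta(days=3), 4, True, True, {"mail", "torrent-client"}),
    Device("byod-003", "admin.c", "byod", False, False, None, 4, False, True, set()),
    Device("byod-004", "dr.d", "byod", True, False, None, 8, False, False, {"mail"}),
]

if __name__ == "__main__":
    for device_id, findings in exception_report(SAMPLE_DEVICES).items():
        print(device_id, ", ".join(findings))
```

Two design points carry over to a real report: an agent that is installed but has not checked in is treated as an exception rather than as compliant, since the article's requirement is that the agent be installed and running, and scope is decided by access to messaging or clinical systems rather than by who owns the device.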


Creating HIPAA Compliance in Stage 2

BY MICHAEL FREDERICK

THE WORDS "meaningful" and "use" are undoubtedly on the lips of many a CIO as 2014 approaches and brings with it stage 2 of the federal EHR incentive programs. Final requirements outlining criteria for the certification of EHR technology for stage 2 meaningful use were published in September 2012. Meaningful use under the stage 1 criteria, which focused on data capturing and sharing in 2011 and 2012, must have been achieved before providers can move on to stage 2.

Among the stage 2 criteria is specific detail about data encryption required for EHR certification. Core measure 7 of the stage 2 eligible hospital and critical access hospital (CAH) measures outlines several key areas:

• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in [certified EHR technology] CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3).

• Eligible hospitals and CAHs must conduct or review a security risk analysis of [CEHRT], including addressing encryption/security of data, and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review.

• Eligible hospitals and CAHs are not required to report to CMS or the states on specific data encryption methods used. However, they are required to address the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3).

Other stage 2 encryption requirements include:

• Protecting patient health information with at least a symmetric, 128-bit fixed-block cipher algorithm capable of using a 128-, 192-, or 256-bit encryption key when furnishing electronic copies of patient health information.

• Developing a username for each user.

• Encrypting and decrypting health information when using removable media.
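Both the Penn Medicine piece earlier in this issue (risk scores and dashboard colors, existing versus end-state controls, progress over time) and the stage 2 measure above (conduct or review a security risk analysis and address encryption of data at rest) describe a scored risk register without showing one. The following is an added example written for this page, not a form prescribed by CMS, by 45 CFR 164.308 or by Penn Medicine; the 1-to-5 scales, the per-control effect weights, the color thresholds and the three sample risks are constructed assumptions that an organization would replace with its own calibration.

```python
"""Scored risk register with dashboard colors and control progress.

Added example for this page, not a form prescribed by CMS, 45 CFR 164.308 or
Penn Medicine: the 1-to-5 scales, the per-control effect weights, the color
thresholds and the three sample risks are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical effect of each control as (likelihood reduction, impact reduction)
# on a 1..5 scale. Encryption mainly cuts impact (a lost device stays unreadable);
# agents, monitoring and training mainly cut likelihood.
CONTROL_EFFECT: Dict[str, Tuple[int, int]] = {
    "passcode-policy":       (0, 1),
    "device-encryption":     (0, 3),
    "remote-wipe":           (0, 1),
    "mdm-agent":             (1, 0),
    "exception-reports":     (1, 0),
    "file-sharing-disabled": (2, 0),
    "user-training":         (1, 0),
}

RED, AMBER, GREEN = "red", "amber", "green"


@dataclass
class Risk:
    name: str
    likelihood: int              # 1 rare .. 5 almost certain, before any controls
    impact: int                  # 1 negligible .. 5 severe, before any controls
    existing_controls: Set[str]
    desired_controls: Set[str]   # the end-state control set


def apply_controls(risk: Risk, controls: Set[str]) -> Tuple[int, int]:
    """Likelihood and impact after the given controls, each floored at 1."""
    drop_l = sum(CONTROL_EFFECT.get(c, (0, 0))[0] for c in controls)
    drop_i = sum(CONTROL_EFFECT.get(c, (0, 0))[1] for c in controls)
    return max(1, risk.likelihood - drop_l), max(1, risk.impact - drop_i)


def score(likelihood: int, impact: int) -> int:
    """Risk score is the product of the two ratings, so 1..25."""
    return likelihood * impact


def color(s: int) -> str:
    """Dashboard color thresholds (constructed): 15 and above red, 8 to 14 amber, else green."""
    if s >= 15:
        return RED
    if s >= 8:
        return AMBER
    return GREEN


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent, residual (existing controls) and target (desired controls) scores for one risk."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(*apply_controls(risk, risk.existing_controls))
    target = score(*apply_controls(risk, risk.desired_controls))
    done = len(risk.existing_controls & risk.desired_controls)
    progress = round(100 * done / len(risk.desired_controls)) if risk.desired_controls else 100
    return {"name": risk.name, "inherent": inherent, "residual": residual,
            "target": target, "color": color(residual), "progress": progress}


def dashboard(risks: List[Risk]) -> List[Dict[str, object]]:
    """Rows ordered by residual score, highest first, so the priorities come first."""
    return sorted((assess(r) for r in risks), key=lambda row: int(row["residual"]), reverse=True)


# Constructed sample register for a BYOD program.
SAMPLE_RISKS = [
    Risk("Lost or stolen BYOD phone holding PHI", 4, 5,
         {"passcode-policy"},
         {"passcode-policy", "device-encryption", "remote-wipe", "mdm-agent"}),
    Risk("Device on messaging systems without a reporting MDM agent", 3, 3,
         {"mdm-agent"},
         {"mdm-agent", "exception-reports"}),
    Risk("PHI leaked through file-sharing apps", 3, 4,
         set(),
         {"file-sharing-disabled", "user-training"}),
]

if __name__ == "__main__":
    for row in dashboard(SAMPLE_RISKS):
        print(f'{row["color"]:5} inherent={row["inherent"]:2} residual={row["residual"]:2} '
              f'target={row["target"]:2} progress={row["progress"]:3}%  {row["name"]}')
```

The three numbers per risk are what the assessment text asks for: the inherent score before controls, the residual score with today's controls (this is what drives the dashboard color), and the target score once the end-state controls are in place, with the progress percentage showing how far along the control set is. Re-running the same register each review cycle shows movement over time without changing the scales.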


Changes on the Horizon: EHR certification requirements. It must be noted that
Omnibus HIPAA Rule providers are eligible for reimbursement only if they use
On Jan. 17, 2013, the Department of Health and Human certified EHR systems.
Services Office for Civil Rights announced the new om-
nibus HIPAA rule intended to improve privacy protec-
tions and security safeguards for consumer health data. Supporting EHR Encryption
Four final rules covering a wide range of HIPAA-re- CIOs will take different methods to achieve EHR compli-
lated issues are included in the omnibus rule, chief ance depending on the size of the organization; the age of
among them being the increased compliance responsi- the existing system to be updated, upgraded, or replaced
bility placed on business associates in protecting health outright; and, of course, whether the objective is qualify-
information and reporting breaches. Previously, the rules ing for incentives.
focused on health care providers and health plans. When it comes to data encryption alone, there are a
The OCRs significant harm standard, in place since number of questions CIOs need to consider:
2009, has been replaced with a low probability stan-
dard. This puts the onus on covered entities and busi- n  an simple software updates be made to an existing
C
ness associates to conduct formal risk assessments for system, or is it necessary to start from scratch?
breach notifications even if they dont believe the breach
is significant. Penalties for noncompliance will be as- n Is patient data currently encrypted, and if so, does
sessed within a tiered structure based on the extent of encryption extend to backup storage and removable
+ HOME
negligence, and can reach a maximum of $1.5 million per media?
violation.
+ EDITORS LETTER The HIPAA rule could mean significant changes to the n What would be involved in a data migration strategy?
way contractors and subcontractors treat data encryp-
+ HEALTH CARE RIPE
FOR NEAR FIELD tion. EHR vendors only have to be able to show that they n Is current data being stored on on-site servers, and if
COMMUNICATION encrypt the data that is stored on an endpoint device, or so, is it time to consider cloud-based storage?
TECHNOLOGY
show that they dont allow the saving of information to
+ MANAGING BYOD a device. However, the increased responsibility placed n I s there an IT security resource that is already quali-
AND SECURITY
on business associates includes contractors and subcon- fied to do the work, or is it necessary to research new
+ CREATING HIPAA tractors. Under the HITECH Act, incentive payments are resources?
COMPLIANCE IN available to eligible health care professionals and hospi- n Can a new resource be leveraged for budget purposes
STAGE 2
tals that adopt certified EHR technology and demonstrate and integrated with other products?
+ BUILDING HIPAA meaningful use of certified technology. In effect, these
COMPLIANCE, PATIENT are reimbursement payments to help defrayor even n  hat is the cost involved in ongoing IT and/or train-
W
PRIVACY INVESTMENT
BUSINESS CASES cover in their entiretyproviders upfront costs to meet ing support after implementation?

PULSE MAY 2013 12


The first step in figuring out how to proceed is to The Office of the National Coordinator for Health In-
perform an audit of your current system and processes formation Technology (ONC) lists products certified for
in combination with a risk analysis. Once you have meaningful use. Per the ONC, each complete EHR and
identified your objectives in the context of your current EHR module listed on the website has been tested and
circumstances, it's time to consider how to move forward.

But always remember this: The goal is not just EHR certification and compliance. It is mitigated risk in a continually volatile environment, especially given the new tiered breach-violation figures. Just consider a few recent HIPAA breaches:

• Emory Healthcare in Atlanta misplaced 10 backup disks containing information for more than 315,000 patients. Costs are expected to climb beyond $3 million.

• California's Sutter Health had a computer stolen that contained confidential information on 4.2 million patients. A class action lawsuit was filed in late 2011 for $1 billion.

• Tricare's data breach in 2011 affected 4.9 million patients from the past 20 years. Unencrypted backup tapes were stolen while in transit from one work site to another. In addition to fines, a class action lawsuit is asking $1,000 per patient, for a total of $4.9 billion.

certified by an ONC-Authorized Testing and Certification Body.

Preparing for EHR Stage 2 and Beyond

By most accounts, implementing stage 1 requirements and preparing for stage 2 is no easy undertaking, even considering just the time involved and manpower required.

Add in the expense of new systems, the implementation of new security measures, and the training that will be needed for new compliance protocols, and expenses increase.

As expenses increase, so does anxiety. However, the Medicare and Medicaid incentives that offset upfront costs help, as does the enhanced security that can help lower the probability of HIPAA breaches. Success is as much in mitigating the opportunities for failure as it is in implementing new systems.

Preparation and continuity are critical elements to successful EHR integration, which begins with analyzing what needs to be changed but doesn't end at implementation.

Here are some tips for succeeding with EHRs:
PULSE MAY 2013 13


• Do a gap analysis. Looking at where you are now versus where you need to be can provide a clear path.

• Identify and prioritize implementations.

• Research. You'll know the solution that works best for you only by examining all the possibilities.

• Consider the upsides of an upfront spend. No one wants to pay fines and be faced with a lawsuit because a backup disk or laptop was compromised.

• Train the workforce on new security measures. Your security is only as good as your least-informed team member.

• Establish policies and procedures in concert with compliance.

• Test and retest compliance procedures and readiness, and tinker where necessary.

• Investigate customization opportunities that further prepare your team for ongoing compliance.

Making your compliance team part of the solution means they won't be part of the problem. Consult them early and often.

MICHAEL FREDERICK is president and CEO of The Frederick Group.


Building Patient Privacy Investment Cases

BY DON FLUCKINGER

IN THE FACE of generally declining reimbursements and tightening budgets, it's tough for healthcare IT leaders to advocate for budget increases. That goes double for new capital investment in patient privacy and data security initiatives, because it's hard to prove the ROI on preventing HIPAA compliance calamities.

But that's exactly what health IT professionals are going to have to do, in light of the new regulations going into effect later this year. Risk management experts offered health IT leaders some strategies for pitching the C-suite for more budgetary support to ramp up investments for the Sept. 23 HIPAA omnibus rule compliance deadline. Among their tips:

• Don't focus on financials. Patient care and the overall mission statement of the hospital put revenue lower on the totem pole than it would be in, for example, a financial institution. Focus on how privacy and security investments will improve patient care and build trust between the community and your organization.

"If your message is dollars, you're dead on arrival," said James Anderson, principal at Risk Masters Inc. "They'll just send you down to the morgue floor; that's in the basement." Furthermore, he added, do not confuse cost savings with cost reduction; saving a hospital from data breaches will cost more money.

• If you can prove cost savings, be ready to be held accountable. Maybe you can find a tangible time-saving security implementation that gets practitioners logged in faster or a single sign-on that merges many current passwords into one. If you claim an investment will yield cost reductions or increased productivity, assign someone to monitor and document those savings, because you're likely going to be tested on it later. If not, network with senior leadership individually and share with them the benefits of their investment so it will be easier to renew or increase that investment when the time comes, Anderson said.

• Frame the argument well. Debunk logical fallacies that senior leadership might believe, such as "HIPAA is a cost center," by saying something like this: "If it weren't for HIPAA, would we throw privacy investment in the trash and forget about patient trust?" Explain that information velocity throughout the enterprise doesn't necessarily lead to a reduction in privacy when it's supported with proper security, said James Christiansen, chief risk officer at RiskyData.

• Show how HIPAA compliance helps insurance rates. Controlling internal threats, such as unsecured email, dumpster diving, device theft, and intentional deletion or corruption of data by rogue employees, can help reduce liability rates. This is enabled by putting a plan in place to control them, executing on that plan and documenting results.

In this plan, don't forget the human element, such as policy enforcement and quickly cutting off terminated employees from network access. "A lot of folks think technology is the answer to solving security and privacy [issues], and technology is absolutely a very important layer," said Chris Andrews, underwriting manager at AIG's Lexington Professional Liability group. "But I think sometimes we lose the importance of people and processes in the attempt to mitigate data privacy losses. They're just as important."

• Explain financial protections gained from new business associate agreements. Market research on data breaches from multiple firms shows business associates cause about 28% of data breaches. Resources must be allocated to tighten up business associate agreements for the new HIPAA law because IT can protect the hospital by developing and executing new BAAs to require more security. That is, require business associates to follow physical access controls for their buildings and carry data breach insurance, and call for specific data destruction practices. Also, make a prenuptial agreement that outlines how you will get your data back upon termination of the contract, and implement a program to audit your business associates for compliance with the agreement, said Brian Selfridge, managing director at Meditology Services.

• Make the case for data breach insurance. Many hospitals are putting off these policies for economic reasons, according to Kimberly Holmes, deputy health care product manager at Chubb Specialty Insurance. She expects that procrastination to end once HIPAA enforcement picks up after the Sept. 23 omnibus rule compliance deadline and as awareness grows that data breaches are more likely to happen in the bring-your-own-device (BYOD) era of smartphones and tablets. It's unrealistic to believe you can stop BYOD, so adding layers of security on data for those devices, as well as remote wiping capabilities, can reduce the risk of data loss, as opposed to ignoring BYOD and letting it happen organically in your facility. That can mitigate risk, but data breach insurance still is a smart buy, judging from the cases she's worked on, she said.

• Quantify risk by showing what happened to other hospitals. Depending on whose research is cited, Holmes said, each data breach costs a hospital $200 to $250 per patient record lost. Using the more conservative figure, quick math says a 10,000-record breach will cost $2 million, and that's before crisis management costs, legal fees, forensic tracking of the lost data and potential federal penalties are factored in. Furthermore, that figure doesn't factor in the costs of possible civil suits and settlements.

Risk Masters' Anderson cautioned that very little information about reliable risk vs. protection costs exists right now for healthcare data privacy; if you're citing data in a proposal, use the best you can find and annotate your sources in detail. But Michael Sullivan, Ashcroft Law Firm partner and potential Massachusetts Republican U.S. Senate candidate, said it also doesn't hurt to cite anecdotes from other healthcare providers' experience.

"It's okay every once in a while to share a horror story," Sullivan said. "There's nothing like getting somebody's attention when they can relate to the circumstances of somebody else's consequences. I'd tee them up, talk about something they can easily connect with in terms of the industry, a competitor, a colleague."

DON FLUCKINGER is news director for SearchHealthIT.

Pulse is a SearchHealthIT.com e-publication.

Jean DerGurahian, Editorial Director
Don Fluckinger, News Director
Jennifer Laurello, Senior Community Manager
Ed Burns, News Writer
Alex DelVecchio, Assistant Editor
Michael Frederick and John Donahue, Contributors
Linda Koury, Director of Online Design
Stephanie Corby, Publisher, scorby@techtarget.com

TechTarget, 275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE: THOMAS TOLSTRUP/GETTY IMAGES