Network Security Archives | HealthTech Magazines
https://www.healthtechmagazines.com/category/healthcare-it-security/network-security/

“Just Internal” is No Longer the Case. What organizations need to do to protect themselves given the CURES Act.
https://www.healthtechmagazines.com/just-internal-is-no-longer-the-case-what-organizations-need-to-do-to-protect-themselves-given-the-cures-act/
Fri, 30 Apr 2021 14:41:15 +0000

By Mitch Parker, CISO, Indiana University Health

The CURES Act Final Rule’s provision requiring healthcare providers to give access to the health information in their electronic medical records without delay is coming on April 5. This means that patients will be able to use their application of choice to access their medical records and store them on their devices. This also means that providers will have to open secured Application Programming Interfaces (APIs) for the applications to access this data. There are security requirements around these APIs, mainly the use of OAuth2 authentication and Transport Layer Security (TLS) version 1.2 or greater.  This can help ensure that the transfer of data to our patients is secured.


However, we also need to look internally to ensure that the provenance of patient data is protected from its point of origin to its ultimate destination on our patients’ devices. Most healthcare systems have been running numerous technologies since before HIPAA and the Security Rule were published as a Final Rule in 2003. The Security Rule was written and drafted long before encryption was pervasive. 45 CFR 164.312(e)(1), Standard: Transmission security, requires us to implement technical security measures to guard against unauthorized access to Electronic Protected Health Information (ePHI) that is being transmitted over an electronic communications network.

What this part of the rule means is that we must ensure the confidentiality, integrity, and availability (CIA) of ePHI as it is transmitted over a network. The implementation specifications for Transmission Security were marked as addressable. According to the Federal Register of February 20, 2003, addressable has three components:

  • If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must implement it.

  • If a given addressable implementation specification is determined to be an inappropriate and/or unreasonable security measure for the covered entity, the covered entity may implement an alternative measure that accomplishes the same end as the addressable implementation specification.

  • A covered entity may decide that a given implementation specification is simply not applicable and that the standard can be met without the implementation of an alternative measure in place of the addressable implementation specification.

If the measure cannot be implemented, the risk mitigation steps taken must be documented. When the Security Rule was written, the use of secure channels was novel. While e-commerce sites utilized them, they were expensive and prohibitive to set up. Malware that exfiltrated patient data was also not prevalent. It was not difficult to make the argument that implementing encryption was not reasonable and appropriate, and that keeping data on an internal network was feasible.

With the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009, there was an expansion of the HIPAA compliance requirement set. According to Entrust, this requires the disclosure of data breaches of “unprotected”, aka unencrypted, personal health records. This also includes those by business associates, vendors, and related entities. One of the interpretations of the HITECH Act has been that if the data could be seen by others between its source and destination, it could be considered breached. Another is that if the data at rest is not protected using encryption and algorithms approved by NIST, then the data is also considered breached.

Also, given the time we are in, we have three alternatives. Microsoft and other vendors have made the use of secure channels pervasive, and only offer secure versions by default for their Application Programming Interfaces (APIs). The use of Secure Shell (SSH) is also now pervasive and is a default in Windows 10; you can use it to “tunnel” insecure traffic over an encrypted channel. Virtual Private Networks (VPNs) are also now common, and can be easily configured, even within your own virtual environments.

The use of legacy file transfer mechanisms such as older Health Level 7 (HL7) implementations, File Transfer Protocol (FTP), Server Message Block (SMB), Network File System (NFS), internal e-mail, or older versions of Secure Shell does not work well to protect patient data. These protocols do not protect the confidentiality, integrity, or availability of data. They also often force organizations to run older applications and services that cannot be configured to support newer standards such as FHIR. The old adage of “if it ain’t broke, don’t fix it” does not apply to the protection of patient data from threats to confidentiality, integrity, or availability. Upgrading these transfer mechanisms, applications, and services will put you in a better position to provide customers what they need as part of the CURES Act.

What you and your organizations need to do is to look at any unencrypted traffic you have with those legacy systems and find out how to encrypt it in transit using one of these three methods. Either you or your vendors need to address these for your applications. Given the environment that we are in, the consequences for having unencrypted info flying around due to HITECH, and the implicit encryption and security requirements in the CURES Act Final Rule, it’s time to revisit what’s unencrypted on our internal networks. “Just Internal” is just no longer the case.
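To act on that last step, here is an added example (not from the article) in Python that inventories unencrypted legacy-protocol flows from Zeek-style conn.log records, flagging the FTP, SMB, NFS, internal SMTP and plain HL7 traffic the article names so each can be scheduled for TLS, SSH-tunnel or VPN remediation. The Zeek log layout, the port 2575 HL7 MLLP mapping and the log lines themselves are assumptions and constructed data.

```python
from collections import defaultdict

# Services Zeek labels by content inspection; each moves data unencrypted.
CLEARTEXT_SERVICES = {"ftp", "smb", "nfs", "smtp", "telnet", "http"}
# Fallback when Zeek prints "-" as the service. Port 2575 is the IANA-registered
# HL7 MLLP port (assumption: the site's HL7 interfaces listen there).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
                   139: "smb", 445: "smb", 2049: "nfs", 2575: "hl7-mllp"}
ENCRYPTED_SERVICES = {"ssl", "ssh"}

# Constructed conn.log excerpt for the demo, not a real capture.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    "1619792400.1\t10.10.1.5\t51000\t10.10.2.20\t2575\ttcp\t-\t4096\t120",
    "1619792401.2\t10.10.1.7\t51001\t10.10.2.21\t21\ttcp\tftp\t900000\t300",
    "1619792402.3\t10.10.1.7\t51002\t10.10.2.22\t445\ttcp\tsmb\t250000\t5000",
    "1619792403.4\t10.10.1.9\t51003\t10.10.2.23\t2049\ttcp\tnfs\t-\t88000",
    "1619792404.5\t10.10.1.9\t51004\t10.10.2.24\t443\ttcp\tssl\t3000\t9000",
    "1619792405.6\t10.10.1.5\t51005\t10.10.2.20\t22\ttcp\tssh\t12000\t7000",
    "1619792406.7\t10.10.1.5\t51006\t10.10.2.20\t2575\ttcp\t-\t2048\t100",
])

def classify(service, resp_port):
    """Return ('cleartext' | 'encrypted' | 'unknown', protocol label)."""
    if service in ENCRYPTED_SERVICES:
        return "encrypted", service
    if service in CLEARTEXT_SERVICES:
        return "cleartext", service
    if resp_port in CLEARTEXT_PORTS:  # service unidentified: fall back to port
        return "cleartext", CLEARTEXT_PORTS[resp_port]
    return "unknown", service

def _num(field):
    return 0 if field == "-" else int(field)  # Zeek prints "-" for unset fields

def inventory(conn_log):
    """Aggregate cleartext flows per (server, port, protocol), largest first."""
    fields, totals = None, defaultdict(lambda: {"flows": 0, "bytes": 0, "clients": set()})
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("conn.log data row before #fields header")
            row = dict(zip(fields, line.split("\t")))
            verdict, proto = classify(row["service"], int(row["id.resp_p"]))
            if verdict != "cleartext":
                continue
            entry = totals[(row["id.resp_h"], int(row["id.resp_p"]), proto)]
            entry["flows"] += 1
            entry["bytes"] += _num(row["orig_bytes"]) + _num(row["resp_bytes"])
            entry["clients"].add(row["id.orig_h"])
    findings = [{"server": k[0], "port": k[1], "protocol": k[2], "flows": v["flows"],
                 "bytes": v["bytes"], "clients": sorted(v["clients"])}
                for k, v in totals.items()]
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)

if __name__ == "__main__":
    for f in inventory(SAMPLE_CONN_LOG):
        print(f"{f['server']}:{f['port']} {f['protocol']} flows={f['flows']} "
              f"bytes={f['bytes']} clients={','.join(f['clients'])}")
```

Feed the text of a real conn.log to `inventory()`; the TLS and SSH flows in the sample are dropped, and what remains is the remediation list, largest transfer first.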

The post “Just Internal” is No Longer the Case. What organizations need to do to protect themselves given the CURES Act. appeared first on HealthTech Magazines.

Cyber Security Framework to Streamline the Information Security Program
https://www.healthtechmagazines.com/cyber-security-framework-to-streamline-the-information-security-program/
Wed, 12 Feb 2020 12:32:30 +0000

By Bruce Forman, CISO, UMassMemorial Health Care

The implementation of a cyber security framework establishes a standard that allows for a structured approach to cyber security and a simplified, repeatable process for developing, managing, and maintaining the cyber security program. Standardizing on a framework allows an organization to be sure that all relevant categories of security are considered, and that strategy, direction, and status are clearly communicated with stakeholders. Many cyber security frameworks are available; while selecting one to standardize on and work with creates value for an organization, which particular one is selected is of lesser import. This is because the categories and subcategories of each are similar and map neatly one to another. Some examples include:

  • NIST CSF (National Institute of Standards and Technology Cyber Security Framework)
  • ISO 27001/27002 (International Standards Organization)
  • COSO/COBIT (The Committee of Sponsoring Organizations of the Treadway Commission / Control Objectives for IT)

Consider All Categories

Frameworks define categories that must be included as part of the program. The chosen framework, whether it be NIST, ISO, PCI, or COSO, is organized to create a structured risk-based approach to establishing and maintaining a cyber security strategy. By leveraging a framework, an organization can be assured that all categories are at least considered. All the frameworks seek to address risk management and asset management as cornerstone components. Other categories, such as vulnerability management, network security, and physical security are also identified. Basing a program on a framework provides an organization comfort in stating that their program and strategy has at least considered all categories (or areas) that need to be addressed.

Develop Logical Documentation

With the possible exceptions of the disciplines of asset management (you can’t protect what you don’t know about) and risk management (scarce resources, time, and budget must be allocated based on mitigating the greatest risks), cyber security documentation is probably the most difficult area to get “right.” A framework helps to define specific policies that must be created. Policies are written at a high level, don’t change very often, and are standard across an organization. Policies define “what”: what is the description of the category. As such, much of the policy statement is already defined by the framework and can be customized and edited for the organization. Policies reference processes. Processes define “why,” as in why are we doing this, why do we care about this. Processes build upon policies and establish an understanding of the importance of a particular direction. Processes reference detailed procedures. Procedures may change somewhat often based on the underlying technology and changes to the organization. Procedures define “how.” Within procedures, controls are identified. These controls provide the proof or validation that the procedures are effectively being followed.

Communicate Clearly

Basing communication of the strategy and status on a framework provides consistency and predictability in delivery of the message. Each project or set of projects is associated with a category defined by the framework. For example, projects related to multi-factor authentication or identity and access management can be associated with the category “Access Management.” Similarly, program and project status reporting follow the same model and are associated with the selected framework’s categories.

Conclusion

Utilizing a cyber security Framework will establish the completeness of a cyber security program and establish a consistent model for managing and communicating the program. Success is demonstrated by effectively managing risk and communicating progress by category based on the agreed upon framework.

The post Cyber Security Framework to Streamline the Information Security Program appeared first on HealthTech Magazines.

Technology and Telemedicine
https://www.healthtechmagazines.com/technology-and-telemedicine/
Fri, 29 Jun 2018 16:48:41 +0000

By Adam Glasofer, MD, MSHI, Associate Medical Director of Informatics, Virtua Health

One can imagine early uses of the telephone involving discussions about patient care between hospitals or a small town contacting a doctor in the city about a patient.

Today, we view telemedicine as the digital exchange of medical information from one site to another with the intended purpose to improve patient care and access. This is achieved through a wide variety of applications, devices, and services. These include things like two-way video, smartphones, email, tablets, peripheral exam devices, and many other mobile tools. All of these tools create a continuum of telemedicine technology complexity.

By leveraging the appropriate telemedicine technology based upon the use case, all of these groups can potentially converge to achieve the quadruple aim by providing better outcomes at lower cost, while, at the same time, improving both the patient and clinician experience.

Telemedicine helps to improve access to care in a way that has the potential to revolutionize the healthcare industry. This is more important than ever as healthcare systems continue to expand their footprint. Enacting telemedicine programs makes location of both patient and facility less important, and allows healthcare providers to expand their reach in ways never previously thought possible. In this article, we will review various telemedicine technologies with regard to complexity and appropriate use in specific cases.


In assessing the appropriate technology for a specific telemedicine use case, one must consider budget, use case requirements, and workflow. For basic interactions between provider and patient, mobile devices such as smartphones or tablets work extremely well and are commonplace among both providers and healthcare consumers. These devices allow for secure real-time audiovisual communication from any location with an Internet connection (Wi-Fi, 4G, LTE, etc.). There are multiple mobile-based, HIPAA compliant telemedicine platforms for use on mobile devices that can meet the needs of solo practitioners all the way up to regional healthcare organizations. Secure mobile video carts can also be used in conjunction with mobile devices to allow for similar communications from a health care facility to external locations using stable Wi-Fi or Ethernet connection. These carts provide better quality video than mobile devices as they function over stable internet connections and have a mounted camera that helps to steady the video feed.


The next level of complexity in telemedicine technology is the addition of connected peripheral devices to the audio-visual stream to provide more information for the clinician on the receiving end. The most high-yield and commonly used connected device is the stethoscope, which allows for real-time or store and forward transmission of heart and lung sounds. There are many different types of connected stethoscopes that vary in terms of form, function, and obviously price. Despite variations in price, the costs to implement such a program are not prohibitive to smaller practices or even individual providers. These types of systems can provide large amounts of useful information for a relatively low overall cost. Other connected peripherals include spirometers, otoscopes, ophthalmoscopes, high-resolution cameras, real-time ultrasound probes, EEGs, and various other real-time scopes. Usage of these types of peripherals is dependent upon the needs of the use case.

Also in the category of low complexity telemedicine technology are home monitoring solutions, which include devices such as blood pressure monitors, scales, glucometers, pulse oximeters, vital sign monitors, wearable fitness devices, and medication dispensers. These devices can provide instant feedback for patients, and allow them to feel more in control of their health while at the same time allowing clinicians to remotely monitor them. Data from these devices can be synced to software platforms with algorithms to alert for certain events or findings. This information can then be sent along to the native electronic health record to allow clinicians to view this information in-line with the comprehensive medical record. Included in home monitoring devices are also cardiac telemetry devices that allow for remote intermittent or continuous monitoring of cardiac status. Aside from providing comfort to the patient, these devices can reduce the need for in-hospital monitoring in stable cardiac patients. With the emergence of new mobile solutions within this market, cardiac telemetry devices are more accessible than ever as they have cut down on previously cumbersome remote options.

As we approach higher complexity telemedicine technology, we start to see more of an “all in one” approach with devices that have enhanced mobility and can perform multiple aspects of a physical exam via telepresence technology and connected peripheral devices. Peripheral integrated carts are often used in hospital settings as they offer reliable video quality and a robust suite of peripherals and add-ons. Some models can even be driven remotely so that providers can “round” from a remote location. On the other hand, mobile integrated telemedicine kits allow either patients or health care providers to perform remote physical exams using mobile devices that have a variety of add-on attachments that allow for capture of various physical exam elements. These units are becoming more commonly used as they are affordable, allow for flexibility, and are relatively easy to use. There are various offerings of these kits that are targeted to different use cases: rugged for field use (disasters, EMS, etc.), small and compact for consumers, and those with increased durability and higher quality parts for healthcare professionals.

Atop the mountain of telemedicine technology complexity are the emerging technologies of AR and VR. VR platforms allow for creation of a completely immersive auditory and visual environment to create a world that can be based in reality or devoid of physical laws governing space, time, mechanics, etc. VR’s ability to manipulate the user world can be helpful in post-stroke/rehab care, various psychiatric treatments, and simulative learning. It also holds promise for telemedicine application in surgical procedures, radiology, and neuropsychological assessments/rehab. AR functions differently in that it augments the real world with virtual computer-generated objects that appear to the user to coexist in the same space as the real world. This allows for natural movement in the physical world and interaction in the augmented world through gaze, gesture, and voice commands. While the applications of AR are similar to those of VR, it differs significantly in that it is a more natural fit for the clinical workflow as users can still interact with their surroundings.

In order to decide what technology is most appropriate, providers and organizations need to first assess the requirements of the specific use case and then work within their budgeted funds to find the best overall fit to meet the workflow. In doing so, it is vital to do the following when implementing telemedicine technologies:

  1. Listen to your staff!
  2. Focus on need first, and not simply what is available or cutting edge.
  3. Don’t force technology.
  4. Adapt to current workflows as closely as possible.
  5. Involve staff early and often.

And perhaps most important is to minimize the pain of implementation, while maximizing the gain. Show patients and providers the benefit these technologies can afford them by meeting them somewhere within their comfort zone so that you can then take them out of it.

The post Technology and Telemedicine appeared first on HealthTech Magazines.
