Home Forums Discussions General Discussion Putting together a HIPAA Risk Assessment and Plan set of documents -

HIPAA requires everyone to have a recovery or contingency plan for ePHI data loss like an emergency or theft of a laptop or power loss, etc.

For those of us out here with small physician practices, is there any example or set of example documents that a practice has created that would show you step by step how to compose your own flavor of document that outlines all your security procedures and protocols to ensure that patient health info is never breached at any point? I believe that September is the fed deadline to have a document or set of documents that a practice uses to make sure all data is safe and establishes a strict procedure to follow in any event of data loss.

Has anyone built their own document that covers this and satisfies the government requirement? The government seems to want to insist that everyone have these documents, but there's not a whole lot of material giving you examples of what something like that would actually look like for a real-world clinic situation.

Has someone out there already built this? It would help us establish our own...thnx..

I don't think there is any way we can ever meet all HiPAA requirements -- it's a moving target on an uneven playing field in the dark.

However, writing something -- almost anything --down and putting it in a notebook titled "recovery plan for ePHI data loss" will at least get us to first base. If there is ever an inspection, we can be faulted for being "inadequate" -- which goes without saying-- and get assessed hefty fines, but not for "failure to comply." Which could be jail.

THis is a link that explains a tool from California that is helpful:
https://providers.scmg.org/media/Fi...%20HIPAA%20Security%20Rule%20Toolkit.pdf

THis links to the page with the toolkit- go to bottom and click HIPAA Security Toolkit link.
http://www.ohii.ca.gov/calohi/content.aspx?id=140

This tool helps you easily to document your security assessment and plan- getting you at least to the inadequate level Tom mentions above.

Are Amazing Charts compliant with the new HIPAA encryption requirements introduced in the Final Omnibus Rule?

Are AC databases encrypted? What about imported items? They are not encrypted. How does it comply with HIPAA data encryption regulations?

I don't have all the answers but...
A) Don't Know (hopefully someone who has pored over the regulations can step in here...)
B) They are with the backup. They are also password protected. I would suspect they meet guidelines
C) They are with the backup, if you back them up with AC backup.
D) Don't know (hopefully someone who has pored over the regulations can step in here...)

E) How does Bitlocker encryption (which encrypts the entire hard drive) affect all of the answers above. It is available on Win7 ultimate, Win8 Pro and above and Server systems (I think from 2008 and above)

Any answer to the above questions?

hello,
according to CMS guidelines a hashing algorithm is a requirement
I spoke to tech support and apparently this will be present in the versions to be released later this year but is not present in earlier versions . I dont know if this applies only to MU 2 .
it is my understanding that bit locker will only help if the drive is physically removed and not against a network hacking attempt
Bala

Found these good links and in process of evaluating their "meaningful use" to the small practice

Hipaacow

Health IT.gov has a new tool to download
HealthIT

Maybe I can chime in on a few things.


There are some things that are outside the jurisdiction of Amazing Charts. While AC has not stated their official security procedures/protocol for Amazing Charts. It's best to break your system into components and analyze them. Every practice is different so make sure you conduct a thorough audit of your process. Or contact a professional, he or she should be able to do it remotely.

The underlying components of Amazing Charts are known. Having ventured into the database on occasion, AC relies on SQL Authentication. In SQL 2005, SQL authentication uses self-signed certificates (unless a SSL certificate is installed) to transmit data. So the network tunnel is encrypted to a degree (passwords are not sent over plain text), however there are still a variety of attack points such as MITM attacks, some applications cache passwords, etc. A better method would be to use Windows Authentication however that would require everyone use Active Directory/Server-Client Architecture. Amazing Charts elected to keep SQL Authentication to keep costs and complexity low for the end user.

However, the files contained in the AC folder are not encrypted. By default, the permissions are set to Everyone meaning everyone has network access. Anyone who can get onto the network can grab the files. This is probably the largest flaw that most users have present. Those using Active Directory/Servers are somewhat protected due to the domain requiring credentials for non-domain computers even when Everyone is specified. This mitigates the attack surface of network-based attacks. However, the proper way is to use security groups and permissions to truly limit attack vectors.

These same holes also exist on the cloud application as they operate using the same components.

I'll post back with more on drive-based encryption.

As an addendum to the previous post, I am going to clarify why securing the Imported Items is likely outside of AC's "jurisdiction". There's a good chance most users rely on sharing other folders outside of AC, maybe a spreadsheet or scans or faxes. It would logically follow that you would need to secure those shares in the same manner as the AC folder. It becomes apparent as to why they didn't encrypt the files. There needs to be a global change with respect to network security rather than a local one just for AC. If AC does encrypt the files, that doesn't help the other shares that you maybe using.

Also, there's a more technical reason as to why it would be a waste of time. There are people that can take a copy of the database and mount in SQL and pull all the data without needing to know any of your passwords. There are also built in back door accounts for administration created by Amazing Charts. For example, if AC or a partnered developer (e.g. UpDox) had a leak and the sa or one of the other built-in passwords was exposed, everyone would be at risk. So a global security policy would be more effective and sustainable solution regardless of the software used.

Well, what I know is this...I've been reading more and more about HHS being increasingly aggressive about going after organizations regarding HIPAA breaches. Just Google it and you'll see that they are becoming very aggressive about breaches that aren't even a result of someone being directly irresponsible (for instance, someone breaks into your office and steals your computer). For example:

Article about stolen equipment

This article is another good one, which also mentions the tool that Sunil mentions above:

No More Excuses

Anyway, before the original posting, I'd done a LOT of research to bring our office into compliance with HIPAA mandated privacy and security...but I honestly hadn't realized that a comprehensive security assessment and plan was also part of this. I suspect there are MANY other offices in this same situation. I know of one medical office that has *neither* data security (ie encryption) in place nor any policies or plans to do so. They are just completely oblivious.

It sounds like HHS is also now starting to fine people for not having an adequate security assessment and plan in place on top of the fines for the breach itself. I think that this is something that we're all going to have to come to terms with addressing. It is sure on my plan to do so as soon as I can get some time to get to it.

I purchased a new laptop with a self encrypting drive. I plan on adding the same SED to our server. My server doesn't support an "ATA Password" in the BIOS so i'm going to be getting an OPAL 2 compatible drive and enabling the encryption with software such as WinMagic SecureDoc or Softex SecureDrive. ANY data at my office containing PHI will be on an encrypted drive.

And regarding what Sandeep posted above...it seems true that there are very few options to protect "data in motion" on your network. So, as long as the server is up and running, in theory someone who can attach to the network can grab your SQL database (or your ImportedItems folder). You do the best you can there to prevent unauthorized access.

HOWEVER, under the current climate, I would say that you'd be crazy to keep any PHI...patient lists/data, documents/spreadsheets, your AC SQL database, your imported items, your incoming Fax documents folder, your BACKUPS, etc...on a drive that doesn't have encryption.

So, lets say someone breaks in and steals my server over the weekend. The MINUTE they unplug it to steal it, the data drive that contains all my sensitive data will NEVER reveal its contents. They have my computer but I have no breach. Same thing with my laptop, which I take home every night. All data containing PHI is on the encrypted drive, and if I lose it, it is an expensive paperweight for someone.

Finally, your backups must also be encrypted. If you aren't using an online backup, look at the Western Digital "My Passport" drives. Super cheap, and offer unbreakable encryption. So, my backups go initially to my encrypted server drive, and then I copy them to the external drive and take them offsite. DO NOT LOSE YOUR "OFFSITE" COPIES or it could cost you $$$$$ without encryption.

Scott makes a lot of great points. I just wanted to go into a little bit more detail on the network front.

Let's not forget that drive encryption is just protects physical theft. Network-based attacks are much more common and simpler to execute. You don't have to be there and you can execute them from anywhere in the world. One advantage of not running in the cloud is that network based attacks are more difficult due to decentralization of resources and lack of exposure. Also, vulnerabilities are likely to start popping as cloud is more heavily used. One thing I found interesting is that there was absolutely no mention of the Heartbleed bug that affects OpenSSL certificates. This affects about 66% of the web. Both Amazing Charts and Updox run affected servers (Apache and nginx, respectively). This affected major providers like facebook and Yahoo. Their security budgets are quite large, but they were still affected. Lots of companies are still doing audits to find out if they were as well. The vulnerability has been around for 2 years, but only discovered recently.


There's some very simple and affordable solutions such as using Active Directory to secure your network. Essentials streamlines the process for users. There is a common misconception that servers need to be expensive hardware. You can install a server OS on any hardware. If you previously deemed a desktop/off-the-shelf computer sufficient to run your practice, that same logic should apply to the server. AD authenticates on multiple levels. Even the machines themselves are authenticated against the domain. If the machine isn't part of it, it won't be allowed to authenticate. Protecting your network from a wide variety of threats.


For me the idea of having Everyone on the permissions list allowing unchecked network access to crucial patient data is crazier. I could get on your network and walk out with your entire practice no matter how much drive encryption or whatever physical safeguards you have. The scarier part is that you would never know I did.

Not really a paperweight since they reformat them and make 'em as good as new. But it's great that they won't be able to access your data protecting you against any major liability.

hi Sandeep,
can we use Active directory only on server software or can it be used on regular PCs acting as servers? if not what do you suggest for PCs
thanks
Bala

Active Directory is not a software component per se. It's a component of an operating system. Just like Windows 7 and Windows 8, there is Server 2008 and Server 2012. You would essentially replace Windows 7/Windows 8 with something like SBS 2011 Essentials (if you are still on AC 6.3) or Server 2012R2 Essentials. You can then join existing desktops to the domain/active directory. I did a video series on this for SBS 2011 Essentials.

Of course, you get tons of extras like Server Health Reports, Network health reports, backups of all desktops, Remote Web Access, and much more. It really streamlines things for a practice.

Why SBSE2011 for V6.3 but otherwise SBSE2012R2? Is it due to the version of SQL server? Can you use 2012R2 with V6.3 (since it uses a later version of SQL server but older AC use SQL 2005?) I know you can use 2011 with 6.6 because I do.

Yes, it's because of SQL. SQL 2005 isn't supported on Server 2012/2012R2. SBS 2011/WHS 2011/SBS 2011E are all Server 2008R2 which works fine with SQL 2005 and SQL 2012.