Protecting Patient Information - Feds Find Security Lapses in State and Local Government Systems

Published on March 18, 2014

Author: pattonboggs

Source: slideshare.net

MARCH 18, 2014

This alert provides only general information and should not be relied upon as legal advice. This alert may be considered attorney advertising under court and bar rules in certain jurisdictions. For more information, contact your Patton Boggs LLP attorney or the authors listed below.

STEPHEN NASH snash@pattonboggs.com
KAREN THIEL kthiel@pattonboggs.com
NORMA KRAYEM nkrayem@pattonboggs.com
LU ZAWISTOWICH lzawistowich@pattonboggs.com
TODD TUTEN ttuten@pattonboggs.com
MEL GATES mgates@pattonboggs.com

ABU DHABI, ANCHORAGE, DALLAS, DENVER, DOHA, DUBAI, NEW JERSEY, NEW YORK, RIYADH, WASHINGTON DC

PattonBoggs.com Client Alert: Protecting Patient Information – Feds Find Security Lapses in State and Local Government Systems

HEALTH CARE AND CYBERSECURITY CLIENT ALERT

PROTECTING PATIENT INFORMATION – FEDS FIND SECURITY LAPSES IN STATE AND LOCAL GOVERNMENT SYSTEMS

Taken together, two recent announcements from the U.S. Department of Health and Human Services (HHS) highlight the need for state and local governments (and others who collect and maintain patient information) to regularly review their policies, procedures and safeguards for protecting patient information under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

First, on March 5, 2014, the HHS Office of Inspector General (OIG) issued an audit report regarding High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies that summarizes a series of serious cybersecurity lapses found during audits of 10 state Medicaid Management Information Systems (MMIS) performed between 2010 and 2012 (report available at this link).
Second, on March 7, 2014, the HHS Office for Civil Rights (OCR) announced that Skagit County, Washington, has agreed to a $215,000 monetary settlement and corrective action plan related to apparent lapses in protecting the privacy and security of patient information. The Skagit County Public Health Department provides essential health care services to needy individuals in the 118,000 person county. As OCR stated, this “case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size” (announcement and Resolution Agreement available at this link).

Both these events reiterate the need for state and local government agencies that handle patient data – specifically, “protected health information (PHI)” under the HIPAA/HITECH regulations – to perform regular risk assessments and ensure that proper administrative, physical, and technical safeguards are in place and working.

In the Skagit County case, an OCR investigation commenced after the county reported a data breach involving several individuals’ information that was inadvertently exposed on, and accessed from, a publicly (Internet) accessible server. The ensuing review found that information regarding some 1,581 individuals had been placed at risk, including sensitive data regarding testing and treatment for infectious diseases, and what OCR characterized as “widespread non-compliance” with the HIPAA Privacy, Security, and Breach Notification Rules.

Returning to the OIG report, the agency’s audits focused on information system general controls, including those that provide structure, policies, and procedures for managing an organization’s information technology systems and cybersecurity posture. The report details a number of high risk security vulnerabilities across the 10 states reviewed, characterizing several of them as “systemic” and thus likely to be concerns for other states and their MMIS. In publishing its report, OIG emphasized that its objective was to “increase public awareness of these pervasive vulnerabilities” and hopefully lead the Centers for Medicare & Medicaid Services (CMS) and state agencies to meet the challenge and strengthen system security.

The vulnerabilities were explained using three broad categories:

• Entity-wide controls,
• Access controls, and
• Network operations controls.

Examples of the vulnerabilities cited include lack of proper security plans, failure to encrypt laptops, and lack of formal disaster recovery plan testing. Additional deficiencies were seen in a variety of other areas, including asset inventory controls, risk assessments, user access controls, anti-virus procedures, and patch management.
Such cybersecurity deficiencies place agencies, and patient information, at high risk of unauthorized disclosure or widespread system attacks. But, these unfortunate issues can be avoided with regular attention to safeguards, planning, documentation, and workforce training.

As noted in the OIG report, resources such as technical standards and guidance are available from the National Institute of Standards and Technology (NIST). In addition, all health care organizations should be mindful of the growing momentum for adoption of the recently NIST-published Cybersecurity Framework, created under the direction of Executive Order 13636, and its support for building a proactive cybersecurity program (see EO 13636, the Framework, and supporting materials at this link).

Patton Boggs has deep experience in assisting public and private sector organizations with their cybersecurity planning and HIPAA/HITECH compliance programs, including policy development, vendor governance, workforce training, and risk assessment.
