This Thursday, January 28th is Data Privacy Day (known as Data Protection Day in Europe). Its purpose is to raise awareness and promote privacy and data protection best practices. To honor Data Privacy Day, here are some ways you can protect protected health information (PHI, the HIPAA term for individually identifiable health data) while it is in motion, an area of focus for healthcare IT teams that handle PHI.

Personal Healthcare Info is a Hacker’s Dream

PHI is widely reported to be the data most sought after by cyber criminals in 2016. Attackers are moving away from other forms of cyber crime, such as attacks on bank accounts, and focusing on PHI because of how much a single record contains: Social Security numbers, insurance policy details, payment card data and more.

The lack of a consistent approach to data security across the healthcare industry also makes healthcare data easier to obtain, and the easier it is to steal, the more lucrative it becomes. The healthcare industry has had less time than others to adapt to growing security threats, and online criminals were quick to notice.

GDPR and the End of Safe Harbor

It’s not news that governments around the globe are doing their part to promote data privacy by legislating the protection of personal data and backing those laws with significant penalties for non-compliance. The recent agreement on the European General Data Protection Regulation is the latest example.

What is changing, however, is the rapid growth in data integration across the open Internet between hospitals, service providers like payment processors, insurance companies, government agencies, cloud applications and health information exchanges.  The borderless enterprise is a fact of life.

Using Encryption to Meet Data Privacy Regulations

It’s well known that a security strategy focused on perimeter defense is not good enough. For one thing, healthcare data must move outside its trusted network. Encryption is the best means to limit access to protected data, since only holders of the key can read it. But there are other factors to look at when considering technology to protect data in motion, particularly when compliance with HIPAA or other governmental data privacy regulations is at stake.

Briefly, when evaluating ciphers for file encryption, the AES key sizes defined in FIPS 197 (128, 192 or 256 bits) are the usual choice; key size sets the brute-force work factor, but it is not the whole story. The mode of operation and integrity protection matter just as much: an attacker who can alter an unauthenticated ciphertext in transit may get the altered file accepted as genuine, so prefer an authenticated mode. It is also worth considering products whose cryptography runs inside a FIPS 140-2 validated module, the validation the US government requires for its own use, as an added measure of confidence.
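As an added example (not code from the page or from any product it mentions), the following Go program encrypts a constructed sample record under an AES key of one of the FIPS 197 sizes, using the GCM mode so the ciphertext carries an authentication tag. It then shows that a single flipped byte, a swapped file name or the wrong key makes decryption fail closed instead of returning altered data. The key, file name and record are assumptions made up for the example; in a real deployment the key would come from a key manager or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is one encrypted file: a fresh random nonce plus the ciphertext
// with the GCM authentication tag appended by Seal.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds AES-GCM for a 16, 24 or 32 byte key (AES-128/192/256 as
// defined in FIPS 197); any other length is rejected up front.
func newAEAD(key []byte) (cipher.AEAD, error) {
	switch len(key) {
	case 16, 24, 32:
	default:
		return nil, fmt.Errorf("key must be 16, 24 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The file name is bound as associated
// data: it is authenticated but not encrypted, so a ciphertext cannot be
// silently re-labelled as a different file.
func Seal(key, plaintext []byte, filename string) (*Sealed, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // never reuse a nonce with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(filename))}, nil
}

// Open decrypts and verifies. Any change to nonce, ciphertext, tag or
// file name makes GCM return an error instead of garbage plaintext.
func Open(key []byte, s *Sealed, filename string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, []byte(filename))
}

// Tampered returns a copy of s with one ciphertext byte flipped, standing
// in for an attacker who modifies the file in transit.
func Tampered(s *Sealed) *Sealed {
	c := append([]byte(nil), s.Ciphertext...)
	c[0] ^= 0x01
	return &Sealed{Nonce: s.Nonce, Ciphertext: c}
}

func main() {
	key := make([]byte, 32) // AES-256 for the demo; assumed, not from a real key store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("MRN:000123|DOB:1970-01-01|DX:Z00.00")
	s, err := Seal(key, record, "claims-2016-01.csv")
	if err != nil {
		panic(err)
	}
	if _, err := Open(key, Tampered(s), "claims-2016-01.csv"); err == nil {
		panic("tampering went undetected")
	}
	out, err := Open(key, s, "claims-2016-01.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q\n", out)
}
```

The point of binding the file name as associated data is that an MFT receiver can check that the ciphertext it got really belongs to the file name it was delivered under; with a plain unauthenticated mode such as CBC, neither that check nor the tamper check exists and the receiver would accept corrupted plaintext.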

Here are several other things to consider to protect data in motion and ensure compliance:

  • End-to-end encryption: Encrypting files both in transit and at rest means that malware on a trusted server, or an insider with legitimate access to the trusted network, still cannot read them without the key
  • Visibility for audit: Reports and dashboards that give centralized access to all transfer activity across the organization reduce audit time and improve compliance
  • Integration with organizational user directories: LDAP or SAML 2.0 integration with user directories or identity providers not only improves access control and reduces administrative work, but can also provide single sign-on and multi-factor authentication, and means an account disabled in the directory loses transfer access at the same time
  • Integration with other IT controls: Because data integration reaches beyond perimeter defenses, look for integration with content-scanning systems. Antivirus scanning of incoming files keeps malware off the network, and Data Loss Prevention (DLP) scanning of outgoing files stops protected data from leaving
  • End-point access to data integration services: More constituents than ever participate in data exchange, each with unique needs, and each likely requires one or more of the following services:
    • Secure file transfer from any device or platform
    • Access to the status of data movement, to manage Service Level Agreements (SLAs)
    • Scheduling and monitoring of pre-defined automated transfer activities
  • Access control: With a growing number of participants, including those outside the company, it is more important than ever to manage access carefully with role-based security, so that each participant has appropriate access to the required data and services, and no more
  • File transfer automation: Automation can eliminate misdirected transfers by employees and remove the need for external parties to reach into the trusted network. A file transfer automation tool can also significantly reduce IT administration time and the backlog of business integration process enhancement requests

Become Privacy Safe Starting with This Webinar

Protecting PHI within the healthcare system doesn’t have to make it painful for hospital administrators or doctors to access PHI appropriately, but it does mean having the right technology and good training in place. And in honor of Data Privacy Day, don’t you want to tell your customers that their data is safe? You will be one step closer by signing up for tomorrow’s live webinar.

Learn how you can implement health data privacy controls to secure your healthcare data >> Register Here

For more on this topic, register to hear David Lacey, former CISO, security expert and author of the original text behind ISO 27001, speak about implementing HIPAA and other healthcare security controls with a managed file transfer solution.

Secure file transfer has been a somewhat quiet revelation for modern IT. As digital data continues to drive your biggest projects, the ability to transmit meaningful data at the click of a button becomes a necessity. Why then are data-sensitive environments so hesitant to give up on the tried and true physical copy? Three words: continuous data protection.

Old and New

Have you ever overheard your coworkers complaining about how much faster and more convenient paper data transfer is? Neither have they. There really isn’t much justification for data to remain on such an inefficient media in such a fast-paced industry. In healthcare, for example, a recent study by Behavioral Healthcare found that 79% of healthcare companies polled were using electronic health records. With sensitive data already in electronic form, it only makes sense to utilize a system to digitally transfer this data. Still, many organizations that rely on sensitive information, like financial data and electronic health records, are forced to compromise on speed and efficiency for the perceived security benefits of physical file transfer.

The always-present concern of prying eyes on sensitive data in transit encourages firms to keep this data living in ink rather than in a business system. Even with recent advances in encryption, government organizations, law enforcement and healthcare remain hesitant to make the switch. The reason is actually twofold.

First, securing sensitive documents from end to end — also known as continuous data protection — can be a daunting task. Not only does your IT team need to stay current on the latest vulnerabilities and encryption practices for their own network, but they also have to find ways to ensure transmitted documents remain secure outside of their walls (however well-kept they are). Secondly, because these documents must remain secured from sender to recipient, both parties must participate in the process — be it encrypting or decrypting.

Reliable, Continuous Data Protection

It stands to reason that midsized organizations need an automated, reliable and simple system for transferring digital files if they are to make a smooth move to 21st-century security. It just so happens that modern managed file transfer (MFT) solutions fit this description perfectly.

With an MFT system in place, your sensitive data is continuously protected in three key areas:

  1. Access points on each end are restricted
  2. Data transactions are logged
  3. Sensitive information is fully encrypted throughout the transfer

By applying HTTPS, FTPS, SFTP and similar encrypted transport protocols, data in transit is rendered useless to anyone sniffing packets. Without the necessary keys and certificates, all that is visible to unauthorized eyes is, well, junk. Keep in mind that these protocols protect each hop, not the file as a whole: the file sits decrypted on every intermediate server unless it is also encrypted at rest.

Outside of encryption layers, MFT solutions also offer improved visibility into each transaction. How? A centralized point of management. From a single portal, users can be managed, transfers audited and business processes integrated. For those still using paper transactions, this translates to improved efficiency and pervasive security that helps meet regulations like PCI DSS, HIPAA/HITECH, SOX, GDPR and Basel I, II and III.

Those in data-sensitive environments ultimately don’t have anything to gain by sticking to a familiar system. With increased visibility, security and efficiency, MFT can help bridge the gap for organizations struggling with even the most ubiquitous security concerns.

One night you find yourself watching the news and – surprise! – Another company has reported a data breach. The next day at Starbucks the cashier swipes your card, but the card doesn’t work. Now you have to take a detour to the bank. At the bank you find out that your card has been deactivated because the card number had been compromised in the data breach you just heard about the night prior. They apologize for the inconvenience and say that you’ll get a new card in the mail within 7 business days. They give you a temporary card in the meantime.

This is the average scenario of what a consumer goes through when affected by a data breach. The worst part is the annoying stares you get at places like Starbucks and the time wasted at the bank, so it’s really just an inconvenience. First world problems, nothing more.

But there is an extreme version of this that goes well beyond replacing a credit card: the scenario in which all of your personal and private information is sold on an online black market and your identity is effectively stolen. Worse, the buyers know everything about you: where you live, when you got that scar on your head, that embarrassing surgery you had when you were 12, and your Social Security number.

Cyber Crime and Your Healthcare Data

Medical data is more valuable to cyber criminals than credit card numbers because a medical record holds far more information, enough to get into almost any account a criminal chooses: date of birth, Social Security number, address, birthplace and even some of your parents’ details. That information can be used to access bank accounts, open new accounts, file insurance claims in your name, and answer the security questions that guard password resets on your most important accounts.

But that isn’t even the main reason your medical data is so lucrative. The biggest reason cyber criminals go after healthcare records instead of credit card numbers is that the healthcare industry is easier to hack: criminals can spend less time obtaining the same information.

HIPAA and Healthcare Data Security

A recent report by BSIMM shows that the healthcare industry isn’t protecting data as well as it should be. Unfortunately, it’s not surprising. The healthcare industry is behind most other industries when it comes to data security. The Anthem breach earlier this year should have been a big indicator that our information isn’t being safeguarded as much as we like to believe.

Healthcare IT departments have been slower than other industries to adapt, but the blame cannot be placed solely on IT. In many cases the issues lie in weak IT budgets and a general lack of awareness among healthcare staff. What’s worse is that, because so few security measures are in place, breaches are hard to detect if and when they do happen. And once a breach is detected, HIPAA’s Breach Notification Rule gives the organization at most 60 days from discovery to notify those affected.

A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. –HIPAA, Breach Notification Rule

Another reason healthcare IT teams may be slow to adapt is that they may be taking a “good enough” approach. If covered entities are protecting themselves in accordance with the HIPAA regulatory guidelines, then IT has done its job. Simply put, HIPAA does not go far enough to hold the healthcare industry liable when data breaches are detected. Healthcare organizations get away with not implementing proper security measures, and the patients are the ones who lose.

Healthcare IT Policies To Minimize Risk

Since budgets fall short and businesses have no incentive to go beyond the data security measures HIPAA requires, IT can at least protect itself in creative ways. It is fair to assume that most users in the healthcare industry are not diligent about data security, and all it takes to compromise an IT infrastructure is a simple phishing attack or a hacked personal device connected to the same network as millions of health records. Educating employees on the most common forms of attack goes a long way toward preventing a breach.

Creating stricter policies around personal device usage on healthcare networks may also be a strong step in the right direction; however, stricter policies mean more time spent policing them, and enforcement, more likely than not, ends up resting on employee trust.

Of course there are several ways IT can be creative in keeping employees informed of the threats and asking them to be diligent, but at the end of the day healthcare IT departments need more cash to implement more secure infrastructure.  And unless HIPAA is changed to push for these stronger security measures, healthcare companies are not going to give IT the budget they need to keep their data safe.

Nathan Hays works for one of the largest insurance companies in the healthcare industry. The company electronically communicates with a huge number of customers, vendors and other partners. Along with meeting stringent audit and compliance standards for those file transfers, the insurer must also have streamlined processes to avoid wasting time.

As a Senior Microservices Analyst for the insurer, Nathan recognized that transferring files was slowing down operations. Different departments were each using their own solutions to send files – both internally and externally. Their methods were not secure or reliable, and caused problems that slowed business. Nathan needed to act.

Satisfying Different Secure Data Transfer Protocols

With more than 3,000 employees, the insurance company has complex needs for flexibility and scalability. Many employees transfer different types of files internally and externally, creating a need for a centralized system capable of satisfying the different transfer protocols, encryption levels and file formats used throughout the organization. To make things even more complex, their vendors demand that they use different processes and security policies for sending and receiving files, creating new problems at every turn. Email and traditional FTP servers were not getting the job done, and the insurer also needed to support multiple encryption and security protocols.

Secure Data Exchange Challenges

Tasked with creating simplified, managed and secure workflows for the transferring and monitoring of both internal and external files, Nathan started a search for a new solution by identifying the specific challenges in existing processes.

“Users really like email. They want to send files via email, they think it’s easy. They don’t realize that it’s not the most secure way to do things and not really the most desired way to do things either,” Nathan explained.

With employees transferring files in ways that Nathan and his colleagues couldn’t monitor or manage, he stepped back and jotted down the core challenges his company faced:

  • It was increasingly difficult to manage various FTP programs that were used to transfer different types of files.
  • Multiple workflows had to be created in order to address the different needs of vendors and partners.
  • All insecure methods of transferring files had to be eliminated.
  • Standard FTP solutions and third-party cloud services have restrictions on bandwidth and file size, along with added security concerns, creating unnecessary problems.

Once Nathan identified these challenges, he set out for a solution.

MOVEit Automated File Transfer System

Searching for a viable solution to any business problem can be a massive undertaking. The solution must be customizable to adequately address every pain point, not just some of them.

Nathan began by talking to his IT peers at his company’s customers to see how they were addressing their file transfer concerns, since they shared many of the same requirements. Lucky for him, one of the first suggestions he received directed him towards Ipswitch’s MOVEit. After learning more about MOVEit – an automated file transfer system – Nathan believed he had found the solution that allowed for centralized, secure and monitored file sharing.

With MOVEit in place, the insurance company was set up for success. Over time, each of the core challenges were resolved:

  • All file transfers now pass through one central MFT system, which systematically blocks and eliminates insecure methods of transferring files.
  • Activity reports provided by MOVEit allow for a complete scope of files going in and out of the company. This benefits efficiency and network management and also simplifies preparations for audits and compliance reports.
  • Guaranteed 99.9% uptime allows the insurer to continually meet its service level agreements with vendors and partners and avoid detrimental issues.

MOVEit enabled the insurer to create more than 3,000 automated workflows to provide enhanced service to all departments. MOVEit exceeds all of the healthcare industry’s standards for compliance and reporting, directly helping the insurer to meet regulatory compliance and the never-ending technological demands of business.

“Something that may take several days or hours using a combination of [other] software, [MOVEit] allows us to turn around…in as little as 30-45 minutes. Users appreciate it and notice that you’re providing an excellent service,” Nathan said.

“…we’ve done so well that we’ve added a few employees [as we’ve expanded use, and] I’ve also gotten promoted,“ he added. “It really has brought some good praise and good attention to my area.”

Nathan provides examples of streamlined workflows and discusses how using MOVEit Central and MOVEit DMZ have enhanced company growth in his recorded talk at Ipswitch Innovate Summit 2015.

Are you ready for the Ipswitch Innovate Virtual Summit? It kicks off tomorrow (Wednesday, Oct. 21), and this post marks my final customer session preview. This sneak peek features Dylan Taft, systems engineer at Rochester Regional Healthcare, who will present his tale from the front lines, entitled “Transfer Regulated or Confidential Files”, at 12:00pm ET on Thursday, Oct. 22.

Improved Email Management with the Bonus of Security

As with any other health care organization, Rochester Regional Healthcare needed to reliably exchange patient records and health care information with insurance companies and health plan providers.

It also had to ensure that the transfer of information closely hewed to HIPAA regulations on patient privacy.

Rochester Regional Healthcare had relied on a scripted utility and PGP encryption for email, with no proper system to send and manage privileged information through file transfer, so Dylan was ready to call a digital doctor.

Now, with MOVEit – Ipswitch’s automated file transfer system – Dylan feels good. He knows that MOVEit supports the organization’s HIPAA compliance by securely transferring confidential patient information. It also preserves a complete audit trail of all file transfer activity in its database, making email management easier.

Tune in at 12:00pm ET on Thursday, October 22 to hear Dylan chat about how MOVEit reduced Rochester Regional Healthcare’s costs and gave the organization a clean bill of email health.

Come see us at Ipswitch Innovate Virtual Summit

Come to Ipswitch Innovate 2015. It’s free to sign up and you’ll get three hours per day of live webcasts and a virtual exhibit hall where you can evaluate network monitoring and data transfer solutions like WhatsUp Gold, WS_FTP and MOVEit. You can even navigate your way to the online Genius Bar for real-time answers to your product questions.

Last week we explained how managed file transfer (MFT) transforms enterprise operations as part of our ongoing series around our new reference book, Managed File Transfer for Dummies. This week we’re diving into Chapter 4 and breaking down the real-world benefits of MFT.

Regardless of industry, MFT provides three critical dimensions of value: reducing costs, reducing risks and improving IT agility, which in turn increases the top line. Every company in today’s connected and competitive business environment needs to manage these three elements, and MFT offers a platform to do so. While Chapter 4 dives into case studies from several industries, here is a snapshot of how MFT is applied in the healthcare sector.

A major U.S. health insurance provider believed outstanding customer service was its secret to success: not only exceeding its clients’ needs for timely, reliable and secure exchange of data, but also maintaining compliance with the industry’s strict regulations. The firm was using a vendor solution that required writing a lot of scripts and code to automate its file transfers, so it started a project to understand all of its file transfer needs.

The company first recognized the importance of automation and a simple user-interface for operation by an entry-level administrator to free up senior security staff and coders for other work. It then realized the most crucial areas were compliance and audit. The business had to prove to the file recipients that the files arrived in a secure and timely manner. MFT provided the predictability and comprehensive reporting that were necessary to the business.

By implementing an MFT solution, the company realized numerous benefits, including:

  • Comprehensive visibility and control of the transfer and storage of all files between customers, employees, partners, and business systems
  • Enterprise-wide automation of almost all file transfers
  • Easy mechanism for employees to transfer large and sensitive files on an ad hoc basis
  • High availability and scalability from using redundant MFT servers

Finding an automated MFT system that supports many devices, strictly complies with a number of privacy and security standards, and is easily administered by an entry-level operator proved to be a great business decision.

>>> Check back next week for highlights from Chapter 5. In the meantime, download a free copy of Managed File Transfer for Dummies today!

The already-infamous Anthem data breach has put personal information belonging to 80 million health insurance customers at risk after hackers gained access to the company’s network. Customer names, birth dates, home addresses and Social Security numbers are reported stolen. The sheer reach is astounding: the Anthem breach is the world’s largest within the healthcare industry, and it now ranks as America’s third largest after Heartland in 2009 (130M records stolen) and TJ Maxx in 2007 (94M records stolen).

There’s no such thing as perfect security, and my heart goes out to the IT team at Anthem, who are working 24/7 to batten down the hatches. Hackers will always find vulnerabilities to get what they want, and they have plenty of motivation: the data stolen from Anthem could be worth hundreds of millions of dollars on the black market.

Anthem responded quickly

A fast response is a good response when you are in crisis mode. Over the course of one day, Anthem:

  • Emailed customers to share the news, pledging support
  • Launched a site called AnthemFacts to address concerns
  • Published an open letter from CEO Joe Swedish apologizing for the incident
  • Offered free credit monitoring services

Anthem is getting praise for being proactive and transparent. But some of the company’s security practices have come under fire.  Security and compliance in healthcare is a journey, not a destination. IT teams need to do their best to manage and protect the high-volume of files related to Protected Health Information (PHI).

Managed file transfer helps healthcare organizations become more secure and compliant

Our healthcare customers have told us that a managed file transfer solution has helped them in the following ways:

  • Manage and control all file transfer activity from a central point of control, and automate processes
  • Transfer patient files reliably and securely
  • Enable employees to easily send files using IT-approved methods
  • Gain complete control over file transfer activity
  • Guarantee delivery (non-repudiation and file integrity)
  • Integrate with existing IT security systems
  • Reduce the cost and time to achieve and maintain HIPAA compliance
  • Improve reliability and availability for data back-up

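To make the “non-repudiation and file integrity” item above concrete, here is an added example (not code from the page or from MOVEit) in Go: the sender hashes the file with SHA-256, signs the hash together with the file name using an Ed25519 key, and attaches that receipt to the delivery; the receiver checks both the digest and the signature, so a modified file, a renamed receipt or a receipt from a different sender is rejected. The key pair, file name and file contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Receipt travels with a delivered file: the file's SHA-256 digest and the
// sender's signature over the file name and digest. A receiver that keeps
// the receipt can later show exactly which bytes were sent, and the sender
// cannot plausibly deny having sent them.
type Receipt struct {
	Filename  string
	Digest    string // hex-encoded SHA-256 of the file contents
	Signature []byte // Ed25519 signature over receiptMessage(Filename, Digest)
}

// NewSenderKey generates the sender's Ed25519 key pair. In practice the
// private key would live in an HSM or key manager, not in the program.
func NewSenderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// receiptMessage is the exact byte string that gets signed. Binding the
// file name to the digest means a signature issued for one file cannot be
// reused to vouch for a delivery under a different name.
func receiptMessage(filename, digest string) []byte {
	return []byte(filename + "\n" + digest)
}

// Sign hashes the contents and signs name plus digest with the sender key.
func Sign(priv ed25519.PrivateKey, filename string, contents []byte) Receipt {
	sum := sha256.Sum256(contents)
	digest := hex.EncodeToString(sum[:])
	return Receipt{
		Filename:  filename,
		Digest:    digest,
		Signature: ed25519.Sign(priv, receiptMessage(filename, digest)),
	}
}

// Verify is the receiver's check: the received bytes must hash to the
// digest in the receipt (integrity), and the sender's public key must
// verify the signature over that receipt (origin). Both must hold.
func Verify(pub ed25519.PublicKey, r Receipt, received []byte) error {
	sum := sha256.Sum256(received)
	if hex.EncodeToString(sum[:]) != r.Digest {
		return fmt.Errorf("%s: received contents do not match the signed digest", r.Filename)
	}
	if !ed25519.Verify(pub, receiptMessage(r.Filename, r.Digest), r.Signature) {
		return fmt.Errorf("%s: signature does not verify under the sender's key", r.Filename)
	}
	return nil
}

func main() {
	pub, priv := NewSenderKey()
	// Constructed sample claims file; not real data.
	file := []byte("CLM0001,2016-01-15,99213\nCLM0002,2016-01-16,99214\n")
	r := Sign(priv, "claims-2016-01.csv", file)
	fmt.Println("original:", Verify(pub, r, file))

	altered := append([]byte(nil), file...)
	altered[len(altered)-2] = '9' // one digit changed in transit
	fmt.Println("altered: ", Verify(pub, r, altered))
}
```

A transport checksum or a TLS session proves only that the bytes arrived intact on that hop; the signed receipt is what lets the receiver prove, after the fact and to an auditor, which file a given sender delivered.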
Additionally, a cloud-based MFT solution offers a further benefit: because the provider directly manages the facility and systems, the whole hosted environment can be audited against HIPAA requirements by a third-party auditor. Note that HHS does not certify products or services as “HIPAA compliant”, so ask to see the audit report rather than a badge. Always make sure a hosted solution has a signed HIPAA Business Associate Agreement with explicitly defined responsibilities, to help achieve HIPAA compliance quickly.

Bottom line: don’t take chances when it comes to your IT security. Make sure your critical information is kept safe, and put tools and technology to use both when data is on the move and when it is stored within your network.

PS – Check out how our customer VIVA Health successfully and securely transfers healthcare data, demonstrates regulatory compliance, and automates manual tasks with Ipswitch MOVEit managed file transfer.

According to a recent Ponemon Institute report, seventy-two percent of the 600 IT professionals surveyed believed their cloud service providers would fail to inform them of a data breach involving the theft of confidential business data, and 71 percent believed the same for customer data.

Healthcare organizations have been hesitant to relinquish any perceived control over their information, yet the investment and resources required to securely store and manage files on-premises have become a burden most facilities can no longer shoulder. IT teams lack the bandwidth and expertise to manage the growing volume and traffic of Protected Health Information (PHI). The move to the cloud has become inevitable because of the increasing complexity and burden of managing compliance processes.

Moreover, with the HIPAA Omnibus Rule in force since September 2013, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been more pervasive. With security breaches occurring at an alarming rate and federal regulation expanding, the push towards compliance has driven businesses large and small to explore the requirements, and the options available, for achieving and maintaining HIPAA compliance.

Cloud-based solutions provide significant value for the healthcare industry, giving organizations superior security and control when managing sensitive health data, especially PHI. Our customers in organizations that must adhere to HIPAA regulations tell us that a cloud-based managed file transfer (MFT) solution offers numerous advantages: industrial-grade security, lower risk, reduced time and resources needed to achieve and maintain HIPAA compliance, higher reliability and availability backed by service level agreements, and cost savings as IT staff are freed up to focus on other operational tasks.

The benefits of cloud provide a compelling reason for organizations to move to a managed cloud environment; here are a few best practices to keep in mind:

  • Invest in partners that are well-equipped to manage the breadth of HIPAA standards, and who are able to provide the tools needed to demonstrate compliance to your auditors;
  • Make sure to look for partners that provide a packaged HIPAA compliant environment that satisfies electronic protected health information (ePHI)-related legal obligations in HIPAA/HITECH legislation; and
  • Recognize from the start that your HIPAA compliance will usually involve a hybrid solution that combines both cloud and on-premise elements. A combination can provide the enabling “fabric” that will make it possible to do business moving forward.

To read more on this topic, check out my full article in HITECH Answers.

Of course, in order to understand the challenges (and solutions) of healthcare file transfer, there are a few essential terms that you’ll need to know. Let’s take a closer look at a few in particular:

  • HIPAA – Health Insurance Portability and Accountability Act.  This act requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans and employers. Specifically, this act was put in place to improve the efficiency and effectiveness of the healthcare system. In many ways, HIPAA compliance is the number one file transfer priority for those in the healthcare space.
  • BAA – Business Associate Agreement. A contract under which a vendor that handles PHI on a covered entity’s behalf (the business associate) commits to the same confidentiality and safeguard obligations that the healthcare provider observes; HIPAA requires one to be in place before PHI is shared with such a vendor.
  • HIE – Health Information Exchange. This system provides the capability to move information electronically across a designated region or healthcare information system. The HIE is designed to provide a more timely, efficient and effective patient-care system.
  • HIO – Health Information Organization. An organization that brings together health care stakeholders within a defined geographical area. This group then exchanges health information among themselves, for the purpose of improving the health and care within that region.
  • HITECH – Health Information Technology for Economic and Clinical Health. An act that promotes the adoption and meaningful use of health information technology; in other words, equipping healthcare providers with the technology to use electronic health records. This allows physicians to provide better care to their patients because the health records are complete and easily accessible.
  • PHI (ePHI) – Protected Health Information (electronic). This individually identifiable information relates to past, present and future physical or mental health conditions of an individual.
  • EMR – Electronic Medical Record. This record contains both the medical and treatment history of a patient in a given facility, for one practice. This record stays within said facility and is not easily accessed by any additional doctors who may also be treating the patient.
  • EHR – Electronic Health Record. This report focuses on the total health of an individual. It recaps a patient’s history in every facility, for every practice, that the patient has used.  Think of the EHR as combining the information from every individual EMR that the patient may have, and placing it into one, central location.
  • Managed File Transfer (MFT) – While the EHR is the central location where patient data resides, MFT systems provide a complementary central system to manage the transfer of files and data (including sensitive and confidential patient information) between the healthcare organization and its extended ecosystem of partners, suppliers and payers. This includes integrating with other systems and vendors with multiple configurations and access controls. MFT systems are a key cog in enabling a healthcare organization with file transfer automation and auditing to support HIPAA compliance.
  • Unstructured Data – Also known as the “patient narrative,” unstructured data is text-heavy information that may be unorganized, have irregularities or be ambiguous. This type of information requires the “human touch” to read, capture and interpret properly.  Most of the information needed to make a decision about a patient can be found here.  This data is also difficult to standardize, difficult for a healthcare provider to gain access to, and difficult to share between dissimilar computer systems.
  • EDI – Electronic Data Interchange. This electronic communications system provides a means for exchanging data. This interchange facilitates the exchange of information from one computer to another with zero human intervention.
  • Omnibus Rule – A rule that was put in place to implement statutory amendments under the HITECH Act. Among its effects, this rule strengthened the privacy and security protection for individuals’ PHI, modified the HIPAA Privacy Rule to strengthen the privacy protections for genetic information, and set new limits on how information is used and disclosed for marketing and fundraising purposes. Basically, the Omnibus Rule set further requirements that hold all custodians of PHI to the same security and privacy rules as covered entities under HIPAA.

The list goes on. If you’re looking for a way to simplify the file transfer process within your organization, be sure to check out some of our healthcare case studies or this resource page. If there are any other terms that you would like to be explained, please be sure to leave them in the comments section below.

For healthcare organization, NHS Wales, safeguarding healthcare data is of critical importance.

As many of you will know MOVEit Managed File Transfer System has been shortlisted for SC Magazine Europe’s Awards for the second straight year; but what you may not be aware of yet is that NHS Wales have also been nominated for the Best Security Team Award.

The team was nominated based on the team’s efforts to ensure authorised sharing agreements and tight controls were always adhered to when sharing confidential healthcare information with other Welsh Public Sector Organisations.

NHS Wales came to HANDD looking for a solution, and after our experts had evaluated the situation they decided that Ipswitch would be the perfect fit for them.

Needless to say, everybody at HANDD is extremely excited and proud of the entire team. We are also delighted to see NHS Wales nominated, as they have put in so much time, effort and hard work with us, and that has been duly noticed by SC Magazine.

The awards ceremony itself will occur on the 29th April during Infosecurity Europe, where I hope you will be able to come along and check out our stand. We also have a meeting room that is available if you would like to book a one-on-one meeting. If this is something you would be interested in, please contact us directly by telephone on +44 (0) 845 643 4063 or via email info@handd.co.uk.

Yesterday, SC Magazine reported on promises by the Information Commissioner’s Office (ICO) to crack down on how NHS trusts handle patient data.  This follows plans outlined by Justice Minister Simon Hughes to grant the ICO the power to carry out “compulsory audits” on the NHS around the handling of confidential patient data.

Many of you will have read the recent headlines accusing NHS partners of data breaches.  Organisations including PA Consulting and Earthwear were heavily criticised, though both parties claim they respected both the law and people’s privacy, plus the data couldn’t be linked to any individuals. Yet this has, not surprisingly, unnerved the British public.  No-one wants to consider that their confidential and personal data is at any level of risk, not even a slight one.

The problem with news such as this is that it can tar all parts of an organisation or its network with the same media brush.

We work closely with a number of NHS trusts and partners and have a deep understanding of the importance of security and privacy.  Specifically, we’ve worked closely with NHS Wales to address security challenges associated with the transfer of highly sensitive data. NHS Wales needed to ensure the security and control of high volumes of confidential and sensitive data whilst upholding ICO standards, internal practices and external regulations.  With the MOVEit Managed File Transfer solution, NHS Wales Trust has remained fully compliant with internal practices and industry regulations and has complete visibility of documents and data coming in and out of the business.  This allows the organisation to greatly reduce the time needed to securely share sensitive information, improving overall care and providing invaluable peace of mind to staff and patients alike.

While reported breaches highlight the need for businesses to sit up and pay attention to the visibility, control and sharing of confidential data, it’s also important to recognise the diligence and commitment to personal privacy and data security that many organisations already have in place.

You can read more about how we’ve helped NHS Wales to secure patient data here.  Alternatively, feel free to share your thoughts with us on Twitter.

If you’re a healthcare IT professional, you’re likely losing sleep when it comes to ensuring regulatory compliance. Having the right processes and tools in place to manage the transfer of information in and out of your organization, both via people and systems, is at the heart of this issue.

To understand the latest issues and trends affecting healthcare IT professionals, we sat down with Tim Dotson, a healthcare IT consultant from Durham, NC who is well versed in the issues facing healthcare IT groups. Tim’s wide-ranging healthcare job experiences include terms as an IT director for large health systems, an informatics pharmacist, and a healthcare IT newsletter editor. He shared his insights and advice around data security and file transfers.

Zak: What are some of the overall issues you are seeing affecting healthcare IT teams? 

Tim: Healthcare IT is in the midst of change, some related to government and regulatory requirements, and some just due to the constantly changing nature of healthcare. For example, both healthcare providers and vendors are struggling to get ready for upcoming changes to the ICD-10 Procedure Coding System. At the same time, they’re dealing with ongoing requirements associated with Meaningful Use programs. These programs incent doctors to use technology to assist patients, and to make that happen, changes are needed to IT systems within healthcare organizations as well as how they’re used within organizations. These initiatives are associated with immovable deadlines. And on top of these, those in healthcare IT need to address their hospitals’ own strategic agendas.

To further complicate matters, many healthcare organizations are undergoing consolidation, whether because of mergers or because they are trying to minimize the number of IT systems and vendors they deal with.

Zak: Yet at the same time, HIPAA standards are only getting stricter, and they are not optional.

Tim: Exactly. Hospitals continue to struggle with meeting HIPAA requirements, such as the new HIPAA Omnibus Rule, which among other things makes business associates of covered entities responsible for complying with some aspects of HIPAA, and increases the associated penalties for security breaches.

“Managed File Transfer takes compliance risk off the table, and just as importantly, saves valuable resources from having to manually manage the healthcare file transfer processes.”

Compliance is complicated in an era where everybody is used to storing data on personal devices and cloud-based services such as Google, posting personal and work-related information on Facebook, and sharing information with other organizations. Penalties for being involved in a patient information breach have increased, even if the exposure was unintentional and with no evidence that anyone used the patient information.

Hospitals have to evaluate their exposure, train thousands of employees regularly, and understand how the practices of their business partners could put them at risk. New government concerns have been raised about saving and monitoring computer audit logs, not just for possible privacy violations, but to detect behavior that might indicate healthcare fraud. Breaches, investigations, and audits are almost inevitable, so hospital executives have to prepare their large, complex organizations to avoid exposure and to respond if a breach occurs. It’s yet another problem that often lands in the lap of the hospital CIO.

Any ways healthcare professionals can find to deliver compliance with less effort will have a significant payoff to the IT teams. And that’s where Managed File Transfer can come into play – it’s taking compliance risk off the table, and just as importantly, saving valuable resources from having to manually manage the healthcare file transfer process or spending countless hours troubleshooting file transfer related issues.

Zak: Can you share more about what specific pressures healthcare organizations are facing when it comes to HIPAA compliance? Clearly there are some external technology trends outside of the hospitals’ control making compliance more and more of a challenge.

Tim: Many hospitals are dealing with the proliferation of devices and people demanding the ability to use them. The question isn’t whether or not devices like tablets will be used, but how hospitals will support the Bring Your Own Device (BYOD) movement.

Hospitals can’t afford to give everyone a device. But hospitals like to standardize their technology. And they certainly need to make sure data is kept private and secure. Plus healthcare IT groups need to support remote physician offices as more mergers and acquisitions occur.

There’s also a movement toward Big Data. Now hospitals can tie patient encounter data in with information about patients’ activities and characteristics outside of their environment, such as prescriptions taken, exercise and eating habits, etc. By mining this data, they can identify opportunities for improvement and develop new risk models. As healthcare organizations look to analyze all this information, files must be exchanged on a more regular basis, not just at the end of each day.

Of course, this means data security is more of an issue than ever before. Some healthcare organizations are still using unsecured email to send files. And the penalty for data breaches can be huge. Plus, the organization can lose credibility.

Zak: So with that said, how challenging is it to monitor and respond to changing data protection requirements without compromising patient confidentiality?

Tim: This is always a challenge. Security crosses several domains – infrastructure, people, and processes. Hospitals do their best to be mindful of security. But they often don’t realize how vulnerable they are until something unfortunate happens. There are so many opportunities for data to fall into the wrong hands. Every data exchange presents a risk and because there are more demands to move information around, the risk just keeps increasing. And sometimes the data protection requirements are too complicated to keep track of, especially for smaller hospitals. While these organizations have good intentions, they are often at risk because they’re not sure what to prioritize.

Zak: What are considerations or issues around balancing security and efficient file transfer?

Tim: Most times, the challenge is around the reach of communications. Many hospitals employ a large number of staff and it’s tough to get the message out about secure file transfer when you need to communicate with everyone from brain surgeons to housekeeping employees.

Many organizations are turning to automation to get around this problem. For example, they’ll set a rule to secure data in an email if it seems the information could be of a confidential nature.

Like so many things in healthcare IT, there’s not usually an obvious upside to taking these measures. It’s more about avoiding the downside, such as a penalty or negative publicity. But with increased HIPAA requirements and penalties, healthcare IT groups are paying attention to secure file transfer. It’s moved from “nice-to-have” to “must-have”.

Zak: Tim, thank you. This has been extremely insightful. One thing that’s clear from your comments is that healthcare IT professionals have a lot on their plates. For those that haven’t yet explored Managed File Transfer, it’s a way to reduce the time spent achieving HIPAA compliance, while gaining more control and visibility into the file transfer process across systems, processes and people.

To learn more about Managed File Transfer in Healthcare, visit the Healthcare section of our web site discussing Managed File Transfer Solutions for HIPAA Compliance or view one of our case studies for healthcare customers such as Rochester Hospital, VIVA Health or NHS Wales.