
HIPAA Summit 2021 News Part 2 – Ep 299

April 9, 2021

By Donna Grindle

National HIPAA Summit 2021

The National HIPAA Summit is a regular event for us each year. It was held last year just before the shutdown. The event this year was loaded with discussions about what had happened in the previous 12 months and the massive list of things happening in the next 12 months. That is A LOT of HIPAA! Today we cover part 2 of news of note from the conference.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Summit 2021 News Part 2

[08:29] Since there was so much information we covered in Part 1 from the HIPAA Summit 2021, you would think that there wouldn’t be much left to discuss in Part 2. There really was so much more that it took a while to decide for sure what to include versus having a 3rd episode. We just don’t have time to do 3 episodes, so here are the best picks from what hasn’t been covered.

Lessons Learned About Remote Workforce

There was a very interesting session titled Overview of Risks and Controls for Securing PHI with a Remote Workforce, which was one of my top sessions of the entire event. A group of CISOs discussed how things happened and how they managed the events as they happened last year and since. So, of course, there were many great comments and thoughts gleaned from this session. I have already watched it again just to get more out of it.

Here are some key points and highlights from that session:

[09:09] The edge as we know it is gone. The new edge is the home, the home router, and wherever the traffic flows through that home router. So now your concerns are the Amazon Echo, the 12-year-old wannabe hacker, game consoles, and other endpoints potentially getting through.

For example, Sutter Health in California reported that prior to the shutdown, they had a couple hundred folks working from home. And in no time that number went to close to 15k in March of last year. But wait! There’s more! They also said at the same time they went from doing 400-500 telemed visits per day to 200K a day. That’s a complete revamp of traffic just in that one health system.

[11:31] Cyber attacks tripled. Affiliate sites furloughed people, and some individuals were approached to sell their credentials for $20k, including their multi-factor authentication. It’s lucky that most people have integrity. It could definitely have been worse.

[14:22] Cybersecurity is a patient safety issue. The only way they kept up was that IT wasn’t cut; the organization believes in that core principle and kept the team intact. They also had to manage all the staff role changes as people needed access to help out in other areas they didn’t have access to before. Those permissions had to be changed and then put back once the crisis surge was over.

Italian CISOs were telling CHIME (College of Healthcare Information Management Executives) what was happening, and days later it started happening in the U.S. Everything was moving faster than anyone thought was possible before this happened. All of those alternate sites we heard about and saw being set up to help with the pandemic needed access to technology and wifi, and those had to be secured too.

[18:32] Great levels of collaboration are happening that never happened before across the cybersecurity leaders of international health systems. People are sharing what is coming, what is happening, how they handled it, what worked, etc. Best practices sharing has been a bright spot.

Numbers as high as 10x the number of cyber attacks across a vast number of vectors were seen. The attacks started happening immediately for most. Every home connecting is now a potential threat. Any device anywhere in the world now must be provided real-time access and be secured in real time, which just isn’t feasible in the world of cybersecurity. The extortionists are not letting up. No one expected this to be as big and as bad as it has become.

Everyone is worried about how smaller organizations can handle these challenges. Many times it’s a struggle for smaller organizations to just realize that IT should be consulted at the beginning of the conversation when they purchase new equipment, acquire another practice, open a new location, or even upgrade the office copier. You can’t effectively manage security if IT is an afterthought.

Managing Business Associates

[24:32] No matter how you try to spin it, the supply chain is in the crosshairs. The only question is whether they know it.

The SolarWinds and other successful supply chain attacks mean the criminal world is looking for new ways to attack at various levels and see where it takes them. On the flip side, all the upstreams that are paying attention are asking more questions and are worried about the questions you ask your vendors and the questions they ask their vendors.

If you are a BA and haven’t started seeing these questions from your clients, give yourself a second to be thankful and start getting ready for these questions to come at you from every single client. There are a lot of issues when you consider this on both sides. Why do I have to ask my vendors first, followed by why do I have to answer these questions? We should be wwwwaaaayyyy past this BS but here we are talking about it again.

More Remote Workers

[38:23] There were many mentions of permanent remote workers and hybrid workers, which allows organizations to convert office space to patient services space. A lot is happening in the commercial real estate market these days. A lot of health systems and hospitals have extra office space they may be able to convert to other uses. What about all the surrounding office complexes that were built up to house those other businesses? There are a couple of things I worry about a lot on the post-COVID list. Long-lasting effects of the disease is a major one, second only to the impact WFH will have on how we work in our new world.

Stark and AKS Changes for Cybersecurity Donations

[39:06] We’ve talked about the CMS rule changes that allow certain cybersecurity funding from health systems and hospitals to their local community entities. The exciting part is that it opens up the ability for the big guy on the block to fund cybersecurity improvements for local practices regardless of their affiliation with the hospitals or health systems.

We discussed this briefly with Eric Decker who works on the big guy side of the equation. There are a lot of legal specifics that must be addressed but large health systems like the idea of being able to provide some basic security controls for local practices to access their network. We get that but…. The discussions at the Summit continued to bring out the very careful consideration of options that must be included and addressed in order to take advantage of the new rules.

It is very important to note that there are specific requirements to prove that what is offered falls under the exemptions added. This is not something that you just do without working to clearly define the boundaries when it is used.

If you are the provider, making any assumptions at all can be very bad for you. Understand clearly what your local hospitals or systems intend to do, or not, related to these new options. Only certain things are covered and they must be directly related to the cybersecurity needs of the practices.

For example, a business-class firewall is allowed, but who takes control of configuration and management of the device is not clear. Some services are included, but they must be directly connected to the cybersecurity needs, not others. So, if you offer help desk services, they must only include the cybersecurity part of help desk services. Password resets… not included. Is this malware?… may be included, but it depends on what happens next. If you are a local MSP, you have to understand these options as well as, or better than, the local health system to protect your business and theirs. The main concern I have is that nothing clarifies that what they are allowed to offer under these new rules does not address all of the practices’ HIPAA requirements, nor is it clear how internal or outsourced IT at the practices should coordinate their efforts.

Here’s a key element that concerns me. The allowable “donations” would not include current subscriptions or licenses to Microsoft Office, because those are not primarily used for cybersecurity. However, the number one attachment that carries malware is Office files targeting out-of-date Office software. Office software’s primary use is not related to cybersecurity, so it would not be covered.

This can rapidly go downhill if no one is setting clear expectations and boundaries.

We covered A LOT of territory in these two episodes on sessions from the National HIPAA Summit 2021. We covered everything from information blocking to the right of access enforcement to breach trends to WFH challenges to business associates to the Stark Law. Whew! That was a lot. But guess what? There was much more that was covered at the Summit. Don’t worry though…. we’ll weave more from the Summit into upcoming episodes of the Help Me With HIPAA podcast. So, keep listening!

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
