NIST OCR Security Conference Part 2

This is the second episode covering the things David has to share from the NIST OCR Security Conference: Safeguarding Health Information. There are many great points he picked up. As we review them, we keep coming back to the reminder that HIPAA is about patient care now. Join us as we discuss everything from ransomware requirements to security for a small practice, all in one episode.


In this episode:

NIST OCR Security Conference Part Deux – Ep 122

Where to meet us

  • GA AAP Pediatric Practice Managers Association. October 13, Cobb Energy Centre
  • North Metro MGMA – Oct 17, 2017, Kennesaw, GA
  • GA HFMA Fall Institute – Nov 8, 2017 – Reynolds Plantation at Lake Oconee, GA
  • Georgia Association of Orthopedic Executives – Nov 10, 2017 – Callaway Gardens, GA
  • GA HFMA CARE Forum – Nov 13, 2017, Sandy Springs, GA

Topic for today: NIST and OCR Security Conference Part Deux [5:33]



Today’s topic

NIST and OCR Security Conference Part Deux

Cybersecurity is not just an IT responsibility. Everyone must participate in security for it to be successful. [7:10]

Ransomware must be treated as a potential breach and requires a low probability of compromise (LoProCo) risk assessment, just like any other security incident. [10:43]

Breaches affecting 500 or more patients this year are keeping OCR busy. [12:28]

OCR watches the news. If you are on the news, it is likely that you should have reported the incident to HHS. They will be very unhappy if they learn from the news about a major issue they expected to hear about from you. [14:58]

Encryption is not a be-all-end-all solution to security. Yes, you should be encrypting your devices. Definitely encrypt anything that moves and has data or access details on it. However, there is a misconception that encryption protects against all types of security incidents. While you are logged into a computer and working, the encryption is effectively turned off so that you can work: the data is decrypted for your session, and anything running in that session can read it. [19:45]

"HIPAA certified" is not a thing. OCR reiterated that fact. The FTC may investigate claims of being HIPAA certified or guarantees of HIPAA compliance. Notify OCR or the FTC if you feel someone is making these claims in a fraudulent manner. [21:26]

OCR made it clear that there is no model security risk analysis. They do not offer one because every organization is different. Each organization looks and works differently, so the security risk analysis will not be exactly the same for each one. [24:20]

A self-audit is not a security risk analysis. A security risk analysis looks at more than just a checklist of what you are supposed to do under the HIPAA Security Rule, and it covers more than the technical safeguard requirements. Evaluate all the places where PHI is created, received, maintained, or transmitted and work from there. [25:57]

Managing top risks in healthcare. [26:50]

It is not about compliance; it is about patient care. We say it often, and there were points at this conference that reiterated it. [33:59]

Deceptive vendors beware: the FTC is coming for you. After the findings in the eClinicalWorks investigation, the FTC is very aware of and interested in what these vendors have been doing and claiming. [37:13]

HIPAA is not a goal with an ending; it is an ongoing process. There is no destination point where the process ends. It is not a once-a-year activity. HIPAA is an everyday process. That is what makes it so hard when you get asked, "How much is this going to cost me from beginning to end?" There really isn't an end. Just by asking the question, you know you need to do a lot of education with this group. [39:24]

Reducing risk for small practices was a specific session at the conference. A major point of that discussion, stated clearly, is that awareness and education are the most cost-effective measures for protecting your valuable assets. [40:48]

Phishing training is a great way to help protect yourself. Many major breaches involved a phishing email that lit the fuse. [43:45]


Finally, we reach the end of our reverse hosting episodes. OCR NIST Security conferences are always very informative and help us learn about the trends and activities of those setting direction for HIPAA and cybersecurity in general.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!


Remember, HIPAA is not about compliance, it’s about patient care.