
OCR NIST Part 2 – Ep 484 

 November 15, 2024

By Donna Grindle

Buckle up for Part 2 of our breakdown on the HHS OCR NIST healthcare security conference – because, yes, 16 hours of deep dives into AI, HIPAA compliance, and cybersecurity priorities can’t be tackled in just one episode! From wild projections about AI’s future in healthcare to OCR’s “tough love” on compliance standards, this episode peels back the curtain on the big decisions shaping healthcare data security. It’s a whirlwind tour through risks, regulations, and the occasional debate on why “just doing it the old way” won’t cut it anymore. Let’s get into it!


In this episode:

OCR NIST Conference Part 2 – Ep 484

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


OCR NIST Conference Part 2

[02:33]

We definitely covered a lot last week, but there are more important things to share with you. These are the topics we didn’t get to last week, and you need to know they are happening!

AI Strategic Plan

A task force is working on AI management across all of HHS. They shared the plan they have developed so far and expect to release it in January 2025.

This is new territory for everyone. It truly requires all of us to figure out what we need and how to set standards and requirements for real-world use. Until recently it was all theory and academic research; now AI has gone live in real-world use, and we need standards for it. Public-private partnerships are essential to building them. FDA does not set standards for these things and needs industry to work with organizations like NIST to build them.

AI lets us pull actual signals out of the noise, because of the vast amount and variety of information that exists in healthcare. We have so much data that we need AI to help us understand it, know what it can actually tell us, and narrow it down to what we need to know.

AI’s need for data is the challenge we must meet.

FDA regulation is an inch wide and a mile deep. It applies only to products that meet the definition of a medical device, but a lot is required once something does.

ONC is a mile wide and an inch deep. It applies to a lot of health IT, but it requires visibility into what the tool does and assurance that its metrics are met.

The regulations are 40 to 50 years old. They were put in place when no one dreamed of the things AI can already do today.

AI may be a black box, but it is still your responsibility to make sure it is not discriminatory in how it is used and in the data it uses.

AI use for treatment, payment, and healthcare operations (TPO) falls under HIPAA, but using PHI for AI research requires patient authorization. Plus, there are all the tools that live outside HIPAA entirely.

We need not just standards for how the tools work but also standards for evaluating them. Generative AI is a whole new ballgame, since it comes up with things on its own.

“We want to ensure that AI is working ‘for us,’ not ‘on us.’”

CMS is thinking about both its internal use of AI and the guidance and regulations that regulated entities will need to meet for participation and reimbursement. CMS has massive amounts of data. How can it be used responsibly and effectively? There are limited use cases so far, such as pattern detection and fraud detection, all with humans in the loop of the analysis.

Outward-facing requirements must address the fact that AI can change decision making in so many ways.

You should understand the AI you are using, to make sure the PHI it touches is covered by appropriate BAAs and access controls.

An AI presentation panel described different processes for marketing AI tools and building them into solutions. The overriding theme was speed to market, which doesn’t include security. The attitude was that customers will let vendors know if regulatory requirements need to be addressed on the back end.

The AI-Empowered Patient may be the most transformative thing happening right now. Patients get all their information and use AI to get insights on their own so they can participate in their own care. Patients can now get all their data, which wouldn’t necessarily flow as quickly or easily between all their providers, PLUS they have all the consumer apps and the data they provide to those. Put all that information together, even into ChatGPT, and it can analyze it in a way that never existed before.

OCR Dir Message

[33:05] A significant amount of her discussion was about what has been happening in the sector related to threats, attacks, and efforts to secure the entire HPH ecosystem. The number of major breaches and the number of individuals exposed in 2023 were huge: 745 large breaches reported, affecting 165,807,187 individuals. In comparison, 2018 had 369 reported breaches affecting 15,236,139 people. There were only 25 more cases from 2022 to 2023, but about three times as many individuals were involved.

Not that big of a deal, though; we already know that, thanks to the UHC Change Healthcare attack, 2024 will say “hold my beer” to 2023! Change alone accounts for well over half of that 2023 total of impacted individuals.

With numbers like these, we can’t expect them to just say, “oh well, everyone is trying.”

These numbers are primarily coming from email compromises, hacking/IT incidents, and ransomware attacks. We saw the change in late 2019, when attackers started exfiltrating the data in a ransomware attack before encrypting everything. As mentioned in the threat briefing we discussed last episode, there are a growing number of cases where they just steal the data and don’t encrypt at all. The ransom is to keep them from selling the data.

HIPAA Priorities

[37:08]
  • Prioritizing investigations that follow HIPAA complaint and breach trends:
    • Hacking
    • Ransomware
    • Right of Access Enforcement Initiative (emphasis by OCR; they just announced the 50th action since 2019)
    • Risk Analysis Enforcement Initiative (emphasis by OCR; they just announced the first action after this conference – more on that later in this episode or next)
  • Engaging with Health Care Industry on Cybersecurity
    • Increased presence regionally across the country
    • Videos/Guidance/Newsletters
    • Webinars/Technical Assistance
  • Review and Update HIPAA Security Rule

OCR Enforcement Review

[40:17]

It was fun to see our friend Emily Crabbe present this section. Back in the early days of our Boot Camp, Emily was the Southeastern Region OCR investigator who came and did our Q&A sessions. She is now Senior Advisor for Privacy and Security Enforcement. We can say we knew her when.

She shared a lot of information on the things you should be doing and what OCR is doing to assist in the guidance and enforcement areas.

Recurring HIPAA Compliance Issues

  • Individual Right of Access
  • Risk Analysis
  • BAAs
  • Access Controls
  • Audit Controls
  • Information System Activity Review

Investigations find either no SRA at all, or one that covers only the EHR system and nothing else. An SRA done properly could have prevented some of these attacks. In other cases, the SRA flagged problems and the organization never addressed them.

They expect to see risks when they review the reports; what they want to see is that you are managing them.

Failure to have contingency plans means recovery and restoring patient care could take an unreasonable amount of time.

The best-practices slide has the usual list, but it points out that training should be specific to the organization and to job responsibilities, and delivered on a regular basis. Reinforce staff’s critical role in protecting privacy and security.

[50:08]

Then we get to the big thing: the SRA enforcement initiative.

They are publishing resources to help as best they can.

One more time on the SRAs

We cannot stress enough the importance of getting your SRA reviewed and properly done now, not later, not next year. All it will take is one click, and whatever you have done so far is what they will see in the investigation.

7 Crucial Steps to a Comprehensive SRA – Ep 462 – Help Me With HIPAA

We don’t have time to review the first SRA enforcement action that just came out; we’re saving that for another episode!

And that’s a wrap on Part 2 of our HHS OCR NIST healthcare security conference coverage! From the AI strategic plan and the coming HIPAA Security Rule update to OCR’s growing focus on risk analysis and right of access enforcement, it’s clear big changes are coming. They’ll affect everyone from small practices to massive healthcare systems. With AI’s potential to transform patient care (and its need for strict oversight) and new pressure to get cybersecurity right, this isn’t just an update – it’s a call to action. So, will your healthcare organization be ready for the next big test, or will you be left scrambling to catch up?

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
