Physicians and Security Officers

Physicians and Security Officers aren’t usually in the same episode, but today we have done it. The American Medical Association (AMA) did a survey of physicians and their thoughts about privacy and security practices. It was interesting to hear their responses. Also, when a group of Security Officers gets together for a chat, some people glaze over. For nerds like us, it is an exciting discussion. Today we are going to discuss the Security Officer panel topics and the AMA report presentation from the National HIPAA Summit.


In this episode:

Physicians and Security Officers – Ep 151

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Physicians and Security Officers

Today we are completing a review of the topics covered during the National HIPAA Summit.  Interestingly enough we are able to connect physicians and security officers in one single episode.  Who would have ever thought it!

Physicians part of Physicians and Security Officers

Laura G. Hoffman, Assistant Director of Federal Affairs at the American Medical Association, gave a presentation at the National HIPAA Summit about a study they conducted. I found it very interesting.

The study, Medical Cybersecurity: A Patient Safety Issue, involved a survey of over 1,300 physician practices. The detailed findings are here.

Of the many things discussed in the findings, the funny thing to me was when she mentioned that if you ask physicians whether they should do a security risk analysis, they said no. But if you asked them only about the individual steps and didn’t call it an SRA, they thought it should be done.

The reason for that misperception could be many things. I think an important point it makes is that people don’t know what is involved in doing an SRA. Of course, you also have those who hear the term, think it is a HIPAA thing, and therefore decide it shouldn’t be done because of HIPAA. As we always say: Presentation is everything!

The report did stick to the common themes of the Summit, though: the importance of vendors and the fact that HIPAA is about patient safety. Other interesting points it brought up included the need to simplify the language between IT and physicians. Getting everyone on the same page is still a problem, and until we have some common vocabulary it won’t get much easier. That is one more point in favor of using cybersecurity frameworks.

Physician practices are now worried about cyber attacks and the problems they cause for the practice and their patients. They need help and they know it. How do we help them? Call Kardon for help, of course!

[Image: slide from the Hoffman presentation]

Source: Hoffman presentation slides, National HIPAA Summit 2018

Security Officers part of Physicians and Security Officers

A panel of security officers had a very lengthy discussion at the end of the day during the Summit.  I found it very comforting, scary and interesting all at the same time.  Some of the highlights from that discussion include points to reiterate what we have been saying for some time now.

SOC2 is not enough

One discussion was about the use of SOC2 reports to vet vendors. One panel member said their auditors were telling them they needed to read them. He doesn’t see the point. There isn’t anything in there helpful for vetting except the list of things the vendor was supposed to fix after the SOC2 report was done. We discussed this at length in a previous episode, SOC2 certification is not HIPAA compliance – Ep 131. Those certifications are an indication that the organization can complete a checklist and have someone come by and confirm the checklist was done.

Many vendors have tried to tell us that their SOC2 means they are certainly HIPAA compliant and to be trusted.  In reality, it just means proceed with caution.

Medical device security concerns grow

Medical device security is a big concern across the panel. The topics were scary, like the example of a hacker changing test results. A few other examples:

  • Make an MRI use too much radiation
  • Make an MRI stop moving but put out the same radiation constantly in one spot
  • Lock up a specific medical device and hold it for ransom in an area where that is the only one of those devices for miles and miles

There is so much concern about radiology systems that NIST is starting a project to develop best practices guidance specifically on PACS (picture archiving and communication) systems.

Performing a proper, complete and thorough security risk analysis was discussed extensively. In all planning and evaluations, all PHI in all forms and at all locations should be considered. If you don’t worry about the paper records, you are just opening yourself up to another problem. Check the paper while you are at it and make a plan.

Another point in the security analysis was to never stop at just worrying about the computers and network equipment.  Worry about every device that connects to your network.  Every device, every single device, don’t leave out a device in your review.  They brought up an interesting point about worrying about HVAC systems.

Everyone remembers that the Target breach involved an HVAC vendor. In that case, the vendor was connecting to send invoices. The issue here was much bigger. If an HVAC system is hacked, the attacker could make computers overheat or impact patient care with the amount of heat or cold air being pumped into any given area. That is another reason to get off of flat networks. Segment your networks.

As a final part of that topic, the discussion turned to having to make the tough decisions on where to spend your limited budget for protecting all the things we find.  It was the same issue for the huge organizations as it was for the smaller ones.  It is just on a bigger scale.  They can’t pick all of the $500,000 contracts submitted, they have to limit them.

Do the best you can with what you have to work with to manage your risk.   Document your decision making for the options you choose in your risk management plan.  You will never be able to afford everything you need.  But, when someone asks why didn’t you do X you can explain it is because you DID do Y.
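The budget discussion above is easier to defend when the decision record is produced the same way every cycle. As an added example (not code from the podcast, Kardon, or the Summit panel), the script below keeps a small risk register where every remediation option has a constructed cost and an estimated risk reduction, funds options in order of risk reduced per dollar until the budget runs out, and writes a rationale for every option, funded or deferred, so the "why didn’t you do X" question has a written answer. All assets, scores, costs and the budget are constructed sample values, and the likelihood/impact scale is an assumption, not a HIPAA requirement.

```python
"""Budget-constrained risk treatment with a written decision record.

Added example, not from the Help Me With HIPAA episode. Every option below
is constructed sample data; the 1-5 likelihood/impact scale is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    asset: str        # what the control protects (constructed)
    control: str      # the remediation being proposed (constructed)
    likelihood: int   # 1..5, before the control is applied
    impact: int       # 1..5, weighted toward patient safety
    reduction: float  # fraction of the risk score the control removes, 0..1
    cost: float       # one-time cost in dollars (constructed)

    @property
    def risk(self) -> float:
        """Inherent risk score before treatment."""
        return self.likelihood * self.impact

    @property
    def risk_reduced(self) -> float:
        """Risk score removed if this option is funded."""
        return self.risk * self.reduction


@dataclass
class Decision:
    option: Option
    funded: bool
    rationale: str


# Constructed register mirroring the episode's topics (paper, HVAC, PACS).
SAMPLE_OPTIONS = [
    Option("PACS server", "move to segmented imaging VLAN", 4, 5, 0.6, 40_000),
    Option("Paper charts", "locked storage and shredding schedule", 3, 3, 0.7, 5_000),
    Option("HVAC controller", "isolate from clinical network", 3, 4, 0.8, 15_000),
    Option("Staff email", "roll out MFA", 5, 4, 0.5, 25_000),
    Option("Legacy MRI workstation", "replace unsupported OS host", 4, 5, 0.9, 120_000),
]


def prioritize(options, budget):
    """Greedy selection by risk reduced per dollar.

    Walks the ranked list once; an option that no longer fits is deferred,
    and cheaper options further down the list may still be funded.
    Returns (decisions, remaining_budget) with one Decision per option.
    """
    ranked = sorted(options, key=lambda o: o.risk_reduced / o.cost, reverse=True)
    remaining = budget
    decisions = []
    for o in ranked:
        per_thousand = o.risk_reduced / o.cost * 1000
        if o.cost <= remaining:
            remaining -= o.cost
            decisions.append(Decision(o, True,
                f"funded: reduces risk {o.risk:.0f} by {o.risk_reduced:.1f} "
                f"for ${o.cost:,.0f} ({per_thousand:.2f} per $1k)"))
        else:
            decisions.append(Decision(o, False,
                f"deferred: ${o.cost:,.0f} exceeds remaining ${remaining:,.0f}; "
                f"residual risk {o.risk:.0f} accepted this cycle, revisit next budget"))
    return decisions, remaining


def decision_record(decisions):
    """Render the decision log as lines suitable for the risk management plan."""
    return [f"{d.option.asset}: {d.option.control} -> {d.rationale}" for d in decisions]


if __name__ == "__main__":
    decs, left = prioritize(SAMPLE_OPTIONS, 80_000)
    for line in decision_record(decs):
        print(line)
    print(f"unallocated budget: ${left:,.0f}")
```

With the constructed $80,000 budget the cheap paper-records fix, the HVAC isolation and MFA are funded and the two larger items are deferred with the residual risk recorded; swapping the greedy ranking for another method (for example, funding the single highest-impact item first) is a policy choice the plan should state explicitly.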

Should cloud EHR and RCM vendors really be CEs not BAs?

Finally, a very interesting discussion took place about cloud EHR vendors. They asked: “Why aren’t cloud EHR vendors and RCM vendors considered Covered Entities like clearinghouses?”  When you think about it the question does make sense.

  • Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
    • (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
    • (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

That is exactly what some of these vendors do for their clients right now.  The amount of discussion on the topic and the varied people who had thoughts on it means the idea isn’t just something someone brought up out of the blue.  People are thinking about this a lot out there in the industry.

After the Allscripts ransomware attack earlier this year we should definitely keep an eye on it.  That will take time to filter down to the rest of us but it wouldn’t be a smart bet to think nothing will change after it happened.

Realize that all it takes to make that change is for HHS to release guidance saying that they believe x, y, and z make an EHR or RCM business meet the definition of a clearinghouse, and boom, they are CEs.

Things are definitely changing but still too slow to protect data right now.  Health care is notoriously bad at policing itself which is why there are so many regulations.  (CAQH CORE and HITRUST are examples of that happening).  HIPAA was voluntary – remember.  Even then the industry as a whole didn’t adhere to the programs.  Many still don’t meet their HIPAA obligations even now.  In some cases, it is even done by design, not by accident.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.