Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.
Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it's been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).
State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.
Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.
One of the more challenging aspects of a case manager's job is helping to ensure a patient successfully transfers from the hospital to the next level of care. Under a set of proposed revisions to Medicare's Conditions of Participation (CoP) announced in November 2015.
Assigning the correct patient status is important not only to ensure that the hospital gets accurate payment for a patient stay, but also to ensure that the patient receives access to the postacute benefits to which he or she is entitled.
PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.
"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record and insurance identification numbers.
Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.
Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.
"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
Q: If my medical waste includes PHI, do I need a BAA with our waste management vendor?
A: Yes. For example, clinics and hospitals contracting with bio-waste disposal vendors that dispose of IV bags execute a BAA with the bio-waste disposal vendors. It's no different than the requirement to execute a BAA with a document shredding vendor. If the vendor will come in contact with PHI, a BAA is in order.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.