Health Information Technology

Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology , , ,

Microsoft's IE browser allows hackers to get keys for total access to otherwise secured data

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs.  Microsoft quickly confirmed the flaw on its Security TechCenter webpage.   Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw.  This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.”  FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons.  One is that hackers are already exploiting the vulnerability in an active “campaign.”  Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code.  This allows the hacker to download the malicious software to the user’s computer.  Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user.  Such access can include otherwise secure servers, databases and networks.  The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage.  Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them.  The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors.  Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system. Continue reading

Stage 2 “Meaningful Use”: Counting Patients Who Access Their Online Information Before Discharge

Kathie McDonald-McClure Electronic Health Records, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement during Medicare’s 2015 fiscal year (which begins October 1, 2014).  One of the many Stage 2 requirements includes the following one related to patient on-line access to health records:

Accessing Online Health Records
MU Measure Requires 5% of Discharged Patients to Access Health Information Online

Meaningful Use Core Measures, Measure 6 of 16

“More than 5 percent of all unique patients (or their authorized representatives) who are discharged from the inpatient or emergency department (POS 21 or 23) of an eligible hospital or CAH [must] view, download or transmit to a third party their [online] information during the EHR reporting period.” (Emphasis added.)

A literal reading of this measure prompted hospitals to frequently ask whether a patient who accesses their online health information before they are “discharged” will count towards this meaningful use objective.  The Centers for Medicare and Medicaid Services (CMS) posted an answer to this question that we like and think hospitals will like as well.  CMS says “yes”.   Continue reading

Healthcare CIOs: Check for vulnerability of OpenSSL servers to Heartbleed

Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , , ,

HeartbleedBugUpdated April 13, 2014 at 6:30 pm

CYBER RISK ALERT!  Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality.  On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in the OpenSSL (security socket layer) that is used in an estimated two-thirds of the servers that support websites displaying the “https” letters that we have come to trust.  Based on the back-end technology of OpenSSL, which involves what is called a “heartbeat” extension and a leakage of data from the server, this new cyber liability threat has been dubbed Heartbleed.

Vulnerability of HIT and Compliance with HIPAA.  Although the OpenSSL flaw’s name has no direct connection to health information technology (HIT), it ironically could be a pain for health care providers. Continue reading

AHIMA Issues Guidance on Appropriate Use of Copy and Paste in EHRs

Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology, HITECH Law, Meaningful Use , , , , , ,

16354859As we have written about in previous posts, the Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) has been critical of the copy/paste function that is available in electronic health record (EHR) technology developed by software vendors.  (See “Electronic Health Records in OIG’s Sights for 2013“, October 20, 2012; “OIG recommends fraud safeguards in hospital EHR technology“, December 11, 2013; “OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated“, February 11, 2014)  As our February 11, 2014 post concludes, while turning off the copy/paste functionalities are not the immediate solution to preventing a misuse of the function, health care providers should implement standards for its use.  The American Health Information Management Association (AHIMA) recently issued guidance, “Appropriate Use of the Copy and Paste Functionality in Electronic Health Records,” dated March 17, 2014, discussing the availability and appropriate use of the copy and paste function.

AHIMA supports maintaining the copy/paste functionality in ONC’s EHR certification standards and allowing for its use in CMS Conditions of Participation.  AHIMA encourages CMS to augment provider education and training materials on the appropriate use of copy/paste in order to reduce the risk that it may pose to quality of care, patient safety and fraudulent documentation.  Importantly, AHIMA recommends that health care providers implement policies and procedures to guide users of EHRs on the proper use of copy/paste functionalities.  To read the AHIMA guidance, click here.

March 31st Attestation Deadline for Eligible Professionals

Margaret Young Levi Electronic Health Records, Health Information Technology, Meaningful Use , , , , ,

strike before midnightReminder:  The deadline for Medicare eligible professionals to attest to meaningful use of certified electronic health record technology for the 2013 program year is just two weeks away.  Attestations are due on March 31, 2014 at 11:59 pm EST.  Click here for addition information about the EHR incentive program as well as to register or attest to meaningful use.