
EHNAC Executive Director Addresses Recent Cyberattacks and the Implications to Healthcare

FARMINGTON, Conn. – October 31, 2017 – The Equifax data security breach that exposed the personal information of 143 million Americans was just one story in a year full of hackers making headlines as they continue to expose the security vulnerabilities of some of our nation’s most trusted financial and healthcare institutions. With the ramifications of these cyberattacks weighing heavily on the minds of many healthcare industry stakeholders, Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC) and a member of the HHS Cybersecurity Task Force, tackled several questions to better help the industry both understand and strengthen its defense against these attacks.

Q. What can the healthcare industry learn from the Equifax breach and other cyberattacks like the ones that affected the US Securities and Exchange Commission and the Big Four Accounting Firm Deloitte?

Barrett: The Equifax breach impacted more than 143M Americans as a trove of information was breached. It’s no surprise that 2 out of 3 Americans are affected by a breach or cyberattack. That’s an increase from 1 in 3 Americans in years past. In 2017 alone, the top three health data breaches have impacted 1.5 million people. The Office for Civil Rights (OCR) has reported a record number of HIPAA settlements and fines this year as well. These headline-making data breaches are a vivid reminder that it’s clearly not a matter of if a breach can happen but when.

Hospitals and healthcare systems now need to keep their focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs. Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and reputational hardships – the WannaCry and Petya ransomware attacks from earlier this year are clear examples of the impact this can have on healthcare. On average, it costs a healthcare organization more than $2.2 million and its business associates more than $1 million for a data breach. Is it worth risking that by taking an “it-can’t-happen-to-us” attitude?

Q. What can healthcare organizations do to adjust to the continuously shifting cybercrime landscape and reduce their risks of becoming another statistic on the U.S. Department of Health & Human Services (HHS) website due to breach or attack?

Barrett: Protecting patient data should be a top priority for all healthcare stakeholders. Every organization handling protected health information (PHI) needs to conduct a risk assessment and asset inventory of their organization and map the data flow within their enterprise in order to determine their risk in the event of a breach or cyberattack. Hospitals and healthcare systems need to build security frameworks and risk sharing into their infrastructure by implementing risk-mitigation strategies, preparedness planning, as well as adhering to the regulations created by the Office of the National Coordinator for Health IT (ONC) and the National Institute for Standards and Technology (NIST).

But it’s not just the security of internal systems that is of concern in this increasingly interconnected healthcare ecosystem. The security and IT risk management protocols of business associates and other vendors and partners must also be ready for the potential negative consequences of an incident, breach or attack as their risk mitigation preparedness can impact a health system’s operations. The failure to do so can bring devastating consequences. At a bare minimum, a system should have sufficient rigor and meet industry standards for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured.

Q. As we look ahead to 2018, what areas should healthcare leaders take a hard look at in terms of enhancing their cybersecurity frameworks?

Barrett: The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, you’ve exponentially increased the level of connection points, which in turn raises the level of exposure and heightens risk of compromise or breach. As a result, hospitals and healthcare systems need to evaluate their medical devices and BYOD protocols within their security frameworks as they present a whole set of data security challenges. Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an EMR system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware. In fact, more than 1M healthcare apps are developed worldwide on an annual basis. Unfortunately, only a small percentage of those new applications go through a security type review before being launched to the consumer or other stakeholder.

Finally, think of the impact a cybercriminal could have if they were to control medical devices. Last year, Johnson & Johnson warned patients about a potential hacking risk to their insulin pumps. And just recently, we learned of a security risk in a Boston Scientific medical device that communicates with implanted pacemakers and defibrillators. These are real instances of medical devices being compromised by the ever-evolving cybercriminal. Our industry needs to make protecting these devices and the patients they serve a priority in 2018. The Federal Drug Administration (FDA) has recently developed some medical device guidelines which are a start but we still have a significant delta to continue to develop further policies, procedures, controls and industry guidance.

About EHNAC

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors and third-party administrators. The Commission is an authorized HITRUST CSF Assessor, making it the only organization with the ability to provide both EHNAC accreditation and HITRUST CSF certification.

EHNAC was founded in 1993 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare. To learn more, visit www.ehnac.org, contact info@ehnac.org, or follow us on Twitter, LinkedIn and YouTube.

 

October 31, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

NATE, DirectTrust and EHNAC Agree That Consumer Access to Data is Critical Next Step in the Future of Interoperable Health IT

WASHINGTON, D.C. (April 14, 2016) – On Sunday, April 10, 2016, the National Association for Trusted Exchange (NATE), DirectTrust and the Electronic Healthcare Network Accreditation Commission (EHNAC) – all organizations with a focus on the success of Direct secure messaging – joined together to talk about interoperability in healthcare. In a pre-conference workshop affiliated with the 13th Annual World Health Care Congress, the three organizations presented from three very different perspectives on “The Demand for Secure Interoperable Health Information Exchange: Options and Opportunities 2016,” creating a dynamic that echoed the recurring theme of the complementary nature of the organizations’ work.

Dr. David Kibbe, President and CEO of DirectTrust, led the day with a discussion of the factors and players involved in interoperability in healthcare, including some predictions on the future expansion and contraction of various networks.  Lee Barrett, Executive Director of EHNAC, focused his comments on the potential security risks involved in interoperability and the importance of maintaining a risk management strategy.  Aaron Seib, CEO of NATE, talked about the critical role of the patient in any interoperable exchange of personal health data.  Renee Smith, Global Director of IT Enterprise Planning and Portfolio Management, Walgreens Boots Alliance, ably facilitated the discussion, and Paul Uhrig, EVP, Chief Administrative, Legal & Privacy Officer, Surescripts, provided insightful wrap-up commentary.

By the end of the day, much had been discussed about how to measure interoperability, the degree to which security should be a deciding factor in sharing health data, and the role of providers and others in educating patients about their rights to their own information and the various methods available to them to get that information electronically.  While all three organizations brought very different outlooks and offerings to the discussion, the day signaled a renewed sense of collaboration and understanding that the organizations each have a complementary role to play in the success of Direct as a method of securely transporting confidential information.  Further, it was clear that all three organizations see patient involvement as critical to the path forward.

Some quotes from the day:

Paul Uhrig, EVP, Chief Administrative, Legal & Privacy Officer, Surescripts: “The Federal investment in HIT has certainly been a driver of demand of the technologies that many providers are using, but in the future it is likely we’ll see increased consumer engagement and demand, and that very much will drive different and increased demand for interoperability.”

Lee Barrett, Executive Director, EHNAC: “Today’s patients are much more informed and are a lot smarter on the existing capabilities available for managing their own health. As these consumer tools continue to advance, resolving interoperability challenges across healthcare stakeholders and their products will need to remain a top priority.”

Aaron Seib, CEO, NATE: “Ultimately, the consumer is the only person who is a part of every encounter that they have. And if they are going to have 100% information awareness to share with their next provider and to participate and actually partner with all their caregivers, not just the ones that are in the HIEs, not just the ones that are using a particular EMR, but every provider that they’re going to get care from, we have to enable them to get data in the app of their choice…”

David Kibbe, MD, MBA, President and CEO, DirectTrust: “I do think there is great potential, and things might happen very fast. This idea of a shared medical record, that is in the control of the individual, that literally drives patients in a different way through the medical system, could emerge almost overnight.”

Renee Smith, Global Director of IT Enterprise Planning and Portfolio Management, Walgreens Boots Alliance: “I look forward to the day, and the day is coming, when the patient or consumer has that empowerment and that technology and the appropriate security… If that’s not why we’re all here, then we’re in the wrong place at the wrong time, because that is what success will look like.”

Aaron Seib: “I think we as a nation have been working on the right priorities, in the right order: make this work for doctors, make the data available to consumers, let the consumers decide how to use that data. I believe that three years from now, we’ll see the portion of the population that is most burdened by disease using tools to better manage their care and better partner with their doctors.  The key to get from here to there is not to wait for the perfect solution that satisfies everyone that may never come.”

April 14, 2016 | Written By John Lynn

MedAllies Achieves Direct Trusted Agent Re-Accreditation from EHNAC and DirectTrust

Direct Trusted Agent accreditation ensures adherence to data processing standards and compliance with security infrastructure, integrity and trusted identity requirements

Fishkill, NY – January 11, 2016 – MedAllies announced today that it has achieved full re-accreditation with the Direct Trusted Agent Accreditation Program (DTAAP) for HISP, RA, and CA from DirectTrust and the Electronic Healthcare Network Accreditation Commission (EHNAC). Direct Trusted Agent accreditation recognizes excellence in health data processing and transactions, and ensures compliance with industry-established standards, HIPAA regulations and the Direct Project.

Through the consultative review process, EHNAC evaluated MedAllies in areas of privacy, security and confidentiality; technical performance; business practices and organizational resources as they relate to Directed exchange participants. In addition, EHNAC reviewed the organization’s process of managing and transferring protected health information and determined that the organization meets or exceeds all EHNAC criteria and industry standards. Through completion of the rigorous accreditation process, the organization demonstrates to its constituents its adherence to strict standards and its participation in the comprehensive, objective evaluation of its business.

“Endorsed by the Office of the National Coordinator for Health Information Technology (ONC), the Direct Trusted Agent Accreditation Program ensures that organizations like MedAllies establish and uphold a superior level of trust for their stakeholders,” said Lee Barrett, executive director of EHNAC. “The need in the marketplace for guidance and accountability in health information exchange is undeniable, and we applaud MedAllies’ commitment to the highest standards in privacy, security and confidentiality.”

“MedAllies provides Direct services and is an ONC Direct Reference Implementation vendor in the Direct Project. MedAllies focuses on interoperability and the improvement of clinical care. Direct Trusted Agent accreditations recognize excellence in health data transactions and ensure compliance with industry-established standards, HIPAA/HITECH regulations, and the Direct Project. These accreditations signal to vendors and providers alike that MedAllies Direct provides the highest standard of privacy and security,” said Dr. A John Blair, CEO of MedAllies.

About MedAllies

MedAllies, founded in 2001, has extensive experience with EHR implementations and workflow redesign to improve clinical care. It provides unmatched expertise in interoperability, health information exchange and Direct services. As one of the ONC Direct Reference Implementation vendors, MedAllies has provided Direct services since the Direct Project’s inception. MedAllies Direct Solutions™ builds on existing technology to achieve interoperability. It focuses on provider adoption and use of EHRs for clinical workflow integration beyond the walls of their organizations over the MedAllies Direct Network. Physicians use their current EHR systems, allowing information to flow across disparate EHR systems in a manner consistent with provider workflows. MedAllies Direct Solutions is a tool to advance primary care models that emphasize care coordination and improved care transitions, and support patient-centered care. For more information please go to www.medallies.com

About DirectTrust.org

DirectTrust.org is a non-profit, competitively neutral, self-regulatory entity created by and for participants in the Direct community, including HISPs, CAs and RAs, doctors, patients, and vendors, and supports both provider-to-provider as well as patient-to-provider Direct exchange. The goal of DirectTrust.org is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, consistent with the HITECH Act and the governance rules for the NwHIN established by ONC.

DirectTrust.org is committed to fostering widespread public confidence in the Direct exchange of health information. To learn more, visit www.directtrust.org.

About EHNAC

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, electronic health networks, EPCS vendors, eprescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors and third-party administrators.

EHNAC was founded in 1993 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare. To learn more, visit www.ehnac.org, contact info@ehnac.org, or follow us on Twitter, LinkedIn and YouTube.

January 13, 2016 | Written By John Lynn