Jessica Davis

Jessica Davis is Senior Editor for Healthcare IT News, exclusively covering cybersecurity and government policy. She writes the bi-weekly HITN Cybersecurity Checkup and is lead editor for Women in Health IT.

Compliance
By Jessica Davis | 03:08 pm | October 10, 2018
HITRUST launched a security program to help start-up companies bolster their privacy and security foundations, including the adoption of the most comprehensive risk management, compliance and security services.

WHY IT MATTERS
The goal is to support startups in adopting best practices as they grow. HITRUST is working closely with those small businesses to ensure these security features are baked into their products from the beginning. To accomplish this, HITRUST is bundling and pricing its programs to align with small businesses that have been in business for less than three years, have fewer than 50 employees and less than $10 million in annual revenue. The program will streamline HITRUST adoption.

ON THE RECORD
“Navigating risk management and compliance requirements can be costly and a strain on internal resources and can be daunting for any company, but it can be compounded in start-ups that are focusing on bringing their vision to market,” Mike Parisi, HITRUST’s vice president of assurance strategy and community development, said in a statement.

THE TREND
HITRUST was formed in 2007 and is seen as one of the industry’s gold standards for security. In May, it launched a certification program for the NIST Cybersecurity Framework for hospitals and health systems to ensure security compliance. The RightStart Program will ensure these startups embed these security standards into “their evolving business models,” Parisi added.

HITRUST officials stressed that often these types of security measures are seen as a barrier to adoption. And as a result, companies will add programs in an ad hoc way, which leads to a loss of time and money, without a guaranteed improved risk posture.

To Hoala Greevy, Paubox CEO, the hope is that the program will give the company the ability to adopt a security framework that will scale with the organization. “HITRUST provides us with the tools for secure, compliant growth needed to increase our bottom line,” Greevy said in a statement. “Our customer focus demands we have security, compliance, and risk management in place by design and not as an afterthought.”

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com
IT Infrastructure
By Jessica Davis | 01:17 pm | October 10, 2018
A researcher discovered the North Carolina-based tech vendor is leaking protected patient data through its Amazon S3 bucket twice in a month.
Data Warehousing
By Jessica Davis | 10:38 pm | October 09, 2018
A hacker obtained access to an employee email account of California-based Gold Coast Health Plan, attempting to fraudulently move funds to their account.
Compliance
By Jessica Davis | 03:09 pm | October 09, 2018
Part two of our cyber insurance series highlights the need for healthcare organizations to compare prices and find a carrier willing to partner on cybersecurity.
Patient Engagement
By Jessica Davis | 05:36 pm | October 08, 2018
What if the challenge to overcome with data sharing was the policies common among hospitals? A new study published in JAMA Network Open found just that: Patients are facing many hurdles when they request to receive their records from hospitals. Conducted by Yale University School of Medicine, the study evaluated medical records processing at 83 top-ranked U.S. hospitals in 29 states and researchers found serious 'discrepancies' in the information given to patients during medical release processes.

THE TREND
What's more concerning is that there is serious noncompliance with federal regulations at some of these organizations. HIPAA not only allows patient access to their records in a timely manner: it guarantees it. Not only that but access must be in the patient's preferred format, with a reasonable processing fee.

Despite those laws, only 53 percent of the surveyed hospitals provide an option for patients to obtain their medical records. There were also inconsistencies in the data provided over the phone from a hospital, and the request forms with the types of formats patients could use for the release of their records.

Even worse: More than half of the hospitals charged patients well above the federal recommendation of $6.50 to release an electronic record to the patient. One hospital even charged a whopping $541 for a 200-page medical record. And 43 percent didn't disclose their fees on authorization forms.

The researchers also discovered that two out of the three hospitals that could not be reached didn't provide an option to speak with a department representative nor a voicemail alternative. This "impedes patients from gathering information that they may need to understand the medical records request process." And for those hospitals with those options, the automated voice response systems were hard to navigate and complicated before the researchers were able to reach a department representative.

WHY IT MATTERS
The report echoes sentiments that former ONC Privacy Chief and Omada Health Chief Privacy and Regulatory Officer Lucia Savage recently shared with Healthcare IT News. Data sharing has long been problematic for the industry, and her team made sure the industry was aware this was not a HIPAA issue.

To Savage, it's the policies that are hindering data sharing: "We have these highfalutin rules. But what's happening at the registration desk? What's happening in the billing office? What's happening in the office that actually handles the manila folder, or actual X-ray films? Are we, as people who are leaders in our institutions, walking the walk or talking the talk?"

Overall, the researchers shared these sentiments, stating that requesting both paper and electronic patient records is overly complicated, despite the clear mandates for patient access in state and federal regulations.

ON THE RECORD
"Although some hospitals were unwilling to release both paper and electronic records to patients, there are legal requirements under HIPAA to do so," the report authors wrote. "The lack of a uniform procedure for requesting medical records across U.S. hospitals highlights a systemic problem in complying with the right of access under HIPAA."

"Because every institution creates its own process and implements its own regulations, variability in what and how records can be received occurs," they added. While the 21st Century Cures Act and other government initiatives are working to improve the process, attention to "the most obvious barriers should be paramount."
IT Infrastructure
By Jessica Davis | 05:22 pm | October 05, 2018
The healthcare sector is well aware that medical devices are vulnerable, but it’s hard to obtain the extra resources to fix the issue.
Interoperability
By Jessica Davis | 01:04 pm | October 05, 2018
Former ONC Privacy Chief and Omada Health Chief Privacy and Regulatory Officer Lucia Savage shares both her concerns and her hope for the industry when it comes to the dreaded data sharing.
Electronic Health Records
By Jessica Davis | 05:44 pm | October 04, 2018
The EHR giant released the team of health IT vendors in addition to Accenture and Leidos that will help support Veterans Affairs’ transition from its legacy VistA EHR to the $16 billion Cerner platform.
Security
By Jessica Davis | 09:00 am | October 03, 2018
Simulated attacks on a healthcare organization can help infosec leaders assess their security posture, but not all pen testers are created equal and not every provider is ready to be tested.
Cybersecurity
By Jessica Davis | 09:00 am | October 02, 2018
Part one of our cyber insurance series focuses on cyber policies and how organizations need to do their homework to ensure they’re covered after a breach.
