Three weeks ago Internet users were notified en masse that a security vulnerability had been discovered in OpenSSL, a widely-used piece of open-source software that helps securely transport information around the web. The so-called Heartbleed bug forced healthcare IT vendors across the industry to perform internal forensic analyses to check whether they were sending vulnerable PHI across various internal and external networks.
Just one week later Microsoft announced that it had discovered a serious security vulnerability in its Internet Explorer browser. The issue was so severe that it prompted the federal government to tell citizens to use another browser until the flaw had been corrected. Once again, health IT vendors had to perform HIPAA-mandated security risk assessments to measure the severity and scope of the security incident.
Keeping the April security flaw theme going, just last week yet another vulnerability was discovered in a tool that many people use every day. The “Covert Redirect” vulnerability in OAuth, an open-source log-in tool used by such Internet titans as Facebook and Google, allows hackers to steal user data and gain access to secure websites. Again, vendors in the healthcare space with user-facing portals had to perform the same assessments to determine if their customer PHI had been compromised.
It was certainly an April to remember for health IT security professionals. Aside from countless hours of remediation and forensic efforts, these events should serve as a reminder of the risks associated with allowing a Business Associate to take custody of you patients’ PHI. Business Associate Agreements can be signed, and vendor assessments can be performed, but at the end of the day, you are placing yourself at the mercy of your provider’s security controls. And as the April security incidents have shown us, not even the vendors with the most
painstaking security checks will be 100% secure.Sometimes abstinence is the only means of prevention. Passing through the cloud avoids the Business Associate conundrum by never allowing your PHI to be stored or even passed through a vendor’s environment. How many assurance emails can you get from your IT vendors before it’s enough?
A lifelong communicator, this Tennessee native got his start in broadcast news before branching out into public media, corporate, communications, digital advertising, and integrated marketing. Prior to joining QliqSOFT as the company's first marketing team member, Ben shared his talents with organizations that include the University of Alabama, iHeartMedia, and The Kroger Company.
Engaging Patients and Connecting Care Teams Through Interactive Digital ConversationsLearn More
Prior to the pandemic, telehealth visits ─ delivering patient-provider visits virtually ─ was an afterthought in the care continuum — ill-regarded and little-used beyond patients in rural areas who had few care choices. Virtual visits comprised less than 1% of all outpatient visits. Private insurers generally follow guidelines from the Centers for Medicare & Medicaid Services (CMS), which allowed telehealth in only limited circumstances and paid at 30% below in-office reimbursement rates.