Category Archives: Asset Mngmt Compliance Requirements

Maxxum Insured by Downstream Data Coverage

March 8, 2016

Downstream Data Coverage

Maxxum has always taken our responsibilities as a secure data destruction service provider very seriously. It’s why we’re proud to be NAID AAA certified—a program that establishes standards for secure data and equipment destruction processes.

These NAID (National Association for Information Destruction) standards include:

  • Operational Security
  • Employee Hiring and Screening
  • Audited by Independent 3rd Party
  • Documented Process
  • Data Destruction Insurance (best practices)

Maxxum passed a strict audit to become NAID AAA certified and has agreed not only to be recertified every year but also to pass random, unannounced audits during the course of the year.

Working with an asset disposal company that is NAID AAA certified should first and foremost bring peace of mind to an organization. With data breaches and information theft making headlines far too often, it’s a HUGE relief for companies to partner with an organization like Maxxum, who will make sure they receive documented transfer of custody and indemnification from their technology assets.

Ensuring Data Security One Step Further with Downstream Data Coverage

Maxxum is now taking that peace of mind one step further for their customers as a “best practices” initiative. We’re now insured by Downstream Data Coverage, the only professional liability coverage developed specifically by NAID for data destruction services.

From the Downstream Data Coverage website:

“Data-related service providers obtain professional liability insurance to protect themselves and to ensure they can cover their financial liabilities to their clients.  When a service provider purchases an inadequate professional liability policy, they not only put themselves at risk, they also leave their customer exposed.  Downstream Data Coverage seeks to make sure that doesn’t happen.”

This specialized policy addresses many of the shortcomings of standard professional liability coverage that leave service providers and their customers at risk.

Downstream Data Coverage is only available to service providers that are subject to the routine announced and unannounced audits of NAID AAA certification. This means that not only is the service protecting the customer with quality professional liability insurance, the service provider is also operating under the scrutiny of outside auditors trained specifically for that purpose.

Too many technology asset destruction service providers rely on off-the-shelf professional liability coverage because, until now, they have had no alternative. That coverage often still leaves their customers without the full protection they seek.

Many customers remain at risk, because their service provider would not be able to effectively cover their liability. At Maxxum, we are proud to ensure our processes meet the high standards needed for proper technology asset disposal and data destruction; with Downstream Data Coverage, we’ve just taken it one step further.

4 Questions to Ask Your Technology Disposal Company

November 3, 2015


When you’re ready to dispose of your old technology assets, do so with the support and guidance of people whose job it is to stay on top of the ever-evolving regulatory and security requirements: a certified compliant and dependable technology disposal company.

4 Things You Need to Know About Your Technology Disposal Company

We’ve outlined a few questions to ask your technology disposal company:

1. Are they certified for data destruction and environmental compliance?

With so many stories about data breaches and information leaks dominating the news over the last few years, most organizations are a little spooked about how they’re disposing of their used technology assets.

You may be vulnerable to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and your customers. Financial penalties can be quite harsh, and a tarnished reputation can have long-term ramifications.

Environmental compliance laws have become far more strict over the last decade, and getting hit with environmental penalties is a bad “look” for any organization. Now more than ever, it’s important to vet a technology asset disposal company to ensure they have industry certifications for both security and environmental compliance.

2. Do they understand the resale market?

Your technology asset disposal company should know the resale market inside and out in order for your organization to get the best return on the equipment it’s retiring.

PCs, laptops, and servers that are less than three to four years old retain value, even if they’re no longer of use to your company. If you’re ready to dispose of your technology assets, why not recover that value? Remarketing your technology assets is an opportunity to recoup some of the initial investment or cover some or all of the disposal costs.

Your technology asset disposal company should understand price trends on the resale market and help your organization plan ahead and determine when your assets will turn from revenue generators to cost creators. They should help you plan to refresh your technology cycles to ensure that you get the optimum value on your old equipment.

3. How do they document data destruction and disposal?

Ask any potential provider how they document their full process. There are many points in the disposal process at which a mistake by your provider could leave your organization liable.

Disposing of data can have security, financial, and software asset management implications. Proper documentation can shield your company from financial and legal penalties. You should be provided with a Certificate of Data Destruction and a detailed inventory report, as well as a report to show the environmental impact that your responsible recycling is having.

4. Can they serve all of your locations?

Technology asset disposal can be a pretty complicated matter. From drive sanitization to environmental compliance, there are numerous reasons to rely on a proven and trusted technology disposal company.

Don’t forget to ask about logistics. Your vendor has to have experience that allows them to serve all of your sites and the logistical capability to properly handle all of your assets.

If you have multiple locations, make sure you hire a disposal company that can handle your work load and that understands the different regulations that might be in play in each of your locations.


Where Does Your E-Waste End Up?

October 8, 2015


50 million tons of e-waste is dumped into landfills worldwide every year.

That’s a huge number, but it only represents two percent of what is dumped each year. That two percent of e-waste, however, makes up 70 percent of the toxic waste in landfills. According to Popular Science, when electronics start to break down, they release the metals and chemicals inside them, including lead, which has been linked to a myriad of health issues.

E-Waste: What You Can Do About It

It’s obvious that more and more organizations are in need of a technology asset disposal company that responsibly recycles their technology. Maxxum is an industry leader in technology asset disposal because we won’t let our clients be compromised.

In fact, Maxxum has a zero landfill policy. We’re committed to responsible, domestic recycling of technology assets — in the best interest of the environment and your business.

At Maxxum, we believe that retiring technology assets shouldn’t mean risking an environmental breach. We’re committed to smart, strategic partnerships with our clients. We stay up-to-date on laws and regulations regarding environmental responsibility. We develop and support industry best practices in compliance, recycling and reporting.

In order to track what happens to your recycled technology from start to finish, Maxxum executes the following for every client:

  • Provides a Certificate of Electronic Equipment Destruction (CEED) that includes serial number, type, date, and our downstream recycle partner
  • Thoroughly vets our downstream recycling partners for compliance with our strict standards
  • Provides current copies of EPA licenses for all recycling partners
  • Reduces end-of-life assets to their smallest component parts and material types
  • Engages domestic recycling partners who utilize the most eco-friendly processes

It’s this attention to detail and accountability that makes Maxxum a leader in the field.

CFO Gets Prison Time for HITECH Fraud

June 22, 2015

Hospital Executive Falsified ‘Meaningful Use’ Attestation

By , June 19, 2015.

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.

In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.

Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.

White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice (see CFO Pleads Guilty to HITECH Act Fraud).

To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, “The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program.”

According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.

The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.

Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.

White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.

As a result of White’s false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.

A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, “restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996,” she explains, citing 18 USC 3663A(a)(1), which says, “Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to…any other penalty authorized by law, that the defendant make restitution to the victim of the offense. …”

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid. “My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate,” he says. “That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement.”

Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. “The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program,” he says.

Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.

“The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years,” he says. “An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments.”

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to “meaningful use” of EHRs.

Among those selected for audit was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple’s HIPAA security risk assessment, he says.

“You can’t skimp on the risk assessment. That’s the first and foremost item that they look for,” he says. “And it can’t be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours.”

HIPAA Compliance Audits Remain on Hold

April 16, 2015

OCR Official Describes New Guidance in the Works

By , April 15, 2015.

HIPAA Compliance Audits Remain on Hold

After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services’ Office for Civil Rights told attendees the next phase of the random HIPAA audit program “is under development.” Attorney Alessandra Swanson, an OCR team leader from the agency’s Chicago office, declined to say whether there’s a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology that the agency said was still being rolled out at the agency that will allow OCR to collect audit-related documentation from covered entities and business associates via a Web portal (see HIPAA Compliance: What’s Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office’s new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had an open “compliance specialist – auditing” position at its Washington headquarters.

“This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules,” the job posting said.

OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the “minimum necessary” standard for data; and HIPAA Security Rule compliance updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

“Our goal is, and has always been, to get entities into compliance,” Swanson says. “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is currently investigating a number of breaches involving BAs.

Read full article…

N.J. Law Requires Insurers to Encrypt

January 13, 2015

New Requirement Goes Beyond HIPAA

By , January 12, 2015.

N.J. Law Requires Insurers to Encrypt

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers – a stronger requirement than what’s included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

The law applies to “end user computer systems” and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual’s first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver’s license number or State identification card number; address; and identifiable health information.

Different than HIPAA

“The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption,” privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”

Greene points out that because the new state law is tougher than HIPAA, “A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law.”

– Healthcare Info Security

Go to original article…


Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By , December 2, 2014. Follow Marianne @HealthInfoSec

For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computer could potentially have prevented the breach at both store locations, “Server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at security services firm Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.

Read full article…

A Lost Server: What Went Wrong?

Inventory Management, Data Disposal Practices in the Spotlight

By , November 14, 2014. Follow Marianne @HealthInfoSec

The loss of a server at an optical wear retail store in Maryland offers a reminder not only of the importance of encryption but also the value of good inventory management and data disposal practices.

Visionworks Inc., a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., says the problems began when the server was being replaced in June during a remodeling project at its store in Annapolis, Md. “We believe that the server was accidentally removed with trash from recent renovations and taken to a local landfill” along with other materials, a Highmark spokesman tells Information Security Media Group.

The server held protected health information for as many as 75,000 of the store’s customers, according to a Visionworks statement. “All credit card information housed on the server was encrypted, and therefore should not be at risk,” the company says.

Besides the encrypted credit card data, however, the server also contained unencrypted data, including customer names and addresses and some information related to optometrist visits and lens prescriptions, the spokesman explains.

Server Security

While lost and stolen unencrypted computers and storage media, especially mobile devices, are the most common culprits in breaches that appear on HHS’ “wall of shame”, which lists breaches affecting 500 or more individuals, some security experts say the Visionworks server incident is somewhat unusual.

“It’s highly unlikely to lose a server since they typically don’t move around once they get ‘racked and stacked’ in a data center,” says Brian Evans, senior managing consultant at IBM Security Services.

Also, while encryption of all data contained on the lost server would have protected against a data breach, “it’s not commonplace in healthcare to encrypt servers for a variety of reasons,” he says. “Most organizations think they’re safe because their data is secure within a data center environment where access is physically restricted,” he says – unlike the retail setting where the Visionworks server was located.

“Visionworks could have benefitted from a formal media disposal and asset inventory process,” Evans says. “As a result, the server operating system could’ve been wiped or destroyed while tracking and accounting for this asset.”

Lessons Learned

All healthcare organizations should have policies that spell out how computing devices need to be handled if moved or relocated, says Tom Walsh, president of the independent security consultancy Tom Walsh Consulting.

He suggests that such a policy should state: “Any media, equipment, or device containing memory and possibly storing confidential information needs to be sanitized or erased before the media or equipment is reused, sent to a vendor for repair, sold, or prepared for donation or disposal.”

Additionally, he says relocation policies often prescribe that, “hard disk drives are removed from servers, workstations, laptops and other devices – including multifunction printers – and kept temporarily in a secure holding area, such as a locked office/cage/room/cabinet, until the hard drives are physically destroyed by the IT department staff or electronics recycling vendor. The inventory tracking database also needs to be updated when equipment is removed from service.”

Read full article…
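The two failure modes described above, a server that left the building with nobody knowing what was on it and drives that must be tracked from removal through destruction, are caught by a routine reconciliation: compare the retired assets in the inventory tracking database against the serial numbers on the destruction certificates the vendor returns (the CEED fields listed earlier in this archive: serial number, type, date and downstream recycler). The script below is an added example, not code from Maxxum or from the articles above. The CSV layouts, column names and the sample records are constructed for illustration; a real run would read the inventory export and the certificate export from files.

```python
"""Reconcile a retired-asset inventory against destruction certificates.

Added example; not code from Maxxum or from the reprinted articles.  The
two CSV layouts are assumptions: an inventory export with one row per
device, and a certificate export with one row per destroyed serial number.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory (not real assets).  A-1004 is still in
# service; A-1005 is a multifunction printer that was retired but for which
# no certificate ever came back.
INVENTORY_CSV = """asset_tag,serial,type,status,retired_on
A-1001,SRV-7F3A,server,retired,2014-06-02
A-1002,LT-22B9,laptop,retired,2014-06-10
A-1003,SRV-9C11,server,retired,2014-06-15
A-1004,WS-0A55,workstation,in_service,
A-1005,MFP-4D2E,printer,retired,2014-05-30
"""

# Constructed sample certificates.  LT-22B9 is dated before the asset was
# retired; SRV-ZZZZ is a serial the inventory has never heard of.
CERTIFICATES_CSV = """serial,type,destroyed_on,recycler
SRV-7F3A,server,2014-06-20,Example Recycler LLC
LT-22B9,laptop,2014-06-01,Example Recycler LLC
SRV-9C11,server,2014-06-20,Example Recycler LLC
SRV-ZZZZ,server,2014-06-20,Example Recycler LLC
"""


@dataclass
class Report:
    missing_certificate: list = field(default_factory=list)  # retired, no certificate
    unknown_serial: list = field(default_factory=list)       # certificate, not in inventory
    date_conflict: list = field(default_factory=list)        # destroyed before retired
    type_mismatch: list = field(default_factory=list)        # vendor recorded a different device type

    def clean(self) -> bool:
        """True when every retired asset is accounted for and nothing is inconsistent."""
        return not (self.missing_certificate or self.unknown_serial
                    or self.date_conflict or self.type_mismatch)


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv: str, certificates_csv: str) -> Report:
    """Cross-check retired inventory rows against destruction-certificate rows by serial."""
    inventory = {r["serial"]: r for r in _rows(inventory_csv)}
    certs = {r["serial"]: r for r in _rows(certificates_csv)}
    report = Report()

    for serial, asset in inventory.items():
        if asset["status"] != "retired":
            continue  # only devices taken out of service need a certificate
        cert = certs.get(serial)
        if cert is None:
            report.missing_certificate.append(asset["asset_tag"])
            continue
        retired = date.fromisoformat(asset["retired_on"])
        destroyed = date.fromisoformat(cert["destroyed_on"])
        if destroyed < retired:
            report.date_conflict.append(asset["asset_tag"])
        if cert["type"] != asset["type"]:
            report.type_mismatch.append(asset["asset_tag"])

    # A certificate for a serial the inventory never tracked means a device
    # left the premises without ever being recorded.
    for serial in certs:
        if serial not in inventory:
            report.unknown_serial.append(serial)
    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY_CSV, CERTIFICATES_CSV)
    print("retired with no certificate:", r.missing_certificate)
    print("certificate for untracked serial:", r.unknown_serial)
    print("destroyed before retirement date:", r.date_conflict)
    print("device type disagrees:", r.type_mismatch)
    print("clean:", r.clean())
```

Every non-empty list is a finding to chase with the vendor or the site: a retired asset with no certificate is exactly the Visionworks pattern, and a certificate for a serial the inventory does not know about means the inventory was already incomplete before the device was shipped. Run it each time a certificate batch arrives, not once a year.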

After HIPAA Omnibus, Breach Tally Spikes

October 20, 2014

Huge Increase in Incidents Under New Notification Guidance

By , September 23, 2014. Follow Marianne @HealthInfoSec

In the year since federal regulators began enforcing the HIPAA Omnibus Rule, there’s been a significant spike in the number of major breaches posted on the Department of Health and Human Service’s “wall of shame” tally of incidents affecting 500 or more individuals.

Since HIPAA Omnibus enforcement began last September, the tally has grown by a whopping 67 percent to include 1,126 major incidents, up from 674. The number of individuals affected grew from a total of about 27 million individuals as of late September 2013 to about 38.7 million as of this week, a 43 percent increase (see Wall of Shame: Four Years Later).

Experts say a number of factors contributed to the spike in reported incidents. In addition to the growing mindfulness of HIPAA compliance requirements among many covered entities and business associates – and ramped up regulatory enforcement activities – a significant factor is the HIPAA Omnibus Rule’s much more detailed breach notification guidance. In a nutshell, security incidents are now presumed to be reportable unless healthcare organizations demonstrate through the four-factor assessment that risks are low.

Read more…

At $1.2M, photocopy breach proves costly

August 14, 2013

The U.S. Department of Health and Human Services has settled with Affinity Health Plan, a New York-based managed care plan, for HIPAA violations to the tune of $1,215,780 after a photocopier containing patient information was compromised.

Affinity filed a breach report with the HHS Office for Civil Rights on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act, say HHS officials. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.

Affinity officials were informed by CBS Evening News that, as part of an investigatory report, the television network had purchased a photocopier, previously leased by Affinity, that contained confidential medical information on its hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach.

An HHS Office for Civil Rights investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.

Moreover, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all PHI.