Nobody Ever Said Data Security is Easy or Convenient
Part of the American Recovery and Reinvestment Act of 2009, signed by President Obama in February, focused on increased data security for PHI covered by HIPAA. While the initial legislation provided broad definitions for the security of the data, it also designated that the Department of Health and Human Services (HHS) would publish additional guidance on data security requirements which would supersede the broad definitions published in the law.
On April 27, the required guidance was published in the Federal Register. The guidance creates a 'safe harbor' from the 'notification of breach' requirements if the data is protected in accordance with this guidance. HHS is accepting public comment on the published guidance until May 21.
Attempting to decipher exactly what the guidance means requires reading a series of documents created by the National Institute of Standards and Technology (NIST). My study of these documents isn't complete yet, but here is the condensed version so far.
The guidance calls for protection of 'data at rest' and 'data in motion.' It also provides guidance on 'media sanitization.'
'Data at rest' is essentially the data that is stored on your hard drive or on backup media. This data is at risk if you lose control of your hard drive or backup media. If you lose control of this data, and you want the protection of the 'safe harbor' from the breach notification rules, then the PHI must be encrypted. The guidance states that the data must be protected in accordance with the NIST publication, "Guide to Storage Encryption Technologies for End User Devices." This publication states that Federal agencies must use FIPS (Federal Information Processing Standards) approved encryption modules. Since most EMS providers are not Federal agencies, there is some question as to whether HHS intended that a FIPS-approved encryption module must be used in order to qualify for the safe harbor. Hopefully, this question will be cleared up when the comment period on the proposed rule is finished.
'Data in motion' is typically active data that is being digitally transmitted from one location to another. This includes, but is not limited to, data that is being transmitted across the internet. Technically, data transmitted on your local area network is 'data in motion'; however, the risk of data interception on your network is much lower than the risk of interception on the internet. There are several NIST documents that address protection of data in motion: "Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations," "Guide to IPsec VPNs," and "Guide to SSL VPNs." The short version of these documents is that at-risk 'data in motion' should be encrypted with a FIPS 140-2 solution.
Finally, HHS has provided guidance on media sanitization. The NIST document is "Guidelines for Media Sanitization." This document addresses the disposition of media that was used to process PHI. This includes paper, jump drives, CDs, disk drives, tapes, etc. According to this document, sanitization of paper requires destruction via cross-cut shredders that produce particles 1 x 5 millimeters in size. In general, hard drives and jump drives can be cleared by an appropriate overwriting utility. Magnetic tapes can be overwritten, degaussed or shredded. Optical disks (CDs or DVDs) should be destroyed by grinding, shredding or incineration.
Q: Is encryption required by the revised HIPAA laws?
A: No. The law does not 'require' encryption; however, data that is secured with an appropriately recognized encryption technology is not subject to the 'breach' notification requirements.
Q: What is encryption?
A: Encryption is the usage of technology that renders protected information unusable, unreadable or indecipherable to unauthorized individuals.
Q: Are there different types of encryption?
A: Yes, there are different types of encryption for securing data in files and securing data being used/transmitted. The type of encryption used is largely determined by the risk to be mitigated.
Q: Is encryption the best solution for data security?
A: Encryption is the best solution for data that is in significant danger of being breached. As an example, assuming appropriate physical and network safeguards are in place, it is not likely that the data that is stored on your server is going to be breached while it is on your server. The cost of encryption to server-based applications in terms of performance degradation makes selective encryption of data an undesirable security choice. If encryption is desired for server-based data, then whole-disk or volume encryption is a suitable solution. However, when backups of data are made and taken off site, the backup media is at risk of being lost or stolen, so those backup files should be encrypted.
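The 'data at rest' discussion above and this answer both come down to the same practical step: a backup file that leaves the building should be encrypted so that losing the media does not mean losing the PHI. The following Go program is an added illustration written for this newsletter page; it is not Ortivus code and not part of the NIST guidance. It encrypts a constructed sample backup record with AES-256-GCM, checks that the patient identifier is no longer visible in the stored blob, and shows that a blob altered in transit or on a damaged tape is rejected rather than silently decrypted to garbage. AES-256-GCM is a FIPS-approved algorithm, but the Go standard-library implementation used here is not itself a validated FIPS 140-2 module, which is exactly the open question the article raises about the safe harbor; the key-handling comment reflects a general assumption, not a specific product recommendation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample backup record containing PHI-like fields. Not real data.
var sampleBackup = []byte("patient=JANE DOE;dob=1970-01-01;dx=asthma;claim=12345")

// NewBackupKey returns a fresh 256-bit key. Assumption: the key is kept in a
// key store separate from the backup media; a key written onto the same tape
// or drive as the backup gives no protection if that media is lost.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. Output layout:
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup and fails closed if the blob was
// truncated or modified, because GCM verifies the tag before returning data.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext is the check to run on off-site media: is the patient
// identifier still present in the clear in the stored blob?
func LeaksPlaintext(blob, marker []byte) bool {
	return bytes.Contains(blob, marker)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Println("identifier visible in encrypted blob:", LeaksPlaintext(blob, []byte("JANE DOE")))
	back, err := DecryptBackup(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, sampleBackup))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or altered tape block
	_, err = DecryptBackup(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point is the authentication tag: plain AES in an unauthenticated mode would decrypt a damaged or altered backup into silent garbage, while GCM refuses it, so a restore either yields the original records or fails loudly.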
Q: Is the claim file produced by my ECM module encrypted?
A: No, neither the ANSI 4010A nor the upcoming X12 5010 file specifications support encryption. The receiving systems would be unable to read an encrypted file. Since the data in the file is not encrypted, these files should only be transmitted via secure means. Direct-dial modem connections to a payer are generally considered secure. Transfers to payers or carriers over the internet may be secure http (https:), secure ftp (ftps), or may use other encrypting transmission programs. If there is any question about whether the method being used to transfer your data is secure, you will need to ask the payer/clearinghouse about the security of their transfer methods. CLAIM FILES SHOULD NOT BE SENT VIA E-MAIL OR ON REMOVABLE MEDIA SUCH AS USB DRIVES, CD-ROM, OR DVD.
Q: Is my runsheet file encrypted?
A: No, the NEMSIS file specification does not support encryption. The receiving systems would be unable to read an encrypted file. Since the data in the file is not encrypted, these files should only be transmitted via secure means. Direct-dial modem connections to a recipient are generally considered secure. Transfers over the internet may be secure http (https:), secure ftp (ftps), or may use other encrypting transmission programs. If there is any question about whether the method being used to transfer your data is secure, you will need to ask your state data collection manager about the security of their transfer methods. RUNSHEET FILES SHOULD NOT BE SENT VIA E-MAIL OR ON REMOVABLE MEDIA SUCH AS USB DRIVES, CD-ROM, OR DVD.
Q: Is the patient data in Sweet-Field Data encrypted?
A: No, the data in Sweet-Field Data is not encrypted. We recognize that the intended usage of Sweet-Field Data does place the data carried in Sweet-Field Data at risk of breach. However, the information in Ortivus' new Fusion ePCR is encrypted.
Q: Is the patient data in Sweet-Billing encrypted?
A: No. Due to the nature of Sweet-Billing being a server-based application with all data stored on the server, the data on the server is not at significant risk of breach. Implementation of encryption at the application level of Sweet-Billing would be devastating to the performance of the system. The risk of breach can be minimized by following our Sweet-Billing Recommended Data Security Practices. If encryption protection of the data is required, then a disk or volume encryption technology is appropriate.
Q: Is the patient data in Sweet-CAD encrypted?
A: No. Due to the nature of Sweet-CAD being a server-based application with all data stored on the server, the data on the server is not at significant risk of breach. Implementation of encryption at the application level of Sweet-CAD would be devastating to the performance of the system. The risk of breach can be minimized by following our Sweet-CAD Recommended Data Security Practices. If encryption protection of the data is required, then a disk or volume encryption technology is appropriate.
Q: Is there a security risk when we allow a support technician to connect to us via PcAnywhere?
A: PcAnywhere supports encryption of sessions. We are implementing a policy requiring all PcAnywhere sessions to require the use of 128 bit AES encryption. The 128 bit AES encryption available in PcAnywhere versions 11.5 and greater uses a validated FIPS 140-2 cryptographic module.
Q: Is there a security risk when we allow a support technician to connect to us via GoToMeeting?
A: GoToMeeting sessions incorporate a variety of security protocols, including 128 bit AES encryption. With these safeguards in place, there is minimal security risk.
Q: Is there a security risk when we allow a support technician to connect to us via VNC?
A: VNC does not provide any native encryption. Effective immediately, Ortivus will no longer make remote connections via VNC.
Q: Is there a security risk when I datalink Sweet-Field Data remote units across the internet?
A: There is minimal security risk when datalinking remote units across the internet. Before the datalink can begin, you connect the Field Data computer to your internal network using Virtual Private Network (VPN) technology. The VPN creates an encrypted data path through the internet for the data being transmitted; this path provides secure transmission of the data to your network. In accordance with the guidance issued by HHS, VPN technology implemented should be FIPS 140-2 compliant.
Q: Is there a security risk for Sweet-Online Billing?
A: The Citrix technology used to support Sweet-Online Billing encrypts the data transmission between clients and the Citrix server using 128-bit encryption technology. There is minimal security risk for Sweet-Online Billing.
“Individualized Training and Networking” Tops Comments at Hosted User Group Education in Michigan and Oregon
Two recent Ortivus Sweet Software hosted trainings took place on April 21-22 at Star EMS in Pontiac, Michigan, and on April 28-29 at Redmond Ambulance, in Redmond, Oregon. In addition to the staff that participated in the training, an additional 15 Sweet software users traveled into Pontiac, Michigan to take part in the trainings, and an additional 14 traveled into Redmond, Oregon for training. When asked what the participants liked most about the training, they responded with answers such as:
In a Hosted User Group Education scenario, a trainer will come to the host EMS service (like Star EMS and Redmond Ambulance) and go through a comprehensive training, as well as field questions from the participating services. Normally, the program content covers the same material that would be presented in a national user group training and lasts for a period of two days.
The host service helps with certain parts of the training, but also receives benefits in return. “They [Oregon hosts] loved having the training at Redmond Ambulance, and are thinking about doing one again next year,” said Beth Hollar, who was the Ortivus trainer in Oregon. Patti Clifton, who was the host contact for Redmond Ambulance, also noted, “We can have anyone here at the department attend as opposed to only one or two.”
Kim Boyd, the host for Star EMS, commented on the April 21-22 training, which was the second user group that their service has hosted. She said, “Our entire billing staff was able to enjoy the training. Hosting a user group has many benefits with minimal work. A big thank you to Kelly for the excellent training provided and also to all of our attendees who signed up. We had a great group and were so pleased to meet everyone!”
Topics covered during the two-day training events included: codes, system setup, data entry review, paper and electronic billing, payment data entry, balancing from month to month, reports and a sneak peek at optional modules and the new Fusion ePCR product. “I came back to work after the Michigan User Group re-educated, refreshed and excited to do my job!” said Sondra Gallentine, a participant in the Star EMS-hosted training. “The recent Michigan User Group was exactly the education I have been waiting for. After using the Sweet-Billing and Sweet-Field Data applications for over three years it was time to gain more knowledge of the nuts and bolts of my database. After being disappointed by another company’s seminar, I was relieved to walk away from these two days with a binder full of notes to apply to my service and several business cards from other billers. The knowledge and customer service demonstrated in Sweet User Groups is second to none.”
In a hosted User Group setting, Ortivus handles the promotions and payment, and the host site is responsible for the on-site meeting room and amenities. Hosting an Ortivus user group training is a very economical way to train the entire billing staff on improved use of the Sweet software. With the cost advantages of more training locations across the country at hosted user sites, both attendees and the host benefit from lower travel expenses and time. If Ortivus users are interested in either hosting a user group training, or finding out where the closest training locations are, contact your Ortivus account manager at 800-537-3927 or sales@ortivusna.com.