1 In partnership with MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series WEBINAR 3 MEANINGFUL USE REQUIREMENTS FOR FQHCS FROM A SECURITY RISK ASPECT March 6, 2014 Presented by: Jay Trinckes, CISO Karen Dalton, QI Coordinator
2 2 Table of Contents Table of Contents... 2 About MPCA... 3 About OSIS... 3 Services... 3 Presenter Bio... 4 Co-Presenter Bio... 4 Webinar Objectives... 5 Meaningful Use Requirements... 5 Security Management Process... 6 Risk Analysis... 7 Risk Management... 7 Performing a Risk Assessment... 7 Definitions... 8 OCR Guidance... 9 Formal Analysis... 9 Levels of Risks Risk Chart Steps to an Assessment Evaluation OSIS Risk Assessment Summary Services References/Sources... 14
3 About MPCA Michigan Primary Care Association (MPCA) Has been the voice for Health Centers and other community-based providers in Michigan since It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care. MPCA s mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan About OSIS Ohio Shared Information Services, Inc. (OSIS) We are a 501(c)3 non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide IT and security related services to improve the quality of care delivered to the underserved population. Our security division has professionals on staff dedicated to providing information security services to transform healthcare. OSIS started in December 2000 when three (3) Federally Qualified Health Centers came together to share their medical IT initiatives. They received a grant from the Health Resources and Services Administration (HRSA) to launch OSIS. OSIS has since grown to become one of the few full-service Health Center Controlled Networks in the country. OSIS has a staff of sixty-eight (68) highly experienced professionals dedicated to serving FQHCs, Community Behavioral Health Organizations, and other healthcare centers. OSIS is headquartered in Cincinnati, OH, but has employees located in eleven (11) different states and counting. OSIS currently has a satellite office in Salt Lake City and will be opening up another office in the greater Chicago metropolitan area. Services Some of the services that OSIS provides to its partner clients are the following: Implementation support; Training; Upgrades; Hosting; Custom Development; Security/Risk Analysis; Patient Portal; Meaningful Use Assistance; PCMH Assistance; Reporting UDS I2I; Governance Development; IT Support; Helpdesk; IMO Care Sentry x1223 3
4 Presenter Bio Jay Trinckes is Chief Information Security Officer at OSIS, a 501c(3) non-profit organization that assists Federally Qualified Health Centers (FQHC) with IT and security related services to improve the quality of care delivered to the underserved population. Mr. Trinckes is the author of The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules, (CRC Press, 2012) and The Executive MBA in Information Security, (CRC Press, 2010). Recently, Mr. Trinckes has presented on the topic of HIPAA and other related Information Security topics across the country through RAC Monitor, NWRPCA-CHAMPS Conference, NACHC-FOM-IT Conference, and locally through HRSA regional group. Mr. Trinckes is scheduled to present on HIPAA at the Practice Management Institute s National Conference held in Chicago, IL this May. Mr. Trinckes holds a Bachelor s Degree in Business Administration/MIS along with several certifications such as the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), National Security Agency (NSA) INFOSEC Assessment Methodology (IAM), and INFOSEC Evaluation Methodology (IEM). Mr. Trinckes brings a wealth of knowledge in information security through his hands-on experience performing risk assessments, vulnerability/penetration tests, developing information security management programs, and from his experiences as a former law enforcement officer. 4 Co-Presenter Bio Karen Dalton, RNC, MSN, MHA, PCMH CCE, is the Quality Improvement Coordinator at OSIS. Karen is a registered nurse with experience in both inpatient and ambulatory settings, as both administrator and clinician, and currently serving as a consultant for the OSIS HCCN grant. Karen is NCC Certified as women s health nurse practitioner and NCQA PCMH Certified Content Expert.
5 Webinar 3 As healthcare organizations are incentivized to move towards electronic health records, the requirements for protecting this information in a digital form increases. As most federally qualified health centers obtain money from the federal government to implement their electronic health record solutions, meaningful use requires several reporting activities to be maintained. This seminar is designed to provide a details of the Core and Menu Objectives of the Meaningful Use requirements with an emphasis on performing an acceptable Risk Analysis/Risk Assessment. Objectives Attendees will learn: Overview of meaningful use intentions/goals. Discussion of the seventeen (17) Core Objectives for Stage 2. Detail analysis of the Risk Analysis Requirements. How to perform a Risk Assessment to meet meaningful use and Security Requirements. Discuss the Menu Objectives for Stage 2. Tools to assist in reporting of meaningful use objectives. Meaningful Use Requirements To achieve health and efficiency goals, the Centers for Medicare and Medicaid Services (CMS) has implemented an Electronic Health Records (EHR) Incentive Program. This incentive program provides a monetary incentive to comply with the HIPAA/HITECH regulations, but will also create payment adjustments in Medicare reimbursements for eligible entities that do not successfully demonstrate meaningful use by the year Since January 2011, nearly $19 billion has been paid out for meaningful use incentives. There are three (3) main components of Meaningful Use. These include the use of certified EHR technology in a meaningful manner, for electronic health information exchanges, and for clinical quality submissions. Meaningful use will be implemented in three (3) stages. Stage 1 required the providers to meet 15 core objectives. I like to point out Core 15 objective that deals with a security risk analysis required to be conducted or reviewed under 45 CFR (a)(1). Furthermore, security updates were required to be implemented. Stage 2 still requires eligible professionals to ensure adequate privacy and security protection for personal health information (same as Core 15 above). It adds another requirement to address encryption/security of data stored within the EHR software. Stage 2 also addresses using secure electronic messaging to communicate with patients on relevant health information. Here is a good info-graphic that describes the cost benefits to implement an electronic health record over traditional paper records. Some of the big items here are the 45% reduction in documentation time with electronic health records, a net savings of $142 billion over 15 years for outpatient and $371 billion for inpatient services, and for safety purposes to better track adverse drug events. It is all about time, environment, financial, and health benefits that technology can provide. 5
6 Security Management Process Under 45 CFR (a)(1), a health center must implement policies and procedures to prevent, detect, contain, and correct security violations. One of the first policies and procedures to be implemented involves conducting a risk assessment. A health center should develop and disseminate risk assessment policies and procedures so that all workforce members have an idea of this process. These risk assessment policies and procedures should be reviewed and updated as necessary. In addition, workforce members that are affected or responsible for risk assessment activities should be trained accordingly. At a minimum, the risk assessment policy should address the following: the purpose of the policy; the scope of the policy; high level overview of the different roles and responsibilities of the workforce members; the commitment that management has towards the importance of a risk assessment; coordination between different department or units within the health center; how workforce members are trained in risk assessment procedures; and how the health center will come into compliance with the risk assessment policies and procedures. The health center s risk assessment policy should also define the frequency that the risk assessment is reviewed and updated. In conducting the risk assessment, the health center should make sure to identify the types and uses of the information it creates, maintains, processes, stores, or transmits. This information should be classified based on its sensitivity levels. All information 6
7 housing electronic protected health information should be identified. This inventory should be complete with all hardware including removable media, remote access, and mobile devices. Inventory should account for software including any types of reports, spreadsheets, databases, etc. that may contain electronic protected health information. This inventory should also include all business functions of the health center along with verification of control over information systems. Inventory should be kept updated, current, and reviewed on a periodic basis to make sure that all information systems containing electronic protected health information is appropriately accounted for. Configurations for these information systems should also be documented including any connections to other systems within the internal network and external network. 7 Risk Analysis The health center is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center. An entire section of this book was devoted to discuss the process of conducting a risk analysis. For the sake of simplification, a risk analysis must identify potential security risks. These risks can come from many different areas. The risk analysis must also determine the probability of an event will occur and the magnitude of damage or loss of information that may occur from such an event if it were to occur. A security categorization should be determined for each information system along with the rationale behind such a ranking to be included in the health center s security plan. These security categorization decisions should be reviewed and approved by an official or delegated representative of the health center. Risk Management A health center is required to implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level. A covered should have policies and procedures in place for security as part of their risk management process. To conduct proper risk management, the health center should identify the security measures or safeguards that are already in place to secure protected electronic health information. These safeguards should ensure the confidentiality, integrity, and availability of electronic protected health information. These safeguards should also protect against any reasonably anticipated threat or hazard to the unauthorized use or disclosure of electronic protected health information or not permitted under the HIPAA Privacy Rule. Performing a Risk Assessment Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities' organizations and technologies change. The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk.
8 Second, protecting an individual s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry an important goal of HIPAA. The assessment takes into consideration three fundamental security parameters: confidentiality, integrity, and availability. The assessment reviews the accessibility of Electronically Protected Health Information (EPHI) to verify that it is not altered or destroyed in an unauthorized manner and that it is available as needed by authorized individuals. This assessment reviews, but is not limited to, the following implementation standards and provides recommendations on how to comply with these standards, if required, or strengthen the security posture of the client: 8 Administrative Safeguards Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangements Organizational Requirements (if applicable) Business Associate Contracts or Other Arrangements Requirements for Group Health Plans Physical Safeguards Facility Access Controls Workstation Use Workstation Security Device and Media Controls Technical Safeguards Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Policies and Procedures and Documentation Requirements Definitions Audit Controls Technical and non-technical policies, procedures, practices, and/or standards of operation that aid the institution in protecting non-public information and other valued electronic and physical assets from unauthorized access, corruption, deletion, manipulation, or theft. Availability - EPHI can be accessed as needed by an authorized person Confidentiality - EPHI is accessible only by authorized people and processes Electronic Form - means: using electronic media, electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. Findings Audit Controls that are not being practiced or are not adequate to protect non-public information and other valued assets from unauthorized access or disclosure. Group Health Plan is an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and selfinsured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to workforce members or their dependents directly or through insurance, reimbursement, or otherwise, that: (1) has 50 or more participants (see endnote 12); or
9 (2) is administered by an entity other than the employer that established and maintains the plan. See 45 C.F.R Health Care - means care, services, or supplies related to the health of an individual. It includes, but is not limited to, the following: (1) Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. See 45 C.F.R Health Care Clearing House - is a public or private entity... that performs either of the following functions: (1) Processes or facilitates the processing of health information... in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction... and processes or facilitates the processing of health information [in the standard transaction] into nonstandard format or nonstandard data content for the receiving entity. See 45 C.F.R Health Information - is defined to broadly include any information, whether oral or recorded, in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Integrity - EPHI is not altered or destroyed in an unauthorized manner Medical Care - means amounts paid for: (A) diagnosis, cure, mitigation, treatment or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body; (B) amounts paid for transportation primarily for and essential to medical care referred to in (A); and (C) amounts paid for insurance covering medical care referred to in (A) and (B). See 42 U.S.C. 300gg-91(a) (2). Risk - is the function of the likelihood of a threat being triggered and the resulting impact to an organization. Standard Transaction - is a transaction that complies with the standard for that transaction that the Secretary adopted in 45 CFR Part 162. See 45 C.F.R Threat - is defined as the potential for a person or thing to accidentally trigger or intentionally exploit a specific vulnerability. Vulnerability - is defined as a weakness in a system, procedure, or control that if triggered accidentally or intentionally could result in a security breach or violation of policy. 9 OCR Guidance The Office for Civil Rights (OCR) issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, This guidance was not a standard or one-size-fits-all blueprint, but rather clarifies some expectations that the Department of Health and Human Services expected as part of the Risk Analysis requirement. Formal Analysis Again, there is no specific criteria or set procedure in performing a Risk Analysis; however, a formal analysis should include at least the following items: Scope of analysis to include all potential risks to the confidentiality, availability, and integrity of protected health information that an organization creates, receives, maintains, or transmits in all of its form such as paper and electronic media. Data collection to identify all relevant data on electronic protected health information. Identify and document potential threats and vulnerabilities. Assess current mitigating controls and security measures implemented. Determine the likelihood of a threat.
10 Determine the potential impact of a threat occurring. Determine the level of risk as a function of the likelihood and impact. Formal documentation. Periodic review and update. Levels of Risks OSIS divides risk into five (5) levels of priority. These priority levels are primarily utilized in the Security portion of this assessment: Critical Priority Exploiting these vulnerabilities will immediately lead to administrative or root level access on a network or provide unauthenticated or unauthorized access to EPHI. There are no policies/procedures in place or implemented to satisfy requirements. High Priority Exploiting these vulnerabilities will immediately lead to compromise of EPHI or a system on a network that contains EPHI. There may be policies/procedures in place; however, they may not fully be implemented. Medium Priority Exploiting these vulnerabilities will immediately lead to compromise of non-public Covered Entity data or has the potential to lead to the compromise of EPHI through further exploit. There are policies/procedures in place that are implemented, but there may be some contradictions or discrepancies in place. Low Priority Exploiting these vulnerabilities could provide information to be used in future attempts to compromise any non-public data or any finding that does not pose any immediate threat. There are policies/procedures in place that are implemented, but could be strengthened slightly. Informational Observations that OSIS assessors made while onsite. Observations usually accompany suggestions for improvement of the Covered Entity s overall security posture. Note: The priority levels, or risk levels, take into consideration the probability of occurrence and the impact that a finding could have on the covered entity if the vulnerability was exploited to the fullest extent. Other mitigating controls are factored into the rating levels. 10 Risk Chart Extreme/Catastrophic Low Medium High High Critical Major Low Medium Medium High High IMPACT Moderate Low Low Medium Medium High Minor Informational Low Low Medium Medium Nominal Informational Informational Low Low Low 0 0 Remote Unlikely Credible Likely LIKELIHOOD - CRITICALITY Almost Certain
11 Steps to an Assessment This assessment takes all of the above into consideration along with following these steps: Determine System Characterization to include hardware, software, system interfaces, data/information, people, and system mission Identify vulnerabilities or weaknesses in procedures, controls, or safeguards. Identify events that could cause a negative impact. Identify the current controls in place. Identify the potential impact of exploiting a threat in terms of loss of confidentiality, integrity, and availability. Recommend mitigating security controls. Determine the residual risk after implementing controls. Document the outcomes of the risk assessment. Reference: NIST Special Publication : An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. 11 Evaluation One of the most important requirements of the HIPAA Security Rule is reflected in 45 CFR (a)(8) that states a health center is required to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [the HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity s security policies and procedures meet the requirements [of the HIPAA Security Rule]. This should also be part of the Meaningful Use requirement mentioned earlier. The only way to prove that solutions implemented as part of policies and procedures is meeting the requirements of the HIPAA Security Rule standards is to perform testing on these measures. It is recommended that an annual technical and nontechnical evaluation is performed on the health center. This should be performed by an experienced and reputable third party provider to maintain independence. Although there may be a lot of highly skilled resources on staff, the unfortunate part to an evaluation is that they may not have enough separation of duties or be independent enough to provide value to the review. Normalcy or the possibility of being short sighted in conducting these types of evaluations points to the support of getting an outside party to conduct such reviews. Furthermore, internal staff may not have the appropriate experience or training necessary to conduct a thorough technical and nontechnical evaluation. To conduct the appropriate technical evaluation, you need to consider a vulnerability/penetration test. What is the difference between a vulnerability test and a penetration test? I use an analogy of a burglar checking a neighborhood for a house to break into. A vulnerability test is synonymous with the burglar checking doors and windows to make sure they are locked. A penetration test actually starts when the burglar finds an open door or window and gains entry into the house. (It could also start when the burglar decides to break a window and enter the house.) Be aware that not all service
12 providers that perform these types of services are qualified to conduct such services. You should make sure to utilize qualified and experienced assessors to perform these services. The difference between a good and a great evaluation is the quality of the analysis, the ability to interpret the findings into business talk, and the rationale for justifying expenditures to mitigate risks. 12 OSIS Risk Assessment OSIS divides the HISSRA Report into five (5) facets. Each facet contains many Audit Controls that OSIS s assessors have reviewed during the course of the engagement. Research is conducted through a combination of questionnaire, staff interviews, direct observation, internal and external penetration testing. Administrative Safeguards (45 CFR ) The Security Rule defines administrative safeguards as, administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity s workforce in relation to the protection of that information. Physical Safeguards (45 CFR ) The Security Rule defines physical safeguards as physical measures, policies, and procedures to protect a covered entity s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. The standards are another line of defense (adding to the Security Rule s administrative and technical safeguards) for protecting EPHI. Technical Safeguards (45 CFR ) The Security Rule defines technical safeguards in as the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. Organizational Requirements (45 CFR ) The Business Associate Contracts and Other Arrangements standard found at (b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity s electronic protected health information (EPHI). The standard, at (a)(1), provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. In general, a business associate is a person or entity other than a member of the covered entity s workforce that performs functions or activities on the covered entity s behalf, or provides specified services to the covered entity, that involve the use or disclosure of protected health information. A business associate may also be a covered entity. Policies/Procedures/Documentation Requirements (45 CFR ) The Security Rule, sets forth specific requirements for all policies, procedures and documentation required by the Rule. Specifically, it requires that covered entities: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in (b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
13 The Documentation standard requires covered entities to: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. Summary In summary, health centers should assume that an audit will happen; it is the question of when, not if. Health centers should be prepared for an audit. If internal resources are not available, they should seek assistance from professional and experienced third party service providers to assist. Staff members responsible for compliance need to take ownership of the process and health centers, themselves, need to have a security/compliance mind-set. The information security management program begins from the risk assessment. Risk assessments should be on-going. It cannot be stressed enough how valuable training, educating, and making staff members aware of security/compliance related matters along with defining the health center s expectations appropriately for their staff. Consistently evaluate and adjust efforts to make sure they meet objectives. Finally, document everything the health center does when it comes to information security and compliance efforts. Services HIPAA Compliance Program HIPAA/HITECH Information Systems Security Risk Assessment Administrative Safeguards Physical Safeguards Technical Safeguards Internal/External Vulnerability/Penetration Test Organizational Requirements Policies, Procedures, & Documentation Requirements Policies/Procedures Security Awareness Training Mitigation Management Vendor Due Diligence Security Incident Response Handling Business Continuity/Disaster Recovery Planning Subject Matter Expertise 13
14 References/Sources Anderson, Howard. "Breach Tally Surpasses 19 Million." Healthcare Info Security. January 23, (accessed January 24, 2012).. "Computer Theft Affects 4.2 Million." Healthcare Info Security. November 16, (accessed January 24, 2012).. "Health Information Privacy." HHS.gov. February 14, (accessed January 20, 2012).. "Interview: The New HIPAA Enforcer." HealthcareInfoSecurity.com. October 3, (accessed October 10, 2011).. "McAndrew Explains HIPAA Audits." HealthcareInfoSecurity.com. July 15, (accessed October 10, 2011).. "More Breach Class Action Lawsuits Fuiled." Healthcare Info Security. November 23, (accessed January 24, 2012). ANSI. "PHI." The Financial Impact of Breached Protected Health Information. February 14, (accessed March 8, 2012). b, P. "Biggest security threats in 2012 are cyber espionage, privacy violations." CXOtoday. January 2, (accessed january 12, 2012). Bowman, Dan. "91% of small healthcare organizations suffered a data breach in the last year." FierceHealthIT. February 17, (accessed February 19, 2012). Cotta, Amy. Six Weeks to Skinny Jeans: Balst Fast, Firm Your Butt, and Lose Two Jean Sizes. Rodale, Eisenberg, Carol. "Theft of Digital health Data More Often Inside Job, Report Finds." BusinessWeek.com. September 22, (accessed October 10, 2011). Fox News. "Cyber-threats will become top worry, FBI director says." Fox News. March 2, (accessed March 3, 2012). Fox News. "Cyber-threats will become top worry, FBI director says." Fox News. March 2, (accessed March 3, 2012). Goedert, Joseph. "Huge Breach at TRICARE." HealthData management. September 29, tricare-notification-hipaa-privacy html?et=healthdatamanagement:e2013:144085a:&st= &utm_source=editorial&utm_medium= &utm_campaign=hdm_daily_ (accessed October 11, 2011). Help Net Security. "48% of enterprises targeted by social engineering attacks." Help Net Security. September 21, https://www.netsecurity.org/secworld.php?id=11665 (accessed October 10, 2011). HHS Press Office. "HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule." U.S. Department of Health and Human Services. February 22, (accessed February 20, 2012). Kennedy, Tony. "Minnesota sues consulting firm over lost health data." StarTribune. January 19, (accessed January 21, 2012). Kingsley-Hughes, Adrian. "DigiNotar files for bankruptcy following hack attack." Hardware 2.0 Blog. September 20, (accessed October 10, 2011). Menn, Joseph. "They're watching. And they can bring you down." FT Magazine. September 23, bb feabdc0.html#axzz1yxxlftob (accessed October 10, 2011). Millard, Mike. "Medical identity theft on the rise." HealthcareIT News. March 15, (accessed January 11, 2012). OCR. "Are we required to "Certify" our organization's compliance with the standards of the Security Rule?" Health Information Privacy - HHS.gov. (accessed March 4, 2012). Painter, Mark. "Healthcare organizations not ready for new security standards." The HP Security Laboratory Blog. September (accessed October 10, 2011). Ponemon Institute. "Ponemon Study Shows the Cost of a Data Breach Continues to Increase." Ponemon Institute. January 25, (accessed October 10, 2011). Proskauer Rose LLP. "New HIPAA Cop: First AG Settlement for HIPAA Violations." Proskauer. July 14, (accessed January 3, 2012). PRWEB. "NetClarity Announces Top Ten Cybercrime and Cyberwar Predictions for 2012." PRWeb. February 14, (accessed February 18, 2012). Report on Patient Privacy. "'Monetary Enforcement' Is the New Aim of OCR, Following $1.5M BCBST Settlement." AISHEALTH. April (accessed April 15, 2012). Sells, Toby. "BlueCorss BlueShield of Tennessee to pay $1.5M penalty for data loss." The Commercial Appeal. March 14, (accessed March 18, 2012). Siciliano, Robert. "15 Tips To Better Password Security." McAfee. June 29, (accessed March 7, 2012). The Department of Health and Human Services. "Remote Use." HIPAA Security Guidance. December 28, (accessed February 16, 2012). Tripathi, Micky. "First-Hand Experience with a Patient Data Security Breach 12/3/11." HISTalk Practice. December 3, (accessed January 20, 2012). Weigel, Jen. "Cybercrime: A billion-dollar industry." Chicago Tribune. September 20, (accessed October 10, 2011). Wikipedia. Hippocratic Oath. January (accessed January 12, 2012). Wilson, Tim. "IT Security Employment Rising Rapidly, Study Says." Dark Reading. January 10, (accessed January 13, 2012). 14