Archive for the ‘Health Security’ Category

HIPAA Final Rules Coming Soon

Wednesday, May 2nd, 2012


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has recently submitted a document on Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. 

The revision will modify the HIPAA Rules to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008. HIPAA.com has a good overview of what these changes will mean.

The final rules are expected to be published in the Federal Register soon. Expect that, with the final rules, there will be new data breach enforcement and penalty requirements. Additional provisions could govern the use and resale of patient data, the “harm threshold” for data breaches, and basic encryption of data, and could establish firmer rules regarding business associates and subcontractors.

Given the increased enforcement of HIPAA, and the dire predictions for healthcare data in 2012, we’ll keep you apprised of any further developments with these HIPAA rules and enforcement changes.

Challenges of BYOD in Healthcare

Friday, March 2nd, 2012

InformationWeek has an interesting article today looking at the intersection of two areas we talk about frequently here on the blog: the bring-your-own-device (BYOD) movement and the growing concerns over healthcare security. This particular article references the challenges specific to healthcare in terms of implementing a BYOD policy. In particular, it identifies two issues with BYOD for physicians and hospitals: poor screen layout and security.

It appears, from the article, that physicians face challenges in using existing healthcare management systems that were not built to be viewed on mobile devices (tablets, iPads, mobile phones). Physicians are left having to scroll around, and experts worry that this could lead to missed data in diagnostics. In this instance, software vendors in the healthcare industry have not yet kept pace with customer demand for mobile viewing; hopefully future iterations of their products will solve this issue.

The article cites, as one of the fears over security, the inability to track BYOD devices; this need not be a problem. A comprehensive mobile security policy / BYOD policy can incorporate the management of BYOD devices alongside corporate-owned devices, all within the same system (as our own software provides). Although this does require adherence to a strict BYOD policy, we contend that healthcare can benefit from the incorporation of the BYOD movement.

Meet Absolute at HIMSS12

Wednesday, February 22nd, 2012


Absolute Software is currently on hand at HIMSS12, the Health IT Conference and Exhibition in Las Vegas. We are set up at booth #7913 talking about mobile health, electronic health information and how to manage it all.

Absolute Software has been providing healthcare organizations with solutions to manage and secure their IT endpoints (and the data they contain) since 1993. We’ve continued to evolve our products and services to meet the changing demands of new technology and protecting patient healthcare information.

If you’re not in Las Vegas for HIMSS12, you can catch us tweeting some of our coverage @absolutecorp.

First HIPAA Enforcement for Business Associate

Wednesday, February 15th, 2012

This year marks the first formal HIPAA enforcement action against a business associate. We’ve been talking about the increase in Health Insurance Portability and Accountability Act (HIPAA) enforcement actions and planned audits for 2012, and it seems that enforcement is now extending to business associates.

Minnesota Attorney General Lori Swanson has filed a lawsuit against Accretive Health, a debt collection agency, for “failing to protect the confidentiality of patient health care records and not disclosing to patients its extensive involvement in their health care through its role in managing the revenue and health care delivery systems at two Minnesota hospital systems.”

The lawsuit follows the theft of an unencrypted laptop computer containing approximately 23,500 patient records.

As discussed by Davis Wright Tremaine, state attorneys general are not bound by the US Department of Health and Human Services (HHS) decision not to enforce HITECH (and HIPAA) violations against business associates. Given this new lawsuit, businesses should review whether they are complying with the current requirements of the HITECH Act and HIPAA.

Absolute Software has been providing healthcare organizations with solutions for HIPAA compliance for many years – learn more here.


Data in Healthcare: Problems of Detection & Enforcement

Tuesday, February 14th, 2012


The theft of health records is a growing issue. Not only does the healthcare industry lag in security, impacting both the industry and breach victims, but there can be difficult outcomes following the loss of medical information.

As we’ve previously discussed, when breach victims have had their health information used for medical care, benefits or insurance, they’ve been the victim of medical identity theft. The outcome of this type of theft can be wide-reaching, from credit issues to incorrect health assessments. Medical identity theft can take years to resolve, if at all possible.

As recently reported, “for every dollar a stolen Social Security number is worth, your stolen medical information — a partial medical history, your insurance number — is worth $50.” Leon Rodriguez, Director of the Office for Civil Rights of the Department of Health and Human Services, says it’s time to get tough on enforcement of health privacy laws: “enforcement promotes compliance.”

Pam Dixon, founder of World Privacy Forum, is also quoted about the issues of detection:

“The banking industry has set up safeguards to detect ID theft and financial fraud so, for example, consumers get a call if there are unusual, out-of-country spending sprees. But there are few similar safeguards for medical ID theft.”

With breaches still mostly caused by human error rather than malicious hacking, and with the increasing consumerization of IT within healthcare, it’s time the healthcare industry stepped up and updated its security measures.

Absolute has always advocated a layered approach to data security of any kind. Do you have questions about your healthcare security? Check out our brochure on security for the healthcare industry.

Image: CC licensed by jfcherry

Healthcare Industry: Primed for a Large Data Breach

Wednesday, January 25th, 2012


As we shared earlier this month, healthcare breaches in the US are on the rise: up 32% over the previous year. Larry Ponemon, chairman of the Ponemon Institute, discussed these findings with Government HealthIT, alongside Rick Kam of ID Experts, saying that a “data spill” in healthcare could be more damaging than what BP faced after the oil spill in the Gulf.

According to Dr. Ponemon, the street value of health information is 50 times greater than that of other types of data. Given that the data show the healthcare industry to be the weakest at protecting its information, this is troubling.

Dr. Ponemon and Rick Kam both believe the industry is ‘ripe’, given all the risks and increased attacks, for a big data heist, a “data spill”. The industry currently spends $6.5 billion on data breaches. That same amount of money could, for example, pay for the yearly salaries for more than 81,000 nurses.

The article discusses some of the reasons that data breaches are growing – in general as well as in healthcare – and some of the nefarious uses that healthcare data can be put to. Perhaps more importantly, the article looks at why healthcare information breaches are so damaging – and impossible to recover from. It’s an insightful read for anyone, particularly those working in healthcare.

Healthcare Data Gets Complicated in 2012

Thursday, January 12th, 2012


If you’re in the healthcare field, you can expect that 2012 will bring more complications when it comes to data security: increased risks, increased regulatory expectations and greater reputation fallout for breaches.

According to these predictions for 2012 in healthcare data, healthcare data breaches could reach “epidemic proportions” unless action is taken.

Here is a summary of some of the predictions:

  • Mobile device risks on the rise in healthcare
  • Class-action litigation on the rise in healthcare
  • Social media risks on the rise in healthcare
  • Cloud computing agreements will increase liability risks
  • Reliance on partners will increase, carrying new data risks
  • Increased enforcement of HIPAA

For more on these predictions and others, read here.

US Hospital Data Breaches Rising

Tuesday, January 3rd, 2012

According to a new Ponemon study sponsored by ID Experts, the Second Annual Benchmark Study on Patient Privacy and Data Security, healthcare breaches continue to rise. The frequency of data breaches was up 32% over the previous year, averaging four data breaches per healthcare organization. To further complicate matters, 55% of healthcare organizations say they have little or no confidence that they are able to detect all privacy incidents.

[Image: Ponemon infographic]

According to the survey, 41% of healthcare data breaches of protected health information (PHI) are caused by ‘sloppy employee mistakes’. Other areas causing increased risk of breaches include not knowing where patient data is located, third-party mistakes, and lost or stolen data devices (49%).

As we saw with the previous study, healthcare organizations are doing little to protect mobile devices, which are the source of many breaches. With stolen devices accounting for nearly half of all PHI data breaches, it is surprising that so few organizations are proactively protecting their mobile devices.

“Healthcare data breaches are an epidemic,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “These problems are a direct result of our national economy. Healthcare organizations—especially not-for-profit hospitals and small clinics—have thin margins, are trimming staff and resources and are lacking sufficient security and privacy budgets needed to adequately protect patients. I don’t see this getting better anytime soon.”

The data from the study suggests that data breaches could be costing the US healthcare industry $4.2 billion – $8.1 billion annually. In addition to costs, 29% believe their data breaches lead to cases of medical identity theft, a large increase over 2010 figures.

Are you in the healthcare field? See how we can help.

Healthcare Organizations Lack Mobile Policies

Thursday, December 29th, 2011


According to a new report by the mobile health division of the Health Information and Management Systems Society (mHIMSS), the 2011 mHIMSS Mobile Technology Survey, many healthcare organizations lack mobile security policies.

Mobile devices are being used on a widespread basis to access health information; 97% of healthcare organizations access data on mobile devices. Despite this nearly universal access, only 38% have a mobile technology policy in place. Of those without a plan in place, half are developing their policies.

There are many ways that healthcare organizations are using their mobile devices, including:

  • Using apps to look up non-personal health information
  • Using apps to view patient information compared to recorded patient data
  • Accessing data from remote locations

Our own Tim Williams shared with Becker’s Hospital Review some best practices for managing mobile devices in healthcare organizations:

  1. Define permissible mobile devices
  2. Develop policies
  3. Manage apps
  4. Integrate mobile devices into the overall network

Learn more about these best practices here or contact us to see how we can help.

Senate Committee on Health Information

Tuesday, November 15th, 2011

In a recent hearing of the Senate Judiciary Committee’s panel on privacy, technology and the law, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World”, experts called for stronger federal enforcement of health data breach violations.

Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, gave testimony about the benefits and risks of a networked healthcare system, particularly noting that electronic health data breaches are “far too common” and that security measures like encryption lag industry-wide.

“Protecting privacy is important not just to avoid harm, but because good health care depends on accurate and reliable information. Without appropriate protections for privacy and security in the healthcare system, people will engage in ‘privacy-protective’ behaviors to avoid having their personal health information used inappropriately.”

Deven McGraw and other experts testifying on the panel called for many changes to regulations, including changes to HIPAA, greater transparency about enforcement, limits on the use of health information by contractors or associates, accountability for strong security measures and more. There is also a good discussion of how the enforcement of penalties has increased security precautions.

You can watch a webcast of the hearing from the link here.
