Health Security - Laptop Security Blog

HIPAA Examined

Related entries in Health Security, Privacy & Security Laws

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood, both in its basics and in its application, it’s a great refresher series.

HIPAA Concerns:

  • There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
  • The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
  • Post-HIPAA privacy and security protections need to be adopted in law and in best practices
  • HIPAA compliance was a heavy burden at initial inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
  • Staff training and education must be ongoing for new, and old, employees
  • Continue reading about the concerns here.

HIPAA Myths:

  • That it weakened, rather than strengthened, rights to health information privacy
  • HIPAA is all we need in the digital age
  • HIPAA “covered entities” cover every use of personal health information
  • Check out the full examination of these myths here.


OIPC Investigates Data Breach

Related entries in Data Breach, Government Security, Health Security

The Office of the Information & Privacy Commissioner (OIPC) of British Columbia published an investigation report concerning the Ministry of Health earlier this month.

On October 3, 2007 an employee of X-Wave, a contractor for health insurance billing in New Brunswick, packaged four unencrypted computer tapes into an envelope. The tapes, which contained personal information of residents of British Columbia and New Brunswick, were being sent to Health Insurance BC (HIBC). These tapes did not arrive.

The investigation reveals that this method of transferring personal information did not meet the security measures required under the Freedom of Information and Protection of Privacy Act. In addition to this, the existing policies at the Ministry of Health delayed the timely detection of the lost data tapes. Notification to affected individuals and to the OIPC was also delayed by nearly two months.

OIPC reports that the Ministry breached the Act in the following ways:

  • Sending data on unencrypted magnetic tapes
  • Not requiring the sender to notify the receiver of when the package would be received
  • Not requiring the sender to use a courier with a tracking service
  • Not instructing the sender to refrain from sending more unencrypted tapes while the issue was under investigation
  • Taking 41 days to notify affected individuals of the breach

New Ministry procedures are aimed at countering these issues and at ensuring that personal information is no longer transferred in this way. You can read more here.

Via Dan Michaluk; image: wikipedia

Google Health Launches

Related entries in Health Security

Google Health, which gives users instant electronic access to their health histories, launched this week. The service allows users to link information from pharmacies and care providers, with plans for more health information access.

Partnerships with Google Health have already been announced with Walgreen’s, CVS, Longs Drugs Stores, AllScripts, Quest Diagnostics, and the Cleveland Clinic.

Users sign up to allow Google Health access to health information, giving users opportunities to customize their profile with information on prescriptions and doctors. Users can also search for doctors from within the system. Google has been receiving millions of search requests from people trying to find information about injuries, illnesses and treatments, and Google Health was their solution.

In general, privacy watchdogs feel Google already has access to too much information about its users, and this merely adds to that. Google Health services are not covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires that anyone seeking your medical records subpoena you and give you a chance to deny access.

By providing access to your health records to Google Health, HIPAA rules no longer apply. The Google privacy policy may not be enough to protect your medical records as strongly as they should be. Google representatives say that health information is stored on the most secure computers at Google, but the Google TOS gives some pause. Unless you actively disable it, you are allowing Google to give your data to third parties:

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

The privacy policy says that a copy of your data may still be retained after you disable such access:

If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information.

Google explains the difference between their policies and HIPAA in this blog post and in this very handy comparison chart. It does help to answer questions about security, although I still think the “access by default” approach is a dangerous one. In the end, you must decide if you trust Google enough to have access to your information. And you must take an active role in determining what third parties, if any, you wish to access that information.

What do you think of Google Health? Will you sign up?

Via ZDNet, AP, Technology Review

Genetic Privacy Compromised?

Related entries in Health Security, Privacy & Security Laws

The Genetic Information Nondiscrimination Act of 2008 (HR 493), recently passed by Congress, has inadvertently legalized the sharing of genetic information without patient consent.

Sue Blevins, President of the Institute for Health Freedom, notes that the new bill applies the Health Insurance Portability and Accountability Act (HIPAA) regulations to genetic data. HIPAA regulations permit data sharing without consent in connection with treatment, payment, or oversight of health-care operations.

The intent of the HIPAA regulations is to protect medical records in the digital age, but many HIPAA critics argue that it opens up privacy issues as a result of the routine sharing of personal health information. Regardless of the validity of this argument, qualifying genetic test results as health information can be problematic. Genetic information can be used to determine rates for health plans, and as the new bill provides this data to health care companies, it could be cause for discrimination.

This is a controversial topic, to say the least. HIPAA has its critics, though its intentions are great. Health information, in and of itself, is controversial, and in particular genetic information is about as personal as information gets. Some advocates are fighting for personal ownership of genetic information, in order to avoid genetic privacy issues such as those presented here.

Via FOX Business; Image: clarita @ morguefile

Data Breaches Undermine EHR Adoption

Related entries in Data Breach, Health Security, Security Policy, Surveys & Reports

The number of data breaches in the health care sector could undermine the health care industry’s efforts to promote widespread adoption of Electronic Health Record Systems (EHRs).

The Wall Street Journal reports that the number of people who can quickly access EHRs has raised privacy concerns, but many hospitals have been reluctant to restrict access in ways that would create barriers to care delivery.

"The internal [hospital] mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system." - Jill Dennis, Senior VP, American Health Information Management Association

In order to increase security, while balancing the needs for fast and widespread access to information, many hospitals are encrypting their computers and increasing employee education about privacy. Other hospitals may limit the kinds of information that can be accessed by employees. As more information is available to more employees, time will tell how successful these efforts have been.

Some recent medical data breaches:

Via iHealthBeat, Wall Street Journal (4/29), Attrition.org; image: wax115 @morguefile

UK Patient Security Needs Improvement

Related entries in Health Security

The UK government has admitted that the current state of patient security and confidentiality is in need of improvement. Despite the number of data breaches, the UK government has still been pursuing initiatives to revamp the health system to have centralized, and more accessible, health data.

The problems about protecting patient data are not going away - indeed, they are only getting more complicated with the centralized National Health Service (NHS) system on the way. Those concerns are compounded with the decision to allow pharmacists access to patient Summary Care Records (SCRs), which contain patient and treatment details.

The [Department for Health] admitted that maintaining the security and confidentiality of this data could be a challenge. “The NHS Care Record Guarantee [which promises careful and secure patient data handling] has been drawn up and agreed by key parties as to what patients have a right to expect about how any information about them in the Care Record Service may be stored, used, shared and transmitted.

“However, there have been specific concerns about the use of the Care Record Service in community pharmacies, also often thought of as a retail setting.”

As of yet, the government is saying that more discussions and assessments (read: red tape) need to take place in order for a decision to be made about how to protect patient data. So, it would seem that actually protecting that data is a long way off.

The new push to allow pharmacists access to SCRs has been a part of a UK$12.4 billion investment into the Connecting for Health program. This program could play a part in the push to enable patients to consult with pharmacists for non-serious issues, lifting some weight off the GPs’ shoulders. But, it may open the door for more data breach incidents. Only time will tell.

Via intergovworld

Saskatchewan Finds Second Set of Abandoned Medical Files

Related entries in Data Breach, Health Security, Real Theft Reports, Security Breach

Who Breached: Various doctors in Saskatchewan
Number Affected: Unknown
Information breached: Medical records
How: Abandoned Files

79 boxes of personal medical files were found in a vacant, unlocked office in the city of Moose Jaw in Saskatchewan. The files were found from a telephone tip left after a breach of medical files in Yorkton was made public at the end of March. Officials believe there is a connection between the two finds.

In late March, five boxes of abandoned medical files for as many as 900 patients were found in a vacant office. The boxes were found via an anonymous tip in the city of Yorkton in a building that was not associated with any past medical offices.

Saskatchewan’s Information and Privacy Commissioner Gary Dickson said the announcement of the first breach generated telephone tips, one of which led to the second find. Details about the second find are still coming to light:

“It appears to involve a number of different physicians,” Dickson said. “We think some of these physicians may in fact still be practicing in the province.”

Physicians and licensed professionals are required by provincial law to safeguard personal health information. Violations come with a hefty price tag up to $50,000 per person or $500,000 per organization. Such fines have never been issued in Saskatchewan. The College of Physicians and Surgeons of Saskatchewan will participate in the privacy commission’s inquiry.

Via upi, upi2

NIH Data Breach Triggers Compliance

Related entries in Data Breach, Government Security, Health Security, Real Theft Reports

Who Breached: National Institutes of Health
Number Affected: 2500
Information breached: clinical trial information
How: laptop stolen

A laptop containing medical information for 2500 people enrolled in a National Institutes of Health (NIH) clinical trial has been stolen, putting these patients at risk for medical identity fraud. The laptop was stolen from the trunk of a car on February 23rd.

The laptop contained clinical trial data going back 7 years, including names, medical diagnoses, and heart scans. The data was not encrypted, despite government policies that require this precaution. According to the NIH, the first attempt to encrypt the laptop failed, and the laboratory chief, Andrew Arai, who used the laptop, did not follow up with IT.

Several errors in procedure are apparent here: IT released the laptop despite a failed encryption procedure; IT records did not trigger a new encryption attempt (reminding IT personnel to do this should not be the responsibility of an employee outside IT); and the security policy failed to train the laboratory chief in proper data handling procedures, such as taking data offsite and storing it responsibly.

This is particularly surprising in this example, given the added security and privacy precautions put in place to protect the patients who participate in clinical trials:

“The shocking part here is we now have personally identifiable information — name and age — linked to clinical data,” said Leslie Harris, executive director of the Center for Democracy & Technology. “If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

Patients were notified of the breach last Thursday, almost a month after the laptop went missing (reportedly to minimize ‘undue alarm’).

Here again, a flaw in the security policy becomes apparent. The reporting chain for the incident was incredibly inefficient. After the laptop was reported as stolen (within 3 days), officials in charge of information security at the NIH did not relay the breach to the NHLBI Institutional Review Board (who oversee the well-being of patients in research) until 6 days after the theft. The next step was to review the matter at a board meeting, which was several days later. After voting at said board meeting to send a letter to patients, the matter was not approved until the next board meeting 2 weeks later.

Unfortunately, it has taken a data breach for the NIH to state they will encrypt all computers, require staff security training and no longer store personal information on portable data devices. All of which are existing security policies that the NIH was not compliant with, so their forward-looking statements are not quite as comforting.

Via washington post

Top 5 Computer Security Risks for Healthcare

Related entries in Case Studies, Health Security, Security Breach, Surveys & Reports

After analyzing the 42 data breaches that affected the healthcare industry in 2007, involving nearly 5 million records, Absolute Software has put together the Top Five Healthcare Computer Security Risks. They are:

  1. Failure to Protect Sensitive Data Beyond Encryption - 72% of IT managers believe employees are responsible for data breaches (despite encryption)
  2. Inability to Accurately Manage Mobile Computer Assets - how many computers do you have, where are they, who has access to them, and what is installed on them?
  3. Sensitive Information on Public Terminals - public terminals can breach private data
  4. Difficulty Implementing a Comprehensive Data Security Plan - from cable locks and encryption to asset tracking and recovery. The plan should be reviewed and updated consistently.
  5. Reluctance to Create a Data Breach Policy - many companies fear creating a ‘nightmare scenario’, but a simple series of procedures must be in place for effective reaction and notification to incidents

You can read further details - and solutions - here.


Blue-Cross Breach from November affects 40,000

Related entries in Data Breach, Health Security, Real Theft Reports

Who Breached: Blue-Cross Blue-Shield of Western New York
Number Affected: 40,000
Information breached: “Vital Information”
How: laptop missing since November

Blue-Cross Blue-Shield of Western New York is notifying 40,000 of its members that they are at risk for identity theft after a company laptop went missing in November of 2007.

You have read that correctly: a laptop went missing in November. And Blue-Cross Blue-Shield is notifying members now, in March. That is quite the lag time. And it remains unexplained. Personal information, simply stated as ‘vital information’, was contained on the laptop. No further details have been provided.

Blue-Cross Blue-Shield of Western New York is offering credit checks for those members affected by the breach. The company has not posted any information to its website.

Via wivb
