Archive for the ‘Health Security’ Category

A Blue Cross and Blue Shield Association employee broke protocol by transferring the names, addresses, Social Security numbers and provider identification numbers of about 800,000 doctors to his personal laptop.

Unfortunately, his computer was stolen from his car this past August but, as of yet, there haven’t been any signs of identity theft.

The affected physicians have been informed and, thankfully, no patient information was included in the database.

A representative for the health insurance company was quoted in the Chicago Tribune as saying: “At this point, we have no evidence that the data was misused.  We think this was a random criminal act. Regardless, we take these kinds of breaches extremely seriously and so we are alerting all doctors in the database.”

In an attempt to offset any negative consequences associated with the theft of the laptop, the Blue Cross association is offering crediting monitoring services to the individuals whose Social Security information was exposed.

It goes without saying that this is really a worst-case scenario, since so many could be affected by this breach and the laptop hasn’t been recovered.  This is an unfortunate example of how the mistakes of a single person could after thousands of people. 

In a situation like this, using a program like Computrace would be helpful since sensitive data can be deleted remotely and the Theft Recovery Team will work with local police to try to find the stolen laptop – and the thief who stole it. And once the they have the laptop back, Computrace can be used to help determine if files were accessed post-theft. While it would still be important to be vigilant for signs of identity theft, the risk would be considerably lower.

There are many types of information that people don’t want to share with the world but someone’s personal medical history is probably at the top of that list.  The reasons we visit the doctor’s office can vary from mundane to downright embarrassing (or even scary), so it’s no surprise that many patients really depend on the rules surrounding confidentiality to protect this very private information.

Unfortunately, medical students may not realize the importance of patient privacy, which is evidenced by the fact that we’ve started seeing disclosures more and more through the use of social networking tools and modern technology.  For example, one surgeon found the fact that his patient had the words “hot rod” tattooed on his genitals so funny that he took a picture and shared it with his colleagues. 

As CNN reports, 60% of medical schools “have had students post inappropriate or unprofessional information on the Web.”  While most of this information pertained to their own behavior, 13% of them shared content that violated patient privacy.  Incredibly, there were even instances when some students were so descriptive that their patients were identifiable. 

Incredibly, only 38% of the affected schools had policies in effect to deal with inappropriate sharing on the internet but, at least, 11% of the remaining schools were working on creating guidelines. 

This illustrates the fact that many professions have not had to deal with internet security issues on this level but, while some are trying to actively address the issues, the public is at risk in the meantime. 

image: sxu.hu

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart

The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending – about $68 billion – is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated in 2007 that $2.26 trillion was spent on health care and the 4 billion health insurance claims processed in the US. They conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged ; Via dotmed ; Image: clipart

Absolute Software has released a list of the Top Five Healthcare Practices for Keeping Data Secure. These best practices will be valuable as healthcare moves forward with technology, particularly since the American Recovery and REinvestment Act (ARRA) was signed in February.

1. Know the consequences of a data breach
2. Assess your organization’s situation
3. Implement a comprehensive data security plan
4. Secure data on mobile computers
5. Create a data breach policy

Learn more about these 5 steps and ARRA here.

Considering the most recent hospital data breach in Miami has affected 200,000, and that data breaches in healthcare data breaches are more costly than breaches in other sectors, it’s a good idea to take all the steps you can to protect the data of your patients, clients and employees in this sector. A data breach is costly in any sector, but it’s important you understand how a data breach can impact, and be prevented, in yours.

Image: clipart

Dartmouth College’s Center for Digital Strategies recently released a study about “Data Hemorrhages in the Health-Care Sector“. The study examines the consequences of data breaches, from privacy violations to medical fraud to identity theft (financial and medical). The analysis demonstrates substantial vulnerability for the healthcare sector.

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) networks. The analysis uncovered thousands of files containing medical information on publicly available file sharing networks. That data may have gotten there inadvertently – from malware or from a bad filesystem that had confidential files with music files.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosures on P2P networks is higher than if a laptop or data device is lost. The report found that tracking and stopping medical data breaches is more complex given the fragmented nature of the US healthcare system.

This report reminds us of the importance of a strong data access policy. Who can access what data and where – can data be transfered to other devices? Computrace can help in that, with our Secure Asset Tracking® telling you where your devices are and what software/hardware is installed on them. Like with other aspects of data security, choose a layered process containing the right technology, processes and policies to help protect confidential information.

Hat tip to the privacy commissioner, SC Magazine ; Image: Clipart

A group of over 60 companies in the health care industry have came together last year to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Trust Alliance (HITRUST) consortium this week released a Common Security Framework (CSF) “for industry in commitment to greater electronic health information protection and growing regulatory compliance.”

“Until now, the lack of widely accepted information security standards has kept many providers on the health care IT sidelines, and has been a source of apprehension for many patients when it came to electronically sharing their medical information… the HITRUST framework should help accelerate the adoption of technologies that will dramatically improve the safety and efficiency of America’s health care system.” – Randall N. Spratt, Chief Information Officer and Executive Vice President, McKesson

The CSF is a certifiable framework that will provide organizations with structure and clarity related to information security for the healthcare industry, something more and more important as health information moves online and as data becomes more portable.

The framework is based upon recognized standards such as COBIT, NIST and ISO 270001. The framework is meant to scale according to the type, size and complexity of the organization and follows a risk-based approach that can evolve based on needs and changes in the industry and regulatory environment.

The stimulus bill that was passed in January in the U.S. called for the computerization of health care records within 5 years. The legislation contained stringent privacy and security controls above and beyond HIPAA, just like the new HITRUST CSF does.

Via SC Magazine

Health Care Compliance Strategies (HCCS) announced this week three new versions of its online compliance courses.

HCCS is a provider of online healthcare compliance and competency training. The three courses they provide are:

• HCCS Professional Compliance
• Corporate Compliance
• HIPAA for Health Plans

The courses are aimed at physicians, billing staff and other employees. They teach fraud awareness, coding and documentation, risk areas, how to build a compliance program, provider relationships, HIPAA awareness, electronic transactions and enforcement.

The courses change whenever rules, regulations, laws or other information is updated. Given that employees form one of the largest “issues” in any security program, online and interactive courses are a great way to enhance your training program. Also visit Absolute Software’s website to learn how we can help with healthcare computer security.

—-

And in other news, Absolute Software has added another conference to its schedule – the ASIS 2008 conference in Atlanta, Georgia.

Meet Absolute at the Booth

Location: Booth 2425
Dates: Monday – Wednesday, September 15-17, 2008
Time: 9:00 am – 4:30 pm

A group of over 60 voting companies in the health care industry have come together to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The new consortium that will create these best practices is called the Health Information Trust Alliance (HITRUST).

The HIPAA standards are aimed to protect the privacy of personal health information by giving patients more control over their information and setting boundaries on the use and release of health records. HIPAA requires that companies adopt privacy procedures and to ensure they’re followed, but many in the health care industry feel that more can be done to secure the privacy of patient information.

According to a survey HITRUST commissioned earlier this year, 96% of health information technology executives think it’s important to have a uniform way to verify the security of sensitive healthcare information. 85% of those surveyed think the health industry should pull together to create the comprehensive framework, which is exactly what HITRUST is now doing.

The new consortium, HITRUST, aims to develop a Common Security Framework (CSF) – a set of tools to aid organizations in protecting information and managing the risks, costs and complexities in managing these assets. They have published an overview of the framework and its components here [PDF].

The issues surrounding the protection of health information are complex and diverse but critical to the broad adoption, utilization of and confidence in health information systems, medical technologies and electronic exchanges.

Standardizing a higher level of information security will build greater trust and efficiencies in the electronic flow of information through the healthcare system and will instill confidence within regulators, business partners and consumers.

The document outlines challenges faced in protecting electronic health information including: risk and liability from data breaches, confusion about implementation and baseline security controls, complexities involved with inconsistent standards and varying interpretations, and outside scrutiny from regulators, auditors, partners and customers.

The HITRUST CSF is aimed to help organizations that create, store, access or exchange electronic health information. The CSF framework includes three parts: an Information Security Implementation Manual, a Standards and Regulations Cross-Reference Matrix and a Readiness Assessment Toolkit. You can view a sample of the Security Implementation Manual, one part of CSF, here [PDF]. The CSF is expected to be released January 2009.

Via information week Tags: hitrust, hipaa, health information, health industry, health privacy, healthcare, private information, csf, common security framework, security framework, data security

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood in basics and in application, it’s a great refresher series.

HIPAA Concerns:

• There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
• The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
• Post-HIPAA privacy and security protections need to be adopted in law and in best practices
• HIPAA compliance was a heavy burden at initial inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
• Staff training and education must be ongoing for new, and old, employees
• Continue reading about the concerns here.

HIPAA Myths:

• That it weakened, rather than strengthened, rights to health information privacy
• HIPAA is all we need in the digital age
• HIPAA “covered entities” cover every use of personal health information
• Check out the full examination of these myths here.

Logo: ; Tags: hipaa, health privacy, privacy information, health information, information, legislation, law, security