Posts Tagged ‘Health Security’

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart

Absolute Software has released a list of the Top Five Healthcare Practices for Keeping Data Secure. These best practices will be valuable as healthcare moves forward with technology, particularly since the American Recovery and REinvestment Act (ARRA) was signed in February.

1. Know the consequences of a data breach
2. Assess your organization’s situation
3. Implement a comprehensive data security plan
4. Secure data on mobile computers
5. Create a data breach policy

Learn more about these 5 steps and ARRA here.

Considering the most recent hospital data breach in Miami has affected 200,000, and that data breaches in healthcare data breaches are more costly than breaches in other sectors, it’s a good idea to take all the steps you can to protect the data of your patients, clients and employees in this sector. A data breach is costly in any sector, but it’s important you understand how a data breach can impact, and be prevented, in yours.

Image: clipart

Dartmouth College’s Center for Digital Strategies recently released a study about “Data Hemorrhages in the Health-Care Sector“. The study examines the consequences of data breaches, from privacy violations to medical fraud to identity theft (financial and medical). The analysis demonstrates substantial vulnerability for the healthcare sector.

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) networks. The analysis uncovered thousands of files containing medical information on publicly available file sharing networks. That data may have gotten there inadvertently – from malware or from a bad filesystem that had confidential files with music files.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosures on P2P networks is higher than if a laptop or data device is lost. The report found that tracking and stopping medical data breaches is more complex given the fragmented nature of the US healthcare system.

This report reminds us of the importance of a strong data access policy. Who can access what data and where – can data be transfered to other devices? Computrace can help in that, with our Secure Asset Tracking® telling you where your devices are and what software/hardware is installed on them. Like with other aspects of data security, choose a layered process containing the right technology, processes and policies to help protect confidential information.

Hat tip to the privacy commissioner, SC Magazine ; Image: Clipart

A group of over 60 companies in the health care industry have came together last year to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Trust Alliance (HITRUST) consortium this week released a Common Security Framework (CSF) “for industry in commitment to greater electronic health information protection and growing regulatory compliance.”

“Until now, the lack of widely accepted information security standards has kept many providers on the health care IT sidelines, and has been a source of apprehension for many patients when it came to electronically sharing their medical information… the HITRUST framework should help accelerate the adoption of technologies that will dramatically improve the safety and efficiency of America’s health care system.” – Randall N. Spratt, Chief Information Officer and Executive Vice President, McKesson

The CSF is a certifiable framework that will provide organizations with structure and clarity related to information security for the healthcare industry, something more and more important as health information moves online and as data becomes more portable.

The framework is based upon recognized standards such as COBIT, NIST and ISO 270001. The framework is meant to scale according to the type, size and complexity of the organization and follows a risk-based approach that can evolve based on needs and changes in the industry and regulatory environment.

The stimulus bill that was passed in January in the U.S. called for the computerization of health care records within 5 years. The legislation contained stringent privacy and security controls above and beyond HIPAA, just like the new HITRUST CSF does.

Via SC Magazine