On December 3rd, laptops containing the private information (names, address, social insurance numbers) of about 8.600 Ontario teachers was stolen from the Waterloo offices of the Ontario Teachers Insurance Plan. Those affected were notified of the breach in mid-January.

The theft is characterized by police as a “smash and grab” with the laptops being one item among those stolen. This theft comes one month after a USB key containing some personal health information of 80,000 people was lost in Ontario.

It is not clear what security precautions, if any, were on the stolen laptops. We do know the laptops were unencrypted, so likely other security precautions were also not taken.

Act now to protect your own assets and the information on those assets by having a strong mobile data security policy and calling Absolute to ask about our laptop security solutions. For those in the healthcare field, please refer to our Healthcare Resources page.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated in 2007 that $2.26 trillion was spent on health care and the 4 billion health insurance claims processed in the US. They conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged ; Via dotmed ; Image: clipart

1. Know the consequences of a data breach
2. Assess your organization’s situation
3. Implement a comprehensive data security plan
4. Secure data on mobile computers
5. Create a data breach policy

Learn more about these 5 steps and ARRA here.

Considering the most recent hospital data breach in Miami has affected 200,000, and that data breaches in healthcare data breaches are more costly than breaches in other sectors, it’s a good idea to take all the steps you can to protect the data of your patients, clients and employees in this sector. A data breach is costly in any sector, but it’s important you understand how a data breach can impact, and be prevented, in yours.

Image: clipart

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) networks. The analysis uncovered thousands of files containing medical information on publicly available file sharing networks. That data may have gotten there inadvertently – from malware or from a bad filesystem that had confidential files with music files.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosures on P2P networks is higher than if a laptop or data device is lost. The report found that tracking and stopping medical data breaches is more complex given the fragmented nature of the US healthcare system.

This report reminds us of the importance of a strong data access policy. Who can access what data and where – can data be transfered to other devices? Computrace can help in that, with our Secure Asset Tracking® telling you where your devices are and what software/hardware is installed on them. Like with other aspects of data security, choose a layered process containing the right technology, processes and policies to help protect confidential information.

Hat tip to the privacy commissioner, SC Magazine ; Image: Clipart

HCCS is a provider of online healthcare compliance and competency training. The three courses they provide are:

• HCCS Professional Compliance
• Corporate Compliance
• HIPAA for Health Plans

The courses are aimed at physicians, billing staff and other employees. They teach fraud awareness, coding and documentation, risk areas, how to build a compliance program, provider relationships, HIPAA awareness, electronic transactions and enforcement.

The courses change whenever rules, regulations, laws or other information is updated. Given that employees form one of the largest “issues” in any security program, online and interactive courses are a great way to enhance your training program. Also visit Absolute Software’s website to learn how we can help with healthcare computer security.

—-

And in other news, Absolute Software has added another conference to its schedule – the ASIS 2008 conference in Atlanta, Georgia.

Meet Absolute at the Booth

Location: Booth 2425
Dates: Monday – Wednesday, September 15-17, 2008
Time: 9:00 am – 4:30 pm