Friday, July 30, 2010

Gartner Creates New Category in Identity and Access Mgmt:
Identity and Access Intelligence (IAI)

Gartner has created a new category - "Identity and Access Intelligence" - in their July report "Hype Cycle for Identity and Access Management Technologies, 2010".

Identity and Access Intelligence is the technologies and processes that are applied to identity and access data to produce actionable, context-specific insight for business and technical decision making.

Access compliance reporting for users and applications remain a key requirement in information security, privacy, and risk management programs, and there is a need for products to address these requirements.

IAI addresses these regulatory compliance requirements and IAI activities can be performed weekly, bi-weekly, monthly, quarterly or yearly, as security officers and IT auditors require.
Click here for more on the Veriphyr Identity and Access Intelligence service. Learn about this on-demand, pay-per-use IAI service that requires no hardware and no on-site software.
(a) "Hype Cycle for Identity and Access Management Technologies, 2010" - Gartner, July 2010

Tuesday, July 27, 2010

Material Weakness Reported by KPMG in Internal Controls for User Access

KPMG recently reported “access controls contribute to a … significant deficiency that is considered a material weakness in IT controls” at the Federal Emergency Management Agency (FEMA). (a)
CFOs lost their jobs within 3 months of reporting a material weakness in more than 60% of such cases. - A.R.C. Morgan (b)
Specific weaknesses highlighted by KPMG include:
  • Application, database, and network accounts were not periodically reviewed for appropriateness and resulted in inappropriate authorizations and excessive access rights.
  • Application, network, and remote user accounts were not disabled upon personnel termination.
The importance placed on weaknesses in internal controls for user access is understandable in light of IDC reporting that “Out-of-date and/or excessive privileges and access control rights for users are viewed as having the most financial impact on organizations.”(c)
"Deficiencies identified in FEMA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities. – KPMG FEMA Report (a)
Material weaknesses at FEMA are estimated to take several years to remediate using conventional methods, but the Veriphyr Identity and Access Intelligence Service can put a sustainable internal controls in place in days, not months. Moreover, this can be done with zero hardware, zero software, and no work.

The Veriphyr identity and access intelligence service applies analytics to data you already have and eliminates the grunt work of identifying user access policy violations. Plus the Veriphyr identity and access intelligence service delivers actionable remediations and monitors the resolution of the remediations.

If you want to avoid a material weakness of internal controls in your next audit be sure to view a video demonstration of the Veriphyr identity and access intelligence service.

(a) Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2009 DHS Integrated Audit
(b) A.R.C. Morgan: More than 60 Percent of CFOs Resign or are Pushed when a Material Weakness is Disclosed
(c) Insider Risk Management: A Framework Approach to Internal Security” by IDC

Tuesday, July 20, 2010

Jail Time Due to HIPAA Patient Privacy Violation

A former UCLA Healthcare System employee was fined and sentenced to four months in federal prison plus one year of supervised release.

His crime? He had been terminated from his job (but retained his access to the medical systems) and accessed the records of Drew Barrymore, Tom Hanks, Arnold Schwarzenegger, Barbara Walters, and others.(a) 
“In his plea agreement, Zhou admitted that he obtained and read private patient health and medical information on four specific occasions after he was formally terminated from the UCLA Healthcare System.” (b) 

The Challenge of Meaningful Use and the Security Rule
The HIPAA security rule requires that healthcare organizations “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.” (c) But the problem of employees retaining access after termination has been shown to be especially difficult to prevent using conventional methods that depend on managers informing IT or HR systems informing IT.

Conventional Methods are Not Sustainable Controls
There have been reports of firing managers not informing HR or IT for weeks after a termination because they are too busy to complete the paperwork. In at least one firm the HR systems did not inform IT for several months after the terminated because the terminated employee’s severance agreement involved payments for several months after terminate, and therefore he was classified as an employee for HR regulatory purposes so no notification was sent to IT.
Learn how the Veriphyr Identity and Access Intelligence service supports meaningful use by identifing terminated users, as well as, detecting inappropriate access to patient medical records
Identity and Access Intelligence (IAI) Discovers Terminated Users
Fortunately, there are more sustainable controls for identifying terminated employees and notifying IT to terminate access. Identity and access intelligence eliminates the dependency on people and automatically identifies terminated employees based on their on-line activity. Several firms claim to provide identity and access intelligence, but only Veriphyr offers an on-demand Identity and Access Intelligence service that can be up and running in 24 hours and requires zero zero capital expenditures (CAPEX).
HIPAA’s criminal privacy provisions protect not only celebrities, but all of us from curious neighbors, disgruntled co-workers, and other snoopers.” - Acting United States Attorney George S. Cardona(d)
(b) United States Attorney's Office
(c) “Security Standards for the Protection of Electronic Protected Health Information,” - 45 CFR Part 164.308(a)(3)(ii)(C)
(d) Department of Justice

Tuesday, July 13, 2010

Can Patient Privacy be Secured when Non-Employees are Given Access to a Hospital's EHR?

A Colorado Springs hospital claims a city employee accessed 2,500 electronic medical records in violation of the HIPAA/HITECH privacy rule.

How can a hospital maintain patient data privacy when it is required to allow non-employees access to the hospital's medical records? Given the drive toward health information exchanges (HIE) how can hospitals protect their patients' data privacy? Your thoughts?
"From my understanding, she was accessing the [electronic medical] records when she wasn’t at work. She wasn’t doing it as part of her job." - Hospital Spokesman
The city employee had worked as an occupational health nurse for eight years. As part of her job she was authorized to access the hospital's medical records related to her patients.

The nurse had signed forms agreeing to abide by HIPAA/HITECH privacy requirements, but according to a reporter at The Gazette, a local newspaper, the nurse did admit to accessing the electronic medical records for personal reasons, such as looking up the phone number of a friend that she had lost.
"“I guarantee that accessing the [medical records] database for stuff like that is rampant in the medical community. If you talked to other medical people, you’d find out that it’s pretty damn common." - Nurse accused of unauthorized access
The Hospital only learned of the 2,500 privacy breaches when it was notified by the city. The nurse's supervisor raised a concern because of unusual patient access activity by the nurse, including a high frequency of access and access from unusual locations.

The nurse claims her supervisor was fishing for an excuse to fire her after the nurse's 'psychic' abilities revealed her supervisor had a life-threatening condition. The nurse admits to looking at the supervisor's medical records to see if the supervisor heeded her advice and sought treatment.

As a results the hospital is looking into a software service to more quickly alert hospital officials to unusual activity surrounding electronic medical records.

(a) Memorial Patient Records Improperly Accessed - Memorial Health System, July 11, 2011
(b) 'Psychic' nurse says she is unfairly targeted in hospital records case - The Gazette, July 11, 2011

Thursday, July 1, 2010

Will Your Employees Be Bribed to Steal Patient Data?

A hospital was victimized by a trusted employee who was enticed into stealing patient data by the promise of a few thousand dollars.

What are you doing to help your employees avoid the lures of organized crime? Do your employees feel they are certain to be caught if they steal patient data?

Corrupted by the promise of $4,000, a surgical instrument technician at a Pittsburgh hospital stole patient names and Social Security numbers. The criminals who recruited him used the patient data to file unauthorized tax returns to claim $84,190 in tax refunds.
""He did not know that these numbers were going to be used for fraudulent tax returns. He's ... almost a victim himself." - Attorney Anthony Bittner, who represents the defendant
The hospital technician, who said he never received the promised cash, plead guilty to unauthorized disclosure of personal medical information in violation of the HIPAA federal law. He faces up to one year in prison and a fine of $50,000. The people who corrupted him escaped prosecution by fleeing the country.

The crime was detected when patients of the hospital discovered that their tax returns already had been filed, they alerted the U.S. Postal Service, IRS and U.S. Secret Service. Those organizations conducted an investigation that led to the indictment in this case.

Download a white paper on medical records privacy breach detection as a service. Veripyr delivers a credible detective control that discourages employees from violating patient privacy - with no hardware and no on-site software.
(a) Zambian man pleads guilty to identity theft of hospital patients - Pittsburgh Post-Gazette, July 1, 2011
(b) Former UPMC Shadyside Hospital Employee Pleads Guilty to HIPAA Violation - US Attorney's Office, Western District of Pennsylvania, June 30, 2011

Popular Posts

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at