Saturday, December 31, 2011
Jane Doe sued three doctors over a newspaper article about them that contained information violating her medical privacy.
Her suit resulted in an award of $100,000, but her follow-up suit claimed that the court erred in excluding testimony that would have resulted in a larger judgment.
In a split decision this week, a three-judge panel of the 8th Circuit agreed with Doe.
For more see the Courthouse News Service http://ow.ly/1CYX6O
Friday, December 30, 2011
Regular audit of access to confidential data — even by employees with approved access — is a necessary component of effective defense against privacy breaches. Download a white paper on privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of privacy and security, even by authorized users — with no hardware and no on-site software.
Saturday, December 24, 2011
The five employees admitted breaching the government's strict privacy code. As a condition of employment they had signed the Code of Conduct and a declaration acknowledging their responsibility to protect privacy.
"There is never any excuse for accessing a client's file without a legitimate work-related reason." - Janet Grossman, Work and Income
The Privacy Commissioner has been informed and each client whose privacy has been breached is being contacted individually.
The government said it has zero tolerance for staff who breach the privacy of clients. To ensure this, the government's Integrity Unit regularly conducts time-consuming reviews of the logs of user access and activity to identify violations.
Are you auditing violations of privacy by your employees? Download a white paper on privacy breach audits. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) WINZ staff under fire - Stuff.co.nz, December 24, 2011
Friday, December 23, 2011
It seems that many health care providers would find themselves financially exposed in the event of a serious data breach. HealthLeaders.com cites a survey indicating most healthcare organizations are not ready for a privacy and security audit:
"HCPro's survey results show that only 17% of responding organizations said they are fully prepared for an OCR privacy and security compliance audit. 'It is very hard to get your staff to understand how important this is,' one compliance officer said."
- effective training in privacy standards
- explicitly communicating the sanctions for misbehavior
- ensuring staff know that the means of audit and detection are reliable
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) First-Hand Experience with a Patient Data Security Breach - HIStalkPractice.com, December 3, 2011
(b) Most Providers Unprepared for HIPAA Audit - HealthLeaders Media
Friday, December 16, 2011
"…insiders use technical means to steal IP, but most theft is discovered by non-technical employees. The majority of subjects (54 percent) used a network—email, a remote network access channel or network file transfer to remove their stolen data. However, most insider IP theft was discovered by non-technical versus technical employees… Sometimes the company involved was unaware of the theft until law enforcement notified them after discovering it during a related investigation."
Sunday, December 11, 2011
One reason for the high value is that a person cannot cancel their own medical history, whereas they can always cancel a stolen credit card number. This makes it much harder to prevent stolen medical data from being used by criminals.
Medical record data is worth $50 on the black market. Much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6).
Stolen medical data -- such as electronic health records or insurance information -- is lucrative because thieves use it to submit false or inflated medical claims, buy prescription medication, or pay for treatment - all at the victim's expense.
The panel of experts pointed out that impermissible use of patient data at healthcare and insurance companies is an increasing source of stolen medical data; this includes data lost or stolen by insiders such as healthcare or insurance workers.
The panelists explained how impermissible use of medical data is detectable by analyzing activity in electronic health record applications and other clinical and financial computer systems.
Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.
(a) DHC: EHR Data Target for Identity Thieves - MedPage Today, December 7, 2011
(b) Digital Health Conference - Digital Health Conference, December 1-2, 2011
Friday, December 9, 2011
Download a white paper on data breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Saturday, December 3, 2011
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) http://www.govinfosecurity.com/articles.php?art_id=4332 - SOURCE_NAME_AND_DATE
Monday, November 28, 2011
“I was really upset when I read the e-mail,” she said. “I didn’t know who he was, what he was capable of, or whether he also knew my address and telephone number. I didn’t know if he was just going to turn up at the house. It’s just wrong in so many ways.”
If you're required to investigate a breach of patient privacy, how long will your personnel be tied up doing the work? Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Friday, November 18, 2011
Regular audits of access to sensitive information deter employee misuse of access. Learn how Veriphyr identity and access intelligence services streamline detection of insider abuse of access rights and deter data snooping and theft by insiders.
Thursday, November 17, 2011
Veriphyr Identity and Access Intelligence is a SaaS application that automates the review of user access activity against user rights, without the need to deploy hardware or software on-premises. We take uploads of raw, unfiltered, and unmapped exports of your directory rights, access control lists, and system and application activity logs, and automatically correlate identities, rights, and activity to detect violations of access policy.
Veriphyr delivers reports on policy violations that are quickly and easily grasped by non-technical business leaders.
Friday, November 11, 2011
"When I speak with business leaders about data security, many tell me that protecting sensitive data is a top priority but can't say how it's being done." - Ozzie Fonseca, Director, Experian DBR
- 63% - improving regulatory compliance
- 49% - preventing and detecting internal breaches
- 46% - investing in and improving audit logging
Wednesday, November 9, 2011
As expected, OCR announced today that it will begin pilot audits, including site visits, this month at 20 covered entities to test compliance with the HIPAA privacy and security rules, and that testing would expand to include 150 entities by the end of 2012. Any covered entity, regardless of size, is eligible for inclusion in these audits (business associates will be covered in future audits).
"Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem." - Department of Health and Human Services.
If you've been putting off a review of your security and compliance posture with respect to HIPAA, now is a good time to consider your response to an audit notification. Steps to include in such a review:
- Taking an inventory of PHI wherever it resides -- all applications, systems, and devices, including end-user devices such as iPhones and iPads.
- Reviewing access control policies to ensure that access to applications and systems holding PHI meet the standard of least privilege. Is access limited only to users with a need to know and only as necessary for their job function?
- Auditing not only access to PHI, but also modifications and deletions. Do applications and systems log the information necessary to conduct an audit? Can you retrieve logged data in a timely manner?
- Encrypting data at rest and in transit.
Of all the internal controls over PHI, auditing may be among the most important, yet it usually receives short shrift. The sheer number of applications, systems, employees, and medical records may prove daunting. Most providers only have the headcount to audit a small portion of activity: access to records of VIPs, employees, friends or relatives, and a small sample of the rest of the patient record population. Compliance and privacy personnel may need to manage an audit console for each individual application or system, and event logging may be incomplete or misconfigured.
Demands on compliance and privacy personnel to prove their organizations' compliance with HIPAA privacy and security requirements will only increase. There is a need to provide auditing and reporting on access to systems holding PHI in a way that business managers and executives can quickly understand and that does not tax an already overworked compliance staff. The verification process should be made more effective and more efficient by making better use of data the organization already collects. The process should be improved without adding more hardware or software and by replacing manual activity whenever possible.
Veriphyr is a new SaaS Identity and Access Intelligence service that improves the use of data that you're already capturing. There's no need for new on-premises equipment or software and no burden on your IT, compliance, and privacy staff. Veriphyr accepts raw identity, privilege, activity, and business data from any source, in any format (including EMR/EHR formats), even if the data is incomplete or damaged.
Veriphyr's analytics technology correlates user activity with user identities and rights to give you a complete picture of access both to patient records and to any application, database, or network in your IT environment.
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Tuesday, October 25, 2011
Wednesday, October 19, 2011
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
- Risks related to cyber incidents that may remain undetected for an extended period
- Description of relevant insurance coverage
Tuesday, October 4, 2011
Gartner's Earl Perkins has an insightful posting today on the adoption of Identity and Access Intelligence in the enterprise. His thesis is that enterprises are moving to adopt a "formal security and IAM ‘intelligence’ practice" as a product or service.
He points out that "as larger and more sophisticated IAM shops evolved their practice, they realized that without having a continuous stream of intelligence available to them from the processes IAM was involved in, they would be unable to answer important questions regarding matters related to forensics (e.g. detecting and preventing fraud during the access process) or compliance (e.g. providing detailed reports on meeting regulatory requirements as required by government and policy)."
"The real value that IAM can provide to the business is in the intelligence it generates and owns about identity and access activities and events, not in the control it provides for access." - Earl Perkins, Gartner VP
He concludes that it "wasn't enough to store identities and attributes, or to log authentication events – some method and tool was also needed to make sense of what was happening, to understand through correlation and analysis of data from a number of different sources the true picture end to end of those activities in identity and access management that occur every day to get work done."
To read the entire blog click here.
Learn how Veriphyr's Identity and Access Intelligence as a service delivers business insights on compliance, privacy, and security - with no hardware and no on-site software.
Sources:
(a) IBM Buys Q1 Labs: Identity and Access Intelligence Comes Into Its Own - Gartner Blog, October 4, 2011
Shana Springer filed the complaint on behalf of herself and other patients treated at a San Francisco Bay Area hospital's emergency department between March 1, 2009, and Aug. 31, 2009.
The suit alleges the hospital violated the Confidentiality of Medical Information Act, a California state law requiring healthcare providers to safeguard patient data privacy. The patient data that was breached included patient names, medical record numbers, diagnosis codes, billing charges, and dates of emergency room admissions and discharges. No credit card or Social Security numbers were part of the breach.
According to the hospital, there is no evidence that the information was improperly used for fraudulent or any other improper purpose. But in at least one case, a patient's psychiatric diagnosis was made public.
"SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit." - Hospital spokesman.
The suit seeks compensation of $1,000 per patient, plus penalties, damages and attorneys' fees. Los Angeles-based lawyers Brian S. Kabateck, Richard L. Kellner, Karen Liao, Byron T. Ball and Bradley I. Kramer are said to be representing the person bringing the suit, as well as the proposed class.
Download a white paper on patient privacy audits as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
Sources:
(a) Statement from Stanford Hospital & Clinics - Stanford Hospital & Clinics Website, October 3, 2011
(b) Stanford Hospital & Clinics vows to fight $20M class action - MercuryNews.com, October 4, 2011
Thursday, September 15, 2011
90,000 Healthcare Providers Signed Up for Incentive Payments for Migrating to Electronic Medical Records Systems
"When we launched in April, we had a trickle, and that trickle is turning into a faucet opening up a little more. If this trend holds, we'll have the faucet fully going." - Robert Anthony, CMS' Office of e-Health Standards and Services.
CMS issued a total of $264 million in payments in August, twice as much as it paid out in July, and $652 million for the year to date.
Download a white paper on EHR privacy auditing service. Proactively discover violations of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
Sources:
(a) EHR incentive program ramps up to 90,000 providers - Government Health IT, September 15, 2011
Friday, September 9, 2011
A highlight of the report is the summary of complaints received by HHS/OCR of alleged violations of the HIPAA privacy and security rules.
The most frequently investigated Privacy Rule compliance issues are:
- impermissible uses and disclosures of PHI
- lack of safeguards of PHI
- denial of individuals’ access to their PHI
- uses or disclosures of more than the minimum necessary PHI
- inability of individuals to file complaints with covered entities
Download a white paper on HIPAA Privacy Rule breach detection as a service. Learn about a service that proactively identifies impermissible uses and disclosures of PHI, even by authorized users - with no hardware and no on-site software.
Security Rule
The most frequently investigated Security Rule compliance issues are:
- failure to demonstrate adequate policies and procedures or safeguards to address:
  - response and reporting of security incidents
  - security awareness and training
  - access controls
  - information access management
  - workstation security
The most common types of covered entities that have been required to take corrective action are:
- private practices
- general hospitals
- outpatient facilities
- health plans
(a) Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 - U.S. Department of Health and Human Services' Office for Civil Rights, September, 2011
Thursday, September 8, 2011
A nurse was fired for 5,800 violations of patient data privacy dating as far back as 2004. The nurse's snooping was discovered in 2011 by a privacy audit at the hospital where she worked in North Bay, Ontario.
The nurse looked at visit histories, prescribed drugs, lab results, and other information a nurse typically uses to perform her job. But the nurse was not part of the "circle of care" for these patients, and therefore had no legitimate reason to access the medical records.
"This person was looking at information out of curiosity." - Marc Bouchard, hospital CIO and Chief Privacy Officer
Once the massive privacy breach was discovered the nurse was interviewed. She is said to have admitted she had no legitimate reason to be looking at the records. Afterwards she was dismissed.
Further investigation led the hospital to believe that the information inappropriately accessed by this employee was not released to other staff or beyond the hospital and that patient care was never negatively affected.
"It is the health centre's goal to ensure that necessary health information is readily available to appropriate caregivers to ensure patient safety and quality of care, but that it is not disclosed beyond the circle of care-givers." - Pat Stephens, hospital spokesperson
As required by the Personal Health Information Protection Act, the hospital has contacted each affected patient to inform them of the breach of their personal health information, and has reported the incident to the Information and Privacy Commission of Ontario. In addition, the hospital plans to implement more rigorous audits to detect attempts to inappropriately access health care information.
While that situation is, hopefully, an extreme example, it raises the question of how frequently patient data privacy audits should be performed. Not how often your current resources allow you to perform audits, but, if you could magically receive an audit of suspicious access to patient data across all patients, what would your preferred frequency be?
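The kind of correlation this post and the Veriphyr description above talk about (identities, rights, and activity logs checked against a "circle of care"), as an added example that is not from the original page or Veriphyr's product: a small Python audit over constructed staff, care-team, rights, and EHR log data. All user ids, patient ids, and log lines are made up; a real deployment would read these from the directory, application ACL exports, and the EHR audit trail.

```python
"""Constructed example: correlate identity, rights and EHR activity to flag snooping."""
import csv
from collections import defaultdict
from io import StringIO

# Staff directory: user id -> role, plus the patient id if that employee is also
# a patient of the hospital (constructed sample data).
STAFF = {
    "nurse01": {"role": "nurse", "patient_id": None},
    "nurse02": {"role": "nurse", "patient_id": "P300"},
    "doc07": {"role": "physician", "patient_id": None},
}

# Circle of care: patient id -> users assigned to that patient's care (constructed).
CARE_TEAM = {
    "P100": {"nurse01", "doc07"},
    "P200": {"doc07"},
    "P300": {"nurse01"},
}

# Application rights export: user id -> actions the application allows (constructed).
RIGHTS = {
    "nurse01": {"view"},
    "nurse02": {"view", "modify"},
    "doc07": {"view", "modify", "delete"},
}

# EHR activity log export as CSV (constructed).
ACCESS_LOG = """\
timestamp,user,patient,action,section
2011-09-01T08:02:11,nurse01,P100,view,lab_results
2011-09-01T08:15:40,nurse01,P200,view,visit_history
2011-09-01T09:01:05,nurse02,P300,view,prescriptions
2011-09-01T09:20:00,doc07,P200,modify,diagnosis
2011-09-01T10:44:19,nurse01,P100,delete,lab_results
2011-09-01T11:30:52,doc07,P100,view,visit_history
2011-09-01T12:05:33,doc07,P300,view,visit_history
"""


def audit(log_text, staff=STAFF, care_team=CARE_TEAM, rights=RIGHTS):
    """Return (timestamp, user, patient, reason) tuples for each suspect access.

    Three rules, one finding each: the user is not in the patient's circle of
    care; the record belongs to the user or to a fellow employee; the action
    (view/modify/delete) is not among the user's granted rights.
    """
    # Reverse map patient id -> employee user id, for own/fellow-employee records.
    employee_patients = {s["patient_id"]: u for u, s in staff.items() if s["patient_id"]}
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient, action = row["user"], row["patient"], row["action"]
        reasons = []
        if user not in care_team.get(patient, set()):
            reasons.append("outside circle of care")
        if patient in employee_patients:
            owner = employee_patients[patient]
            reasons.append("access to own record" if owner == user
                           else "record belongs to fellow employee")
        if action not in rights.get(user, set()):
            reasons.append(f"action '{action}' exceeds granted rights")
        findings.extend((row["timestamp"], user, patient, r) for r in reasons)
    return findings


def findings_by_user(findings):
    """Count findings per user so reviewers can rank whom to interview first."""
    counts = defaultdict(int)
    for _, user, _, _ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit(ACCESS_LOG):
        print(*finding)
    print(findings_by_user(audit(ACCESS_LOG)))
```

Running this over the whole patient population rather than a VIP sample is the point: the constructed log yields six findings across three users, including a delete by a read-only account that a view-only audit would miss.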
Your thoughts? Feel free to post your comments anonymously.
Download a white paper on patient privacy audits as an automated service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
Sources:
(a) Breach of Privacy Occurs at North Bay Regional Health Centre Affecting 5,800 Patients - North Bay Regional Health Centre, September 6, 2011
(b) Nurse fired after breach of privacy at hospital, 5,800 patients affected - The Nugget, September 6, 2011
Wednesday, August 31, 2011
Veriphyr announces the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months.
Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.
The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches,” summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers. A complimentary copy is available here (registration required).
Respondents were queried on their perceptions of privacy and compliance initiatives within their organization, adequacy of tools to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.
“Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” said Alan Norquist, CEO of Veriphyr. “However, we did not expect the prevalence of insider abuse reported, and that nearly 80 percent of the respondents feel they lack adequate controls to detect PHI breaches in a timely fashion.”
Some of the report’s key findings include:
- Top breaches in the past 12 months by type:
  - Snooping into medical records of fellow employees (35%)
  - Snooping into records of friends and relatives (27%)
  - Loss/theft of physical records (25%)
  - Loss/theft of equipment holding PHI (20%)
- When a breach occurred, it was detected in:
  - One to three days (30%)
  - One week (12%)
  - Two to four weeks (17%)
- Once a breach was detected, it was resolved in:
  - One to three days (16%)
  - One week (18%)
  - Two to four weeks (25%)
- 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
- 52% stated they did not have adequate tools for monitoring inappropriate access to PHI
Learn about a medical records abuse detection service that proactively identifies patient data privacy abuse, even by authorized users - with no hardware and no on-site software.
Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.
Sunday, August 28, 2011
In just the last 3 years, 84 police officers and 22 support staff in the Metropolitan Police Service have been disciplined for misusing government databases that contain sensitive information on millions of people and their property.
"Half of the offences uncovered, including some accused of passing information to criminals, took place in the last three years - suggesting the abuse of the system is on the increase." - Jason Lewis, Investigations Editor for The Telegraph.
Over the past 10 years, 142 police officers and 66 staff in the Metropolitan Police have been disciplined, resulting in 29 firings and 16 prosecutions. Across the entire UK, a total of 400 police officers and staff have been disciplined for similar abuse.
"A survey of senior police officers found most believed abuse of police systems occurred 'frequently' and called for greater audit and controls on police computer resources." - Jason Lewis, Investigations Editor for The Telegraph.
Police National Computer Databases
- Names File - People who have been convicted, cautioned or recently arrested
- Vehicle File - Registered keeper of a motor vehicle
- Property File - Certain types of stolen and found property including Trailers, Plant, Engines, Animals, Marine and Firearms
- Drivers File - 48 million people who either hold a driving licence or are disqualified from holding one
Learn about a privacy breach detection service that proactively identifies unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Hundreds of police officers caught illegally accessing criminal records computer - The Telegraph, August 20, 2011
(b) Police National Computer - Wikipedia as of August 28, 2011
Now you can help support this worthy charity by voting for it to become a Subaru "Share the Love" charity. This event raised $5 million for five charities last year. For every new vehicle sold or leased, Subaru donates $250 to the customer's charity of choice.
Here is how you can help CMN Hospitals become a Subaru charity:
- Go to the Subaru Facebook page (www.facebook.com/subaruofamerica)
- Click on the button "Vote Now"
- Select 'Children's Miracle Network Hospitals' under "Share the Love Charities: Vote for your Favorite"