Wednesday, August 31, 2011

Over 70% of Healthcare Providers Suffered Privacy Breaches

Survey Reveals Leading Source is Employees Snooping into Medical Records
Veriphyr announces the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months.

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches,” summarizes the findings of a survey of compliance and privacy officers at mid- to large-sized hospitals and healthcare service providers. A complimentary copy is available here (registration required).

Respondents were queried on their perceptions of privacy and compliance initiatives within their organization, adequacy of tools to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.
“Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” said Alan Norquist, CEO of Veriphyr.

“However, we did not expect the prevalence of insider abuse reported, and that nearly 80 percent of the respondents feel they lack adequate controls to detect PHI breaches in a timely fashion.”
Some of the report’s key findings include:
  • Top breaches in the past 12 months by type:
    • Snooping into medical records of fellow employees (35%)
    • Snooping into records of friends and relatives (27%)
    • Loss/theft of physical records (25%)
    • Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in:
    • One to three days (30%)
    • One week (12%)
    • Two to four weeks (17%)
  • Once a breach was detected, it was resolved in:
    • One to three days (16%)
    • One week (18%)
    • Two to four weeks (25%)
  • 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
  • 52% stated they did not have adequate tools for monitoring inappropriate access to PHI
Editorial Contact: Marc Gendron, Marc Gendron PR, #781-237-0341,
Learn about a medical records abuse detection service that proactively identifies patient data privacy abuse, even by authorized users - with no hardware and no on-site software.
Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Sunday, August 28, 2011

UK Police Caught Abusing Access to Criminal Records on Police National Computer (PNC)

The number of UK police caught abusing their access to the Police National Computer databases now exceeds 200, according to a Freedom of Information request cited by The Telegraph.

In just the last 3 years, 84 police officers and 22 support staff in the Metropolitan Police Service have been disciplined for misusing government databases that contain sensitive information on millions of people and their property.
"Half of the offences uncovered, including some accused of passing information to criminals, took place in the last three years - suggesting the abuse of the system is on the increase." - Jason Lewis, Investigations Editor for The Telegraph.
Over the past 10 years, 142 police officers and 66 staff in the Metropolitan Police have been disciplined, resulting in 29 firings and 16 prosecutions. Across the entire UK, a total of 400 police officers and staff have been disciplined for similar abuse.
"A survey of senior police officers found most believed abuse of police systems occurred 'frequently' and called for greater audit and controls on police computer resources." - Jason Lewis, Investigations Editor for The Telegraph.
Police National Computer Databases
  • Names File - People who have been convicted, cautioned or recently arrested
  • Vehicle File - Registered keeper of a motor vehicle
  • Property File - Certain types of stolen and found property including Trailers, Plant, Engines, Animals, Marine and Firearms
  • Drivers File - 48 million people who either hold a driving licence or are disqualified from holding one
Learn about a privacy breach detection service that proactively identifies unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
(a) Hundreds of police officers caught illegally accessing criminal records computer - The Telegraph, August 20, 2011
(b) Police National Computer - Wikipedia as of August 28, 2011

Share the Love with Children's Miracle Network

Veriphyr is proud to sponsor Children’s Miracle Network (CMN) Hospitals - a charity that raises funds for more than 170 children's hospitals.

Now you can help support this worthy charity by voting for it to become a Subaru "Share the Love" charity. This event raised $5 million for five charities last year. For every new vehicle sold or leased, Subaru donates $250 to the customer's charity of choice.

Here is how you can help CMN Hospitals become a Subaru charity: vote each and every day from Thursday, August 25, 2011 until Thursday, September 15, 2011. Please spread the word. And thanks for sharing the love!

Monday, August 22, 2011

Special Reports on Customer and Employee Privacy by Gartner

Gartner has posted a special report centralizing their videos and papers on enterprise privacy.

The page includes free access to their recent report "Social Media: Identity, Privacy, and Security Considerations". It also has a 2-minute video in which Gartner Analyst Richard Hunter discusses enterprise privacy and regulation.

Learn how Veriphyr's Identity and Access Intelligence service discovers abuses of customer and employee privacy - with no hardware and no on-site software.
(a) Gartner Privacy Special Report - Gartner, August 2011

Sunday, August 21, 2011

Hospital Balances Patient Privacy Rights and Victim's Rights

I am interested in your reaction to a thought provoking article on the conflict between patient privacy and law enforcement written by Amanda Milkovits.

What are your thoughts? I summarized the key points in this blog and am especially interested in the reaction of health and law professionals from states where patient privacy regulations go beyond HIPAA.
A Rhode Island hospital rejected a court order for the medical records of a woman whose husband was charged with murdering her.
The hospital's SVP for medical affairs says the hospital wants to work with the police, but by breaking confidentiality “we break the law.” What seems like a simple question, he says, can put the hospital in an impossible situation if the person has requested confidentiality.
In another case, the hospital rejected a request for a murder victim's medical records even though it included signed releases from the man’s father and adult son.
While HIPAA allows the release of this sort of information to law enforcement, Rhode Island’s Health Care Confidentiality Law is more restrictive.

Rhode Island requires health-care providers to provide information to law enforcement about specific kinds of cases - such as the abuse of children - but otherwise the consent of the patient or family is needed to release any information.
"There’s patients’ rights and victims’ rights, and we’re trying to exercise all of their rights." - Providence Rhode Island Police Major.
Police could seek a warrant to secure the information from the hospital, says Andy Horwitz, president of the Rhode Island Criminal Defense Lawyers Association and associate dean of academic affairs at Roger Williams University.

“Yeah, we could subpoena everybody to the grand jury, but that takes time,” a Providence Police Major said in response. “If I’m outside the ER and I want to get a description [of a suspect] from the victim, just to talk to the victim, or get information if the victim can’t talk themselves that will help solve the crime - this is the balancing act."

The hospital has recently agreed to share the identities of patients with violent injuries. It has also provided the police with contact information for the senior on-call administrator and the personal cell-phone number of the SVP for medical affairs.

What are your thoughts on this conflict? Feel free to share anonymously in the comments by clicking on the "comments" link below.

Learn about a medical records abuse detection service that proactively identifies patient data privacy abuse, even by authorized users - with no hardware and no on-site software.
(a) Providence police, hospitals at odds in medical privacy debate - The Providence Journal, August 21, 2011

Cyber Crime by Insiders Discovered at 30% of Organizations - Ponemon 2011 Study

30% of organizations experienced cyber crime by malicious insiders, according to the "Cost of Cyber Crime Study Benchmark" for 2011 by the Ponemon Institute. Malicious insiders are the 4th most costly category of cyber crime and account for 17% of all cyber crime costs.
$105,352 is the average annual cost of insider crime - Ponemon Institute, August 2011

Information Theft is Highest External Cost
On an annualized basis, information loss accounts for 40% of total external cost of cyber crime. This is significantly higher than the other three categories - business disruption or loss of productivity (28%), revenue loss (18%) and equipment damages (9%).

Detection and Recovery are Highest Internal Costs
The internal costs of cyber crime are driven by the labor required by each stage of incident response. Given that malicious insider attacks can take more than 45 days on average to contain, there is great potential for cost savings due to automation and use of pay-per-use services.

Reducing the Cost of Insider Crime
Reduce the incidence and cost of insider crime by using identity and access intelligence (IAI) technology to detect excessive access rights that provide the opportunity for financial fraud and data theft by insiders. Further reduce your costs by using an on-demand IAI service with a pay-per-use model which is far more cost effective than traditional licensed software.
Learn how the Veriphyr Identity and Access Intelligence service effectively deters or automatically detects data loss or theft by insiders - with no hardware and no on-site software.
NOTE: In the report, cyber crime includes any criminal activity conducted via the Internet, including viruses and worms, malicious insiders, web-based attacks, malicious code, phishing, botnets, denial of service, and malware.

(a) "Second Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies" by Ponemon Institute released August of 2011

Thursday, August 18, 2011

Smart Grid Privacy - Protecting Customer Energy Usage Data

Can private details about your sleep, work, and travel behavior be revealed by your energy usage?

This may sound like science fiction, but today's smart meters could provide sufficient energy usage data to make it science fact. To address this emerging privacy concern the California Public Utilities Commission recently adopted privacy and security rules for Smart Grid energy usage data.
"The availability of Smart Grid data can help make the energy industry more service oriented. However, we must ensure that consumers and their data are protected from abuse." - Mark J. Ferron, California Public Utilities Commission (CPUC)
The challenge is to protect the privacy of customer usage data while simultaneously enabling data sharing between customers, utilities, and authorized third parties that allows them to improve energy management and conservation.
Managing the privacy of customer energy usage data has many characteristics in common with managing the privacy of medical data. Both types of data, when shared with the appropriate parties, are invaluable for improving process and results. But both sets of data can be abused in a way that violates the norms of personal privacy.
The Key Sections of the Rule
The key sections of the rule prohibit electrical corporations (covered entities) from sharing or disclosing a customer’s energy consumption data (covered information), except as specified, and require such utilities to protect a customer’s unencrypted energy consumption data from unauthorized access, destruction, use, modification, or disclosure.

Moreover, electrical corporations must notify the utility commission within two weeks of any breach affecting 1,000 or more customers. All breaches, regardless of size, must be reported annually.

Who is Covered by the Rule
These privacy rules apply to Pacific Gas and Electric Company (PG&E), Southern California Edison Company (SCE), and San Diego Gas & Electric Company (SDG&E), companies working with the utilities, and other companies that have access to customer usage data directly from the utility.

Your Thoughts
What are your thoughts on this rule? What lessons learned from healthcare privacy should be considered in energy consumption privacy?
Learn how an online service proactively detects breaches of energy data privacy, even by authorized insiders - with no hardware and no on-site software.
(a) CPUC adopts rules to protect the privacy and security of customer electricity usage data - Public Utilities Commission of the State of California, July, 2011
(b) Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission's own Motion to Actively Guide Policy in California's Development of a Smart Grid System (pdf) - Public Utilities Commission of the State of California, July, 2011
(c) Attachments to the Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission's own Motion to Actively Guide Policy in California's Development of a Smart Grid System (pdf) - Public Utilities Commission of the State of California, July, 2011

Healthcare Privacy Report by Deloitte

Deloitte put out an informative whitepaper on "Privacy and Security in Health Care: A fresh look". Here is a quick summary and a link to the whitepaper.

"Healthcare industry stakeholders should act now to prevent compromising sensitive patient data, preserve brand value and avoid substantial financial penalties for violations by building in technology to prevent, monitor and remedy data breaches." - Paul Keckley, Ph.D., executive director of the Deloitte Center for Health Solutions
Learn about a medical records abuse detection service that proactively identifies breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
(a) Privacy and Security in Health Care: A fresh look - Deloitte Center for Health Solutions, February, 2011
(b) Press release on "Privacy and Security in Health Care: A fresh look" - Deloitte Center for Health Solutions, February, 2011

Tuesday, August 16, 2011

Not Enough Health IT Professionals - Today & Tomorrow

Pay Rises for Healthcare IT Professionals as Demand Exceeds Supply

Healthcare information technology (IT) hiring and salaries are experiencing rapid growth. And future demand will outpace supply unless significant changes occur in the delivery of healthcare IT.

The average pay for a healthcare IT job has increased about 7% since 2009 while other industries have seen no change or pay cuts, according to Alice Hill, managing director at career site

Job openings will outstrip the supply of healthcare IT workers by 50,000 positions over the next five years. - U.S. Dept of Health and Human Services and Bureau of Labor Statistics
The key driver of healthcare IT job growth is the transformation of healthcare from paper-based records to electronic patient health information (ePHI), along with the associated patient Web portals and health information exchange (HIE) networks.
Total cash compensation, including bonuses, for healthcare IT staff increased at nearly double the raises of all other industries - InformationWeek 2011 U.S. IT Salary Survey
The government hopes that new graduates and people crossing over from other industries will meet the demand. But industry experts say employers are seeking professionals with previous experience in healthcare.

With all the healthcare organizations that need help deploying electronic health records (EHR), the number of IT professionals with years of experience in healthcare is just too small.

What is your own experience? Are you seeing rising salaries and positions going unfilled? Feel free to share your thoughts and experience in our comments.

Download a whitepaper on a medical records breach detection service that delivers what healthcare privacy officers require - with no hardware and no on-site software.

(a) 2011 Salary Survey - InformationWeek, April, 2011
(b) Where The IT Jobs Are: Healthcare - InformationWeek, July 26, 2011
(c) Health IT Pros Are The New Cinderella - InformationWeek, May 25, 2011
(d) Health IT Tops Jobs List For College Grads - InformationWeek, May 23, 2011
(e) The Workforce Challenge - InformationWeek, December 11, 2010

Monday, August 8, 2011

Managed Services and Cloud Computing Fastest Growing Area of Healthcare Spending in Telecom

Managed services and cloud computing are the fastest growing component of healthcare telecom spending in 2011, according to the market research firm In-Stat.
  • Public cloud computing spending to surpass $1 billion for healthcare in 2013.
  • Healthcare to spend $518 million on IaaS (Infrastructure as a Service) in 2015.
"The healthcare vertical segment, across all sizes of business, and across nearly all product groups, is fast becoming the most robust business vertical segment in US business markets." - Greg Potter, In-Stat analyst
The analyst firm defines the healthcare and social services vertical as the firms providing healthcare and social assistance for individuals, including ambulatory healthcare services, hospitals, nursing and residential care facilities, and social assistance.
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
(a) Healthcare and Social Services Spending on Telecom Services: Wireline Voice, Wireline Data, Wireless, Cloud Computing, and VoIP by Size of Business - In-Stat, August 1, 2011

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.