Thursday, March 31, 2011

Medical Identity Theft is a Growing Threat

George V. Hulme in CSO magazine suggests that criminals may be turning their focus to medical identity theft. He cites experts who claim there are a rising number of incidents where criminals steal medical credentials to obtain medical care, fraudulently bill for services, or sell to other criminals.
"While credit card data will earn a few dollars on the black market, medical and medical insurance account information can sell for hundreds." - Robbie Higgins, VP, security services, GlassHouse Technologies
For the complete article see - Medical identity theft a rising and significant threat
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively detect the theft of a patient's medical credentials - with no hardware and no on-site software.
Sources:
(a) Medical identity theft a rising and significant threat - CSO, March 2011

Wednesday, March 30, 2011

Over 29,000 Breaches of Patient Medical Information Reported to HHS/OCR

Between September 2009 and February 2011, HIPAA covered entities have reported breaches of unsecured protected health information to the HHS Office for Civil Rights, totaling:
  • Over 29,000 breaches of medical privacy impacting fewer than 500 individuals.
  • 241 breaches of medical privacy impacting more than 500 individuals.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
A few recent medical privacy breaches include:
Sources:
(a) Federal Update on HIPAA/HITECH Privacy - 19th HIPAA Summit, March 2011

Tuesday, March 29, 2011

Radiology and the HIPAA/HITECH Privacy and Security Rule

An instructive article on Radiology and the HIPAA privacy rule was recently published by The American Roentgen Ray Society.

“There is an unchallenged view that patient privacy is extremely important,” says Garry Choy, MD, radiologist at Massachusetts General Hospital in Boston. So radiologists must understand the implications of the HIPAA privacy rules for their practices, even though IT administrators have primary responsibility.
"Our duty is to serve our patients, and in addition to our role in using our diagnostic skills to help our patients, we must also protect their best interests, as well as their medical history, diagnoses, and other clinical data." - Garry Choy, MD, radiologist, Massachusetts General Hospital
According to Choy, protecting electronic health records was accomplished by making sure “All our systems have information technology features such as password protection, firewalls, audit trails, and record-access tracking.” Janice Honeyman-Buck, PhD, editor-in-chief of the Journal of Digital Imaging, adds that these healthcare IT security measures are also critical for identifying breaches in electronic health records.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
“The main reason we need to protect patient privacy is that it’s the law,” says Honeyman-Buck. Violations of health care compliance can result in civil, criminal, and malpractice lawsuits, as well as regulatory fines.
“If I were caught doing something I wasn’t supposed to do, I would be fired in minutes.” - Janice Honeyman-Buck, Imaging Informatics Consultant
About the American Roentgen Ray Society (ARRS)
The American Roentgen Ray Society, founded in 1900, is the first and oldest radiology society in the United States. The society is dedicated to the goal of the advancement of medicine through the science of radiology and its allied sciences. The ARRS publishes the American Journal of Roentgenology and the quarterly ARRS InPractice magazine.

Sources:
(a) Who’s Guarding the Data? Radiologists must properly protect patient images—or risk losing their jobs. - InPractice - Quarterly Publication of the American Roentgen Ray Society, Winter 2011 • Volume 5 Issue 1

Monday, March 28, 2011

The High Cost of Medical Identity Theft

Almost 1.5 million Americans are victims of medical identity theft, at an average cost of $20,663 per incident. And when asked who should ensure the privacy of medical records, 80% of respondents put the responsibility on the shoulders of health care organizations.

These findings are from the recently released second annual "National Study on Medical Identity Theft" by the Ponemon Institute.
"these results put an even greater onus on healthcare organizations to make the security of sensitive personal health information a priority in order to protect patient privacy." - Dr. Larry Ponemon, Ponemon Institute
Medical identity theft is someone else using your name, address, Social Security number, and insurance credentials to secure medication or medical services. Alternatively, the thief could use your information to bill for medical services you never received.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively detect the theft of a patient's medical credentials - with no hardware and no on-site software.
Other report findings of relevance to readers of this blog include:
  • 46% learned of the medical identity theft from a collection letter.
  • 37% of victims fear embarrassment if their medical information was stolen.
  • 21% of victims fear the loss of medical coverage.
  • 18% of victims fear a diminished credit score.
Sources:
(a) Medical Identity Theft: The Growing Cost of Indifference - ProtectMyID Blog, March 2011

Sunday, March 27, 2011

Employee Breaches Privacy of 2,250 Patients at Southern California Hospital

The hospital announced it notified 2,250 patients who may have been impacted by a privacy breach in 2009 and 2010 by a former employee working in the central business office.
The hospital "takes this incident seriously and has reviewed computer security procedures and determined that network security was not breached. It will continue to thoroughly review and strengthen its procedures to ensure the highest level of patient privacy possible and take all necessary steps to safeguard personal information." - Hospital statement
The information that was accessed was said to include the patient's name, Social Security number, date of birth, home address, phone number, account number and reason for admittance.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
Sources:
(a) MemorialCare Health System (Memorial Health Services) notified 2,250 patients of privacy breach - PHIPrivacy.net, March 2011

Saturday, March 26, 2011

Government Plans to Inspire Confidence and Trust in Health IT

The "Federal Health IT Strategic Plan: 2011-2015" has been released by the Office of the National Coordinator for Health Information Technology (ONC) under the leadership of David Blumenthal, M.D.

Of particular interest to readers of this blog is Goal III - “Inspire Confidence and Trust in Health IT”. This section focuses on efforts to update the health care industry's approach to IT privacy and security issues.
"The digitization of health records will create a new set of challenges for protecting the privacy and security of health information, but it will also open new opportunities for improving safeguards." - "Federal Health Information Technology Strategic Plan, 2011 – 2015"
One of the key points of Goal III is that the "ONC is engaged in an ongoing effort to disseminate best practice resources to providers to help equip them with the latest information, so as to avoid common challenges to safe and effective implementation and use of EHRs and other health IT."

Click here to download the report - the Federal Health IT Strategic Plan: 2011-2015.

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
The Plan was first published in 2008 and is being updated to reflect the significant changes in health care over the past 2 years. The public is encouraged to provide comments on the plan through April 22, 2011. David Blumenthal's successor at the ONC will oversee efforts to incorporate the comments and issue a final version of the plan.

Sources:
(a) ONC Seeks Public Comment on the Federal Health IT Strategic Plan: 2011-2015 - http://www.healthit.gov/buzz-blog/from-the-onc-desk, March 2011

Friday, March 25, 2011

Cost of Patient Privacy Breaches to be Examined by the American National Standards Institute (ANSI)

ANSI has announced a project to examine the financial impact of patient information breaches. Veriphyr's Nicole Borner will be participating on the project team.

The project will identify existing legal protections related to protected health information (PHI), define the parts of the healthcare ecosystem with the highest risk of compromise, and assess the financial impacts of the disclosure of PHI.
Download a white paper on patient privacy breach detection as a service. Learn how a service can cost effectively audit users accessing electronic protected health information - with no hardware and no on-site software.
The American National Standards Institute (ANSI) is leading the project via its Identity Theft Prevention and Identity Management Standards Panel (IDSP) and working in partnership with the Shared Assessments Program and its Healthcare Working Group.
"Organizations that are custodians of healthcare data are grappling with how to calculate their risk exposure when PHI is lost or stolen. The ANSI/Shared Assessments PHI Project will inform their investment decisions to protect PHI." - Rick Kam, Chair of ANSI/Shared Assessments PHI Project
Professionals from across the industry will be part of this initiative, including representatives from data security companies, identity theft protection providers and research organizations, legal experts on privacy and security, standards developers, and others.

For those interested in participating, there will be a two-hour conference call on April 7, 2011, from 12:00 p.m. to 2:00 p.m. Eastern. Send an email to idsp@ansi.org to join in the work effort over the next few months.

Sources:
(a) ANSI and Shared Assessments Launch Initiative to Examine Financial Impact and Harm of Breached Patient Information - American National Standards Institute (ANSI), March 2011
(b) American National Standards Institute (ANSI)
(c) Identity Theft Prevention and Identity Management Standards Panel (IDSP)
(d) Shared Assessments Program


Thursday, March 24, 2011

Identity and Access Management Must Do More than Just "Control", It Must Also "Observe" and "Inform"

Gartner Group analyst Earl Perkins has a thoughtful blog discussing how Identity and Access Management (IAM) is about more than just "control". He points out that "observing" and "informing" are equally important if IAM is to successfully deliver value to the business.
"It is necessary to inform key stakeholders and participants in IAM on what exactly is happening, whether the purpose is to improve the IAM process itself, or to inform the business with key identity-indexed knowledge to make good decisions." - Earl Perkins, Research VP, Gartner Group
This is a critical point given the controversy stirred up by Gartner's UK conference regarding Identity and Access Intelligence (IAI). Many classic "control-oriented" IAM suite vendors argued that "control" is the be-all and end-all of IAM, and that the "observe" and "inform" functions of IAI were somehow illegitimate siblings.
"Control, observe, and inform. Keep these themes in mind when you’re striving to create an optimum IAM experience in your organization. That way you will be able to see the entire forest, rather than just the trees." - Earl Perkins, Research VP, Gartner Group
Earl nicely lays out the case that IAM and IAI are complements. That is what the industry needs to focus on, not choosing between IAM and IAI, but working to deliver both and enabling more successful IAM implementations.
Learn how an Identity and Access Intelligence Service can cost effectively improve the effectiveness of IAM and deliver business intelligence - with no hardware and no on-site software.
Sources:
(a) IAM: To Control, Observe, and Inform - Earl Perkins, Gartner Group, March 2011

Wednesday, March 23, 2011

Deceased Patient Records - What is Appropriate Access?

Even after death patients retain a right to medical records privacy. The laws defining appropriate and inappropriate access to medical records of the deceased can be confusing and frustrating. The American Health Information Management Association (AHIMA) had a recent article covering the key questions about appropriate access.
“If it is your medical information or your mother’s, and something happens to you or her, do you want everybody in your family poking around in that stuff?” “If the answer to that question is no, then you can’t be mad at HIPAA for making a person go and become the personal representative of a deceased patient’s estate. Because that is precisely what it is intended to do - to stop people from poking around in your stuff.” - Barry Herrin, JD, Smith Moore Leatherwood LLP
For more on this topic see: journal.ahima.org/2011/03/23/accessing-deceased-patient-health-records-faq
Sources:
(a) Accessing Deceased Patient Records—FAQ - Journal of AHIMA, March 2011
(b) Who Has Rights to a Deceased Patient’s Records? - Journal of AHIMA, April 2009

Tuesday, March 22, 2011

Medical technician snoops on the electronic personal health information (ePHI) of her ex-husband's girlfriend

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital's failure to comply with the Personal Health Information Protection Act (PHIPA).
"The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective." - Information and Privacy Commissioner Ann Cavoukian
The problem began when one of the hospital's diagnostic imaging technologists accessed the medical records of her ex-husband's girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.
Download a white paper on patient privacy breach detection as a service. Learn how a service can cost effectively address PHIPA - with no hardware and no on-site software.
Commissioner Cavoukian faulted the hospital for:
  • Failing to inform the victim of any disciplinary action against the perpetrator.
  • Not reporting the breach to the appropriate professional regulatory college.
  • Not following up with an investigation to determine if policy changes were required.
"The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure ... unless all the details of the investigation have been disclosed." - Information and Privacy Commissioner Ann Cavoukian
It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologist had accessed the victim's medical files six times over 10 months.
The information inappropriately accessed included "doctors' and nurses' notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details ... and scheduled medical appointments." - Information and Privacy Commissioner Report
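The radiology post above notes that audit trails and record-access tracking are what make breaches in electronic health records identifiable, and the Ottawa case shows what happens without that analysis: six accesses to one patient's chart over 10 months surfaced only because the victim complained. The following is an added example, not code from the original post, the hospital, or the Commissioner's report, of the detection logic an auditing service applies to that kind of log. It assumes a simple CSV audit trail (timestamp, user, patient, action) and a table of documented care relationships, both constructed here; the user and patient identifiers are hypothetical. Any access with no care relationship is reported, and repeated access by the same user to the same patient is escalated to an alert with the count and the span of days it covers.

```python
"""Flag EHR chart accesses that have no documented care relationship,
and escalate repeated access by one user to one patient's record."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data). Columns:
# timestamp, user id, patient id, action. tech042 has an assignment to
# P1001 only, yet reads P2002's chart six times across ten months.
AUDIT_LOG = """\
timestamp,user,patient,action
2010-01-05T09:12:00,tech042,P1001,VIEW_IMAGING
2010-01-05T09:40:00,tech042,P2002,VIEW_NOTES
2010-02-11T14:03:00,tech042,P2002,VIEW_LABS
2010-02-11T14:10:00,rn017,P2002,VIEW_NOTES
2010-04-02T08:55:00,tech042,P2002,VIEW_IMAGING
2010-06-18T16:20:00,tech042,P2002,VIEW_NOTES
2010-06-18T16:25:00,tech042,P1001,VIEW_IMAGING
2010-08-30T11:47:00,tech042,P2002,VIEW_APPOINTMENTS
2010-10-20T13:05:00,tech042,P2002,VIEW_NOTES
2010-10-20T13:30:00,rn017,P1001,VIEW_NOTES
"""

# Constructed care-relationship table: (user, patient) pairs derived from
# encounter or care-team assignments. An access outside this table has no
# documented clinical reason and is treated as "unexplained".
CARE_RELATIONSHIPS = {
    ("tech042", "P1001"),
    ("rn017", "P1001"),
}


def parse_audit_log(text):
    """Parse the CSV audit trail into dicts with a real datetime timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        rows.append(rec)
    return rows


def unexplained_accesses(rows, relationships):
    """Every access whose (user, patient) pair has no care relationship."""
    return [r for r in rows if (r["user"], r["patient"]) not in relationships]


def repeated_access_alerts(rows, min_accesses=2):
    """Group unexplained accesses by (user, patient) and alert on repeats.

    A single stray lookup may be a misclick; the same user returning to the
    same chart again and again with no assignment is the snooping pattern.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["user"], r["patient"])].append(r["timestamp"])

    alerts = []
    for (user, patient), stamps in by_pair.items():
        if len(stamps) < min_accesses:
            continue
        stamps.sort()
        alerts.append({
            "user": user,
            "patient": patient,
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_days": (stamps[-1] - stamps[0]).days,
        })
    # Most persistent access pattern first.
    alerts.sort(key=lambda a: (-a["count"], a["user"], a["patient"]))
    return alerts


def run_report(log_text=AUDIT_LOG, relationships=CARE_RELATIONSHIPS, min_accesses=2):
    """Return (all unexplained accesses, alerts for repeated ones)."""
    rows = parse_audit_log(log_text)
    unexplained = unexplained_accesses(rows, relationships)
    return unexplained, repeated_access_alerts(unexplained, min_accesses)


if __name__ == "__main__":
    unexplained, alerts = run_report()
    print(f"{len(unexplained)} accesses with no documented care relationship")
    for a in alerts:
        print(f"ALERT {a['user']} -> {a['patient']}: {a['count']} accesses "
              f"over {a['span_days']} days ({a['first'].date()} to {a['last'].date()})")
```

Run against the constructed log, the report lists seven accesses with no care relationship and raises one alert: tech042 reading P2002's chart six times over 288 days. The single access by rn017 is listed but not escalated, which is the point of the threshold: the repeat pattern, not any one lookup, is what a privacy officer needs to review first. In practice the care-relationship table is built from the EHR's encounter and scheduling data rather than hand-coded.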
Sources:
(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information (Now behind paywall) - Ottawa Citizen, January 2011
(b) Victim of privacy breach wants hospital to explain - phiprivacy.net, November 2010

Health Information Breaches Involving More than 500 People Affect Nearly 8.3 Million

The list of health information breaches affecting over 500 patients maintained by the Office for Civil Rights (OCR) has reached over 249 incidents affecting nearly 8.3 million individuals between September 2009 and March 2011.

Go here to view the incident reports - List of breaches of unsecured protected health information
Download a white paper on patient privacy breach detection as a service. Learn how a service can cost effectively audit users accessing electronic protected health information - with no hardware and no on-site software.
Sources:
(a) Health Information Privacy - U.S. Department of Health & Human Services, March 2011

Monday, March 21, 2011

Patient Privacy Breaches — A Growing Crisis?

Here is an interesting podcast on Healthcare Business Network. The podcast discusses HIPAA privacy breaches, the number reported over the past few years, and the difference between small and high breach cases.

To hear the podcast click www.hbnradioshow.com

Download a white paper on medical records privacy breach auditing as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy rules - with no hardware and no on-site software.
Sources:
(a) Patient Privacy Breaches — A Growing Crisis? - Healthcare Business Network, March, 2011

Sunday, March 20, 2011

Bigger Budget to Increase Enforcement of HIPAA/HITECH Privacy and Security Rules

In order to increase enforcement of HIPAA privacy and security rules, the HHS/OCR has requested a budget increase of 13.5%. Many expect this to survive Congress on the belief that increased HIPAA fines could "easily offset" the $5.6 million budget increase.
OCR's recent actions "should be seen as foreshadowing much more enforcement activities to come." - Rebecca Herold, privacy & security specialist
The increased funding requests from the office, headed by Georgina Verdugo, include:
  • $1.3 million to expand investigation of small healthcare information breaches.
  • $1 million to expand enforcement of HIPAA security and privacy rules.
  • $2.3 million for 10 regional privacy advisers.
  • $1 million to create a "compliance review program".
The OCR's $46.7 million budget request is separate from its HITECH Act-mandated HIPAA compliance audit program as that is funded by the economic stimulus package.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
Sources:
(a) More HIPAA Enforcement Funding Sought - HealthcareInfoSecurity.com, March, 2011

Personal Data from Texas Hospital Used in ID Theft

A Texas resident was arraigned for using Social Security numbers taken from a Texas hospital to open more than 100 fraudulent accounts.
The stolen identities appear to have been taken from the accounts payable division of the hospital, but how the thief acquired them is still under investigation.
According to the hospital, which has been working with authorities for months on the investigation, 49 people were affected by the identity thefts, all doctors or vendors. No patient data was involved in the identity theft.

The hospital has contacted the 14,000 people whose identities may have been accessed and is offering two years of credit monitoring services.

Sources:
(a) Pearland man accused of ID theft - Data of Texas Children's doctors used in scam - Houston Chronicle, March, 2011

Friday, March 18, 2011

Gartner: IAM Data + Business Data = Intelligence

Here is more commentary on the 2011 Gartner Summit on Identity and Access Management (IAM).

An article in Computer Weekly asks if "IAM may be headed for a renaissance as organizations find ways to get more value out of these systems by viewing them as an information asset."

That would certainly seem the message of the Gartner analysts quoted in the article.
"Joining together data in IAM systems and security logs with other data could be massively valuable to both IT and the business." - James Richardson, BI research director at Gartner
At Veriphyr we agree and our Identity and Access Intelligence Service delivers business intelligence by applying advanced analytics to a combination of data from IAM and core business systems.
"By linking up the wealth of data stored in IAM systems with business data, IT can justify investment in IAM by helping create real business benefit through enabling better decisions based on a wider spread of data." - Earl Perkins, research vice-president at Gartner
Perkins gives the example of how IAM data can connect seemingly anonymous processes to specific individuals and ensure everyone is accountable for their action. This also allows the "business to know 'who is doing what and when' to help understand behaviors and decision-making processes."

Today companies in healthcare, banking, brokerage, gaming, and utilities are enhancing their operations by combining data from IAM and business systems to gain insights on their business challenges.

Learn more about Veriphyr Identity and Access Intelligence Service. Learn how an on-demand, pay-per-use service can cost effectively deliver business intelligence - with no hardware and no on-site software.
Gartner predicts that by 2014 more than 80% of successful IAM projects will be process-driven to achieve IAM intelligence.

Sources:
(a) Has IAM reached the end of the road, or is it about to turn a corner? - Computer Weekly, March, 2011
(b) IAM failures will shift focus to intelligence by 2014, says Gartner - Computer Weekly, March, 2011

Monday, March 14, 2011

HHS/OCR Gets Serious About Enforcing HIPAA Privacy Rule

Government Information Security has an educational interview with Susan McAndrew, the person responsible for implementing and enforcing the HIPAA privacy rule. Her overall message was "there will be enforcement consequences for failure to comply with HIPAA privacy and security obligations." Here are some of the most interesting quotes from the deputy director of the Department of Health and Human Services' Office for Civil Rights.

On the recent fines for violations of the privacy rule:
"we will be vigorously enforcing these requirements, and, with the increased penalties that are available to use under the HITECH Act, covered entities need to pay attention and take whatever steps they can to prevent complaints in the first place by meeting their obligations to the fullest." - Susan McAndrew deputy director of the HHS/OCR
On plans to train state attorneys general on how to file federal HIPAA civil lawsuits:
"It is always the hope that once they fully appreciate what the HIPAA privacy and security rules are all about that they will be anxious to add them to the general privacy protections that already exist in their state." - Susan McAndrew deputy director of the HHS/OCR
On the OCR's investigations into the more than 240 major health information breaches reported under the HITECH Act breach notification rule:
"To the extent that there is a need to enter into a long-term resolution agreement and corrective action plan with the covered entity to properly remedy what happened, we will do so." - Susan McAndrew deputy director of the HHS/OCR
Learn how to effectively address medical snooping by downloading a white paper on patient privacy auditing as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy rules - with no hardware and no on-site software.

Sources:
(a) OCR's McAndrew on Enforcing HIPAA - www.govinfosecurity.com, March, 2011

Saturday, March 12, 2011

Gartner IAM Summit in UK - Identity and Access Intelligence

A hot topic at the Gartner IAM Summit in the UK was Identity and Access Intelligence. Travis Spencer had some interesting commentary on the topic that I quote here.
"One of the first keynotes which James Richardson delivered was about transforming IAM by coupling it w/ BI." "This notion of marrying IAM w/ BI was picked up by other Gartner analysts like Earl Perkins who discussed how the value of IAM is increased through identity and access intelligence." "Perry Carpenter's...said that he thinks the focus of the IAM industry will shift to intelligence through the end of 2013. Talking to other attendees in the evening, however, some thought it was just something new to say to make Gartner sound forward-thinking and insightful. Others found the juxtaposition spot on."
For more see: travisspencer.com/blog/2011/03/gartner-iam-summit-2011----day.html

Friday, March 11, 2011

HIPAA Civil Lawsuit Training Offered by Federal Government for State Attorneys General

There is a new emphasis on HIPAA enforcement at the Department of Health and Human Services' Office for Civil Rights (HHS/OCR). The latest example is a program to train state attorneys general in how to file a HIPAA federal civil lawsuit.
"State attorneys general will be better prepared to carry out their new authority under the HITECH Act in enforcing HIPAA." - Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights.
The training for the attorneys general and their staffs will be offered in Dallas, Atlanta, Washington, and San Francisco. OCR will pay all expenses for two members of each state's attorney general's office to attend the training. "Once those meetings are completed, we'll have computer-based training available as well," said Susan McAndrew at the HHS/OCR.
Download a white paper on patient privacy auditing as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy rules - with no hardware and no on-site software.
The training was announced at the National HIPAA Summit in Washington. Also announced was that the planning for the long-delayed HIPAA compliance audit program, mandated under the HITECH Act, is continuing, with a pilot of one or more audit models likely to take place later this year. McAndrew, however, declined to say whether the actual audit program could be launched by year's end.
"We are serious about HIPAA enforcement." - Valerie Morgan-Alston, HHS/OCR deputy director for enforcement and regional operations
Sources:
(a) State AGs to Get HIPAA Lawsuit Training - govinfosecurity.com, March, 2011

Wednesday, March 2, 2011

Hospital Agrees to $1 Million Fine for Violation of HIPAA Privacy Rule

Massachusetts General Hospital (MGH) and its physicians organization have agreed to pay the federal government $1,000,000 in fines for violation of the HIPAA privacy rule.

In addition, an outside organization will conduct assessments of MGH and submit semi-annual compliance reports to the U.S. Department of Health and Human Services (HHS) for the next three years.

In addition, MGH agreed to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules.
"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules." - Georgina Verdugo, Director of U.S. Department of Health and Human Services Office of Civil Rights
The OCR opened an investigation after a 2009 complaint from a patient whose personal health information (PHI) was compromised. The investigation discovered that 192 patients from Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, had their ePHI compromised.

Sources:
(a) Massachusetts General Hospital settles potential HIPAA violations - HHS Press Office, February 2011
(b) HHS Resolution Agreement and Corrective Action Plan - U.S. Department of Health and Human Services, February 2011
(c) Mass. General to pay $1M to settle privacy claim - Boston Business Journal, February 2011

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.