Tuesday, May 31, 2011

Breaches Lead to Push to Protect Medical Data

The New York Times reports that the Obama administration is concerned that widely publicized data breaches in health care organizations will hamper its efforts to promote the adoption of electronic health records (EHR) technology.

This opinion follows a report from the Office of the Inspector General of the Department of Health and Human Services, which recently examined hospitals in seven states and issued a report highlighting numerous severe vulnerabilities in systems responsible for safeguarding patient privacy. OIG auditing teams will expand their investigation to include eight more hospitals suspected of weaknesses in controls over security and privacy of protected health information.
Researchers at Carnegie Mellon University have shown that at least 30 people and organizations have access to the health data of a typical person with private insurance through an employer. - New York Times
The administration's likely response will be in the form of increased enforcement activity and more stringent fines for health care organizations that have failed to fully implement controls required by the HIPAA privacy and security rules.

The problem is compounded by the nature of the information itself, which needs to be accessible in order to provide effective and timely health care. As a result, health care information systems are typically designed to "fail open": rather than deny access when authorization is uncertain, they grant medical personnel broad access to patient data so that necessary treatment can proceed, and rely on after-the-fact review of access logs to catch misuse.

To mitigate access control weaknesses without impeding patient care, health care organizations are looking to review access to electronic medical records using technology based on identity and access intelligence (IAI). IAI analyzes patterns of medical records access by correlating stores of user identities, application and system entitlements, and user activity logs. By comparing what information was accessed, when, and by whom, with the user's privileges and role, IAI systems indicate whether access to patient data was valid or whether a policy exception (such as medical records snooping) has occurred.
Learn how Veriphyr's Identity and Access Intelligence deters snooping into medical records and other violations of HIPAA security and privacy rules.
Sources:
Breaches Lead to Push to Protect Medical Data - The New York Times, May 30, 2011


Podcast: Veriphyr Identity and Access Intelligence


Mike D'Agostino of BankInfoSecurity.com interviews Veriphyr CEO Alan Norquist about the problems of compliance and security over user access to confidential information, medical records snooping, and how Veriphyr's SaaS Identity and Access Intelligence delivers increased security against insider threats - with no hardware and no on-site software. 

Sunday, May 22, 2011

More Hospital Audits to Find HIPAA Security Rule Violations

Recommendation of Report by Inspector General for Health and Human Services

More government audits of hospitals and increased enforcement of the HIPAA Security Rule were the chief recommendations of the Office of the Inspector General (OIG) in its report on the Department of Health and Human Services' Office for Civil Rights (HHS/OCR).

According to the OIG report, HHS/OCR oversight and enforcement actions were insufficient to ensure hospitals effectively implement the HIPAA Security Rule. As a result, the government had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise.
"Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge." - Daniel R. Levinson, Inspector General of HHS
The report is based on seven audits of hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. These audits focused primarily on the hospitals’ implementation of the HIPAA Security Rule, including the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively implement the HIPAA Security Rule - with no hardware and no on-site software.

Audits Found 151 Vulnerabilities, 124 of Them High Impact
The OIG's audits identified 151 vulnerabilities, of which 124 were determined to be high impact. High impact means the vulnerability could significantly violate, harm, or impede the hospital's mission, reputation, or interests, or result in human death or serious injury.

While each of the hospitals had implemented some controls to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule.

For the OIG's complete report see - Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Sources:
(a) Press Release - HHS Office of Inspector General, May 16, 2011
(b) Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight - HHS Office of Inspector General, May 16, 2011


Saturday, May 14, 2011

Casinos are Tempting Target for Computer Crime

A Las Vegas casino fended off 860,000 attempts to hack into the computer system in a single month according to the former head of security at the Venetian.

David Shepherd, CEO and chief preparedness officer of Las Vegas-based Readiness Resource Group, spoke on computer security threats facing casinos to 200 security officers attending the International Tourism Safety Conference at the Golden Nugget.
Las Vegas resorts are an obvious target for external and internal cyber threats because of the personal information and financial records of guests enrolled in loyalty programs.
Shepherd argued that a key responsibility for tourism companies is to make sure they do not become a part of the terrorism financing chain: “It takes money to finance something as big as 9/11."

“The most important thing you can do is ask the questions,” Shepherd said. “The two most important words are ‘what if.’ You don’t want to be asking ‘what if’ after the fact.”
Learn how Veriphyr's Identity and Access Intelligence as a service delivers increased security against insider threats - with no hardware and no on-site software.
Sources:
(a) Security expert says casino databases tempting target for cyberterrorism - VegasInc, May 12, 2011


Thursday, May 12, 2011

Electronic Medical Records Security and Privacy - Cover Story


This month's cover story in "For the Record" is a good overview of the IT security issues healthcare organizations face as they transition from paper-based protected health information (PHI) to electronic protected health information (ePHI).

Traditional approaches to detecting inappropriate access to electronic health records require dedicated IT staff and burden privacy and compliance officers with huge volumes of activity logs to investigate. The problem lies in static rules and scenarios that yield too many false positives and false negatives.

For example, traditional approaches cannot differentiate between appropriate access by a nurse looking at the records of a current patient and inappropriate access when the same nurse looks at the records of the same patient after the patient has been transferred to a different unit where the patient is under the care of a different nurse.

Only a combination of privacy training and a reliable medical snooping detection capability will deter unauthorized access by employees.
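The distinction drawn above can be mechanised with a care-relationship check: each chart access is compared against where the patient was at that moment (from the ADT admit/discharge/transfer feed) and which unit the user was staffed to at that moment. The following Python is an added illustration written for this page; it is not Veriphyr's product code and not code from the For the Record article. The key=value audit log format, the ADT and staffing tables, and the patient and user identifiers are all constructed sample data.

```python
"""Care-relationship check over EHR access logs (added example, constructed data).

A nurse reading the chart of a patient on the nurse's own unit is expected;
the same nurse reading the same chart after the patient has been transferred
to another unit has no care relationship and is flagged for review.
"""
import re
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed ADT history: patient -> [(time, unit)], sorted by time.
# A unit of None means the patient was discharged at that time.
TRANSFERS: Dict[str, List[Tuple[datetime, Optional[str]]]] = {
    "P100": [(datetime(2011, 5, 1, 8, 0), "ICU"),
             (datetime(2011, 5, 2, 14, 0), "MED-4")],   # transferred out of ICU
    "P200": [(datetime(2011, 5, 1, 12, 0), "MED-4")],
}

# Constructed staffing assignments: user -> [(shift start, shift end, unit)].
STAFFING: Dict[str, List[Tuple[datetime, datetime, str]]] = {
    "n.jones": [(datetime(2011, 5, 1, 7, 0), datetime(2011, 5, 3, 7, 0), "ICU")],
    "r.lee":   [(datetime(2011, 5, 2, 7, 0), datetime(2011, 5, 3, 7, 0), "MED-4")],
}

# Constructed audit log lines in a key=value format assumed for this example.
SAMPLE_LOG = """\
2011-05-01T09:15:00 user=n.jones patient=P100 action=view_chart
2011-05-02T16:40:00 user=n.jones patient=P100 action=view_chart
2011-05-02T16:45:00 user=r.lee patient=P100 action=view_chart
2011-05-02T17:00:00 user=n.jones patient=P200 action=view_chart
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$")


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    access: Access
    patient_unit: Optional[str]
    user_units: Tuple[str, ...]
    reason: str


def parse_line(line: str) -> Access:
    """Parse one audit line; refuse anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return Access(datetime.fromisoformat(m["ts"]), m["user"], m["patient"], m["action"])


def patient_unit_at(patient: str, ts: datetime) -> Optional[str]:
    """Unit the patient occupied at ts per ADT history; None if unknown or discharged."""
    history = TRANSFERS.get(patient, [])
    times = [t for t, _ in history]
    i = bisect_right(times, ts)          # last ADT event at or before ts
    return history[i - 1][1] if i else None


def user_units_at(user: str, ts: datetime) -> Tuple[str, ...]:
    """Units the user was staffed to at ts (a float nurse may have several)."""
    return tuple(unit for start, end, unit in STAFFING.get(user, []) if start <= ts < end)


def evaluate(access: Access) -> Optional[Finding]:
    """Return a Finding when the access lacks a care relationship, else None."""
    p_unit = patient_unit_at(access.patient, access.ts)
    u_units = user_units_at(access.user, access.ts)
    if p_unit is None:
        return Finding(access, p_unit, u_units, "patient not on any unit at access time")
    if p_unit not in u_units:
        return Finding(access, p_unit, u_units,
                       f"patient on {p_unit}, user staffed to {u_units or 'no unit'}")
    return None


def review(log_text: str) -> List[Finding]:
    """Run the check over a whole log and return only the flagged accesses."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            finding = evaluate(parse_line(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.access.ts.isoformat()} {f.access.user} -> {f.access.patient}: {f.reason}")
```

Run as a script it flags two of the four lines: n.jones reading P100 at 16:40 after the transfer to MED-4, and n.jones reading P200, who was never on the ICU; the 09:15 read and r.lee's read pass. A production version needs exemptions for legitimate cross-unit roles (consulting physicians, transport, break-the-glass emergency access) or it reproduces the false positives the article complains of, and it depends on the ADT feed being accurate, since a late-recorded transfer time hides exactly the access this check exists to find.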
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
Read the rest of the article in For the Record

Sources:
(a) Finding Holes in IT Security - For The Record, Vol. 23 No. 8 P. 10, April 25, 2011
(b) For The Record - Digital Edition - Vol. 23 No. 8 P. 10, April 25, 2011

Wednesday, May 11, 2011

How Identity and Access Intelligence
Maximizes Identity and Access Management

Organizations implementing identity and access management (IAM) solutions are looking for a shorter path to business value and improved return on investment (ROI) from their IAM implementation.

Identity and Access Intelligence (IAI) is an emerging solution that was recognized by Gartner in 2010. But what is IAI and how can it dramatically improve your business? A new IAI article in Enterprise System Journal provides a clear overview every manager should read.
"Identity and access intelligence (IAI) solutions mine identity, rights, and activity data for intelligence that is useful to the operation of the business, as well as to the deployment of an IAM system. It can accelerate IAM, and once IAM is in production, serve as an analytical layer that augments IAM." - Article in Enterprise System Journal
IAI uses an analytical process to discover user rights and activity patterns hidden in directory, application, system, and network data. The output of the analysis provides insight into user behavior patterns delivered in a format that business managers can easily understand and use to improve decisions about business processes, asset utilization, and security.

To read the rest of the article go to Enterprise System Journal
Learn how Veriphyr's Identity and Access Intelligence as a service delivers business insights - with no hardware and no on-site software.

Tuesday, May 10, 2011

SEC Study Recommends Not Expanding Sarbanes-Oxley
404(b) Exemption to Medium Size Companies

The Securities and Exchange Commission (SEC) just published a study which concludes that the controversial Section 404(b) of the Sarbanes-Oxley Act should continue to be required for companies with a market capitalization between $75 million and $250 million.

The study is the result of a Dodd-Frank Act mandate that the SEC consider exempting certain types of companies from Section 404(b) of the Sarbanes-Oxley Act.
"The staff did not find any specific evidence that such potential savings [from eliminating the auditor attestation provisions of Section 404(b)] would justify the loss of investor protections and benefits to issuers." - Report by the staff of the Office of the Chief Accountant of the SEC
On the issue of the 404(b) requirement's influence on companies going public on US markets, the report admits that "the research regarding the reasons for listing decisions is inconclusive" but goes on to say that "the evidence does not suggest that granting an exemption ... would, by itself, encourage companies in the United States or abroad to list their IPOs in the United States."
Cut the time and expense of user access compliance. See how Identity and Access Intelligence as a service assures compliance - with no hardware and no on-site software.
Sources:
(a) Study and Recommendations on Section 404(b) of the Sarbanes-Oxley Act of 2002 For Issuers With Public Float Between $75 and $250 Million - Staff of the Office of the Chief Accountant of the U.S. Securities and Exchange Commission, April, 2011

Monday, May 9, 2011

32 People Fired over Violation of HIPAA Patient Privacy Rule at Minneapolis Hospitals

32 employees at two Minneapolis hospitals were fired for violating the federal patient privacy rules. The employees are accused of snooping on the electronic medical records (EMR) of 12 patients who were treated last March for an overdose of a designer drug named "2C-E".
"We take our obligation to protect patient privacy very seriously. Anything short of a zero tolerance approach to this issue would be inadequate." - David Kanihan, Allina Director of Marketing and Communications
The employees were discovered as part of an audit of who accessed high-profile patients' medical records. The hospital's investigation determined that the employees had no legitimate patient care reasons to look at the information.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.

Sources:
(a) VIDEO - Allina Fires 32 Over HIPAA Violations Tied to Blaine 2C-E Overdose - Fox Channel 9 News, May 8, 2011
(b) Allina fires 32 employees over patient privacy - NBC KARE Channel 11 News, May 7, 2011


Saturday, May 7, 2011

Violation of HIPAA Privacy Rule = Bad Press and PR

"Fines are only part of the penalty [for violating healthcare regulations]. It’s the bad PR and bad news about the practice and the physician’s procedures when patient data is lost or stolen that will really hurt the practice.” - John Brewer, founder and owner of MedTech USA, LLC
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
Sources:
(a) Taking Patient Privacy to the Next Level - Medical Office Today


Wednesday, May 4, 2011

Doctor's Receptionist Arrested for Patient Identity Theft

The receptionist at a Chicago healthcare practice was arrested for identity theft and for being the "organizer of a continuing financial crimes enterprise". The receptionist's accomplice withdrew cash from a local bank using a fake ID that had the accomplice's picture but the patient’s personal information.

The bank has reimbursed each of the 26 known victims, but police believe there may be more victims and the amount of the fraud may exceed the $125,000 identified to date.
"She’s in a position of trust. You feel comfortable and here she is. She’s taking your information. I think that’s pretty bold." - Chicago police detective Christine Jalloway
The investigation began when several women in the same geographic area reported bank fraud. The police found that a commonality among the victims was their healthcare provider.
Learn how an on-demand, pay-per-use patient privacy breach detection service can cost effectively catch violations of HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
The owner of the healthcare practice was alerted by the Chicago Police Department Financial Crimes Division that it was investigating a matter involving one of its employees.
"We take information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect our patients." - Lawyer for the healthcare practice
Sources:
(a) Chicago Police Crack ID Fraud At Doctor’s Office - CBS Chicago (chicago.cbslocal.com), April 26, 2011

Patient Data Privacy is Top Priority for New Head of the ONC

Patient privacy was highlighted in a recent interview by Farzad Mostashari, the new head of the Office of the National Coordinator for Health IT (ONC).
"We need to ensure and maintain the public's trust in health information systems ... to have the confidence that the information is secure where it's kept, where it's moving, and also that their privacy rights are protected." - Farzad Mostashari, head of ONC
Mostashari also emphasized increased enforcement of the HIPAA privacy rule and security rule by the Department of Health and Human Services' Office for Civil Rights (HHS/OCR). "OCR recently imposed such civil monetary penalties for entities that violated [HIPAA], and I think we're going to see continued cases like that."
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
Sources:
(a) ONC's Mostashari Outlines Priorities - HealthcareInfoSecurity.com, May 3, 2011


Sunday, May 1, 2011

"Regulatory Compliance" - #1 Issue for Information Systems Audit and Control Professionals

Regulatory compliance topped the list of business issues according to a recent survey by ISACA, a global organization for information security, audit, control, and governance professionals.

Issues within regulatory compliance were managing and sharing personally identifiable information (PII), the costs associated with required controls, compliance process management, and the segregation of duties and privileged access monitoring.
"Keeping up with the ever evolving legislative and regulatory requirements is time consuming and expensive as IT must design and maintain systems." - ISACA Survey Report
The top seven business issues identified by the survey are
  • Regulatory compliance
  • Enterprise-based IT management and IT governance
  • Information security management
  • Disaster recovery/business continuity
  • Challenges of managing IT risks
  • Vulnerability management
  • Continuous process improvement and business agility
Cut the time and expense of user access compliance. See how Identity and Access Intelligence as a service addresses user access compliance - with no hardware and no on-site software.
The results are based on 2,405 responses to a survey sent to 46,101 ISACA members. The survey was conducted between October 12 and November 19, 2010.

About ISACA
ISACA is a global organization for information security, audit, control, and governance professionals. The ISACA information systems auditing and control standards are followed by practitioners worldwide.

Sources:
(a) ISACA - Top Business/Technology Issues Survey Results 2011 (registration required) - ISACA, 2011

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.