Tuesday, October 25, 2011

ACP Recommends Privacy Safeguards for Patients

The American College of Physicians (ACP) has issued a position paper, "Health Information Technology and Privacy," which argues for restrictions on the sharing of patient data, including restrictions on the sale of patient data to third parties. At the same time, the ACP is concerned that physicians not be burdened with excessive regulatory restrictions on uses of patient data that inhibit the sharing of medical data for treatment purposes or blunt the adoption of electronic health record (EHR) technology. In the words of the ACP:

"A balance needs to be achieved between the need for complete, accurate, and available medical records and the requirement that all protected health information be secure and confidential to serve the best interests of the patient."

While the ACP agrees that patients should have the right to know about disclosures of their health information, it argues that health care providers should be able to put reasonable constraints on how that right is exercised:

"Providers should be permitted a reasonable period to comply and to charge the patient a fee that is based on the cost of providing the information."

A few months ago, we wrote about California's effort to provide patients with an audit history of access to their medical records, as well as of modifications and deletions. The growing initiative to give patients an access history for their health information, spearheaded by HHS and several states, will challenge health care compliance and privacy officers who are already taxed keeping up with violations of patient privacy.

To cope with the emerging reporting challenges, and to minimize provider workload and costs, health care providers can turn to a new generation of data analytics applications that import raw access data from conventional EHR systems and analyze patient record transactions in ways not previously possible: correlating who touched which record, when, and whether that user had a documented relationship with the patient. Delivered as SaaS, these analytical intelligence solutions let compliance and privacy personnel adapt to new reporting requirements as regulations change, without diverting IT personnel to installation, configuration, and custom development of site-deployed software.
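The kind of analysis the paragraph above describes, as an added example that is not Veriphyr's code or any EHR vendor's export format: constructed access-log lines are correlated with an identity roster and with documented treatment relationships to (1) produce the per-patient access history a patient could request and (2) flag accesses that warrant review, including accesses by authorized users with no relationship to the patient, activity from an account HR lists as terminated, self-lookups, and break-the-glass emergency access. The log layout, field names, and review rules are assumptions for illustration.

```python
"""Patient-privacy audit over EHR access-log lines.

Added example with constructed data; field names and policy rules are
assumptions, not Veriphyr's or any EHR vendor's format. Three inputs an
analytics service would import from the EHR and HR systems are modelled:

  RAW_LOG    pipe-delimited record transactions (view / modify / delete)
  WORKFORCE  identity roster: role, termination date, the user's own patient id
  CARE_TEAM  documented treatment relationships with their validity window
"""
from collections import Counter

# Constructed sample log: timestamp|user|patient|action|purpose-of-use
RAW_LOG = """\
2011-09-01T08:12:00|dr.lee|P100|VIEW|treatment
2011-09-02T14:30:00|rn.ortiz|P100|MODIFY|treatment
2011-09-03T09:05:00|rn.ortiz|P200|VIEW|treatment
2011-09-04T11:00:00|clerk.wu|P300|VIEW|payment
2011-09-05T02:47:00|dr.lee|P300|VIEW|emergency
2011-09-20T16:20:00|rn.kim|P100|VIEW|treatment
2011-09-21T12:00:00|clerk.wu|P400|VIEW|treatment
2011-09-22T10:15:00|dr.lee|P100|DELETE|treatment
"""

# user -> (role, termination date or None, the user's own patient id or None)
WORKFORCE = {
    "dr.lee":   ("physician", None,         None),
    "rn.ortiz": ("nurse",     None,         None),
    "rn.kim":   ("nurse",     "2011-09-15", None),    # left before the 09-20 access
    "clerk.wu": ("billing",   None,         "P400"),  # is also patient P400
}

# (user, patient) -> (first, last) day of the documented treatment relationship
CARE_TEAM = {
    ("dr.lee",   "P100"): ("2011-08-30", "2011-09-30"),
    ("rn.ortiz", "P100"): ("2011-08-30", "2011-09-30"),
    ("rn.kim",   "P100"): ("2011-08-30", "2011-09-30"),
}

# Purposes of use a role may assert without a treatment relationship
# (billing staff reading charts for payment). Assumed policy.
ROLE_PURPOSES = {"billing": {"payment"}}


def parse_log(text):
    """Turn raw pipe-delimited lines into (ts, user, patient, action, purpose)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, purpose = line.split("|")
        rows.append((ts, user, patient, action, purpose))
    return rows


def accounting_of_access(log, patient_id):
    """Per-patient audit history: every view, change and deletion, in order.

    This is the report a patient would receive under the access-history
    initiatives described above.
    """
    return sorted((ts, user, action) for ts, user, pid, action, _ in log if pid == patient_id)


def review_access(log, workforce, care_team, role_purposes=ROLE_PURPOSES):
    """Correlate each transaction with identity and relationship data.

    Returns (ts, user, patient, finding) tuples. Dates are compared on the
    YYYY-MM-DD prefix, so ISO strings order correctly without parsing.
    """
    findings = []
    for ts, user, pid, action, purpose in log:
        day = ts[:10]
        role, terminated, own_pid = workforce[user]
        # Identity check: activity from an account that HR says has left.
        if terminated is not None and day > terminated:
            findings.append((ts, user, pid, "TERMINATED_ACCOUNT"))
        # Self-lookup: a workforce member reading their own chart.
        if own_pid == pid:
            findings.append((ts, user, pid, "SELF_ACCESS"))
        # Relationship check: was this user on the patient's care team that day?
        window = care_team.get((user, pid))
        on_team = window is not None and window[0] <= day <= window[1]
        if on_team or purpose in role_purposes.get(role, ()):
            continue
        # Break-the-glass is permitted but must be reviewed; anything else
        # is an access with no documented treatment relationship.
        kind = "BREAK_THE_GLASS" if purpose == "emergency" else "NO_TREATMENT_RELATIONSHIP"
        findings.append((ts, user, pid, kind))
    return findings


def findings_by_user(findings):
    """Roll-up for the privacy officer: which users generated which findings."""
    return {user: dict(Counter(kind for _, u, _, kind in findings if u == user))
            for user in sorted({f[1] for f in findings})}


if __name__ == "__main__":
    log = parse_log(RAW_LOG)
    for row in accounting_of_access(log, "P100"):
        print("P100 history:", *row)
    for finding in review_access(log, WORKFORCE, CARE_TEAM):
        print("finding:", *finding)
```

Note that the terminated nurse's access is caught only by joining the log with the HR roster; the care-team data alone would have passed it, which is the point of correlating identities and privileges with activity rather than reviewing the access log in isolation.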

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies breaches of patient privacy, even by authorized users, with no hardware and no on-site software.
Sources:
(a) Health Information Technology and Privacy - American College of Physicians, July 2011

Want updates on patient privacy issues? Subscribe to our newsfeed and follow us on Twitter (@Veriphyr)!

Wednesday, October 19, 2011

SEC Issues Cybersecurity Reporting Guidance

Assessment of InfoSec Risks Also Mandated

Following a spate of high-profile data and privacy breaches afflicting publicly traded companies, the SEC's Division of Corporation Finance has issued "CF Disclosure Guidance: Topic 2." The Guidance describes the factors that determine what to disclose, and when, concerning cyber incidents and the risk of such incidents. Depending on the registrant's circumstances, disclosures may include:

  • Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks, and the potential costs and consequences
  • To the extent the registrant outsources functions that have material cybersecurity risks, a description of those functions and how the registrant addresses those risks
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
  • Risks related to cyber incidents that may remain undetected for an extended period
  • Description of relevant insurance coverage

The Guidance also reminds registrants of their existing obligation to report conclusions on the effectiveness of disclosure controls and procedures. Specifically, "management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective." Reading between the lines, management should assess whether deficiencies in its ability to detect cybersecurity incidents, whether from external threats or from insiders misusing approved access rights, undermine the effectiveness of disclosure controls: an incident that goes undetected cannot be disclosed.

A well-balanced portfolio of internal controls encompasses both prevention and detection of cybersecurity incidents (both internal and external), in order to reduce operational and reporting risk. Veriphyr Identity and Access Intelligence is the first application to detect enterprise user access vulnerabilities with a hosted, on-demand delivery model, not with site-deployed software or hardware. Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.


Tuesday, October 4, 2011

Gartner - "Identity & Access Intelligence Comes Into Its Own"

Gartner's Earl Perkins has an insightful posting today on the adoption of Identity and Access Intelligence in the enterprise. His thesis is that enterprises are moving to adopt a "formal security and IAM ‘intelligence’ practice" as a product or service.

He points out that "as larger and more sophisticated IAM shops evolved their practice, they realized that without having a continuous stream of intelligence available to them from the processes IAM was involved in, they would be unable to answer important questions regarding matters related to forensics (e.g. detecting and preventing fraud during the access process) or compliance (e.g. providing detailed reports on meeting regulatory requirements as required by government and policy)."

"The real value that IAM can provide to the business is in the intelligence it generates and owns about identity and access activities and events, not in the control it provides for access." - Earl Perkins, Gartner VP

He concludes that it "wasn't enough to store identities and attributes, or to log authentication events – some method and tool was also needed to make sense of what was happening, to understand through correlation and analysis of data from a number of different sources the true picture end to end of those activities in identity and access management that occur every day to get work done."

The full post is listed in the sources below.

Learn how Veriphyr's Identity and Access Intelligence as a service delivers business insights on compliance, privacy, and security, with no hardware and no on-site software.
Sources:
(a) IBM Buys Q1 Labs: Identity and Access Intelligence Comes Into Its Own - Gartner Blog, October 4, 2011

$20 Million Lawsuit Over Patient Data Privacy Breach

A $20 million class action lawsuit was filed in Los Angeles County Superior Court on September 28th on behalf of approximately 20,000 patients whose protected health information (PHI) was breached.

Shana Springer filed the complaint on behalf of herself and other patients treated in Stanford Hospital & Clinics' emergency department between March 1, 2009, and August 31, 2009.

The suit alleges that the hospital violated the Confidentiality of Medical Information Act, a California state law requiring that health care providers safeguard patient data privacy.

The breached patient data included patient names, medical record numbers, diagnosis codes, billing charges, and dates of emergency room admission and discharge. No credit card or Social Security numbers were part of the breach.

According to the hospital, there is no evidence that the information was improperly used for fraudulent or any other improper purpose. But in at least one case, a patient's psychiatric diagnosis was made public.

"SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit." - Hospital spokesman.

The suit seeks compensation of $1,000 per patient, plus penalties, damages and attorneys' fees. Los Angeles-based lawyers Brian S. Kabateck, Richard L. Kellner, Karen Liao, Byron T. Ball and Bradley I. Kramer are said to be representing the person bringing the suit as well as the proposed class.

Download a white paper on patient privacy audits as a service. Learn about a service that proactively identifies breaches of patient privacy, even by nurses, doctors, and other authorized users, with no hardware and no on-site software.
Sources:
(a) Statement from Stanford Hospital & Clinics - Stanford Hospital & Clinics Website, October 3, 2011
(b) Stanford Hospital & Clinics vows to fight $20M class action - MercuryNews.com, October 4, 2011

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.