Monday, November 28, 2011

Police Probe Medical Records Stalker

Following patient privacy breaches affecting several hospitals in the Lothian region of Scotland, in which dozens of health care staff were disciplined, Scottish police are now investigating a case in which a patient was stalked by a worker.

A janitor working at Edinburgh Royal Infirmary, one of Scotland’s largest hospitals, has been accused of contacting a patient via email and via her Facebook account. The janitor has admitted using hospital computers to access the woman’s medical records, which he used to obtain her contact information and pursue her online.

The day after receiving treatment for a broken hand, she received a Facebook friendship request with the accompanying message: “Btw if ur wonderin who i am, i was checkin u out yest :) ha hows the hand?X”

In all the woman received five messages, including one pleading with her not to pursue an investigation.

“I was really upset when I read the e-mail,” she said. “I didn’t know who he was, what he was capable of, or whether he also knew my address and telephone number. I didn’t know if he was just going to turn up at the house. It’s just wrong in so many ways.”

Chairwoman Margaret Watt of the Scottish Patients Authority called for an investigation: “Workers should not have access to patient files… This has hugely overstepped the mark. It means there is no safety if people like this can go and read files.”

If you're required to investigate a breach of patient privacy, how long will your personnel be tied up doing the work? Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Sources:
Police probe hospital patient privacy breach - The Scotsman, November 25, 2011

Stay updated on privacy issues: get our RSS feed and follow us on Twitter (@Veriphyr)!

Friday, November 18, 2011

16 Suspended for Snooping on Co-Worker

Sixteen workers at the New York State Office of Children and Family Services have been suspended after allegations they snooped into the confidential files of a co-worker.

The worker, Kristen Trapalis, had been arrested in May on charges of marijuana possession and child endangerment, but the charges were later dropped. OCFS officials refused to identify the specific information the woman’s co-workers had been looking at, but it’s believed that they were accessing a restricted register of child abusers to see if Trapalis had been added to it. If the allegations are true, the employees face sanctions ranging from loss of pay to termination of their employment.

Misuse of access to confidential information beyond what is needed for an employee’s job function is spreading across multiple industries: government (particularly tax authorities), health care, and financial services have all reported employee access violations this year. Earlier, we blogged that employee snooping of confidential medical records of their co-workers was the leading cause of insider breaches among health care providers we surveyed.
Regular audits of access to sensitive information deter employee misuse of access. Learn how Veriphyr identity and access intelligence services streamline detection of insider abuse of access rights and deter data snooping and theft by insiders.

Source: Snoop Case Snares 16 State Workers - Albany Times-Union, November 15, 2011

Thursday, November 17, 2011

Report: Government Insider Breaches on the Rise

A report conducted by Telus and the University of Toronto's Rotman School of Management indicated that reported breaches of confidential information by Canadian federal and provincial insiders rose in 2011. The study found that forty-two per cent of breaches in government were perpetrated by insiders either misusing authorized access or violating access controls entirely.

Violations of access control by insiders are among the most difficult types of attack to detect. Detecting them means manually reviewing mountains of log data and comparing actual usage against authorized permissions to find violations of policy. Worse, users may have accumulated unnecessary or obsolete rights as a result of job changes, so the permissions themselves cannot be trusted as a baseline. The personnel who perform the analysis may not know what legitimate business access looks like and must rely on business leaders for review. The result is a great deal of time spent chasing false positives; it is no wonder that most businesses neglect this type of review.

Veriphyr Identity and Access Intelligence is a SaaS application that automates the review of user access activity with rights without the need to deploy hardware or software on-premises. We take uploads of raw, unfiltered, and unmapped exports of your directory rights, access control lists, and system and application activity logs to automatically correlate identities, rights, and activity to detect violations of access policy.

Veriphyr delivers reports on policy violations that are quickly and easily grasped by non-technical business leaders.

Visit Veriphyr to learn more. Other vendors deliver technology; Veriphyr delivers answers.

Source:

Friday, November 11, 2011

Survey: Regulatory Compliance is Top Data Security Job for Health Care

HealthcareInfoSecurity has published the results of its inaugural "Healthcare Information Security Today" survey, sponsored by Experian and Diebold. The report casts light on health care providers' top information security trends, threats and priorities. The number one data security priority? Improving regulatory compliance. This is not surprising, as we previously wrote about HHS' Office for Civil Rights expanding audits of HIPAA compliance ("OCR Begins HIPAA Compliance Audits").
"When I speak with business leaders about data security, many tell me that protecting sensitive data is a top priority but can't say how it's being done." - Ozzie Fonseca, Director, Experian DBR
Highlights of the top data security priorities include:
  • 63% - improving regulatory compliance
  • 49% - preventing and detecting internal breaches
  • 46% - investing in and improving audit logging

51% of respondents indicated that their ability to meet the requirements of the proposed Accounting of Disclosures Rule was either poor, inadequate, or in need of improvement.

The results mirror what we learned in our own Veriphyr 2011 Survey of Patient Privacy Breaches, which we released in September. In our findings, we revealed that over 70% of health care providers surveyed reported one or more breaches of patient privacy in the past year. Insider abuse of privileges to snoop on medical records was the leading cause of privacy violations.

Source:
"The State of Healthcare Information Security Today" - HealthcareInfoSecurity.com, November 2011

Want to stay updated on data security issues in health care? Subscribe to our RSS feed!

Wednesday, November 9, 2011

OCR Begins HIPAA Compliance Audits

Six months ago, we blogged in our post, “More Hospital Audits to Find HIPAA Security Rule Violations,” that the Department of Health and Human Services Office for Civil Rights would step up their enforcement activity in response to a critique of HIPAA enforcement by the Office of the Inspector General.

As expected, OCR announced today that it will begin pilot audits, including site visits, this month at 20 covered entities to test compliance with the HIPAA privacy and security rules, and that testing would expand to include 150 entities by the end of 2012. Any covered entity, regardless of size, is eligible for inclusion in these audits (business associates will be covered in future audits).

"Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem." - Department of Health and Human Services.

If you've been putting off a review of your security and compliance posture with respect to HIPAA, now is a good time to consider your response to an audit notification. Some steps to include in a review may include:

  • Taking an inventory of PHI wherever it resides -- all applications, systems, and devices, including end-user devices such as iPhones and iPads.
  • Reviewing access control policies to ensure that access to applications and systems holding PHI meet the standard of least privilege. Is access limited only to users with a need to know and only as necessary for their job function?
  • Auditing not only access to PHI, but also modifications and deletions. Do applications and systems log the information necessary to conduct an audit? Can you retrieve logged data in a timely manner?
  • Encrypting data at rest and in transit.

Of all the internal controls over PHI, auditing may be among the most important, yet it usually receives short shrift. The sheer number of applications, systems, employees, and medical records can be daunting. Most providers only have the headcount to audit a small portion of activity: access to records of VIPs, employees, friends or relatives, and a small sample of the rest of the patient record population. Compliance and privacy personnel may need to manage an audit console for each individual application or system, and event logging may be incomplete or misconfigured.
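As an added example (not Veriphyr's service or code), the review steps above can be scripted: correlate an EHR audit trail with a directory export of roles and units, then flag accesses by roles with no need for PHI, accesses outside a treatment relationship, reads of a co-worker's chart, and deletions. All users, units, record ids and log rows are constructed; the unit-to-record mapping stands in for a real treatment-relationship source.

```python
"""Correlate an access log with identity, rights and patient data to flag
access-policy violations. All data here is constructed for illustration."""
import csv
from io import StringIO

# Constructed directory export: role and treating unit per user.
DIRECTORY = {
    "asmith": {"role": "physician", "unit": "ortho"},
    "jdoe":   {"role": "nurse",     "unit": "ortho"},
    "klee":   {"role": "nurse",     "unit": "cardio"},
    "bjones": {"role": "janitor",   "unit": "facilities"},
}
ROLES_WITH_PHI = {"physician", "nurse", "billing"}   # least-privilege baseline
PATIENT_UNIT = {"P-0100": "ortho", "P-0200": "cardio", "P-0400": "ortho"}
STAFF_RECORDS = {"P-0400": "jdoe"}   # co-worker watchlist: P-0400 is jdoe's own chart

# Constructed EHR audit trail, one row per access.
LOG = """\
ts,user,record,action
2011-11-14T09:02,asmith,P-0100,read
2011-11-14T09:10,bjones,P-0100,read
2011-11-14T10:30,klee,P-0100,read
2011-11-14T11:05,asmith,P-0400,read
2011-11-14T11:40,jdoe,P-0200,delete
2011-11-14T12:00,ghost,P-0100,read
"""

def audit(log_text, directory, patient_unit, staff_records):
    """Return one (ts, user, record, reason) tuple per policy finding."""
    findings = []
    for r in csv.DictReader(StringIO(log_text)):
        key = (r["ts"], r["user"], r["record"])
        who, unit = directory.get(r["user"]), patient_unit.get(r["record"])
        if who is None or unit is None:   # orphaned account or unknown record
            findings.append(key + ("user or record not in directory",))
            continue
        if who["role"] not in ROLES_WITH_PHI:
            findings.append(key + ("role has no need to access PHI",))
        elif who["unit"] != unit:
            findings.append(key + ("outside user's unit, no treatment relationship",))
        if r["record"] in staff_records and staff_records[r["record"]] != r["user"]:
            findings.append(key + ("access to a co-worker's record, review",))
        if r["action"] in ("delete", "modify"):
            findings.append(key + (r["action"] + " of a patient record",))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, DIRECTORY, PATIENT_UNIT, STAFF_RECORDS):
        print(*finding)
```

Only the physician's read of a patient in his own unit passes cleanly; every other row produces at least one finding for a reviewer.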

Demands on compliance and privacy personnel to prove their organizations' compliance with HIPAA privacy and security requirements will only increase. There is a need to provide auditing and reporting on access to systems holding PHI in a way that business managers and executives can quickly understand and that does not tax an already overworked compliance staff. The verification process should be made more effective and more efficient by making better use of data the organization already collects. The process should be improved without adding more hardware or software and by replacing manual activity whenever possible.

Veriphyr is a new SaaS Identity and Access Intelligence service that improves the use of data that you're already capturing. There's no need for new on-premises equipment or software and no burden on your IT, compliance, and privacy staff. Veriphyr accepts raw identity, privilege, activity, and business data from any source, in any format (including EMR/EHR formats), even if the data is incomplete or damaged.

Veriphyr's analytics technology correlates user activity with user identities and rights to give you a complete picture of access both to patient records and to any application, database, or network in your IT environment.

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Source: OCR HIPAA Audit Program - U.S. Department of Health and Human Services

Did you like this article? Subscribe to our RSS feed, and click below to share!

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.