Monday, April 30, 2012

GAO - Insiders Are the Principal Source of Computer Crime

Federal agencies -- including those that manage health data -- have significant weaknesses in their information technology security, according to the testimony of Greg Wilshusen, Director of Information Security Issues, U.S. Government Accountability Office (GAO). Of particular concern is the insider threat from disgruntled employees.
"The disgruntled organization insider is a principal source of computer crime."
- Greg Wilshusen, GAO Director Information Security Issues
His prepared comments addressed security across many government agencies, but he noted the growing dependence of healthcare and public health on information technology, adding that the security of these systems and networks is vital in protecting public health.
Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
(a) Testimony Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives - United States Government Accountability Office, April 24, 2012

Friday, April 27, 2012

Journal of the American Medical Association on Challenges to Electronic Healthcare Data Sharing

A member of the Harvard School of Public Health published an article in The Journal of the American Medical Association (JAMA) on the barriers to health information exchange in the U.S. health care system.
#1 barrier hindering the widespread exchange of electronic health data is data privacy and security concerns. - Ashish Jha of the Harvard School of Public Health and Julia Adler Milstein of the University of Michigan-Ann Arbor.
"The vision of complete patient information available across care delivery settings is compelling and central to a high-functioning health care system. However, the vision is deceptively simple: there are enormous challenges to enabling clinical data to flow across organizations."
Address your data privacy and security concerns by proactively identifying unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software. Download a white paper on patient privacy breach detection.
(a) Sharing Clinical Data Electronically, A Critical Challenge for Fixing the Health Care System - JAMA, April 25, 2012, Vol 307, No. 16, pp 1669-1766

Thursday, April 26, 2012

KPMG Study - 71% of Healthcare Providers Are Over 50% Complete with the Implementation of Electronic Medical Records

According to a new poll from consultancy KPMG, 71% of hospital and health system business leaders said they are more than 50% of the way to completing EHR system adoption.
"In the long-term, EHR implementation is a critical driver for clinical and other business intelligence mandates." - Joe Kuehn, partner in KPMG Healthcare financial management
The KPMG Healthcare & Pharmaceutical Institute conducted a webcast on meaningful use Stage 1 and Stage 2 requirements last month. The results reflect responses from more than 250 hospital and health system administrators who self selected to participate in the webcast poll. Respondents consisted of senior members of these organizations who have awareness of, or responsibility for, their organizations' IT and finance programs.
Now that you have adopted electronic medical records, download a white paper on electronic medical records breach detection. Learn how to proactively identify unauthorized access of patient data by employees and outsiders - with no hardware and no on-site software.
A replay of the KPMG webcast can be accessed via the following link:

(a) 'Meaningful Use' Requirements Seen As Compliance Challenge, Despite High Hospital EHR Adoption Rates, Says KPMG Poll - KPMG, April 24, 2012

Tuesday, April 24, 2012

Webinar - Chase Away Cloud Challenges: User Access Governance & Compliance

If you are interested in cloud technology and enjoy this blog, be sure to catch my webcast on "Chase Away Cloud Challenges: User Access Governance & Compliance". The talk was on May 23, 2012, 4pm Eastern (1PM Pacific) and you can watch it here

Whether you are taking advantage of a cloud-based commercial application or moving your own custom application to a cloud infrastructure, the cloud brings new challenges for user access governance and compliance.

My talk will cover what you need to do both contractually and operationally to ensure the user access of your cloud-based applications is as secure and compliant as your data-center applications.

Topics covered will include
  • Key contract terms you need to be able to govern user access.
  • Architectural components are critical to user access governance.
  • What about cloud-based Identity & Access Management services?
  • Operational components are required to support user access governance.
  • How user access governance is evolving to meet cloud compliance.

Sunday, April 22, 2012

Podcast - HIPAA Survival Guide Interview of Alan Norquist

HIPAA Survival Guide's Carlos Leyva
You can now listen to a rebroadcast of an interview of Alan Norquist, CEO of Veriphyr by HIPAA Survival Guide's Carlos Leyva.

This interview covers Veriphyr's flagship SaaS data analytics application which analyzes identities, activity, and privileges to expose violations of data security and privacy. The interview probes Veriphyr's work addressing some of the user access issues posed by the HIPAA Security and Privacy Rules.

Friday, April 20, 2012

Hospital Fires Two for Potential Fraud; 9,500 at Risk

Memorial Healthcare System of South Florida fired two employees for unauthorized access to the protected information of 9,500 patients. The exact time frame over which the breach occurred was not given, but it was believed to have occurred in "2011 and early 2012." The employees were alleged to have stolen patients' names, dates of birth, and Social Security numbers in order to conduct tax fraud.

MHS began sending breach notification letters to the affected patients earlier this week and will provide credit monitoring services for up to a year.

Almost daily we see articles about auditing the security and integrity of EHR systems, but this event provides a reminder to include financial and billing systems in the audit scope.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
"Two Memorial Healthcare System Employees Fired over Information Breach" - The Miami Herald, April 12, 2012.

Tuesday, April 17, 2012

Gartner - Business Intelligence Expands to Lines of Business

Drives Business Intelligence Software Market Over $12 Billion in 2011

Gartner says business intelligence is spreading beyond the IT department. A recent announcement states "new buying centers are opening and expanding outside of IT, in line-of-business initiatives, and taking an increasingly large stake of the spending pie."

Veriphyr Identity and Access Intelligence is part of this trend as the service is being bought not only by IT but also by compliance officers and audit departments to enable self-service discovery of data privacy issues.
Dan Sommer, principal analyst at Gartner, says cloud and big data will help "shift the center of gravity away from BI and analytics being only an enterprise IT push adopted by key stake-holders in lines of business, to one with a strong focus on the individual context."
The result is that business intelligence (BI) is the second-fastest growing sector of the enterprise software market with revenues of $12.2 billion in 2011, a 16.4% increase from 2010, according to Gartner.
Learn how Veriphyr Identity and Access Intelligence delivers business intelligence - with no hardware and no on-site software.
(a) Gartner Says Worldwide Business Intelligence, Analytics and Performance Management Software Market Surpassed the $12 Billion Mark in 2011 - Gartner press release, 4/2/2012

Monday, April 16, 2012

Virgin Employee Violates Data Privacy of Customers

A Virgin Atlantic employee has resigned amid allegations she took information about customers from the airline booking system and passed on details about eight celebrities. A source at the airline said it was investigating who could access its booking system. It is alleged the recipient was a London-based paparazzi agency named Big Pictures.
"The security of customer information is our highest priority...The allegations that have been raised are extremely serious." - Virgin Atlantic spokeswoman
The Guardian newspaper reported that celebrities included actresses Sienna Miller, Scarlett Johansson and Gwyneth Paltrow; singers Robbie Williams, Cheryl Cole, and Nicole Scherzinger, and footballers Ashley Cole and Jermain Defoe.
Learn how Veriphyr customer privacy breach detection proactively identifies unauthorized breaches of customer data privacy - with no hardware and no on-site software.
(a) Worker quits over privacy breach - The Press Association, 4/6/2012

Sunday, April 15, 2012

HIMSS Report - Majority of Patient Data Privacy Breaches by Employees

Employees continue to be the biggest source of medical data privacy breaches according to the 2012 report by the Healthcare Information and Management Systems Society (HIMSS).
"56% indicated that the source of the breach was unauthorized access to information by an individual employed by the organization at the time of the breach." - HIMSS Report on Security of Patient Data
The report states "while hospitals are stepping up to regularly audit their monitoring and response procedures, reports of data breaches are on the rise."

Most hospitals have no automated analytic tools to detect unauthorized access to medical records. Particularly difficult is determining when an employee inappropriately accesses medical records of patients who are not under their care.
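The check described above, an employee opening records of patients who are not under their care, can be framed as a join between application-level access logs and care-team assignments. The following is an added example, not code from the HIMSS report or from Veriphyr; the CSV layouts, names, sample rows and the two-day grace period are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical layout, not from any real system).
# Care assignments: who was on which patient's care team, and when.
ASSIGNMENTS_CSV = """employee,patient,start,end
nurse_a,P100,2012-03-01,2012-03-10
nurse_a,P101,2012-03-05,2012-03-07
dr_b,P100,2012-03-01,2012-03-10
"""

# Application-level access log: one row per chart open.
ACCESS_LOG_CSV = """timestamp,employee,patient,action
2012-03-02T09:15:00,nurse_a,P100,view
2012-03-06T14:02:00,nurse_a,P101,view
2012-03-08T23:40:00,nurse_a,P101,view
2012-03-20T02:11:00,nurse_a,P100,view
2012-03-03T10:00:00,dr_b,P100,view
2012-03-03T10:05:00,clerk_c,P100,view
2012-03-03T10:06:00,clerk_c,P101,view
"""

# Assumption: follow-up access is tolerated for a short time after care ends.
GRACE = timedelta(days=2)


def load_assignments(text):
    """Map (employee, patient) -> list of (start, end) care windows."""
    windows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d")
        # The end date is inclusive, so the window runs to the end of that day.
        end = datetime.strptime(row["end"], "%Y-%m-%d") + timedelta(days=1)
        windows[(row["employee"], row["patient"])].append((start, end))
    return windows


def find_unrelated_access(log_text, windows, grace=GRACE):
    """Return accesses that no care assignment explains, with a reason."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S")
        spans = windows.get((row["employee"], row["patient"]), [])
        if not spans:
            reason = "no care relationship on record"
        elif any(start <= ts < end + grace for start, end in spans):
            continue  # access falls inside a care window (plus grace)
        else:
            reason = "outside assignment window"
        findings.append((row["timestamp"], row["employee"], row["patient"], reason))
    return findings


def summarize(findings):
    """Count unexplained accesses per employee to prioritise review."""
    counts = defaultdict(int)
    for _, employee, _, _ in findings:
        counts[employee] += 1
    return dict(counts)
```

Findings are leads for a privacy officer to review rather than verdicts: a billing clerk, for example, may have a legitimate reason that the care-team table does not capture.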

HIMSS Analytics invited a variety of individuals with experience in their healthcare organization’s privacy and security environment to participate in this telephone-based survey. The 250 respondents included senior information technology (IT) executives, Chief Security Officers and Health Information Management (HIM) Directors/Managers, Compliance Officers and Privacy Officers. Only one respondent per organization was invited to participate in this survey. Data was collected in December 2011.
Download a white paper on detecting unauthorized access to medical records. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Saturday, April 14, 2012

Nurse Arraigned for Identity Theft Using Patient Records

A registered nurse was arraigned in Nassau County, New Jersey for identity theft and for possessing stolen information from both a local hospital and an international freight company.

The hospital admits confidential records with critical information from approximately 100 patients were stolen, not once, but twice over several months in the past year.
"They told me there was a fraudulent return, that the person worked at [the hospital] and had my social security number." - Victim in Flushing, Queens
One Victim had $11,000 Tax Refund Stolen
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
(a) Nurse arraigned for ID theft - WABC, April 13, 2012
(b) North Shore-LIJ Notifies Patients of Identity Theft - North Shore-LIJ, April 12, 2012

Friday, April 13, 2012

Healthcare CIOs Losing Sleep over IAM

In his blog, “Life as a Healthcare CIO,” Dr. John Halamka of Beth Israel Deaconess Medical Center identifies ten information security issues keeping him awake at night. IAM is prominent among them:
5.  Identity and Access management - Managing the ever changing roles and rights of individuals in a large complex organization with many partners/affiliates is challenging.  If an affiliate asks for access to an application, how do you automatically deactivate accounts when users leave an affiliate, given the lack of direct employment relationships?
Provisioning and de-provisioning user access in a timely manner is a key issue for all IT organizations. Unfortunately, among many IT professionals we've spoken with, there is a tendency toward over-reliance on provisioning controls as a solution to IAM issues. Effective detection controls are an oft-neglected part of the access control security regime. Thus, another of Dr. Halamka's worries:
9.  Forensics -  increasingly sophisticated security infrastructure implies more events to research which requires additional staff that are challenging to find, recruit and retain.
Not only is it hard to find qualified staff, but the choices for infrastructure to support the analysis all have significant drawbacks. SIEM-based approaches deal only with network-level data and over relatively short time windows. They lack sophisticated data analysis features, and don't allow for custom schemas. They are good for real-time alerting to events, but lack the more evolved capabilities to look at user and application-level data and their behaviors.

Custom data warehouse/OLAP solutions have their own problems: the expense of development and maintenance, managing ETL from a wide variety of systems, and writing and maintaining SQL queries for various policies and exceptions (and that's assuming that all the relationships between workers, patients, and resources can be modeled effectively).

No wonder CIOs are losing sleep.

Veriphyr uses big data analytics to tackle the investigation problem: unlike SIEMs, we focus on user and application-level information to identify problem activity with more sophisticated analysis. Unlike OLAP systems, we use our proprietary heuristics to analyze the data, reduce the scale of the data problem, and evaluate policy against suspicious activity, instead of brute-forcing an analysis against an entire data warehouse. Unlike either approach, we leverage cloud infrastructure so that nothing needs to be installed at the client's premises – we don't disrupt your environment or your workflow.

Put your user access worries to bed, and sleep better yourself. Visit Veriphyr at

“What Keeps Me Up at Night 2012” - Life as a Healthcare CIO, April 10, 2012


Thursday, April 12, 2012

Gartner - Compliance as a Service and Security as a Service Increasingly Popular

Compliance was a driver for growth in security software even at a time of tight IT budgets. Worldwide security software revenue totaled $17.7 billion in 2011, a 7.5 percent increase from 2010 revenue of $16.4 billion.
"Products within the security market are undergoing rapid evolution, in terms of both new delivery models — with security as a service (SaaS) showing increasing popularity — and new technologies being introduced, often by startup companies."
- Ruggero Contu, research director, Gartner
Additional information is available in the Gartner report "Market Share Analysis: Security Software, Worldwide, 2011".
Download a white paper on privacy breach detection as a service. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
(a) Market Share Analysis: Security Software, Worldwide, 2011 - Gartner, April 26, 2012

Wednesday, April 11, 2012

New Trend - Plaintiffs Lawyers Suing Hospitals for Data Privacy Breaches

Plaintiffs' lawyers think they have found a profitable new line of business - data privacy breach suits against hospitals, medical services providers and health insurance companies.

The suits are driven by stricter patient data privacy laws where fines start at $1,000-per-instance and can run up to $250,000 per violation if the disclosure is done willfully or negligently.

Moreover, plaintiffs' lawyers who specialize in other types of consumer actions are interested because recent pro-business court decisions make non-healthcare suits less attractive.
"The privacy data breach area offers some new opportunities to expand the types of cases that we're handling." - Eric Grover, lawyer known for employment and nonhealth-related consumer protection cases
The health care industry views these lawsuits as a serious risk. One lawyer claimed that McKesson Corp. unsuccessfully lobbied Sacramento legislators to remove the $1,000 damages clause from California's Confidentiality of Medical Information Act (CMIA) of 1981.
Protect your healthcare firm with Veriphyr's patient privacy breach detection service. Learn how to proactively identify unauthorized breaches of patient data privacy - with no hardware and no on-site software.
(a) Health Data Breaches Offer New Vein for Plaintiffs Lawyers to Tap - The Recorder, 4/5/2012

Tuesday, April 10, 2012

New Report - Demand for Healthcare IT Staff Exceeds Supply

Demand significantly exceeds supply in the market for healthcare information technology professionals. This is driving the shift toward outsourcing compliance and privacy to cloud services. The most recent evidence comes from a study in Texas done by the Department of Health Information Management at Texas State University-San Marcos.
"Texas will need an additional 10,000 health IT workers by 2013 to meet its goal of implementing and effectively using electronic health records (EHRs) at hospital and provider settings." - Dept of Health Info Mgmt at Texas State University-San Marcos.
The Texas government had previously estimated the state needed 3,500 new health IT workers by 2015, but this new report discovered that Texas had dramatically underestimated the requirement for health IT workers. It would not be surprising to find that other states had also underestimated their staffing requirements.
"I was stunned. What happens today when you can't find the trained person you are seeking? ... Some may do without, which is very concerning when you start considering some of the potential adverse unintended consequences if health IT is not implemented correctly." - Susan Fenton, Texas HIT workforce project director, health information management, at Texas State University
The report authors say demand for health IT workers is growing due to the US government's HITECH incentives intended to increase the adoption of health technology. Since the technology must be deployed quickly, the demand for qualified IT staff has grown just as quickly.
Download a white paper on meeting governmental requirements for patient privacy - with no hardware and no on-site software.
(a) Texas Needs 10,000 Health IT Pros - InformationWeek Healthcare, 4/9/2012

Monday, April 9, 2012

Healthcare IT Security Spending to Top $70.0 Billion by 2015

A recent analyst report "estimates that healthcare data security spending in 2012 will top $40 billion, a 22% increase from 2011 levels." Looking out further, the report predicts that "spending will top $70.0 billion by 2015."
"Much of this spending and job growth will come from investments in electronic health records (EHR), mobile health applications and efforts to comply with new government standards." - Boyd Company Report
The report compares the cost of data security in the $2.6 trillion healthcare services industry across 50 US cities with significant concentrations of medical and healthcare industry operations, as well as smaller regional centers.
Download a white paper on meeting government privacy standards for electronic health records (EHR) - with no hardware and no on-site software.
(a) Healthcare Services Industry: A Comparative Cost Analysis for Information Assurance Operations - The Boyd Company of Princeton, NJ, 3/30/3012

Tuesday, April 3, 2012

EMR vs. Healthcare IT Security ($17.9B vs. $32.7 B in 2011)

The move to electronic medical records is creating a large opportunity in healthcare IT. Just one part of the market, electronic medical record systems (EHR), was a $17.9 billion market in 2011, whereas the healthcare IT market was a $32.7 billion market in 2011.
"Many vendors are rolling out new and innovative products and many more are in the works. As more installations occur, so do opportunities for additional revenues." - Bruce Carlson, publisher of Kalorama Information
The top companies in the EMR market, according to the analyst firm Kalorama, were Cerner, McKesson, Siemens, GE Healthcare, Epic and Allscripts. But Kalorama says there are opportunities for other vendors to grow as the market is more fluid than it might appear.
Moving to electronic health records? Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
(a) EMR 2012: The Market for Electronic Medical Records - Kalorama Information, Mar 13, 2012
(b) Kalorama: Six lead the EMR pack - CMIO, Mar 23, 2012

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.