Thursday, July 27, 2017

Becker's Hospital Review - Detecting Patient Privacy Breaches

Steve Katz, the world's first Chief Information Security Officer, offers valuable insights on addressing impermissible use of patient data by employees, contractors, and third parties in his article in Becker's Hospital Review.

Katz highlights how impermissible use of patient data at a Florida hospital led to a $5.5 million settlement with the US Department of Health and Human Services (HHS).

Katz points out that detecting impermissible use of patient data by employees, contractors, and others is a significant challenge in a healthcare setting.

"The challenge is understanding each employee's job responsibilities in fine detail and knowing whether those responsibilities justify an employee's access to a particular piece of patient data at a given point in time."

"Moreover, a worker's job responsibilities and "Permissible/Impermissible Use" profile can change if they are temporarily redeployed to a different assignment or faced with an emergency."

- Steve Katz, Advisor for the NH-ISAC (National Health Information Sharing and Analysis Center)

Katz suggests that recent technical advances in data technology, in particular Structural Analytics, can help companies address the impermissible use of patient data for a fraction of the cost Wall Street firms paid years ago.

"Structural Analytics are enabling hospitals to automatically and accurately determine the specifics of each employee's job responsibilities by analyzing data in their EHR and other clinical and business systems."

- Steve Katz, Advisor for the NH-ISAC (National Health Information Sharing and Analysis Center)

The article concludes that new data analytics, such as Structural Analytics, enable hospitals to detect and deter patient privacy violations and data theft by automatically comparing each employee's access to patient data with that employee's own job responsibilities.

When implemented correctly, this approach can reliably distinguish "Impermissible Use" from "Permissible Use" on a single access, even when two workers in the same department and with identical titles each access the same patient record once, because the verdict rests on each worker's own responsibilities rather than on department-wide norms. It does so without requiring additional staff.

About Steve Katz: Steve Katz is an Advisor to the Board of the NH-ISAC (National Health Information Sharing and Analysis Center), was a founder of the FS-ISAC (Financial Services Information Sharing and Analysis Center), and is currently an executive advisor on privacy and security for Deloitte. He has been Chief Information Security Officer for Citigroup, head of Information Security for JPMorgan and helped manage the Information Security program at Kaiser Permanente.

Sources:
(a) HIPAA Violations and What Healthcare Can Learn From Financial Services - Becker's Hospital Review, 03/14/2017


Monday, March 27, 2017

Becker’s Hospital Review: HIPAA Violations--What Hospitals Can Learn from Financial Services

Steve Katz, an advisor to NH-ISAC (National Health Information Sharing and Analysis Center), offers valuable insights on addressing impermissible use of patient data by employees, contractors, and third parties in his article in Becker's Hospital Review.

Katz highlights how impermissible use of patient data at a Florida hospital led to a $5.5 million settlement with the US Department of Health and Human Services (HHS).

Katz points out that detecting impermissible use of patient data by employees, contractors, and others is a significant challenge in a healthcare setting.

"The challenge is understanding each employee's job responsibilities in fine detail and knowing whether those responsibilities justify an employee's access to a particular piece of patient data at a given point in time."

- Steve Katz, Advisor for the NH-ISAC (National Health Information Sharing and Analysis Center)

Katz suggests that recent technical advances in data technology, in particular Structural Analytics, can help companies address the impermissible use of patient data for a fraction of the cost Wall Street firms paid years ago.

"Structural Analytics are enabling hospitals to automatically and accurately determine the specifics of each employee's job responsibilities by analyzing data in their EHR and other clinical and business systems."

- Steve Katz, Advisor for the NH-ISAC (National Health Information Sharing and Analysis Center)

The article concludes that new data analytics, such as Structural Analytics, enable hospitals to detect and deter patient privacy violations and data theft by automatically comparing each employee's access to patient data with that employee's own job responsibilities. When implemented correctly, this approach reduces false positives and does not require adding more staff.

About the Author: Steve Katz is an Advisor to the Board of the NH-ISAC (National Health Information Sharing and Analysis Center), was a founder of the FS-ISAC (Financial Services Information Sharing and Analysis Center), and is currently an executive advisor on privacy and security for Deloitte. He has been Chief Information Security Officer for Citigroup, head of Information Security for JPMorgan and helped manage the Information Security program at Kaiser Permanente.

Sources:
(a) HIPAA Violations and What Healthcare Can Learn From Financial Services - Becker's Hospital Review, 03/14/2017


Tuesday, February 21, 2017

Hospital Fined $5.5 Million by HHS/OCR Due to Lack of Proactive Patient Privacy Controls


A Florida hospital has paid the Department of Health and Human Services (HHS) a $5.5 million settlement for "protected health information (PHI) impermissibly accessed by employees and impermissibly disclosed to affiliated physician office staff." The resolution agreement cited a lack of audit controls as a major factor in the settlement amount.

"They failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
- OCR Acting Director Robinsue Frohboese

Robinsue Frohboese, OCR Acting Director, stated: "access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen."

Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.
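The check described in both the Katz summary above (compare each access with evidence that the worker had a job responsibility for that patient at that time) and the OCR statement (review audit logs regularly, not after a complaint) can be sketched in code. What follows is an added example written for this page; it is not Veriphyr's Structural Analytics implementation and not code from the Becker's article or the HHS resolution agreement. The audit-log format, the role policy, the relationship records and the BREAK_THE_GLASS reason convention are all constructed assumptions.

```python
"""
Per-access review of an EHR audit log against each worker's documented
responsibilities for the patient.  Added illustration for this page: NOT
Veriphyr's Structural Analytics code.  Log format, role policy, relationship
records and the BREAK_THE_GLASS convention are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed audit-log extract: timestamp,user,title,unit,patient,action,reason
ACCESS_LOG = """\
2017-02-10T08:15:00,nurse.a,RN,3West,P-1001,VIEW_CHART,
2017-02-10T08:20:00,nurse.b,RN,3West,P-1001,VIEW_CHART,
2017-02-10T09:05:00,dr.c,MD,Cardiology,P-2002,VIEW_RESULTS,
2017-02-11T14:30:00,clerk.d,BILLING,PFS,P-1001,VIEW_DEMOGRAPHICS,
2017-02-12T03:40:00,nurse.a,RN,3West,P-3003,VIEW_CHART,BREAK_THE_GLASS:code blue in ED
2017-02-20T10:00:00,clerk.d,BILLING,PFS,P-3003,VIEW_DEMOGRAPHICS,
"""

# Constructed evidence of responsibility, as it would be pulled from the staffing
# roster, order entry and claims systems: (user, patient, kind, valid_from, valid_to)
RELATIONSHIPS = [
    ("nurse.a", "P-1001", "shift_assignment", "2017-02-10T07:00:00", "2017-02-10T19:00:00"),
    ("dr.c",    "P-2002", "active_order",     "2017-02-08T00:00:00", "2017-02-15T00:00:00"),
    ("clerk.d", "P-1001", "open_claim",       "2017-02-09T00:00:00", "2017-03-11T00:00:00"),
]

# Which kinds of relationship justify access for a given title.  nurse.a and
# nurse.b share the same title and unit, so only their own relationship records
# can separate them; the title-level policy alone cannot.
ROLE_POLICY = {
    "RN": {"shift_assignment"},
    "MD": {"active_order", "scheduled_encounter"},
    "BILLING": {"open_claim"},
}


@dataclass
class Finding:
    ts: datetime
    user: str
    patient: str
    verdict: str   # "permissible", "impermissible" or "emergency_review"
    basis: str


def justifying_relationship(user, title, patient, ts, relationships, policy):
    """Return the relationship kind that justifies this access, or None."""
    allowed = policy.get(title, set())
    for rel_user, rel_patient, kind, start, end in relationships:
        if (rel_user == user and rel_patient == patient and kind in allowed
                and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)):
            return kind
    return None


def review_access_log(log_text, relationships=RELATIONSHIPS, policy=ROLE_POLICY):
    """Classify every access in the log; one Finding per log line, in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, user, title, _unit, patient, _action, reason = line.split(",", 6)
        ts = datetime.fromisoformat(ts_s)
        kind = justifying_relationship(user, title, patient, ts, relationships, policy)
        if kind is not None:
            verdict, basis = "permissible", kind
        elif reason.startswith("BREAK_THE_GLASS:"):
            # Emergency or redeployment: the access was allowed to proceed, but it
            # goes to a human reviewer with the stated reason instead of being ignored.
            verdict, basis = "emergency_review", reason.split(":", 1)[1]
        else:
            verdict = "impermissible"
            basis = f"no {sorted(policy.get(title, ()))} relationship with {patient} at {ts_s}"
        findings.append(Finding(ts, user, patient, verdict, basis))
    return findings


def users_to_investigate(findings):
    """Users with at least one impermissible access, for the periodic review queue."""
    return sorted({f.user for f in findings if f.verdict == "impermissible"})


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG)
    for f in results:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<8} {f.patient} {f.verdict:<17} {f.basis}")
    print("investigate:", users_to_investigate(results))
```

Run as a script it prints one verdict per access. nurse.a and nurse.b have the same title, the same unit, and each open P-1001 once within five minutes; nurse.a's access is permissible because her shift assignment covers that time, nurse.b's is impermissible because no record ties him to that patient. clerk.d's first access is covered by an open claim and his second is not. The hard part, as Katz notes, is building the relationship table from the EHR and other clinical and business systems in enough detail; here it is constructed by hand.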

Sources:
(a) HHS $5.5M Settlement - HHS, 2/17/2017

Monday, January 30, 2017

Man Sentenced for Selling Patient Data Stolen from Medical Device Company

The crime was discovered when the man contacted a government confidential informant (CI) and offered to sell the names, dates of birth, and Social Security numbers of 957 patients for about $15 per identity.

A review of the data by the government found that it contained medical records from Rotech Healthcare, a nationwide medical device company specializing in respiratory and sleep apnea equipment.

Two Rotech Healthcare employees misused their legitimate access to patient data to steal it. These co-conspirators were indicted and charged with conspiracy, computer intrusion, and identity theft crimes.

Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.

Sources:
(a) U.S. Attorney’s Office, Middle District of Florida
(b) Databreaches.net, which first reported this case and was the source for this posting


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.