Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Thursday, December 27, 2018

You Snooze, You Lose: Insurers Make The Old Adage Literally True

Justin Volz
ProPublica
Originally published November 21, 2018

Here is an excerpt:

In fact, faced with the popularity of CPAPs, which can cost $400 to $800, and their need for replacement filters, face masks and hoses, health insurers have deployed a host of tactics that can make the therapy more expensive or even price it out of reach.

Patients have been required to rent CPAPs at rates that total much more than the retail price of the devices, or they’ve discovered that the supplies would be substantially cheaper if they didn’t have insurance at all.

Experts who study health care costs say insurers’ CPAP strategies are part of the industry’s playbook of shifting the costs of widely used therapies, devices and tests to unsuspecting patients.

“The doctors and providers are not in control of medicine anymore,” said Harry Lawrence, owner of Advanced Oxy-Med Services, a New York company that provides CPAP supplies. “It’s strictly the insurance companies. They call the shots.”

Insurers say their concerns are legitimate. The masks and hoses can be cumbersome and noisy, and studies show that about a third of patients don’t use their CPAPs as directed.

But the companies’ practices have spawned lawsuits and concerns by some doctors who say that policies that restrict access to the machines could have serious, or even deadly, consequences for patients with severe conditions. And privacy experts worry that data collected by insurers could be used to discriminate against patients or raise their costs.

The info is here.

Thursday, June 7, 2018

Protecting confidentiality in genomic studies


MIT Press Release
Originally released May 7, 2018

Genome-wide association studies, which look for links between particular genetic variants and incidence of disease, are the basis of much modern biomedical research.

But databases of genomic information pose privacy risks. From people’s raw genomic data, it may be possible to infer their surnames and perhaps even the shapes of their faces. Many people are reluctant to contribute their genomic data to biomedical research projects, and an organization hosting a large repository of genomic data might conduct a months-long review before deciding whether to grant a researcher’s request for access.

In a paper published in Nature Biotechnology (https://doi.org/10.1038/nbt.4108), researchers from MIT and Stanford University present a new system for protecting the privacy of people who contribute their genomic data to large-scale biomedical studies. Where earlier cryptographic methods were so computationally intensive that they became prohibitively time consuming for more than a few thousand genomes, the new system promises efficient privacy protection for studies conducted over as many as a million genomes.

The release is here.

Saturday, January 5, 2013

New tools to help providers protect patient data in mobile devices

U.S. Department of Health & Human Services
Press Release
December 12, 2012

Launched by the U.S. Department of Health and Human Services (HHS) today, a new education initiative and set of online tools provide health care providers and organizations practical tips on ways to protect their patients’ protected health information when using mobile devices such as laptops, tablets, and smartphones.

The initiative is called Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information and is available at www.HealthIT.gov/mobiledevices. It offers educational resources such as videos, easy-to-download fact sheets, and posters to promote best ways to safeguard patient health information.

“The use of mobile health technology holds great promise in improving health and health care, but the loss of health information can have a devastating impact on the trust that patients have in their providers. It’s important that these tools are used correctly,” said Joy Pritts, HHS’ Office of the National Coordinator for Health Information Technology (ONC) chief privacy officer. “Health care providers, administrators and their staffs must create a culture of privacy and security across their organizations to ensure the privacy and security of their patients’ protected health information.”

Despite providers’ increasing use of mobile technology for clinical use, research has shown that only 44 percent of survey respondents encrypt their mobile devices. Mobile device benefits—portability, size, and convenience—present a challenge when it comes to protecting and securing health information.

Along with theft and loss of devices, other risks, such as the inadvertent download of viruses or other malware, are top among reasons for unintentional disclosure of patient data to unauthorized users.

“We know that health care providers care deeply about patient trust and the importance of keeping health information secure and confidential,” said Leon Rodriguez, director of the HHS Office for Civil Rights. “This education effort and new online resource give health care providers common sense tools to help prevent their patients’ health information from falling into the wrong hands.”

For more information, tips, and steps on protecting and securing health information when using a mobile device visit www.HealthIT.gov/mobiledevices.

Wednesday, November 21, 2012

25 Tips to Prevent Data Breaches

By Sharon D. Nelson & John W. Simek
The Wisconsin Lawyer
Volume 85, No. 11, November 2012

Another day, another data breach. Data breaches have proliferated with amazing speed. Here is the roundup of some of the largest victims in 2011 alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary, TripAdvisor, Citigroup, NASA, Lockheed Martin, and RSA Security. Some mighty big names on that list.

Don't be lulled into thinking that law firms (large and small) aren't suffering data breaches just because they don't have millions of clients affected. On Nov. 1, 2009, the FBI issued an advisory, warning law firms that they were specifically being targeted by hackers. Rob Lee, an information security specialist who investigates data breaches for the security company Mandiant, estimated that 10 percent of his time in 2010 was spent investigating law firm data breaches.

(cut)


Top Practical Security Tips

1. Have a strong password – at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Much easier to hack someone else. Use a passphrase so you can remember the password: "Love ABATECHSHOW 2013!" is a perfect example.

2. Don't use the same password everywhere. If they crack you once, they've got you in other places, too.

3. Change your passwords regularly. This will foil anyone who has gotten your password.

The entire story is here.

Thanks to Ken Pope for this article.


Thursday, April 19, 2012

Two Healthcare Data Breaches Show Importance Of Encryption

Patient data from Howard University Hospital and California Department of Child Support Services wasn't fully encrypted, and one security expert wants to know why.

By Neil Versel
InformationWeek
Originally published April 5, 2012

The theft of a laptop containing more than 34,000 unencrypted records from Howard University Hospital in Washington, D.C., and the loss of backup tapes containing records of 800,000 people enrolled in California Department of Child Support Services programs are just the latest in a string of healthcare data breaches that could have and should have been prevented, a data protection expert contends.

Last week, Howard University Hospital disclosed that it had notified 34,503 patients that a personal laptop of a former contractor was stolen in January from that individual's car. The laptop, according to the hospital, was password-protected, but the actual data was not encrypted.

That is disturbing to Mark Bower, data protection expert and VP at Voltage Security, based in Cupertino, Calif. "Why was their contractor allowed to use their own laptop, connect to the network, and download this data?" Bower wondered. "Why was that information not encrypted on the back end?"

The entire story is here.

Wednesday, February 15, 2012

8 Breach Prevention Tips: Action Items Based on Lessons Learned


By Howard Anderson
Govinfosecurity.com
Originally published February 8, 2012


What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.

Here are eight key breach-prevention insights from information security thought-leaders:

1. Don't Forget Risk Assessments
The details of the biggest breaches last year "make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches," says Dan Berger, CEO at Redspin.
2. Encrypt Mobile Devices, Media
"Even though encryption is what's referred to as an addressable standard in the HIPAA security rule - which means it's not actually mandated in all cases - I don't see any reason why information shouldn't be encrypted in all cases on portable media and devices," says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. "That's one step that organizations can take that can address a very significant share of the types of breaches that are occurring."
3. Beef Up Training
"People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information," Szabo stresses.
4. Conduct Internal Audits
In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.
5. Monitor Business Associates
About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it's essential to work with vendor partners to ensure they're taking adequate breach prevention steps.

In the Resources section of this blog, there is a White Paper on Preventing a Data Breach and Protecting Health Records – One Year Later: Are You Vulnerable to a Breach? by Kaufman, Rossin & Co. to augment these security issues.

Friday, December 30, 2011

Digital Data on Patients Raises Risk of Breaches

By Nicole Perlroth
Published 12/18/11
The New York Times: Technology

One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed.

Mr. Tripathi’s nonprofit, the Massachusetts eHealth Collaborative in Waltham, Mass., works with doctors and hospitals to help digitize their patient records. His employee’s stolen laptop contained unencrypted records for some 13,687 patients — each record containing some combination of a patient’s name, Social Security number, birth date, contact information and insurance information — an identity theft gold mine.

His experience was hardly uncommon. As part of the 2009 stimulus bill, the federal government provides incentive payments to doctors and hospitals to adopt electronic health records. Some 57 percent of office-based physicians now use electronic health records, a 12 percent jump from last year, according to the Centers for Disease Control.

An unintended consequence is that as patient records have been digitized, health data breaches have surged. The number of reported breaches is up 32 percent this year from last year, according to the Ponemon Institute, a security research group. Those breaches cost the industry an estimated $6.5 billion last year. In almost half the cases, a lost or stolen phone or personal computer was responsible.

The entire story can be read here.

Thursday, December 8, 2011

UCLA breach: Do Not Take Data Home

By PAMELA LEWIS DOLAN
amednews.com

Even if practices think they have a strong data security plan in place, too often a new breach occurs that reminds them there are always additional steps that can be taken, or that certain vulnerabilities were overlooked.

The most recent reminder came through the UCLA Medical Center, which issued a public notice on Nov. 4 saying that a former employee's computer external hard drive that contained information about 16,288 patients was stolen during a house burglary. Although the data were encrypted, a piece of paper containing the password needed to unencrypt the data also came up missing after the burglary.

UCLA said in the notice that the records did not contain Social Security numbers or financial information. But they did include first and last names and possibly birth dates, addresses and medical record numbers and information. The data ranged from July 2007 to July 2011. The theft occurred in September, and UCLA said it took until November to determine who was affected and obtain valid addresses for notification. The employee whose home was burglarized ended his employment with UCLA in July.

The entire story is here.

Saturday, November 19, 2011

Electronic medical records rarely encrypted: expert

(Reuters) - Electronic medical records, which the Obama administration would like to see widely used, are rarely encrypted so a data breach could be triggered by the simple theft of a laptop or misplaced thumb drive, a privacy expert told lawmakers on Wednesday.

Regulations require healthcare providers to report data breaches unless the data lost had been encrypted.

(cut)

"The bottom line is that people have a right to privacy and to know that their data is safe and secure, and right now that right is not a reality," Franken said after the hearing.

The entire story can be found here.

Saturday, October 22, 2011

Stanford Hospital & Clinics vows to fight $20M class action

By Jason Green
MercuryNews.com

Stanford Hospital & Clinics vowed Monday to "vigorously defend" itself against a $20-million class-action complaint filed in the wake of a data breach that saw the medical records of 20,000 patients posted on a commercial website for nearly a year.

Shana Springer filed the complaint on Sept. 28 in Los Angeles County Superior Court, on behalf of fellow patients treated in Stanford's emergency room between March 1, 2009, and Aug. 31, 2009. She is seeking $1,000 per patient, as well as other penalties, damages and attorneys fees.

The nine-page complaint alleges the hospital violated the Confidentiality of Medical Information Act, a state law that requires medical providers to safeguard patient information and prohibits its disclosure without written consent.

"On its website, Stanford claims that its patients' 'health care experience is [its] highest priority.' Thus, it should be no surprise that when patients are treated at Stanford's facilities, they expect that their private medical information will be kept confidential and will not be disclosed to anyone without their authorization," the complaint states.

In a brief statement released Monday, Stanford placed the blame on complaint codefendant Multi-Specialty Collection Services LLC, saying it was the subcontractor that mishandled the data. The hospital has since cut ties with the Woodland Hills-based company, which provided collection and billing services.

The entire story can be read here.

Monday, August 15, 2011

BC/BS of Tennessee: $6 million to encrypt data


BlueCross BlueShield (BCBS) of Tennessee has invested $6 million to encrypt all data at rest within the organization in response to a 2009 data breach that affected one million members.

The company encrypted 885 terabytes of mass data storage; 1,000 Windows, AIX, SQL, VMWare, and Xen server hard drives; 6,000 workstation hard drives and removable media drives; 25,000 voice call recordings per day; and 136,000 volumes of backup tape.

BCBS of Tennessee said it undertook the effort in response to an October 2009 data breach, in which 57 unencrypted hard drives were stolen from a BCBS facility. The hard drives contained audio and video recordings related to customer service phone calls from providers and members, including personal information on around one million members.

BCBS notified all affected members and provided free credit monitoring services to members at a higher risk of identity theft. Next, the company launched an effort to encrypt more than 885 terabytes of data at rest.

The company began by completing an inventory of all the points where data resides within the company, from computer hard drives to servers and removable media devices, such as USB drives and CD/DVD burners. BCBS divided the encryption efforts into six areas of focus and completed the project, which took 5,000 hours of work, in just over a year.

“We searched the country and were unable to find another company that has achieved this level of data encryption,” said Michael Lawley, vice president of technology shared services for BCBS. “In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security. Our members can rest easier knowing we implemented this process to better protect their privacy.”