Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Monday, March 27, 2017

Healthcare Data Breaches Up 40% Since 2015

Alexandria Wilson Pecci
MedPage Today
Originally posted February 26, 2017

Here is an excerpt:

Broken down by industry, hacking was the most common data breach source for the healthcare sector, according to data provided to HealthLeaders Media by the Identity Theft Resource Center. Physical theft was the biggest breach category for healthcare in 2015 and 2014.

Insider theft and employee error/negligence tied for the second most common data breach sources in 2016 in the health industry. In addition, insider theft was a bigger problem in the healthcare sector than in other industries, and has been for the past five years.

Insider theft is alleged to have been at play in the Jackson Health System incident. Former employee Evelina Sophia Reid was charged in a fourteen-count indictment with conspiracy to commit access device fraud, possessing fifteen or more unauthorized access devices, aggravated identity theft, and computer fraud, the Department of Justice said. Prosecutors say that her co-conspirators used the stolen information to file fraudulent tax returns in the patients' names.

The article is here.

Friday, June 5, 2015

Ethical issues in researching daily life

Researchers who conduct ambulatory assessment should be aware of the pitfalls that may come with new technology that captures participant data.

By Timothy J. Trull, PhD
The Monitor on Psychology
April 2015, Vol 46, No. 4
Print version: page 70

Here is an excerpt:

With this increased utility comes a parallel increase in both ethical issues and assessment challenges. They include:

Informed consent. As with all forms of assessment, it is necessary to ensure that ambulatory assessment participants are informed about the procedures or protocol of the study, the exact nature of the data to be collected, and potential risks and burdens related to the study. Several unique features of ambulatory assessment should be considered. First, especially because ambulatory assessment may involve passive data collection, it is vital to make the participant aware of all of the data that are being collected, as well as how these data might be used. It is also important to recognize that ambulatory assessment may unintentionally capture data on nonconsenting people who interact with the participant via audio recordings, videos or photos. Investigators must decide ahead of time how this should be handled. Should people be encouraged to discuss their participation in the ambulatory assessment study with others with whom they have contact? Some U.S. states may forbid the recording of third parties without their permission. Participants should be given the option to stop recording at any point and to review their data if recording has occurred in sensitive situations.

The entire article is here.

Friday, May 1, 2015

The experts' step-by-step guide to cyber security

By Kitty Dann
The Guardian
Originally published April 2, 2015

Where does cyber security fall on your to-do list? If it’s not a priority, it should be, because 60% of small businesses suffered a breach in the year leading up to October 2014. The worst of these breaches disrupted operations for an average of seven to 10 days.

We recently held a live Q&A on the topic, with a panel of experts on hand to answer your questions. From risk assessment to keeping your business safe on a budget, here are some of their suggestions:

The entire article is here.

Sunday, May 11, 2014

Fourth HIPAA breach for Kaiser

By Erin McCann
Healthcare IT News
Originally published April 7, 2014

Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

The entire story is here.

Monday, April 7, 2014

Nearly half of identity thefts involve medical data

By Adam Levin
Credit.com
Posted on Market Watch March 18, 2014

Here are two excerpts:

“Despite concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organization’s networks or enterprise systems such as email. Similar to last year more than half of (these) organizations are not confident that the personally-owned mobile devices or BYOD are secure.”

According to the report, very few organizations require their employees to install anti-virus/anti-malware software on their smartphones or tablets, scan them for viruses and malware, or scan and remove all mobile apps that present a security threat before allowing them to be connected to their networks or systems.

(cut)

Medical identity theft is on the rise, just as the rise in criminal breaches of health care providers is spiking. Medical identity theft accounted for 43% of all identity theft reported in 2013, and the U.S. Department of Health and Human Services estimates that somewhere between 27.8 and 67.7 million people’s medical records have been breached since 2009 (and that’s before the flawed rollout of the Affordable Care Act).

The entire article is here.

Thursday, August 22, 2013

Health, fitness apps pose HIPAA risks for doctors

Physicians should check apps’ privacy protections before suggesting them to patients. A new report says most apps — especially free ones — don’t offer much privacy.

By SUE TER MAAT
amednews.com
Posted Aug. 5, 2013

Physicians might think twice about advising patients to use some mobile health and fitness apps. A July report indicates that many of those apps compromise patients’ privacy. Just recommending apps may put doctors at risk for violations of the Health Insurance Portability and Accountability Act.

“Even suggesting an app to patients — that’s a gray area,” said Marion Neal, owner of HIPAASimple.com, a HIPAA consulting firm for physicians in private practice. “Doctors should avoid recommending apps unless they are well-established to be secure.”

The entire story is here.

Sunday, February 10, 2013

Ethical Framework for the Use of Technology in Supervision


By LoriAnn S. Stretch, DeeAnna Nagel and Kate Anthony

Ethical and Statutory Considerations

Supervisors must demonstrate and promote good practice by the supervisee to ensure supervisees acquire the attitudes, skills, and knowledge necessary to protect clients. Supervisors and supervisees must research and abide by all applicable legal, ethical, and customary requirements of the jurisdiction in which the supervisor and supervisee practice. The supervisor and supervisee must document relevant requirements in the respective record(s). Supervisors and supervisees need to review and abide by requirements and restrictions of liability insurance and accrediting bodies as well.

Informed Consent

Supervisors will review the purposes, goals, procedures, limitations, potential risks, and benefits of distance services and techniques. All policies and procedures will be provided in writing and reviewed verbally before or during the initial session. Documentation of understanding by all parties will be maintained in the respective record(s).

Supervisor Qualifications

Supervisors will only provide services for which the supervisor is qualified. The supervisor will provide copies of licensure, credentialing, and training upon request. The supervisor will have a minimum of 15 hours of training in distance clinical supervision as well as an active license and authorization to provide supervision within the jurisdiction for which supervision will be provided. Supervisors providing distance supervision should participate in professional organizations related to distance services and develop a network of professional colleagues for peer and supervisory support.

Supervisee and Client Considerations

Supervisors will screen supervisees for appropriateness to receive services via distance methods. The supervisor will document objective reasons for the supervisee’s appropriateness in the respective record(s). Supervisors will ensure that supervisees screen clients seeking distance services for appropriateness to receive services via distance methods. Supervisors will ensure that the supervisee utilizes objective methods for screening clients and maintains appropriate documentation in the respective record(s).

Supervisors will ensure that supervisees inform clients of the supervisory relationship and that all clients have written information on how to contact the supervisor. Written documentation of the client acknowledging the supervisory relationship and receipt of the supervisor’s contact information should be maintained in the respective record(s). Supervisors will only advise the supervisee to provide services for which the supervisee is qualified to provide.

Clients and supervisees must be informed of potential hazards of distance communications, including warnings about sharing private information when using a public access or computer that is on a shared network. Clients and supervisees should be discouraged, in writing, from saving passwords and user names when prompted by the computer. Clients and supervisees should be encouraged to review employer’s policies regarding using work computers for distance services.

The entire story is here.


Saturday, December 29, 2012

'Not One Successful EHR System In Whole World'

Longtime advocate of computerizing healthcare C. Peter Waegemann calls current health IT policy 'misguided.'

By Neil Versel
InformationWeek
Originally posted on December 17, 2012

While federal health IT officials were touting the perceived successes of their efforts to increase physician usage of electronic health records (EHRs), one longtime advocate of EHRs was criticizing the whole direction of health IT policy.

"In my opinion, there is not one successful EHR system in the whole world," said C. Peter Waegemann, who founded and ran the Boston-based Medical Records Institute from 1984 to 2009. "User friendliness, usability, and interoperability are not there," he added in an interview with InformationWeek Healthcare.

He defined a successful EHR as one that is fully interoperable. "We have been focusing too much on documentation [for the purpose of reimbursement]," he said. This point has not been lost on the Obama administration, which has warned providers about using EHRs to "game the system."

Still, Waegemann believes the administration has not been aggressive enough with its $27 billion federal Meaningful Use EHR incentive program, based on published rules for Stage 2 and early recommendations for Stage 3. "MU2 and MU3 are just small steps. They rely on old technology," Waegemann said.

He noted that a number of leading EHR systems are written in the MUMPS programming language that originated at Massachusetts General Hospital in the late 1960s. Meaningful Use also relies on outdated standards such as version 2.x of Health Level Seven International's messaging standards rather than the more recent version 3.

The entire story is here.

Wednesday, November 21, 2012

25 Tips to Prevent Data Breaches

By Sharon D. Nelson & John W. Simek
The Wisconsin Lawyer
Volume 85, No. 11, November 2012

Another day, another data breach. Data breaches have proliferated with amazing speed. Here is the roundup of some of the largest victims in 2011 alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary, TripAdvisor, Citigroup, NASA, Lockheed Martin, and RSA Security. Some mighty big names on that list.

Don't be lulled into thinking that law firms (large and small) aren't suffering data breaches just because they don't have millions of clients affected. On Nov. 1, 2009, the FBI issued an advisory, warning law firms that they were specifically being targeted by hackers. Rob Lee, an information security specialist who investigates data breaches for the security company Mandiant, estimated that 10 percent of his time in 2010 was spent investigating law firm data breaches.

(cut)


Top Practical Security Tips

1. Have a strong password – at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Much easier to hack someone else. Use a passphrase so you can remember the password: "Love ABATECHSHOW 2013!" is a perfect example.

2. Don't use the same password everywhere. If they crack you once, they've got you in other places, too.

3. Change your passwords regularly. This will foil anyone who has gotten your password.

The entire story is here.

Thanks to Ken Pope for this article.


Wednesday, October 10, 2012

ONC advancing Blue Button, CDS standards efforts


Automating the Blue Button to Exchange PHI

Mary Mosquera
Senior Editor, Government Health IT
Originally published on September 26, 2012

Developers in an ONC voluntary community are beginning to drill down into what will be required to automate the Blue Button feature to exchange patient health information at the consumer’s request under different scenarios.

The Blue Button enables patients to view and download their information in simple text format and is currently available to veterans, military service members and Medicare beneficiaries. A few private sector health organizations have begun to make it available to their members.

The ONC’s Standards & Interoperability Framework community has just created three panels to identify standards and tools to push personal data to a specific location, such as using Direct secure messaging protocols and the Consolidated Clinical Document Architecture (CDA), and allowing a third-party application to access personal health data on demand, in a pull transmission, according to Doug Fridsma, MD, director of ONC’s Office of Standards and Interoperability and acting chief scientist.

The entire story is here.

Tuesday, May 1, 2012

UAMS investigating breach of patient information

By David Harten
Arkansas Online
Originally published 4/21/2012

The University of Arkansas for Medical Sciences is investigating a breach of patient information after a document wasn't properly redacted.

According to a release from UAMS, the investigation began after an unidentified physician sent financial information on a patient to someone outside the UAMS offices in mid-February. The physician failed to remove all identifiers of the patients, such as names, account numbers and dates of service, among others. Bank card, credit card or bank account numbers were not included in the released information.

Thursday, April 12, 2012

Howard University Data Breach due to Stolen Laptop

NBC Channel 4 in Washington.
Originally published on March 28, 2012


A heads-up if you have personal information on file with Howard University Hospital.

The facility sent letters to more than 34,000 patients about a laptop stolen in January.

The entire story is here.

Editorial note:
This story is yet another example of protected health information data loss due to a stolen laptop.

A guiding principle can be derived from multiple stories like this: Prevent data breaches by not taking PHI home in a laptop or portable storage device.

Thursday, January 26, 2012

Small medical practices greatly at risk for data breaches


They often lack sophisticated technology to deter thieves, making them bigger targets.

By PAMELA LEWIS DOLAN, amednews staff. Posted Jan. 16, 2012.

Data breach experts are issuing a warning to small practices -- don't be the vulnerable target that data thieves assume you are.

Kroll Fraud Solution's Top Cyber Security Trends for 2012 reported that small practices are more susceptible to security vulnerabilities because they are "the path of least resistance." Many rely on outdated technology. Basic security protections, such as proper use of encryption, often are overlooked as practices focus on meeting regulatory requirements, such as those related to meaningful use.

Small practices often lack the technical sophistication to know what tools to put in place to avoid attacks, said Jason Straight, managing director of Kroll's Cyber Security and Information Assurance unit. Or they have the right tools, but the tools are not implemented or monitored correctly, he said. One example is having incorrectly installed data encryption.

Large organizations have become more "hardened," meaning they spend more money to safeguard their data, said Beth Givens, founder and director of the Privacy Rights Clearinghouse, an education and advocacy group that has tracked publicly reported data-breach trends across all industries since 2005. "It only stands to reason [that data thieves] would go after small practices," she said.

The story can be found here.

Saturday, December 17, 2011

Breach concerns rise for health care firms

By Judy Greenwald
Business Insurance
Originally published on November 27, 2011

Hospitals increasingly need a new kind of specialist on call: data security experts.

Health care institutions are particularly vulnerable to data breaches because of factors that include stringent federal and state regulations, widespread dissemination of patient data and a growing black market for patient medical information.

At CNA Financial Corp., for instance, health care represents about 25% of the data breach insurance business written but 60% of all claims, said Mark Silvestri, Quincy, Mass.-based vp of product development and director of CNA's NetProtect.

There are steps health care firms can take to minimize breach risks (see related story on best practices).

Despite the data security challenges they face, health care institutions generally perform well, experts say.

“By and large, I think they do a good job, some better than others,” said Nicholas Economidis, an underwriter of professional liability and specialty lines at Beazley Group P.L.C. in Philadelphia. However, information that “exists in multiple forms throughout an organization,” as it does in health care institutions, is a “very difficult exposure to control,” he said.

The dispersal of that data is an issue as well. While banks tend to keep information internally, health care data is handled by many more organizations, said Tom Srail, Cleveland-based senior vp with Willis North America Inc. “The nature of the health care business requires the sharing of that same information,” he said (see related story on third-party providers).

Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C., said health care institutions are increasing their Internet activity with partners that include physicians, health plans and pharmacies.

Having “more people in the line of that chain that have the potential to handle sensitive data simply increases the risk that data will be accessed by accident, or by a third party,” with the potential that it could be used fraudulently, he said.

The sheer breadth of personal information that health care institutions hold complicates the issue.

The entire story is here.

Thursday, December 8, 2011

UCLA breach: Do Not Take Data Home

By PAMELA LEWIS DOLAN
amednews.com

Even if practices think they have a strong data security plan in place, too often a new breach occurs that reminds them there are always additional steps that can be taken, or that certain vulnerabilities were overlooked.

The most recent reminder came through the UCLA Medical Center, which issued a public notice on Nov. 4 saying that a former employee's computer external hard drive that contained information about 16,288 patients was stolen during a house burglary. Although the data were encrypted, a piece of paper containing the password needed to unencrypt the data also came up missing after the burglary.

UCLA said in the notice that the records did not contain Social Security numbers or financial information. But they did include first and last names and possibly birth dates, addresses and medical record numbers and information. The data ranged from July 2007 to July 2011. The theft occurred in September, and UCLA said it took until November to determine who was affected and obtain valid addresses for notification. The employee whose home was burglarized ended his employment with UCLA in July.

The entire story is here.

Sunday, November 13, 2011

Privacy and Security for EHR: US and EU Compared

Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared

By Janine Hiller, Matthew McMullen, Wade Chumey, and David Baumer

Abstract

The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time. It can be argued that the EU is proactive in its approach; whereas because of a different viewpoint toward an individual’s right to privacy, the U.S. system lacks a strong framework for healthcare privacy, which will affect the implementation of EHRs. If the U.S. is going to implement EHRs effectively, technical and policy aspects of privacy must be central to the discussion.

The entire .pdf can be found here.

Thanks to Ken Pope for this lead.