Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Thursday, January 31, 2019

HHS issues voluntary guidelines amid rise of cyberattacks

Samantha Liss
www.healthcaredive.com
Originally published January 2, 2019

Dive Brief:

  • To combat security threats in the health sector, HHS issued a voluminous report that details ways small, local clinics and large hospital systems alike can reduce their cybersecurity risks. The guidelines are voluntary, so providers will not be required to adopt the practices identified in the report. 
  • The four-volume report is the culmination of work by a task force, convened in May 2017, that worked to identify the five most common threats in the industry and 10 ways to prepare against those threats.  
  • The five most common threats are email phishing attacks, ransomware attacks, loss or theft of equipment or data, accidental or intentional data loss by an insider and attacks against connected medical devices.

Tuesday, May 1, 2012

Health records lost, stolen or revealed online

Health privacy problems persist a decade after law went into effect to protect patients

By Deborah Shelton
Chicago Tribune Reporter
Originally published April 23, 2012

Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation's health program for military members, their families and retirees.

Thursday, January 26, 2012

Small medical practices greatly at risk for data breaches


They often lack sophisticated technology to deter thieves, making them bigger targets.

By PAMELA LEWIS DOLAN, amednews staff. Posted Jan. 16, 2012.

Data breach experts are issuing a warning to small practices -- don't be the vulnerable target that data thieves assume you are.

Kroll Fraud Solution's Top Cyber Security Trends for 2012 reported that small practices are more susceptible to security vulnerabilities because they are "the path of least resistance." Many rely on outdated technology. Basic security protections, such as proper use of encryption, often are overlooked as practices focus on meeting regulatory requirements, such as those related to meaningful use.

Small practices often lack the technical sophistication to know what tools to put in place to avoid attacks, said Jason Straight, managing director of Kroll's Cyber Security and Information Assurance unit. Or they have the right tools, but the tools are not implemented or monitored correctly, he said. One example is having incorrectly installed data encryption.

Large organizations have become more "hardened," meaning they spend more money to safeguard their data, said Beth Givens, founder and director of the Privacy Rights Clearinghouse, an education and advocacy group that has tracked publicly reported data-breach trends across all industries since 2005. "It only stands to reason [that data thieves] would go after small practices," she said.

The story can be found here.

Sunday, November 13, 2011

Privacy and Security for EHR: US and EU Compared

PRIVACY AND SECURITY IN THE IMPLEMENTATION OF HEALTH INFORMATION TECHNOLOGY (ELECTRONIC HEALTH RECORDS): U.S. AND EU COMPARED

By Janine Hiller, Matthew McMullen, Wade Chumey, and David Baumer

Abstract

The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time. It can be argued that the EU is proactive in its approach; whereas because of a different viewpoint toward an individual’s right to privacy, the U.S. system lacks a strong framework for healthcare privacy, which will affect the  implementation of EHRs. If the U.S. is going to implement EHRs effectively, technical and policy aspects of privacy must be central to the discussion.

The entire .pdf can be found here.

Thanks to Ken Pope for this lead.