security

Seattle system will pay $100K HIPAA fine after repeated breaches

Anne Zieger — Sat, 19 Jul 2008 22:56:35 -0400

A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS--as well as improve its medical data security--after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.

In light of these incidents, the health system will now revise its policy on transporting patient records outside of company buildings, and it will improve employee training. It will also undergo security monitoring by the feds, and turn in report on data security measures for three years.

The fine that will be paid by Providence is actually fairly unusual, as very few HIPAA fines have actually been imposed to date. However, its security issues are also unique. While many health organizations have lost a single laptop or backup tape to theft or disorganization in recent years, I haven't encountered any that have actually had to report multiple losses. That might explain why federal monitors took a particular interest in this organization's troubles.

To learn more about the HIPAA settlement:
- read this Seattle Post-Intelligencer piece
- read this Briefings on HIPAA article

Related Articles:
IT staffer fired after data theft, sues hospital
Tenet warns of potential data theft
VA pledges better data security
Johns Hopkins investigates data breach

Study: Top health IT initiatives listed

Anne Zieger — Sun, 13 Jul 2008 12:15:52 -0400

According to a new study sponsored by healthcare IT company Logicalis, data storage is the top driver for many hospital and healthcare IT projects underway right now. However, when it comes to the projects themselves, predictably, EMRs are in the lead, according to the study, which names the top 10 IT initiatives being undertaken by healthcare organizations. The remainder of the list includes disaster recovery; medical archiving systems; storage consolidation/virtualization; backup; business intelligence; PACS; health IT infrastructure; compliance and the security of personal health information.

What's interesting about these conclusions is that they differ in some respects from those drawn by a status released by HIMSS in April. For one thing, HIMSS respondents said that improving safety and reducing errors were key drivers of IT investment. Also, it's worth bearing in mind that according to HIMSS results, security breaches still seem to be rather common within healthcare organizations, with 18 percent of respondents having seen a breach within the past six months. If patient safety and security are key drivers, that takes one down a different road than projects driven by storage. I'm not sure how to reconcile these results--readers, what do you think?

To learn more about the study:
- read this Healthcare IT News piece
- read the Logicalis press release

Related Articles:
HIMSS: Patient safety top reason for IT investment
Study: Hospital execs stress IT investment for coming years
Study: Nursing point-of-care IT can interfere with workflow
Study: Better health IT could give nurses more patient time

U.S. hospitals have security 'blind spot'

Mon, 14 Apr 2008 06:59:57 -0400

A new study confirms what many health IT administrators already know--that hospitals aren't doing a great job when it comes to investing in security. The study, which was commissioned by risk consulting firm Kroll Fraud Solutions and published by HIMSS, concluded that hospitals' focus on medical privacy and compliance has distracted them from the threat of patient identity theft and other data breaches. While HIT administrators are very familiar with HIPAA, and eager to meet its privacy provisions, their HIPAA compliance measures won't do much to prevent fraud or malicious hacking, the study noted.

In addition, hospitals aren't being reminded as often as they should be that their peers are having security problems that could affect them, too. The HIMSS study noted that many data breaches don't get reported, given that there's no firm rules in place requiring such disclosures.

Even worse, HIT leaders and their peers may be ignorant as to just how expensive a malicious data breach can be--despite the fact that the average cost of such a breach generally is estimated at nearly $200 per record and $6.3 million per incident.

To learn more about the study:
- read this Healthcare IT News piece
- register and download the original report

Related Articles:
More hospital data security breaches
Hospitals face ID security holes
HIMSS08: IT execs ready to lock down security

NIH security breach includes data on U.S. Rep

Mon, 07 Apr 2008 06:59:58 -0400

Now this must be a little embarrassing for officials at NIH. As it turns out, Rep. Joe Barton (R-TX) was one of 3,000 patients involved in a cardiac MRI study whose records were possibly lost when a laptop computer was stolen from the agency. Not only is the loss of records on a U.S. Representative a faux pas, Barton happens to be a founder of the Congressional Privacy Caucus, which focuses on educating other Congressional offices and staff members on individual privacy issues. Though the laptop was stolen in February, Barton learned of the breach a couple of weeks ago, and didn't know his data might be involved until late March. Now Barton and colleagues are asking HHS's Inspector General to investigate why the data wasn't encrypted on the laptop, and why the agency didn't notify people sooner of the breach.

To learn more about the data theft:
- read this Modern Healthcare piece (reg. req.)

Related Articles:
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400

In what is unfortunately an all-too-predictable episode, UCLA Medical Center executives have said that they're investigating 13 staff members who seem to have accessed Britney Spears' medical records without authorization. The staff members are accused of viewing her non-medical records during her psychiatric stay in January. The Los Angeles Times reported that none of the staff members involved in the incident were physicians, but that they would be fired and that 12 others--including some doctors--would be disciplined. This incident follows on another, taking place in mid-2007, when two dozen employees at a New Jersey hospital were suspended without pay after viewing the medical records of actor George Clooney without authorization.

To learn more about the episode:
- read this article from Healthcare IT News

Related Articles:
Union fights suspensions for workers viewing star's records. Report
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400

New Hampshire EMR privacy rule struck down

Mon, 17 Mar 2008 07:59:57 -0400

This week, the New Hampshire House rejected a measure that would have added new privacy protections to EMRs. The bill, which was opposed by providers and hospitals, would have allowed patients to block access to their EMRs and see who has viewed their records. The law would also have allowed patients to restrict the transfer of their EMR to a physician, as well as restricting the use of their EMR data in marketing efforts. Bill supports said that the bill wouldn't improve big costs, that the restrictions wouldn't be difficult to administer and that patients would have had to to pay for audits. However, critics said the measure would complicate work for physicians, add bureaucracy to the process and impose as-of-yet unknown costs.

To learn more about the bill:
- read this iHealthBeat piece

Related Articles:
Privacy concerns slow EMR push. Report
Health data schemes skimp on privacy. Article
GAO reports numerous security breaches. Article
Ehealth record privacy report coming. Article

Clinical IT leads to security neglect at hospitals

Mon, 03 Mar 2008 06:59:59 -0500

This week's piece from Network World points to a troubling problem--that hospitals are in crosshairs these days when it comes to cyberattacks and other forms of black-hat hacking. Given the growing number of well-publicized security breaches over the last year alone, you'd think that IT leaders would have no trouble getting the bucks they need to boost security protections. You'd think wrong.

With hospital leaders outside the IT suite under tremendous pressure to improve the quality of care--and document that they've done so--clinical data is a priority for most. But along the way, HIT executives are becoming increasingly concerned that their data protection efforts are inadequate.

Now, I'm not suggesting that there's anything wrong with wanting to improve care. But as I've said before, it seems to me that adding big-ticket, shiny clinical solutions without securing the network isn't smart. I know it's a balancing act, but it seems pretty clear that at this point, the balance isn't weighed enough in favor of robust security.

Now, with HHS doing surprise audits of hospitals' HIPAA compliance, some non-IT hospital leaders may get a rude shock when it comes to their security infrastructure. Some CEOs who had no idea that their networks were vulnerable are going to flunk the inspection.

When that happens, maybe these execs will loosen the purse strings where better security protection is concerned. But it shouldn't take an outside agency to make this happen. Here's hoping that as the EMR furor settles down, HIT leaders can make their case for not neglecting the basics. -Anne

Report: HIEs/RHIOs are states' top HIT priorities

Mon, 25 Feb 2008 06:59:54 -0500

States consider health information exchanges and RHIOs (pick your acronym) to be their top e-health priorities, according to a new Commonwealth Fund report. When surveyed in 2007, 25 of 41 of states said that HIE adoption was one of their top two e-health priorities, and 12 said HIE policy development was a key initiative. Meanwhile, states cited the other usual suspects in third, fourth and fifth place as priorities, namely EMRs, e-prescribing and addressing health data privacy and security issues.

States said that the biggest obstacle to jump-starting HIE development efforts were getting together funding for implementation and long-term operations. (Reading between the lines, it appears that state policy-makers aren't too confident that HIEs or RHIOs can be self-financing, as some advocates seem to be.) Many said they had difficulty building a business case for HIEs, lacked adequate standards and shared terminology to use.

To learn more about the study's results:
- read this Government Health IT article

HiMSS '08: Navigating the vendor maze

Thu, 21 Feb 2008 06:59:59 -0500

So, HiMSS '08 is upon us. You know, it seems like only yesterday that my feet were recovering from the blisters I got walking the giant show floor in New Orleans last year! This HiMSS, which takes place in magical reality land of Orlando, isn't likely to be easy on the shoe leather, either. In fact, it promises to be a blockbuster--a spectacle worth of Disney.

For one thing, there's a brain-boggling list of more than 900 exhibitors competing for your attention with booth babes, gear, demos and lots of giveaway toys. And of course, there's a smörgåsbord of brain food available at the 200-odd educational sessions taking place throughout the show's run, user groups, innumerable vendor-sponsored events, games and parties and God knows what else in the way of entertainment. (I like Citrix's booth game "Are you Smarter Than an IT Geek?"--a bit arch, but hey, I'm ready to play.)

So, where's should the smart but weary health IT exec spend their limited HiMSS time? Here's a few ideas on how to navigate the vendor maze:

* It never hurts to play with an EMR--or any other technology that has to be accessible to non-geeks--since an awkward design can make an otherwise clever product useless to your docs.

* By all means, fire tough questions at the security vendors, many of whom just seem to be getting the idea that healthcare-specific products are a Good Thing. But don't be fooled: a lot of them seem to be talking security without really "getting" healthcare realities.

* Anyone who claims they can make your pay-for-performance program's documentation and management easier deserves a listen. As with EMRs, the wrong technology here can actually make things worse.

* If a vendor has ready-to-roll technology available which can support remote patient monitoring, I'd love to see it--and you might want to as well.

By the way, while the most noise always comes from the billion-dollar vendors with the gigantic booths, dazzling light shows and models in short skirts, smaller vendors are staking their claim there too, and you should check some of them out. Actually, you're likely to encounter vendors at HiMSS that you won't run into any other way, as they probably don't have the marketing budget to reach you otherwise.

Don't underestimate these small, scrappy players. Even if you don't end up buying their products, talking with emerging vendors can be quite a source of ideas. And after all, aren't ideas why you come to shows like HiMSS in the first place?

Now, read on to get more detail on topics that should prove to be some of the hottest and most interesting at the show. I hope they're helpful. Meanwhile, with any luck, I hope to meet some of you there. If you see me, feel free to say hello! - Anne