breaches

Study: Better staff training could protect EMR privacy

Mon, 21 Apr 2008 06:59:56 -0400

If providers do a better job of training their staff, privacy breaches will be far less common, according to a new report issued by the AHIMA. Experts quoted in the report note that the recent rash of incidents in which records of celebrities like George Clooney and Britney Spears were accessed demonstrates how easy it is to get to such records. While institutions usually can find out who accessed what record, that's after the incident takes place. In some cases, far too many people may have access to EMRs, and it's in a provider's best interests to impose tougher access restrictions, the authors said. Ultimately, however, technical fixes like this can't do the job by themselves. Providers need to remind employees regularly what privacy rules are, how to address them, and what the consequences will be if they don't, experts quoted in the report contended.

To learn more about the report:
- read this Healthcare IT News piece

Related Articles:
UCLA staff accused of viewing Britney Spears' records
Park Nicollet suspends employees for EMR snooping
Union fights suspensions for workers viewing star's records
Overapplying and misapplying HIPAA is common

GAO warns of widespread ID security breaches

Mon, 16 Jul 2007 06:59:56 -0400

The reports detailing federal data security holes keep rolling in, but somehow, nobody seems to be getting terribly upset about it. In a recent report from the Government Accountability Office, just to site a few upsetting stats, the agency said data breaches have been common of late, with more than 570 breaches being reported in the news media between January 2005 and December 2006. What's more, 17 government agencies reported a total of 788 separate data breaches of government system. It's enough to give a CIO a giant migraine. As if that wasn't enough, the GAO notes it's still not clear to what extent these data breaches result in identity theft.

While some of the breaches fall well outside of the health industry, health data invasions are disturbingly common as well. One recent GAO-mandated AHA survey of 46 hospitals concluded 17 breaches had occurred at 13 of the 46 hospitals since 2003. Three led to fraudulent activity on existing accounts and another three in other forms of ID theft. While all identity theft can do damage, the GAO has previously conceded health identity theft can do perhaps the most long-lasting and harmful damage. Still, the GAO has chosen not to focus its data breach investigations primarily on the health sector of late.

To find out more about the GAO's research:
- read this Modern Healthcare piece

Related Articles:
GAO: Government HIT efforts lack privacy, security. Report
CMS security holes expose patient data. Report
VA revamping IT infrastructure. Report

Editor's Corner

Sun, 04 Mar 2007 19:01:39 -0500

For several months, the VA has been under intense scrutiny as it struggles to close the massive holes in its security infrastructure. In recent times the agency has gotten a great deal of heat from stakeholders, including Congressional committees that oversee its work.

From reading tales of the VA's problems, one might think it's got a uniquely difficult problem to address. In reality, though, the vulnerabilities it faces aren't much different than the ones which have led to breaches elsewhere. These include maintaining large pools of unencrypted medical data, poor control of laptops loaded with such data, and an inability to track which users have data access.

Given how common health IT breaches are these days, I'd argue that it's time to implement a set of health IT security standards uniformly across the industry, perhaps even establishing them as part of The Joint Commission's hospital surveys. These standards, which would call for both technology and internal process changes, could take HIPAA requirements as a jumping off point.

Please note that I'm not suggesting that hospital and health system IT managers don't know their stuff when it comes to security. Still, a healthcare-specific security framework would give health IT managers something to focus on when they're reviewing their existing security plans. And that can't be a bad thing.

Just as importantly, such standards would give IT managers something to use as a consensus-building tool. While it can be hard for IT to pitch security investments to non-technical decision makers, having external standards to comply with is easier to sell.

I know that the industry already has countless rules to adhere to already. But given how important it is to lower the number of intrusions, it's worth establishing standards everyone can accept. Adopting new standards might lead to more work at first, but in the end, implementing them would make life easier for all concerned. - Anne

More hospital data security breaches

Sun, 05 Nov 2006 19:01:38 -0500

Two healthcare organizations are taking a public beating over info security breaches that exposed patient data--and one of them may be on the hook for huge legal penalties. The Akron Children's Hospital publicly admitted last week that an intruder had gained access to patient and charitable donor information. Around Labor Day, the hospital learned that German intruders had accessed information concerning about 200,000 patients. The data included Social Security numbers, bank account information and donor routing numbers. Last week, the hospital went public with the incident. In a statement on its website addressing the issue, the hospital said that it wasn't aware of any illegal use of the information. Repairing the breach could be costly; If one industry industry is correct, it could cost Children's $200 per record breached to lock down its systems again. And there's no guarantee that it couldn't happen again, with a world full of attackers trying to outsmart honest admins.

Still, if Children's is fortunate, it will avoid the fate of the Sisters of Saint Francis Health Services, which is being sued for an eye-popping $1.3 billion (or $5,000 per claimant) over its recent data breach. SSF, which runs hospitals in Illinois and Indiana, lost track of 260,000 records when a contractor copied patient information onto CDs, placed the CDs in a computer bag, then inadvertently returned the bag to a store with the CDs still inside. The suit names SSF, the contractor and the contractor's employer, Perot Systems subsidiary Advanced Receivables Management. The attorneys involved are hoping to get the suit certified as a class action. In the mean time, they want to force SSF to pay credit monitoring fees for the patients and employees involved, which apparently, they haven't yet volunteered to do. (If they haven't, shame on them.)

For background on the breaches:
- read this article from WKNY.com on the Children's situation
- read the Indianapolis Star piece on the St. Francis suit

HIPAA case highlights patient legal vulnerability

Sun, 17 Sep 2006 20:01:36 -0400

The recent indictment of a former Florida employee for conspiracy to commit health care fraud with the personal information of more than 1,100 Florida patients probably won't result in big civil fines against the hospital by the federal government--which has yet to sanction a hospital or other health care entity for patient privacy breaches--says a news article in the Florida Naples News.

The case is potentially precedent-setting as it is the first in South Florida to be prosecuted for violating the federal law protecting patients' privacy rights and the third such case nationally, according to the U.S. Attorney's Office in Miami. But patients may be left out in the cold because of the Health Insurance Portability and Accountability Act (HIPAA) as the federal law doesn't allow individuals to pursue legal action when there's been a breach of their personal health information, privacy rights and HIPAA attorneys told the Naples News.

For more on the case:
- Read the story at the Naples News here

GAO reports numerous security breaches

Sun, 10 Sep 2006 20:01:34 -0400

Oops. More than 40 percent of federal contractors to the Medicare and Tricare programs and state Medicaid agencies responding to a survey by the Government Accountability Office (GAO) said they had experienced privacy breaches involving personal healthcare information of beneficiaries, according to a study of 378 contractors and agencies.

Was outsourcing a factor? Kinda sounds like it. More than 90 percent of Medicare contractors and state Medicaid agencies and 63 percent of Tricare contractors reported some outsourcing of their work to domestic companies, while only one federal vendor and one state Medicaid agency reported directly contracting with an offshore entity for outsourced work. And 33 Medicaid Advantage contractors, two Medicare fee-for-service contractors and one Medicaid agency responding to the survey admitted that their domestic vendors transferred some of their work to offshore organizations. "Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to their locations or vendors," the report said.

For more on the breaches:
- see the full report (.pdf)