Things you should know before going live with a Complete Data Breach Response Strategy

by Heather Noonan

So you find yourself in the debacle of a data breach? Where in the world do you begin? Your management team is sending you emails left and right, meetings have started to run amok, and you haven’t had lunch in the last two days.

MORE INFO: Data Breach Response "How To" Series

Data breaches can be full of politics, high energy, and a lot of miscommunication. If you break it down to the basics, communicate, and make some smart decisions from the beginning, you are guaranteed to see some light at the end of the tunnel.

Data breaches are also highly regulated under state and federal guidelines, and the requirements can be rather confusing. Similar to a crisis communication strategy, there are some main things you need to consider before you pull the trigger.

  1. Affected Population - Were forensics completed? Do you know the true population of how many people were affected? It’s highly recommended that you complete digital forensics and have a final population before you begin mailing letters. All too often another 1,000 people will be found, or in some cases what you thought was your affected population wasn’t affected at all.
  2. Resources - Who will be the decision makers and who will be the administrators? Who will handle the mailing, the multitude of phone calls, the concerned and angry callers, and a possible investigation?
  3. State and Federal Requirements - Whether you fall under state guidelines or HITECH, you will run into many regulations with specific guidelines and timeframes. Pay close attention to these. They aren’t there just as a warning.
  4. Forms of Notification - Most state and federal laws require notification in writing and by first class mail. You also need to ask who will handle the mailing. Will you hire a third party vendor to manage it? Do you have the necessary resources available?
  5. Contents of Notification - What happened and when? What personal information was lost? What are you doing to protect personal information from further unauthorized access? Do you need to include information for the consumer credit reporting agencies, or instructions on how to place a fraud alert or a security freeze? Consider everything that needs to be in the notification letter and take into account state and federal requirements.
  6. Contact Information - A telephone number for callers who need further information and assistance.
  7. Notification to Regulators - State attorneys general, enforcement agencies, and the consumer credit reporting agencies all have specific deadlines and requirements for when they require notice. Remember, you not only have to notify the affected population, but other state and federal regulating bodies too.
  8. Notification to Media - Will you be issuing a press release? Do you need a public relations or marketing firm to assist? What are you legally required to say, and to whom will you submit the release?
  9. Notification on Website - Do you fall under the requirement to post notification on your website? If you do, how much information is necessary?
  10. Document - Document everything. You never know when you will need to refer to certain specifics and the decisions that were made.

Okay, now that you have those 10 steps under control, move forward and good luck!

MORE INFO: Experts highlight top data breach vulnerabilities

 


About the Author

Heather Noonan

Heather is the Senior Project Manager for the ID Experts Data Breach Response Team. She provides subject matter expertise, state and federal regulatory requirements, and best practices. She is the primary point of contact for client communication and data breach engagements. Heather has been with ID Experts since 2008 and works in all areas of ID Experts, including informational webinars and blog discussions. Heather has a Bachelor of Science, specializing in Business Communication, and has over 15 years of experience in client customer service, including 10 years in project management.

What I learned at the ID 360 event in Austin

by Christine Arevalo

I spent a week at The Center for Identity’s ID360 event in Austin, TX last month. What an amazing event this proves to be year after year!

ID360 is a community of participants interested in fostering research, development and implementation of innovative solutions to meet current and future challenges to identity theft, fraud, misuse and detection.

ID Experts has been a founding partner of the Center for Identity for five years now, and this is one of the events I really look forward to. From the great weather to the caliber of speakers on such a wide array of subjects, all focused on the topic of identity, what’s not to like? I’m fond of saying, “it’s where all the identity geeks get together annually.”

Some of the fascinating tidbits I picked up and would like to share:

Social Implications of Predictive Modeling

There are fascinating implications in Google’s use of search terms to “predict” the spread of the flu. Can search query trends provide the basis for an accurate, reliable model of real-world phenomena?

“Each week, millions of users around the world search for health information online. As you might expect, there are more flu-related searches during flu season, more allergy-related searches during allergy season, and more sunburn-related searches during the summer.”

Also relating to predictive modeling, an interesting article from Forbes I somehow missed: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did

This certainly makes you pause to consider the privacy implications. Suzanne Barber, Executive Director at the Center, made a great observation about the ongoing conflict we have pertaining to privacy, in particular defining and agreeing on what it means for our customers. She noted that what consumers really desire is CONTROL. I would add that the degree of control consumers desire varies based on the type of information being shared, and with whom.

Other interesting statistics, presented by Bryan Hjelm, VP at CSID:

  • Small businesses are still a major target for attacks - more than 50% of targets in 2012 were companies with 2,500 or fewer employees.
  • Companies still think they are safe - 77% think they are safe from attack, but only 83% of those polled have a formal cyber security plan.
  • Healthcare is the sector affected most significantly by data breach - of reported breaches in 2012, 36% were in healthcare, more than twice that of any other sector.

Final note:

One speaker made an appeal to those of us in product development within the industry to strive to deliver “real” products that add real value to consumers. As the market continues to shift and consumer needs change, it’s important for the integrity of the identity marketplace that we heed this warning. He also asked that we do the industry a favor and be more responsible with marketing and billing practices!

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Analyzing the US HIPAA Legacy and Future Changes on the Horizon

by Christine Arevalo

The US Department of Health and Human Services issued the long-awaited final omnibus rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on January 17, 2013. This ruling set a federal-level baseline for US healthcare privacy.

In a recent Data Protection Law & Policy article (Vol. 10, Issue 2) analyzing HIPAA’s legacy in light of future changes, Kirk Nahra, partner at Wiley Rein, LLP, reviewed HIPAA’s beginnings, subsequent rulings to fill in the gaps, and concerns going forward.

He noted that while HIPAA regulations have been the primary driver of privacy protection for a decade and provide the foundational principles in most situations, even these rules reflect inconsistent internal approaches and often provide little assistance or overall confidence in more difficult situations.

He reflects that the current rules do not control a wide variety of situations involving healthcare privacy, which other laws, particularly state laws, control or, in fact, no law controls. He succinctly states that with each new regulation and law we see “a movement towards more confusion and controversy, rather than less.”

Nahra provides a useful historical background for HIPAA by illustrating that for many decades healthcare privacy protection in the U.S. was driven exclusively by professional ethics and a myriad of state laws, with no consistent federal baseline. This left gaps in application and much confusion. When the HIPAA era began with the passage of the act in 1996, it focused on ‘portability’ - the idea that individuals could take their health insurance coverage from one employer to the next, without pre-existing health conditions acting as an impediment to job transitions.

When Congress passed HIPAA, it also included other healthcare topics, including large funding for an extended fight against industry fraud and the move to electronic health records (EHRs).  Nahra posits how privacy concerns around EHR implementation prompted HIPAA’s further Privacy and Security rules, respectively, and stated that these new rules had limits on the applicability to “covered entities” - such as doctors, hospitals and health insurers who might be participating in these standardized transactions.  Hence, a large number of entities who obtain or use healthcare information are not within the scope of these rules, such as consumer-facing entities, many healthcare websites, life and disability insurers, employers in their employment role, etc.

He explains that while the covered entities are core participants in the industry they rely on vendors to provide services, many of which involve patient information.  The limitation referenced above led HHS to develop the concept of “business associates” - an entity that provides services to the healthcare industry where the performance of those services involves the use or disclosure of patient information.

Nahra further explains the confusion with the business associate rule by noting that because HHS had no direct jurisdiction over these “business associates”, they imposed an obligation on the covered entities to implement specific contracts with the vendors that would create contractual privacy and security obligations.  The failure to do so would mean a violation of HIPAA rules and a breach of contract, but would not subject the business associate to government enforcement because said associate was not regulated under the HIPAA rules. This confusion has existed since the inception of the HIPAA Privacy Rule in 2003.

Nahra brings us to the present with round two of HIPAA regulations, driven largely by Congress, which are only beginning to be reviewed, analyzed and implemented. He notes that after almost four years, the Department of Health and Human Services has finally released its omnibus HIPAA/HITECH regulation, implementing changes to the HIPAA Privacy, Security and Enforcement Rules, as well as the interim final regulation on breach notification and certain changes to the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA). The regulation was published in the Federal Register on January 25, 2013.

The recent changes result from the 2009 passage of the HITECH act.  According to Nahra, the “schizophrenic nature” of the act has been well documented with Congress’ desire to incentivize - meaning pay - healthcare providers to implement EHR systems.  Congress decided that it would impose new privacy compliance obligations on those who chose to use EHRs; and then would create a new set of privacy obligations for everyone else, unconnected in any way to the use of these EHRs.

Nahra concludes that this statute “fixed” one of the key gaps of the original legislation and rules by applying the enforcement reach of HIPAA to not only covered entities but their 'business associates' as well.  It increased the available penalties for HIPAA violations, cut down on permitted marketing, and modified and expanded certain individual rights.

Nahra encapsulates with a few final points.  Namely, that even with its recent expansion, HIPAA is still not a general medical privacy law and that while its scope has broadened, the protections still depend on where healthcare information starts - with a healthcare provider or health plan. He argues this leaves enormous gaps in protection, particularly given recent developments that are encouraging consumer centric involvement in their own healthcare and providing the technology to make this goal a reality.  Secondly, although the legislation does not turn business associates into covered entities, it does impose - for the first time - direct accountability on these business associates, with potential civil and criminal liability for a failure to meet these requirements.  And finally, that aside from some modest clarifications the HITECH law did not fundamentally broaden the overall HIPAA scheme, nor did it address in any way the tensions between HIPAA and the thousands of applicable state laws.

Highlighting concerns for the future, Nahra claims the structure leads to a variety of ongoing tensions that affect the efficiency of the healthcare system, the effectiveness of individual privacy and the operations of the overall healthcare system, including the systemic benefits of large scale data analysis.

The main concerns are:

1. Single Rule vs. Multiple Rules - a federal floor versus individual, more stringent state laws

2. Research - HIPAA rules create significant limitations on how research can be conducted and have been heavily criticized by many in the research community

3. Technology vs. Security - balancing technological advances with security in relation to breaches, etc.

4. Health Information Exchanges - exchanges being driven by state law privacy concerns that dictate what information can and cannot be included

Nahra concludes by stating that the healthcare privacy model in the U.S. is a work in progress, and the progress is slow while the movement of technology is fast. However, he offers that HIPAA works most of the time in most situations and more stringent state laws fill the gaps when applicable, and that one solution would be to allow states to pass more stringent future laws, tailored to the HIPAA model. “A better healthcare privacy system would in fact benefit individuals, healthcare business and the system on the whole, but we are a long way away from solving this wide variety of issues.”


Are You a HIPAA Business Associate? It isn’t as Simple a Question as it Sounds.

by Doug Pollack

As we enter summer this year, it is just a few short months to September 23, 2013. So what is special about that date? That is when HIPAA business associates, those organizations that work with healthcare providers, health plans, and others and are exposed to sensitive patient data (protected health information, or PHI), are required to comply with new privacy, security and breach notification rules from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), known as the HIPAA Omnibus Final Rule.

So with this date fast approaching, do you know if your organization is a HIPAA Business Associate? And do you know all of the organizations that you work with that are also HIPAA business associates? It may not be as simple as you think (or hope) to know. But first, do you really need to care?

The answer to this question is a definitive “yes”. If you are considered a business associate under HIPAA and the HITECH Act, you have substantial obligations beginning in September to ensure the privacy and security of patient health information, and you also have notification obligations if you have a “breach” of such information. If you were investigated by OCR and found to be “neglectful” in complying with these provisions under the HIPAA Omnibus Rule, you may find your organization subject to fines, penalties, and corrective action plans, which can be financially substantial and operationally onerous.

So let’s look at what defines a business associate. The HHS website defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Under the Final Omnibus Rule, the definition is further explained and clarified.

Thanks to the Godfrey & Kahn law firm for their description of the clarifications made in the Final Rule:

“Under the Final Rule, a “business associate” is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity. Health information that is created or received by a covered entity, identifies an individual, and relates to that individual's physical or mental health condition, treatment, or payment for health care is considered PHI when it is transmitted by or maintained in any form of medium, including electronic media. Notably, the new definition clarifies that "business associates" include entities that "maintain" PHI for a covered entity, such as a data storage company.

The Final Rule also clarifies the definition of a "business associate" by expressly including health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require "routine access" to PHI. Additionally, as further explained below, the new definition of "business associate" provides that certain subcontractors of business associates are also "business associates." Due to the significance of the new rules and the imposition of direct liability on business associates under HIPAA, entities which are unsure of whether they qualify as a business associate should clarify with legal counsel.”

So the healthcare world that we are about to move into isn’t as simple as the one in which we are today. How so? Well first, HIPAA covered entities, those organizations such as healthcare providers and health plans, must revisit their inventory of business associates, and based on the Final Rules, see if they have other organizations that would be considered business associates based on the clarified definitions. If so, they are obligated to have business associate agreements with those organizations.

Then second, if your organization currently works with HIPAA covered entities and has a business associate agreement with them, you would be well served to investigate and understand the new obligations that you now carry under the Final Rules. It is fairly likely that your organization is either unaware of or unprepared to comply with the provisions of the Privacy Rule, the Security Rule and the Breach Notification Rule. There are specific actions that you must take to consider yourself in compliance. Take a look at our Final Omnibus Rule Playbook for an outline of the steps you should consider.

Third, if your organization is currently a HIPAA business associate, you now may have subcontractors that you work with that are also considered business associates under the Final Rules. You have obligations to execute a business associate agreement with them. And they have obligations to comply with the new Rules. And in some cases, these subcontractors may not even be aware that they are now considered business associates. Whether they know it or not, they do have new obligations. So hopefully they are paying attention.

And that brings us to our fourth item. If your organization works in any way with healthcare organizations or healthcare patient data, you should get a legal opinion as to whether you could be considered a business associate under the new Rules. Waiting for your covered entity or upstream business associate to notify you of your obligations and provide you a business associate agreement to sign may not be the best path. They may not recognize in a timely manner that your organization is, in fact, a business associate. You would be well served to be proactive in this regard, find out for yourself if you are considered a business associate under the new Rules, and if so, learn more about your obligations.

So hopefully in reading this, you realize that there is a lot to do and consider this summer, before we reach September 23, 2013. If you require any further motivation, note that OCR has recently completed an audit program in which it audited a collection of HIPAA covered entities on their level of compliance with HIPAA standards. The results were really not encouraging. You can check out the presentation by Linda Sanchez, OCR Senior Advisor, Health Information Privacy and Lead, HIPAA Compliance Audits here. In this presentation, she notes that in the next phase of audits, HIPAA business associates will also be included.

So think about it. If you received a letter from OCR notifying you that your organization is a HIPAA business associate and that you were selected for a HIPAA privacy and security audit, do you think you’d be ready?

About the Author

Doug Pollack

CIPP, MBA. With over 25 years’ experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

How to manage employee-based data breaches?

by Heather Noonan

I will keep this blog relatively short since it follows the same guidelines and recommendations of “How to inform internal teams of a data breach?”.

MORE INFO: Data Breach Response "How To" Series

Your employees are vital to the growth of your company. Their loyalty, happiness, and well-being are crucial. Look at companies like Google. They cater to every need of their employees. Why? Well, there is a very good reason for it. I recommend you Google it.

Employee perceptions and satisfaction will be swayed during a breach, whether it is a security break-in or a system hacking. Employees fear not only for their personal information and job security, but now their trust in the company has also been altered.

My main recommendation is to be very transparent with your employees, reach out to them, and take care of them. I know this may sound like a no-brainer, but you would be VERY surprised how many companies handle a breach as just another day. If employees’ personal information was affected, offer them some type of credit monitoring or recovery service. You want to show them that you regret that this incident happened and that the company will go above and beyond to mitigate it and make sure it never happens again. You want to regain their trust not only in you, but in the company.

  1. Be transparent with employees. Provide what you know and the details you are still working through.
  2. Provide full disclosure. Were police or federal entities involved? Did you catch the perpetrator?
  3. Provide services for affected employees. Provide a credit monitoring or recovery service in case employees are affected by true identity theft. Nothing makes an individual more upset than to have their information stolen and, while they sit there helpless, you continue on with your day. Help them.
  4. Provide additional information and updates when available.
  5. Open door policy. You want to avoid rumors and employee gossip.
  6. Be patient and understanding with the disgruntled group. You will always have angry employee(s). Work with them one on one and truly listen to them. Sometimes all they need to do is vent, and it may have nothing at all to do with the breach.
  7. Be leery of email notification. Information such as this is best handled in person at a company forum or in a comfortable environment where employees can ask specific questions. There are a lot of risks with email notification, including the risk of emails being forwarded to non-employees. Remember, we live in the world of social media. In an instance like this, Facebook and Twitter are not your friends.
  8. Have managers available for employees with additional questions.
  9. Educate employees on state and federal guidelines. As with a healthcare breach, or a breach in specific states, you need to explain that the incident could be investigated.
  10. Remind employees that this is common and this too shall pass.

Additional helpful tips can be found at “How to inform internal teams of a data breach?”.

MORE INFO: How to inform your internal teams that your company has had a data breach?


Harm Standard: Gone But Not Forgotten? New Factors Mimic Current Breach Regs

by ID Experts

This article was reprinted with permission from the Report on Patient Privacy

Although covered entities (CEs) have been required since 2009 to notify affected individuals and the government, when appropriate, of breaches of unsecured protected health information (PHI), the so-called “harm” standard that triggers notice no longer exists under the new final regulations. Or does it?

Are CEs really starting over when it comes to assessing whether an incident is a reportable breach under the final regulations issued on Jan. 25, which have a compliance deadline of Sept. 23?

Just how hard CEs will have to work in the next few months to implement the new regulations on breaches may well depend on how thoroughly they absorbed the 2009 interim final regulation — including its chatty preamble. Another factor is whether they have a detailed process in place already that they use to assess whether incidents have to be announced, or if they’ve been just kind of winging that part of it.

“If the CE had decided to look at the breach notification rule as a serious matter, and has attempted to comply,…used the interim final rule and followed the spirit of the rule, you are in pretty good shape,” Mahmood Sher-Jan, vice president of product management for ID Experts, a breach prevention, assessment and mitigation firm based in Portland, Ore., tells RPP.

To be sure, there’s one big difference between the old and new breach regulations: The new regulation requires a presumption that an incident is a reportable breach, unless the CE’s analysis proves the data probably haven’t been, and won’t be, misused (RPP 2/13, p. 1). And while the “harm” standard has been replaced with another that relies on a “low probability of compromise,” there’s much that’s the same, such as three exceptions in the old rule that are also found in the new rule, with the one dealing with limited data sets now omitted.

Harm: New Regs Pose Few New Problems

Sher-Jan and other privacy experts point out that the preamble to the 2009 regulation used some of the exact language to describe the analysis based on risk of harm that now appears in the new regulation in the form of four factors under the “low probability” standard that CEs, and now business associates, must consider to determine if a breach meets the legal definition of an incident requiring notice.

As in the old regulation, the new regulation states, “Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” The old regulation also said the following, which is now gone from the new regs: “For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”

In its place is the following, which describes the four new factors to be used instead of the harm standard:

“(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

“(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

“(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

“(iii) Whether the protected health information was actually acquired or viewed; and

“(iv) The extent to which the risk to the protected health information has been mitigated.”

Lisa Sotto, who heads the privacy and information management practice for the New York-based law firm of Hunton & Williams, LLP, says the health care community can make a “seamless shift” to the new standard and the assessment process. “I don’t think it matters” that the standard was changed, she says. “When you are faced with the breach, you conduct an analysis based on the relevant requirements.”

What CEs are doing now, she says, “is pulling out their incident response procedure and revising it to remove the ‘risk of harm’ and inserting the new standard.”

Sotto termed it “good and bad” news that the language from the preamble of the 2009 regulation has been reframed into the four factors now present in the new regulation. “Very good in that we have a clearer description” of what goes into a risk analysis, she says, “but the negative, I venture to guess, [is] that those will be the only ones to be considered.”

Many CEs already have experience complying with state data breach laws, many of which include similar standards, and allow for, or even require, mitigation, she says.

Sher-Jan cautions that “no single factor should determine” whether a reportable breach has occurred or not, and he warns CEs against a “tendency to drop to factor three, if it was viewed or acquired — ‘Yes’ — then it’s a breach.”

“Mitigation will be the biggest question in my mind,” he says. “The final rule says ‘if you take the proper steps’…what are the proper steps? I think that will be an area” of need for greater clarification by OCR.

It will be important for CEs and BAs to develop mitigation strategies, since the opportunity to engage in such actions is now spelled out in the regulation, he adds. OCR, in the final rules, “recognized that there can, and should, be mitigation. Even though the word ‘harm’ has been removed, there is an obligation to minimize the adverse effect,” Sher-Jan adds. “Ensuring that the PHI is secured or is no longer misused or abused is part of protecting the patient,” he says.

Regardless of where CEs are in their efforts to comply with the new four-factor standard, Sher-Jan says they need to be certain that whatever they do is part of an overall breach management program, with consistent policies and procedures, “metrics” and a process for detecting potential breaches. “How many are you [seeing]? How are you classifying them — breach or not? Are those going up or down?” he asks.

Admitting he has a “bias toward automation,” Sher-Jan stresses that while his company has a product that will provide assistance with compliance and documentation of an analysis, the ultimate decisions are up to the CE. If investigated, “You can’t say, ‘a tool told me what to do.’”

ID Experts’ flagship product, RADAR, is a software decision-support program that “plots an incident’s risk level on a heat-map using a proprietary incident risk index.” The program “takes into consideration the severity of the incident, as well as the financial, reputational, and medical risk levels associated with the exposed [information],” and compares the resulting score against federal and state breach notification laws, he says.

Sher-Jan says the weight assigned to the various factors may be “adjusted” if necessary based on the forthcoming guidance, which he hopes will “give us some scenarios” for when breach notification is required.

So far, there is no consensus on whether the new regulation will result in more or fewer breach notifications. Some organizations have made public notification of incidents, along with how they disciplined employees, in cases that some saw as marginal.

Of course, some notifications might have had less to do with a strict interpretation of the harm standard and more to do with a CE’s desire to set an example for its workforce, or fear that the Office for Civil Rights could conclude the CE erred in not treating an incident as a breach, perhaps subjecting the organization to more calamitous actions than the actual breach would.

“In many cases CEs just notify whether there is knowledge [of a breach] in or outside. There is often a weighing in favor of notification because there can be less risk associated with it,” Sotto says, as opposed to later being second-guessed or investigated and then penalized if it is determined notice should have been made.

“We have handled over 900 data breaches and every one is unique. Every one has to be separately [assessed],” Sotto says. Of these, entities have ended up notifying affected individuals more than 90% of the time, a percentage she does not expect will change.

When the incident is “murky,” entities tend to notify, Sotto says. Circumstances in which they might not include when the PHI was sent “to a single trusted partner, maybe another CE,” when it involved “innocuous data — name, address” — that is sent, and when a valid affidavit is obtained attesting to the return or secure destruction of the data, she says.

The new standard “will be a big deal,” says Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, who adds that, of the new changes in the rule, this will have “definitely the biggest impact.”

He disputes the final rule’s assertions that no breaches will be reportable under the new regulation that aren’t currently reportable, and its premise that the new standard is more exacting than the 2009 harm standard.

“The new rule is no more ‘objective’ — or less ‘subjective’ — than the old rule. It’s still a judgment call,” says Drummond, who predicts an uptick in reported breaches.

“For anyone with a possible breach incident that is using the new standards, unless you meet one of the three statutory exceptions, it will be very, very difficult to come to the conclusion that there is no reporting requirement,” he says. “This is very troubling, potentially, since something as little as a breach of the minimum necessary standard could (should, will) require notification to affected individuals.”

“We may see a spike,” Sher-Jan agrees, “but I don’t think it will be [among those] who were already compliant,” but among “people who were really on the fence [in the past], who didn’t follow the rules before.”

“Maybe they had a process that was far more subjective” than that spelled out in the new final rule, he adds. Breach notification hasn’t fully matured, Sher-Jan says, adding that more time is needed now that the four factors are in place for that process to continue, and for some, to perhaps get underway for the first time. “Breach is still in its teenage years,” he says. “It may get a little more rambunctious before it settles down.”

Contact Sher-Jan at mahmood.sher-jan@idexpertscorp.com, Sotto at lsotto@hunton.com and Drummond at jdrummond@jw.com.

About the Author

ID Experts

Cyber Risk & Privacy Liability Forum 2013

by Jeremy Henley

Well, it’s that time of year again when all the key players of the cyber liability insurance world arrive in Philadelphia. Net Diligence works closely with HB Litigation Conferences to bring more than 300 attendees to the Cyber Risk & Privacy Liability Forum on June 6-7, which is sure to be another great event.

MORE INFO: Market for healthcare data breach insurance growing rapidly

We can always count on an update on the litigation surrounding data breaches. This session usually has a great back and forth between panelists, who are generally attorneys that would be opposing counsel in these kinds of legal matters. It is also a great opportunity to learn how the plaintiffs’ attorneys are making their cases. This is great research for keeping our strong track record of not having clients sued by the breach victims after a data breach.

There are some interesting topics that are new to the conference this year as well, like reinsurance and subrogation. These topics largely deal with how insurance companies protect themselves against major losses. There appear to be several reinsurance carriers attending this year, which is new as well. I am looking forward to meeting them and understanding their business.

Again there will be a panel specific to healthcare and some of the challenges of underwriting these organizations for cyber liability. They will discuss the recently finalized HIPAA privacy rules and their effects relative to insurance. The only disappointing thing about this panel is that one of the questions they suggest will be answered is what services healthcare entities are looking for that are not currently offered, yet there is no representation from a breach response vendor that can speak to all the challenges or differences of responding to a healthcare data breach. Maybe next year?

Cyber terrorism will have a bigger spotlight this year for sure, with all the press around the recent events and threats from around the globe. The Stuxnet worm, discovered three years ago, still has plenty of buzz. The idea that a foreign enemy could disrupt our utilities, flight controls, or our banking systems is very interesting, or maybe scary is a better term. I can honestly say that when I joined ID Experts to prevent ID theft and respond to data breaches, I didn’t realize I would be so close to terrorism and national security issues!

Another conference session that is always interesting is the one on claims data. This session provides highlights of an annual report that Net Diligence puts together, offering summaries and averages of what claims are actually coming in via this form of insurance. Every year I am even more surprised at how different the numbers collected are from what ID Experts clients actually experience.

Last year’s report stated that the average breach claim was $3.7M, with $2.1M of this cost tied to legal fees and settlement costs of class action lawsuits. For starters, none of our clients have had the expense of a class action, so on that item alone ID Experts comes in 57% below what insurance carriers paid on those claims. The report also identifies credit monitoring as the leading cost of an incident response, which also does not match our experience at ID Experts. There is a better and more efficient way to manage breaches, and I believe this has everything to do with our patented data breach response process, YourResponse™. To see my blog post on the Net Diligence report, click here.

The event also provides several opportunities for reconnecting with friends and customers and learning what everyone is up to and what the next big thing for Privacy and Cyber liability insurance might be.  If you will be attending shoot me an email at Jeremy.henley@idexpertscorp.com and we can meet up.

DOWNLOAD: 10 Things to Consider Before Purchasing Cyber Insurance

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of sales and leadership experience to the ID Experts team.

HHS’ Sensible Compromise on the Controversial Harm Threshold (Part 2)

by Mahmood Sher-jan

In part 1 of my analysis of the HIPAA final breach notification rule, I focused on the implications for covered entities and business associates of the change to the definition of “breach.” The revised definition removed the controversial “risk of harm” language and instituted an incident-specific risk assessment requirement. According to HHS, the harm threshold was giving covered entities too much flexibility to apply their own perception of whether the incident could harm the affected patients. The focus of this Part 2 analysis is on the practical choices facing covered entities to comply with the newly minted “compromise” standard and the associated four risk factors.

MORE INFO: HIPAA Final Omnibus Rule Playbook

The “compromise” standard

Covered entities and business associates must now assess the probability that the protected health information (PHI) has been compromised based on a risk assessment that at a minimum considers the following factors outlined in the final rule:

(1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

(2) The unauthorized person who used the protected health information or to whom the disclosure was made;

(3) Whether the protected health information was actually acquired or viewed;

(4) The extent to which the risk to the protected health information has been mitigated.

What Must You Do and What are Your Options?

The final rule is effective on March 26, 2013 and covered entities and business associates are expected to comply with the applicable requirements of the final rule by September 23, 2013.  The enforcement of the final breach notification rule by the Office for Civil Rights (OCR) will be carried out pursuant to the Enforcement Rule.  It is time to get busy and prepare for compliance.

The single most important thing that any covered entity or business associate must do is to create a CONSISTENT methodology for conducting incident risk assessments that meets your burden of proof. This requires that your suspected (paper or electronic) incidents are:

  • Submitted to the organization’s incident response team and recorded.
  • Evaluated based on a consistent risk assessment model using the four factors outlined in the final rule. This is where most organizations fall short and put themselves at risk of non-compliance.
  • Designated as breaches or non-breaches according to a consistent decision support process using the outcome of the risk assessment.
  • Tracked and stored in a common repository with all supporting documentation, including investigation, corrective action plan, sanction(s), attestation(s), and notification(s), for internal use as well as for an OCR investigation or audit.
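The workflow above is a documentation discipline more than an algorithm, but it helps to see what “consistent” and “auditable” mean in concrete terms. The Python below is an added illustration written for this page; it is not the RADAR product, not an HHS tool, and not a scoring model the rule prescribes. It models one incident record with the four factors, treats an impermissible disclosure as a presumed breach by default, refuses to emit any outcome until every factor carries a rating and a written rationale, and appends each decision to a hash-chained log that can be re-verified later. The low/medium/high scale, the “at least two factors rated low before a low-probability finding is accepted” consistency check, the abbreviated exception labels and the sample misdirected-mailing incident are all assumptions of this example.

```python
"""Four-factor incident risk assessment record with a hash-chained audit trail.
Added illustration, not ID Experts' RADAR or an HHS tool.  The four factors and
the three exceptions come from 45 CFR 164.402; the rating scale, the "no single
factor" check and the sample incident are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib
import json

FACTORS = ("nature_and_extent",        # (i)   PHI involved, likelihood of re-identification
           "unauthorized_recipient",   # (ii)  who used or received the PHI
           "acquired_or_viewed",       # (iii) whether the PHI was actually acquired or viewed
           "mitigation")               # (iv)  extent to which the risk has been mitigated
LEVELS = ("low", "medium", "high")     # assumed scale, not prescribed by the rule
EXCEPTIONS = ("good_faith_workforce_access", "inadvertent_internal_disclosure",
              "recipient_could_not_retain")  # abbreviated labels for the statutory exceptions

class AssessmentError(ValueError):
    """The record is too incomplete to support any outcome."""

@dataclass
class FactorAssessment:
    level: str
    rationale: str

@dataclass
class Incident:
    incident_id: str
    description: str
    factors: Dict[str, FactorAssessment] = field(default_factory=dict)
    exception: Optional[str] = None         # one of EXCEPTIONS, if claimed
    low_probability_finding: bool = False   # the covered entity's own conclusion
    finding_rationale: str = ""

def decide(inc: Incident) -> str:
    """Return 'exception', 'presumed_breach' or 'not_reportable'.  Breach is the
    default; a low-probability finding needs every factor rated with a rationale,
    a written explanation, and (assumed check) at least two 'low' factors."""
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise AssessmentError(f"unknown exception {inc.exception!r}")
        return "exception"
    for name in FACTORS:
        fa = inc.factors.get(name)
        if fa is None or fa.level not in LEVELS or not fa.rationale.strip():
            raise AssessmentError(f"{name}: needs a level in {LEVELS} and a rationale")
    if not inc.low_probability_finding:
        return "presumed_breach"
    if not inc.finding_rationale.strip():
        raise AssessmentError("low-probability finding must be explained in writing")
    if sum(inc.factors[f].level == "low" for f in FACTORS) < 2:
        raise AssessmentError("finding rests on a single factor; reassess")
    return "not_reportable"

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only list of decisions; each entry commits to the previous one."""
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, inc: Incident, outcome: str) -> str:
        body = {"incident_id": inc.incident_id, "outcome": outcome,
                "factors": {k: vars(v) for k, v in inc.factors.items()},
                "exception": inc.exception, "finding_rationale": inc.finding_rationale,
                "at": datetime.now(timezone.utc).isoformat(),
                "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def sample_walkthrough() -> List[str]:
    """Constructed scenario: EOB mailed to the wrong plan member, opened, returned."""
    inc = Incident("INC-0001", "EOB mailed to wrong member; recipient opened it and called in")
    inc.factors["nature_and_extent"] = FactorAssessment("medium", "name, address, claim summary")
    inc.factors["unauthorized_recipient"] = FactorAssessment("low", "another member of the same plan")
    inc.factors["acquired_or_viewed"] = FactorAssessment("high", "recipient confirms she read it")
    inc.factors["mitigation"] = FactorAssessment("low", "signed attestation of return, no copies kept")
    outcomes = [decide(inc)]               # 'presumed_breach': no finding recorded yet
    inc.low_probability_finding = True
    inc.finding_rationale = "trusted recipient, attestation obtained, nothing retained"
    outcomes.append(decide(inc))           # 'not_reportable'
    log = AuditLog()
    log.record(inc, outcomes[-1])
    outcomes.append("chain_ok" if log.verify() else "chain_broken")
    return outcomes

if __name__ == "__main__":
    print(sample_walkthrough())
```

Run as a script, it walks a misdirected mailing from “presumed breach” to a low-probability finding that rests on the recipient and on the attestation obtained from her, not on factor three alone. The hash chain exists for the reason Sher-Jan gives: when an investigator asks why an incident was classified the way it was, the answer has to be the documented assessment, and it has to be demonstrably the one made at the time.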

I must admit that I have a bias for an approach that is software-based and uses analytical modeling to quantify the outcome of any risk assessment. There are many benefits to this approach, including consistency, efficiency, collaboration, one tool for handling HIPAA and state laws, tracking performance metrics and management reporting, to name a few. None of these benefits can be effectively achieved using paper or Excel worksheet-based approaches. I was recently speaking with a health plan that had developed a solution using a combination of Excel and an Access database. They pointed out that this solution did not offer collaboration, nor did it support state laws or any audit trail to establish the consistency and efficacy of the decision process when investigated. I have had numerous complaints from folks who are using paper or Excel tools about the inherent subjectivity and lack of consistency of the risk scoring and the “human error” factor that can never be eliminated. So why would any covered entity use these inadequate approaches? I am told that the paper and Excel approach does not require any scarce IT resources and that they are not aware of better, affordable options that are really easy to use.

If you are a covered entity or business associate that is compliant with the IFR’s breach notification rule, you now must review your risk assessment process, make sure that you are using all four required factors, and embed the ongoing guidance from HHS to remain compliant with the final rule. So depending on the risk factors you used before, this could be a small or big effort. The good news is that the final rule retained all the exceptions allowed under the IFR except the narrow limited data set exception. The rules around incident discovery and notification timelines remained virtually unchanged. So depending on your satisfaction with your existing solution, the internal effort needed to comply with the final rule and the vendor-based solutions available, you can chart your compliance path as September 2013 approaches.

If you are an entity that has yet to fully comply with the IFR, the clock is ticking and you need to choose whether you have the resources to build and maintain your own HIPAA and state(s) risk assessment solution or to buy a proven vendor solution. Our ID Experts RADAR™ online incident decisioning and management software is a proven and easy-to-use solution used by many hospitals and health plans to perform incident risk assessment as prescribed in the HHS final rule and state laws. RADAR could help you achieve compliance in a timely and cost-effective manner.

DOWNLOAD: HIPAA Final Rule: Top Three Actions You Must Take Now

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

Big Data Increases Breach Risk

by Deanna Jones (DJ)

Our existence as a consumer society has led us to our current big data reality.  Everything about us is compiled, categorized, sorted, analyzed, often with our permission, though the knowledge of what we’re doing has largely been hidden in the fine print, if shared at all.  In exchange for dense digital dossiers of our lives, we often get a coupon or an offer, matched just for us, from the logs maintained about our lives.  And this is just the mild form of big data’s usage.

The debate of big data stretches onward, its use and disuse, its privacy pitfalls and the unregulated frontier in which it thrives, but a recent Wall Street Journal blog brings to light how the data that is maintained can be used against us – not in the way you’d think – but in the case that the data is breached.

The increase in data increases the risk of a data breach. Imagine the amount of data held by an electronic health record processor for a health plan, or by a retail chain’s loyalty card program. If the company faces a data breach, imagine the scale of the loss: how many millions of people would have to be notified, across how many states and in compliance with how many varying state laws? Wall Street Journal blogger Nicholas Elliott informs us that, according to several experts, “ignorance about stored data can magnify the costs of notifying customers and the risk of regulatory or legal repercussions.”

With all the data that exists, what is needed and what is redundant or simply of no use?  Companies have been so quick to collect information, but they’ve barely stopped to think of the repercussions of what has been collected.  Bruce Radke, chair of the data privacy group at law firm Vedder Price, advised “the first step in any company’s assessment of its data should be really looking at the information you need and getting rid of everything else.”

Radke foresees a time when breached companies will be sued for keeping too much data, with the allegation that poor data management will lead to more data being lost or compromised, unless companies adhere to stricter policies. He echoed the recommendation that ID Experts maintains, that companies should have a breach response plan in place, outlining what steps to take should a breach occur, rather than figuring it out on the fly, post-breach.

Sadly, the best-prepared companies are those that have already been hacked. “Once someone has been through a breach, they have a very different focus,” said Bantick. They tend to be prepared for the next instance. Radke continues, “The folks that have experienced pain tend to be prepared for the next instance.”

About the Author

Deanna Jones (DJ)

Deanna Jones (DJ) is an Investigator within ID Experts’ Special Investigations Unit. She came to ID Experts from the Portland Police Bureau and has an extensive background in legal and insurance investigations for plaintiff case preparation, background checks and workers’ compensation fraud. She also worked with the Bureau of Alcohol, Tobacco and Firearms (then under the US Treasury, now the Bureau of Alcohol, Tobacco, Firearms and Explosives under the Department of Justice), where she assisted with regulatory investigations and compliance. DJ has obtained government security clearance through her duties at ID Experts and is a Certified Fraud Examiner (CFE). She holds a BA in English and Journalism and an MS in Criminology.

Senior Identity Theft: A Problem In This Day and Age

by Robin Slade

Panelists at the May 7th Federal Trade Commission (FTC) forum, Senior Identity Theft: A Problem in This Day and Age, related that seniors are often preferred targets, especially for medical identity theft. Fraudsters, who may include unscrupulous relatives and/or caregivers, view these individuals as more trusting, less financially sophisticated and less likely to report the crime, because they fear family members may think they cannot maintain their independence.[1] Panel members discussed the many still-unanswered questions regarding how to prevent tax and government benefits fraud, medical identity theft, and identity theft in long-term care, and how to reach older consumers.

Because individuals are the only ones with the detailed knowledge of their medical care or financial expenditures who can raise the alarm when they do fall victim, it is essential for consumers to learn the true impact of these crimes, to protect themselves as best they can, and to raise the alarm when it is needed.

In addition, system practices continue to make personally identifiable information (PII) available in ways advantageous to criminals. For example:

  • Social Security Numbers are used on Medicare insurance cards.
  • HIPAA rules intended to protect patient privacy can also prevent victims from gaining access to their records in order to correct them.
  • Healthcare providers have been implicated in the vast majority of crimes and may choose not to help the victims at all.[2]
  • 94% of US healthcare organizations studied have had critical PII data breaches and 45% of these organizations showed five or more breaches during the study period.[3]
  • Three out of five providers studied, including major hospitals and healthcare providers, do not have the policies and procedures in place to safeguard health records.[4]
  • More than six in ten healthcare organizations studied say they do not have enough resources to ensure data security.[5]

We know that medical identity theft and fraud cost the healthcare industry $41 billion in 2012, cost taxpayers and consumers through higher premiums and healthcare costs, and have life-altering consequences for patients and their families, so the attitude that resources cannot be dedicated to data security indicates a lack of understanding regarding the true value of the PII.

In financial identity theft, the financial institution may make the individual financially whole again; not so for medical identity theft victims. We are seeing some success: insurance companies are among the most proactive players, as are federal government investigation units and law enforcement. And Medicare has assisted patients by simplifying EOBs and providing some consumer education. The public/private consortium, the Medical Identity Fraud Alliance, is leading the current effort to include all ecosystem stakeholders in developing the cost-effective technologies, policies, and best practices we need to lessen patient exposure to fraud and theft.



[1] National Crime Prevention Council, 2012.

[2] The majority of medical identity theft occurs with provider and sometimes patient complicity, though in some cases provider licenses are stolen or data breaches provide the information needed to commit these crimes. World Privacy Forum, 2013.

[3] Ponemon, Third Annual Benchmark Study on Patient Privacy & Data Security, 2012.

[4] Ibid.

[5] Ibid.

About the Author

Robin Slade

Robin M. Slade is the Development Coordinator for the Medical Identity Fraud Alliance, a public/private partnership that unites the healthcare ecosystem to develop solutions and best practices for medical identity fraud. Ms. Slade is also the President and Chief Executive Officer of the Foundation for Payments Fraud Abatement and Activism and FraudAvengers.org, a non-profit corporation and weblog focused on helping consumers lessen their exposure to fraud and scams. She is also Senior Vice President and Chief Operating Officer for The Santa Fe Group, and manages the Shared Assessments Program, a consortium created by leading banks, auditing firms, and service providers to inject efficiency and cost savings into the vendor risk assessment process.

Breach Notification Laws: An Evolving Mine Field

by Mahmood Sher-jan

In 2012 a number of states made changes to their breach laws, including Connecticut, Texas and Vermont. The most noteworthy was Texas’ House Bill 300, which amended the state’s existing data breach law effective September 1, 2012, requiring covered entities in Texas to notify affected individuals regardless of their state of residency. This is groundbreaking because it is the first time that a state has expanded the reach of its obligations beyond its own borders, basically saying that the obligations of a breached entity that does business in the state do not stop at the state line but follow the affected individuals wherever they may reside.

MORE INFO: Update from Texas: Understanding the New Privacy Law

Less groundbreaking in scope were Connecticut, which passed House Bill 6001, effective October 1, 2012, repealing and substituting the state’s existing data breach law, and Vermont, which amended its law in May of 2012 to require notification of affected individuals and the State Attorney General within 45 days of discovery of a breach incident.

For users of our RADAR incident risk assessment/decisioning and management software, these regulatory changes were simple to comply with because they were embedded in the software well in advance of the corresponding enforcement dates.

Fast forward to 2013: the HIPAA final omnibus rule is now published, with a compliance date of September 23, 2013. After studying the final rule in great detail and having a few discussions with covered entities and the legal community, I find there is little consensus on the rule’s final impact. Some folks think that a lot more breaches will be reported to HHS, while others think that the difference between the number of incidents reported under the final rule and under the interim final rule will be insignificant. So who is right? The final rule leaves room for interpretation, especially when it comes to the 4th factor, the extent to which the risk to the PHI has been mitigated. The rule states that CEs and BAs should attempt to mitigate the risk to the PHI following any impermissible use or disclosure, through a confidentiality agreement or similar means. Our RADAR software uses the factors required by the final rule to ensure compliance.

My observation is that many "experts" seem to forget that the final rule requires the incident risk assessment to use a minimum of FOUR factors and that no one factor should determine the outcome of the assessment. In other words, when a CE mails information containing PHI to the wrong patient or policy holder and the recipient actually views the information and informs the entity of the error, this incident should not automatically constitute a breach if appropriate mitigation is performed according to the 4th factor of the final rule. The mitigation should consider the recipient and whether an attestation or confidentiality agreement is obtained from the recipient as an example of proper PHI risk mitigation. The mitigation bar may be even lower, according to the final rule, when the recipient is another entity obligated to abide by the HIPAA Privacy and Security rules. The rule suggests that in such cases, there may be a lower probability that the PHI has been compromised given these entities' existing obligations to protect PHI.

In the final analysis, the final rule does not completely put to bed the concerns over the subjectivity of the required risk assessment, nor does it create an unambiguous framework. However, the rule establishes that risk assessment is a required element of incident management, and we now have a minimum of four factors to consider in the assessment. At the HCCA 2013 Compliance Institute conference in DC, I was able to confirm this point, and HHS further told me that within a few weeks the department will issue additional guidance on the breach incident risk assessment. Apparently a paper-based tool will also be provided, but my assumption is that it will be fraught with the issues common to manual tools.

So to that end, this is progress, since there’s no room for staying on the fence about adopting policies, procedures and tools to help your organization comply with the final breach notification rule and its looming compliance date of September 2013. And let’s not forget the continued evolution of state breach laws. Your incident management must account for any changes in these laws as well.

DOWNLOAD: HIPAA Final Omnibus Rule Playbook

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

HCCA 2013 - The Year of the Security Risk Analysis

by Heather Pixton

It is with great pleasure that I write this recap of the HCCA Annual Conference and Tradeshow. The event was held outside of Washington DC on April 21-24, and ID Experts was one of many organizations represented in the tradeshow. I can honestly say that this was one of the most fun, productive, and energized events we have ever done. The caliber of people visiting our booth was extremely impressive! We had Compliance Officers from complex health systems talking about their HIPAA/HITECH obligations, HIM Directors talking about data flow and security, Nursing Practice Managers talking about workflow risks, and administrators of medical practices who wanted to talk about it all! The conversations I personally had with visitors, as well as the conversations I overheard from my colleagues, were compelling and very advanced. We were not talking about basic HIPAA and data breach; we were having very in-depth conversations about compliance and risk mitigation. I absolutely loved hearing our team being used as a trusted advisor in healthcare!

ID Experts also hosted a cocktail event… well, really more beer and burgers. It was during this event that we were able to sit down and have more in-depth conversations with the people who had visited our booth. I personally had a couple of great conversations about HIPAA risk assessments and how organizations are performing those today. We talked about Meaningful Use as well as the Final Omnibus Rules. It is apparent that these two motivating factors are playing a big part in the 2013 plan. Even organizations who operate as a business associate had a heightened awareness of their HIPAA obligations under the Final Rule. It seems that 2013 may be the year of the Security Risk Analysis.

In addition to the amazing conversations our visitors brought to us, we also had an unbelievable response to our Wounded Warrior fundraiser. Instead of giving away iPads or Kindles, we decided about a year ago to do something very meaningful. We have been collecting tributes to the Wounded Warrior Project for a year and have raised a total of $6,250, $2,150 of it during the HCCA event alone! What an amazing accomplishment! We had over 400 people visit our booth and add their name to the “wall” of Wounded Warrior tributes. For every name we collected, we donated $5 to the Wounded Warrior Project. I am so proud of the attendees at this conference who added their names to this important cause.

Overall, as I reflect on this event, I am so proud to be part of ID Experts and thrilled that our experience in healthcare is being so well received. This event reinforced for me why ID Experts is a perfect fit in healthcare… we understand the environment, we speak the language, and we genuinely care about the privacy and protection of health information. No other industry can match the care and compassion that is found in healthcare, and I am so happy to be a part of that greater community.

About the Author

Heather Pixton

Heather Seward came to ID Experts with 12 years of experience in sales and marketing, and is using her experience to grow new territories for the company. Heather will encourage this growth through securing strategic partnerships and developing strong relationships in the industry. Before joining ID Experts, Heather was President of a successful small business, managing a variety of tasks including sales, marketing, and operations. Heather has a BA from Southern Oregon State College.

Patient Identity Infection—A Multi-Faceted Risk Facing Patients

by Mahmood Sher-jan

At ID Experts we have been helping identity theft victims and patients protect and restore their identities for over a decade. It is our mission, after all. It shapes our company culture and values. We know very well that identity theft and medical identity theft are growing problems. So what are the risks to patients’ identities in the healthcare setting, and how do we protect against these risks? We know intuitively that prevention is the best medicine, but how can we truly prevent a problem with so many root causes, some intentional but most unintentional?

MORE INFO: Balancing Privacy and Access: Preparing for the Risks of Health Information Exchanges

I attended a session by Mark Ruppert, Dir. Internal Audit, Cedars-Sinai Medical Center, at the HCCA 2013 Compliance Institute conference. The session highlighted how, in a hospital and research setting, the vulnerabilities to patients’ identities are endless. And I am not just talking about technology-based vulnerabilities—the human kind is pretty prevalent. Here’s a sample list, from the session, of ways that a patient’s identity could get infected and ultimately her medical record could be falsified or tampered with in a healthcare setting:

Errors during the initial patient identity capture process due to:

  • Inadvertent human error
  • Untrained front end personnel
  • Incomplete front-end capture processes
  • Faulty system edits and or interfaces
  • System errors that could misclassify a patient. It took one year to get a deceased patient back into the living world once the patient was incorrectly flagged as deceased in the system.
  • Patient claiming to be victim of ID Theft
  • Misdirected information (mail, fax, email)
  • Spouse causing compromise of PHI due to family issues such as divorce
  • Appointment replacements
  • Sharing Insurance cards between patient and family members
  • Stolen and lost equipment with unprotected PHI (laptops, media devices, medical equipment, fax machines)
  • Moving multi-function printers around a facility – settings are not changed so it would capture and send PHI.
  • Inappropriate disposal of PHI
  • Community outreach programs: lack of sufficient training for volunteers and attending physicians
  • Patients presenting with false ID (shared ID/Stolen IDs/No ID)
  • Research subjects presenting false ID and representing false information.
  • Not knowing where your PHI resides, not knowing who should have access
  • Medical record access is not controlled and systems containing PHI are not protected
  • Individuals authorized to access PHI are not trained on proper handling
  • Inappropriate system access (creating false patient information)
  • Authorized individuals access PHI and misuse their authority
  • Systems/files containing PHI are not known and can’t be identified for proper protection.
  • Vendor supplied equipment and medical devices with PHI can leave facility without proper disposal.
  • Unnecessary collection of PHI using old forms that are no longer necessary.
  • Sending information requests to unauthorized individuals
  • Curious employees, clinicians, consultants, etc.
  • Corrupt employees, clinicians and consultants
  • Weak physical security (open facility access)
  • Inappropriate use of email/texting/tweeting (& other social media)
  • Insufficient policies & procedures and workforce training.

Looking at this list, which is not exhaustive by any means, it is easy to assume that there are endless opportunities for infecting patients’ identity and that patients should fear getting an identity infection as much as any other type of medical infection when visiting a medical facility. This also highlights the immense patient protection challenges that privacy, compliance and security folks face within healthcare institutions. A good place to start is to perform a periodic risk assessment whose scope includes these threats and vulnerabilities. This will hopefully help elevate management’s awareness and concern and create the need for better controls and monitoring for patient protection.

On another note, ID Experts would like to thank all of the compliance professionals at HCCA who helped raise $2,150 for the Wounded Warrior Project. To date through the various trade show booths at conferences, we have raised $8,400 for the non-profit organization.

ID Experts donated $5.00 to the Wounded Warrior Project for every person who came by the booth to show their support for this non-profit organization, whose mission is to honor and empower wounded warriors. Their vision is to foster the most successful, well-adjusted generation of wounded service members in our nation's history.

SEE ALSO: Preparing for the Security and Privacy Risks that are Engendered by Health Information Exchanges and Electronic Health Records

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

Big Data Will Turn Privacy Upside Down

by Jon Neiditz

This post by Jon Neiditz is part of our ongoing series of contributed content.  Reprinted with permission - you can read the full article here: Big Data Will Turn Privacy Upside Down in a Way that Will Put New Burdens on Cloud Providers, and Individuals May Turn Big Data Upside Down

Privacy scholars and practitioners the world over have now noted that the current regulation of privacy simply does not work well in a big data world.[1]  Thus to the extent that they are openly welcoming or at least acknowledging the inevitability of such a world, many of them (us) are beginning to seek new approaches.  Among the major concerns regarding the application of current privacy law to big data are the following:

  1. Current privacy law focuses on data minimization in collection, while big data extracts unpredictable value from combinations of data the collection of which might not have appeared necessary.
  2. Current privacy law often requires that data be destroyed when no longer needed for the purpose for which it was collected, while big data looks for derivative uses and opportunities. 
  3. Current privacy law often relies solely on notice and consent at the time the data is collected (although this is changing with privacy by design, which often emphasizes “just in time” notices for particular uses and disclosures of data), and big data uses are generally not known at the time of collection.
  4. Current privacy law allows for free alienation of all personal rights at the time of consent or authorization, which makes no sense when the uses of the data are not known. 
  5. Current privacy law exempts information that has been anonymized or de-identified, but big data facilitates reidentification of anonymized data.[2]
  6. The White House Privacy Bill of Rights, drawing on the work of scholar Helen Nissenbaum, made “respect for context” one of its core principles, while big data companies like Google take big data in precisely the opposite (context-disruptive) direction.

If big data leads us to (a) give up on data minimization and destruction as soon as the primary use has been completed, (b) limit reliance on complete alienation of rights based on an initial notice and consent, and (c) undermine to some extent reliance on the effectiveness of de-identification, then the protection of privacy must have what are called in information security “compensating controls.” Those controls are particularly important to emphasize here, because in my view they go to the very heart of using cloud computing in big data:

  1. EXTREMELY good information security. Insofar as cloud computing may raise both regulatory- and risk-based information security issues that, say, a DoD-certified facility does not, I would suggest that cloud-based big data providers hold themselves to a strong service organization-oriented assurance standard such as a SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Big data cloud repositories are already targets for hackers, and will increasingly be so, particularly as the value of the data increases.
  2. A focus on big data company accountability for appropriate use of the data (to complement, in my view, some continued reliance on informed end-user notice and consent). This point is made well in two ways by Mayer-Schonberger and Cukier.[3] First, they stress the need for a formal big data use assessment and plan based on regulatory ground rules. The plan would incorporate “differential privacy” (now being explored by Microsoft and others), which deliberately obscures or masks the data, and maximum retention periods prior to secure data destruction. The problem posed by this idea is big data’s black box problem stressed in Section 2 above; the complexity of big data analysis and proprietary innovation make public accountability difficult. I believe their call for quasi-auditors, both independent/external and internal employees, given the infelicitous name of “Algorithmist,” will be a necessary and likely development, particularly in the absence of changing individual rights like those discussed below.

These new professionals would be experts in the areas of computer science, mathematics, and statistics; they would act as reviewers of big-data analyses and predictions. Algorithmists would take a vow of impartiality and confidentiality, much as accountants and certain other professionals do now. They would evaluate the selection of data sources, the choice of analytical and predictive tools, including algorithms and models, and the interpretation of results.[4]

These two “compensating controls” — as substitutes for the more traditional privacy regulatory requirements at the beginning of this section — would put a great deal of regulatory and auditing pressure on both big data firms and cloud providers to become both less messy and more transparent. 

A third force that would have a similar impact might come from Europe in the next year. Among the sets of ideas under consideration in the transformation of European data protection regulation that is now underway are many that would put more power in the hands of individuals. In the US, Tene and Polonetsky made the case for such a shift in control in a popular paper,[5] and Rubinstein extended their thinking, incorporating Doc Searls’ work on Vendor Relations Management (VRM).[6] If the European Union proceeds in this direction, it will make the creation of aggregators that lower transactional costs likely, opening the door for individuals to play an active role in the big data economy. And where would individuals store their big data but in the “personal clouds” that many of them already have and others soon will, given the consumerization of IT?

One way or another, value will be delivered to the individual as an individual, thanks to big data.  The question as between an American approach and a European approach may be how much the individual will be consciously involved in the creation of that value.  


[1] For two good looks at where big data may lead privacy regulation, see Christopher Kuner, Fred H. Cate, Christopher Millard and Dan Jerker B. Svantesson, “The challenge of ‘big data’ for data protection,” Oxford Journal of International Data Privacy Law, Volume 2, Issue 2, pp. 47-49, and Ira Rubinstein, “Big Data: The End of Privacy or a New Beginning,” International Data Privacy Law (2013).

[2] But see, Ann Cavoukian & Khaled El Emam, Info. & Privacy Comm’r of Ont., Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy 7 (2011), available at http://www.ipc.on.ca/images/Resources/anonymization.pdf.

[3] Mayer-Schonberger and Cukier, op cit., pp. 172-184.

[4] Ibid., pp. 179-182.

[5] Omer Tene and Jules Polonetsky, ‘Big Data for All: Privacy and User Control in the Age of Analytics,’ (forthcoming) Northwestern Journal of Technology and Intellectual Property.

[6] Rubinstein, op. cit., at p.8. 

About the Author

Jon Neiditz

In April 2013, I brought my big data, privacy and information security practice to Kilpatrick Townsend, a firm that has become one of the leading information law firms in the world. I had led information management practices at other law and consulting firms, worked in-house and in government. My work includes:

  • Regular management of responses to data security breaches, including the largest governmental data breach on record
  • Global privacy and information security counsel to private and public sector organizations
  • Assistance in formulating “big data” plans, including:
    - contracts that value and protect newly-defined data assets in new ways, and
    - information management programs that combine defensible disposal with protected “lakes” of big data
  • Assistance in “privacy by design” initiatives

My J.D. was from Yale and my B.A. from Dartmouth.

How to inform internal teams of a data breach

by Heather Noonan

What is the best way to tell your internal teams that your company has had a data breach? A data breach isn't unlike any other public relations debacle. Like any crisis that needs a public relations strategy and a game plan, it needs to be well thought out and executed with finesse. Unfortunately during all this, your company faces reputational harm, deadlines, and client, consumer, and media backlash.

MORE INFO: Data Breach Response "How To" Series

For your internal teams, gather your decision makers and be transparent with what you do and don't know about the breach. Discuss what is being done and the plans in place. Bring in legal and human resources to provide input on the decisions being made. Assuming your information technology (IT) team is already involved and doing their job to fix what may have been broken, whether it was a break-in or a hack, make sure you keep everyone on the same page. I have found that communication is KEY in instances like this. If you aren't communicating well, right from the beginning, you will have half the company moving in one direction, poor decisions being executed, and your right hand won't know what your left hand is doing. Also remind your teams to keep information confidential as you work through forensics and put the pieces together.

I have seen too many companies want to send a company email to explain the data breach. This can be a very bad company decision. Unless your employees were all affected, I would highly recommend against this. Rumors begin this way. People begin to talk and ask immediate questions, which then starts the telephone and "what if" game. Your best intentions email will often be forwarded to an employee's friend or family member. That friend or family member then forwards the email and so on and so forth. (Not pretty.)

Yes, definitely tell your company what happened, but tell them during a company forum. Tell them face to face where they are able to ask questions. Let them voice their concerns and let you explain how the company is working through this incident, how people are being cared for, and the changes that are being made.

Here are a couple of pieces of advice from someone who has seen the good and bad decisions made while a company works through a data breach.

  1. Don’t rush and don’t panic. When we rush we can often make quick, irrational decisions.
  2. Don’t make emotional decisions.  (same as above)
  3. Keep to the facts.
  4. Don’t play the hypothetical game.
  5. Be transparent and avoid rumors.
  6. Be very leery of email notification.
  7. Keep the initial information on a need to know basis as you gather all the evidence.
  8. Dedicate your main decision makers. Keep the key people involved and make decisions as a group. Even the smallest decision can affect the final outcome.
  9. Avoid too many cooks in the kitchen. Too many people making decisions can become very problematic and tiresome.
  10. Remember you are a team and you are protecting the company. Too often employees become worried about themselves and the politics involved.
  11. Avoid politics during decision making. Same as above, when politics are involved, bad decisions can be made.
  12. Remember State and Federal guidelines when making decisions. If under HITECH, you will most likely be investigated.
  13. Document everything. Every decision should be documented, no matter how small. This will be vital years from now.
  14. Keep your door open. People will continue to have questions and concerns. Be ready for them. Don’t think that because the incident was five months ago that questions won’t come up and you won’t have to deal with them…again.
  15. Take the high road. Don’t lash back at people that attack you or the company. Always take the high road and save face.
  16. Smile through it all and remain the leader. This too shall pass.
  17. Again, don’t rush and don’t panic. Take the time to make sure everyone is in the car before you drive off and make sure you have a map.

SEE ALSO: FTC Announces Agenda, Panelists for Upcoming Senior ID Theft Workshop

About the Author

Heather Noonan

Heather is the Senior Project Manager for the ID Experts Data Breach Response Team. She provides subject matter expertise on state and federal regulatory requirements and best practices. She is the primary point of contact for client communication and data breach engagements. Heather has been with ID Experts since 2008 and works in all areas of ID Experts, including informational webinars and blog discussions. Heather has a Bachelor of Science, specializing in Business Communication, and has over 15 years of experience in client customer service, 10 of them specifically in project management.

FTC Workshop to Highlight Senior Identity Theft

by Rick Kam

Medical identity theft is the latest threat to affect patients—especially senior citizens. Although medical identity theft can make a victim of anyone who seeks healthcare, there are factors that can increase a person’s likelihood of becoming a victim of medical identity theft. One is age. Simply being a senior citizen can elevate a person’s chances of falling prey to this crime.

Learn how and why, and more about what can be done, as we explore the best consumer education and outreach to seniors at the Federal Trade Commission’s workshop, “Senior Identity Theft: A Problem in This Day and Age.” The FTC workshop is open to the public and will take place next week, on May 7, 2013, in Washington D.C. Consumer advocates, government officials and representatives of private industry—that’s where I fit in—will discuss the challenges facing victims of senior identity theft. FTC Chairwoman Edith Ramirez will provide opening remarks.

For more information, please visit http://www.ftc.gov/opa/2013/04/senioridtheft.shtm

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity at the University of Texas at Austin.

Do you really need security to attest to meaningful use?

by Doug Pollack

CMS (the Centers for Medicare & Medicaid Services) has begun auditing participants in the federally funded electronic health record (EHR) incentive payment program, which makes funding available to hospitals and other healthcare organizations that can demonstrate meaningful use of certified EHR systems. And while one of the meaningful use criteria is that the organization carry out a HIPAA security risk analysis, the initial audits have found that one of the two most common adverse findings is non-compliance with the requirement to conduct a security risk analysis.

MORE INFO: Meaningful Use Stage 2: ToolKit

As reported by iHealthBeat in their article One in 20 Meaningful Use Attesters to Face Audits (April 23, 2013), Robert Anthony, deputy director of the CMS’ Health IT Initiatives Group, noted that “a few health care providers with adverse audit notices are starting the appeals process, and that some providers are facing investigation for possible fraud”.

But Anthony acknowledges that the security risk analysis is one of the greatest areas of confusion for providers, even though the EHR incentive program requires little beyond what they should be doing under HIPAA. 

“We're certainly seeing some instances where people haven't done [a HIPAA security risk analysis] or people just aren't sure what they're supposed to be doing,” Anthony said. “There are not additional requirements here beyond HIPAA….they need to have something in their risk analysis that is specific to their EHR. It doesn't have to be all about the EHR. It needs to be stated and indicated that it's about your practice.”

The inspector general at the US Department of Health and Human Services (HHS) issued a report last December that was critical of the oversight provided by CMS over the meaningful use incentive payment program. As of February 2013, 234,000 organizations have received EHR incentive payments totaling $12.7 billion. The OIG report in particular highlighted that CMS was not conducting audits before making payments.

CMS now plans to conduct both pre-payment and post-payment audits, with a goal of auditing 5% of all participants in the program. And given that Anthony has now further clarified what should have been totally clear, that meaningful use attestation must include confirmation that your organization carried out a security risk analysis per the requirements of the HIPAA Security Rule, the answer to this post’s title question is “yes”: if you attest to meaningful use, you are well advised to have carried out and documented a security risk analysis of your EHR and any related systems.

It is terrific to see CMS and HHS shine a bright light on the need for a rigorous analysis of your system’s security. Millions of Americans will find their ePHI (electronic protected health information) entrusted to these EHRs, and we all will sleep a little better knowing that our healthcare providers take the privacy and security of this information seriously.

SEE ALSO: HIPAA Security Risk Analysis

About the Author

Doug Pollack

Doug Pollack, CIPP, MBA, has over 25 years of experience in technology industry products and services and is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

ID Experts doing its part for the Wounded Warrior

by Bob Gregg

Part of ID Experts' core mission is to give back to its community, not just in the Portland, Oregon area (our home town), but on the national stage. All of us made a conscious effort to find the right organization to get involved with about a year and a half ago. Unanimously, we chose the Wounded Warrior Project.

The mission of Wounded Warrior Project is to honor, empower and enable wounded warriors from all branches of military service. The organization raises public awareness to the needs of injured service members, providing them with unique, direct programs.

Typically in a trade show booth, attendees have the opportunity to win some good prizes like iPads, Kindles, or even TVs. It's all part of the excitement of walking the show room floor – that one chance of dropping a business card into a fish bowl and walking away with an expensive new toy.

We're a little different. Like the March of Dimes fund raising drives at your local McDonald's, all we ask is that attendees sign our Wounded Warrior Respect Board at each show and for that, ID Experts donates $5.00 to the Wounded Warrior Project. These small individual donations add up. We raised around $6,250 last year through these various trade shows and conferences we attended.

We'll be doing this again this week at the Health Care Compliance Association's Compliance Institute in National Harbor, MD, April 21 – 24, in Booth #417-419. If you happen to be attending this event, come see us, and help us help the Wounded Warrior.

About the Author

Bob Gregg

With over 30 years of experience in high technology and software services, Bob joined ID Experts as CEO in 2009. He is particularly interested in the emerging trends involving identity theft and privacy data breaches, with emphasis on healthcare. "Let's keep our private, confidential information just that...private and confidential"

Why does a victim of a data breach benefit from having a Recovery Solution?

by Heather Noonan

Someone once explained recovery solutions with the analogy of repairing your car. Yes, you could probably put in your own engine or reattach your own bumper, but would you want to? With the time it takes to get the parts, educate yourself, and acquire the tools needed, it could be days, weeks or even months before you attempt, let alone finish, the task at hand. Recovery solutions are the same idea. Yes, you could contact the Social Security Administration, the IRS, the credit bureaus, the creditors, etc., but the amount of time and energy it takes is very daunting.

MORE INFO: Data Breach Response "How To" Series

Let me explain.

With recovery services, you are assigned a specific, personal recovery advocate throughout the entire process. These trained specialists know who to contact, how to get up the chain of command, the specific phone numbers and how to reach a live human being without waiting on hold for hours at a time. The recovery advocate will do the work for you, so you can go on living your life, working and being with your family.

Why should a company purchase recovery solutions? Simple answer. They were responsible for your information and the problem; they should make it better. Recovery services will repair someone’s credit if and when there is identity theft. They will work on the individual’s behalf, as their power of attorney, to bring their credit back to pre-theft status. They will be the person that tells your story over and over and will push when they need to push. They will speak with the agencies that don’t care about your story and who see you as just another victim. Recovery advocates will carry that stress and burden for you. They will make the phone calls, fax in the numerous documents, and follow up relentlessly to make sure things are getting done and progress is being made, so you can carry on without pulling your hair out and losing sleep.

Remember the last time you lost your debit card or your cell phone and the panic you felt? When someone has stolen your credit card or your identity, speaking to multiple agencies and multiple people can make you feel the same way. You automatically go into panic mode and want the damage mended now, and now isn’t soon enough. You simply want someone to just “fix it”. This is where a recovery advocate comes in. And yes, it can take months to have information removed from your credit, but it’s worth it to have someone assisting and doing it for you.  

After a breach, the last thing you want as a company is one of your patients or clients threatening to sue you. They will sue if they feel ignored or had to spend weeks on the phone trying to fix something that was turned upside down for them. Take it from me, I have seen it. There are always a handful of individuals who, if you push them too far, will go directly to their lawyer, and you will not only be paying for their broken credit, but for their legal fees and mental anguish, too.

Recovery solutions are also open-ended for people. They typically don’t end at one year like a credit monitoring service will. If you are enrolled in a recovery solution, the recovery assistance for an individual will be there for the original issue for as long as they need it.

If you still aren’t sold, I have one last example that hit the nail on the head for me. Besides the fact that I don’t want to replace my own engine and don’t have the time or skills for it, I learned that medical identity theft is one of the most complicated thefts there is. Not only do you need to contact the doctor’s office, the billing office, the specific lab where the service took place, and the insurance carrier, but you also need to contact the collection agency who will be collecting on the late payment. You also need to contact medical records, as it is now on your record. The list goes on and on. This is something I didn’t realize or understand either, and after thinking about it, it wears me out. Including recovery services is a logical idea for the company and the individuals that have been breached. Take my advice on this one. Following a company breach, the last thing you want is to be sued and suffer more reputational harm.

SEE ALSO: HIPAA data breach prevention tips for health care IT leaders

About the Author

Heather Noonan

Heather is the Senior Project Manager for the ID Experts Data Breach Response Team. She provides subject matter expertise on state and federal regulatory requirements and best practices. She is the primary point of contact for client communication and data breach engagements. Heather has been with ID Experts since 2008 and works in all areas of ID Experts, including informational webinars and blog discussions. Heather has a Bachelor of Science, specializing in Business Communication, and has over 15 years of experience in client customer service, 10 of them specifically in project management.

Analytics May Reduce PHI Exposure Risk in a Healthcare Data Breach

by Megan Bell

This post by Kivu Consulting's Megan Bell is part of our ongoing series of contributed content.

Ponemon’s Third Annual Benchmark Study on Patient Privacy and Data Security reported that most healthcare organizations have experienced a breach: 94% of healthcare organizations in the study have had a data breach in the past two years, and 45% have experienced more than 5 data breaches. In many cases, digital forensics is used to identify the reasons for a breach. Less well known is the importance of forensics in determining the extent to which PII / PHI is exposed and the number of affected individuals.

DOWNLOAD: Ponemon’s Third Annual Benchmark Study on Patient Privacy and Data Security

Quantifying exposed PII / PHI takes place once a breach is established. This step is often limited in scope due to misinformation:

  1. Data intimidation. The sheer size of a 10-terabyte data set may appear daunting. However, the total size of a data set does not necessarily correlate with the number of records that are relevant to analysis of exposed PII / PHI.
  2. Time constraints. Time allotted to the assessment of exposed PII / PHI is often a small fraction of a forensics investigation. Minimizing time for analysis without evidence may increase risks such as scrutiny from regulators.

Best Practice Approach to Quantifying PHI:

Using a consistent approach to evaluate and quantify exposed PII / PHI and identify individuals will reduce costs and risks associated with a healthcare data breach.

1.  Build a profile of the source data.  Analysis of exposed PII / PHI begins with knowledge of the source data such as a single database or several thousand emails.  The more that is known, the better the efficiency in identifying exposed PII / PHI.

  • Characterize user habits. In many cases, user-based patterns are present. This includes the entry of notes into a database or the storage of files on a computer. Understanding user habits helps in locating pockets of exposed PII / PHI to review and may eliminate other sources.
  • Look for similar populations of data.  Consider the case of a laptop that has Excel files, emails and x-ray images with embedded patient data.  Creating three separate populations for review improves the speed and accuracy of targeting and extracting PII / PHI.

2.  Develop metrics and reporting templates before initiating analysis.

  • Identify notification-specific PII / PHI data elements. Review of potentially exposed PII / PHI begins with understanding notification requirements for a specific investigation. Criteria for notification are often provided by counsel and, in the U.S., are derived from a broad set of federal and state laws. International laws can also affect the scope of PII / PHI information (e.g., EU data protection laws).
  • Establish pre-approved reporting templates.  Reporting templates are used to collect and organize exposed PII / PHI.  Fields may include names, address, email, phone numbers, birth dates and diagnosis codes.
  • Use caution in reporting certain data such as credit card numbers.  If data such as credit card numbers or financial data are identified, then counsel should be consulted for appropriate data-handling and reporting.

3.  Apply a combination of tools for effective analysis.  Using appropriate digital forensics and search-oriented tools expedites identification of potentially relevant PII / PHI.

  • PII / PHI such as medical record numbers (MRNs) should be located with tools that search for data patterns.
  • Email and text files should be evaluated using a search tool and responsive search terms (e.g., “Last Name”).
  • PII / PHI is frequently stored in compressed files (e.g., zip files).  Any potentially relevant data set should be analyzed for such compressed files and a determination made whether the scanning tools being used are correctly searching such compressed files.
  • PHI is often contained in digital files that are not normally searchable by automated review tools (e.g., patient information found within image files such as x-rays or CAT scans).  The presence of such files should be investigated and other non-automated reviews such as manual sampling should be carried out.

4.  Create an audit trail.  Audit trails assist in documenting all phases of analysis—from preliminary profiling to identification of exposed PII / PHI for affected individuals.  They are also crucial in proving to regulators, plaintiffs’ attorneys, and a skeptical public that a proper examination was indeed carried out.  
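A hypothetical Python pass over a constructed evidence set, added here to show the four steps working together; it is not Kivu's or ID Experts' tooling. It pattern-matches MRN, SSN, DOB and card-number elements, applies a "Last Name" search term to text and email files, descends into zip archives rather than treating them as opaque, routes x-ray style image files to manual review, withholds card numbers from the report pending counsel, and writes an audit-trail entry for every action. The 7-digit MRN format, the file-type lists and the sample artifacts are all assumptions.

```python
"""Hypothetical PHI-quantification pass (not Kivu's or ID Experts' tooling); formats are assumed."""
import io
import re
import zipfile
from datetime import datetime, timezone

# Step 3: pattern-based elements. The 7-digit MRN format is an assumption for this example;
# real MRN formats differ per provider and are learned while profiling the source (step 1).
PATTERNS = {
    "mrn": re.compile(r"\bMRN[-:\s]?(\d{7})\b"),
    "ssn": re.compile(r"\b(\d{3}-\d{2}-\d{4})\b"),
    "dob": re.compile(r"\bDOB[:\s]+(\d{2}/\d{2}/\d{4})\b"),
    "card": re.compile(r"\b(\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4})\b"),  # located, but withheld below
}
# Step 3: responsive search terms for email and text files.
SEARCH_TERMS = {"last_name": re.compile(r"Last Name[:\s]+([A-Z][a-z]+)")}
SEARCHABLE = (".txt", ".eml", ".csv")
MANUAL_REVIEW = (".dcm", ".jpg", ".png", ".pdf")  # image-type files: manual sampling

def _event(action, path, hits):
    """Step 4: one audit-trail entry (what was done, to which source, when)."""
    return {"time": datetime.now(timezone.utc).isoformat(), "action": action, "path": path, "hits": hits}

def scan_text(path, text, audit):
    """Run every pattern and search term over one searchable text blob."""
    hits = {}
    for field, pattern in {**PATTERNS, **SEARCH_TERMS}.items():
        found = pattern.findall(text)
        if found:
            hits[field] = found
    audit.append(_event("scan_text", path, sum(len(v) for v in hits.values())))
    return hits

def scan_artifact(path, data, audit):
    """Route one artifact by type; zip archives are opened, not treated as opaque (step 3 caveat)."""
    lower = path.lower()
    if lower.endswith(".zip"):
        audit.append(_event("open_zip", path, 0))
        results = {}
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    results.update(scan_artifact(f"{path}!{member}", archive.read(member), audit))
        except zipfile.BadZipFile:
            audit.append(_event("bad_zip", path, 0))
        return results
    if lower.endswith(MANUAL_REVIEW):
        audit.append(_event("manual_review", path, 0))
        return {path: {"manual_review": True}}
    if lower.endswith(SEARCHABLE):
        return {path: scan_text(path, data.decode("utf-8", "replace"), audit)}
    audit.append(_event("skipped_unknown_type", path, 0))
    return {}

def run(artifacts):
    """Scan a {path: bytes} evidence set; returns (hits per source, audit trail)."""
    audit, results = [], {}
    for path, data in artifacts.items():
        results.update(scan_artifact(path, data, audit))
    return results, audit

def distinct_identifiers(results):
    """Unique MRN/SSN values: the record count that matters, whatever the byte size of the evidence."""
    ids = set()
    for hits in results.values():
        for field in ("mrn", "ssn"):
            ids.update(hits.get(field, []))
    return ids

def build_report(results):
    """Step 2: flatten hits into pre-approved template rows; card data is withheld for counsel."""
    rows = []
    for source, hits in sorted(results.items()):
        if hits.get("manual_review"):
            rows.append({"source": source, "field": "manual_review", "value": "pending"})
            continue
        for field, values in sorted(hits.items()):
            for value in values:
                masked = "[withheld: consult counsel]" if field == "card" else value
                rows.append({"source": source, "field": field, "value": masked})
    return rows

def sample_artifacts():
    """Constructed evidence: notes file, email, zip holding a CSV export, and an x-ray image."""
    csv_text = "Last Name: Doe, MRN-1234567, DOB: 01/02/1970\nLast Name: Roe, MRN-7654321\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("exports/patients.csv", csv_text)
    return {
        "notes.txt": b"Follow-up for MRN-1234567, SSN 123-45-6789 on file.",
        "billing.eml": b"Card 4111-1111-1111-1111 charged for MRN 2222222.",
        "backup.zip": buf.getvalue(),
        "chest.dcm": b"\x00\x01 binary image bytes, not text-searchable",
    }

if __name__ == "__main__":
    found, trail = run(sample_artifacts())
    for row in build_report(found):
        print(row)
    print("distinct identifiers:", len(distinct_identifiers(found)), "audit events:", len(trail))
```

Note that the same MRN appearing in the notes file and inside the zipped CSV counts once in `distinct_identifiers`, which is the figure notification letters are based on.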

SEE ALSO: Digital Forensic: The First Step in Data Breach Response

About the Author

Megan Bell

Megan Bell directs data analysis projects and manages business development initiatives for Kivu Consulting, a strategic ID Experts partner. She has 15 years’ experience designing and implementing reporting and analysis solutions for software, insurance, and consumer product companies. Kivu Consulting combines technical, legal and business experience to offer investigative, discovery and analysis services to clients worldwide. Kivu’s professionals work with organizations to effectively investigate, mitigate and prevent data breaches.

The Doctor Can See You Now - Mobile Threats and How Healthcare can Reduce Risks

by Rick Kam

One of the significant new trends in the use of technology in healthcare comes from doctors and patients using smartphones and other mobile devices like tablets.  The technology helps improve the quality and lower the cost of healthcare delivery.  The most recent third annual Ponemon study on patient privacy and data security found that 81% of the healthcare organizations surveyed permitted employees to use their own mobile devices at work.  There are many apparent benefits, some I can think of are:

  1. Provides doctors convenient access to a patient’s electronic health record
  2. The ability to email a lab report to a patient and answer questions
  3. Both doctors and patients can research the internet for information on a new medication

There are lots of reasons why using mobile devices in the healthcare setting makes sense.  It can help doctors be more productive and patients be better informed.  But there are also emerging risks to PHI security and patient privacy when using mobile technology that need to be addressed.  The Ponemon survey I referenced earlier also found that 46% of the organizations that allow use of personal mobile devices do nothing to secure them.

Here are three suggestions on ways to protect PHI on mobile devices:

  1. Encryption:  Turn on encryption and use strong passwords
  2. Policy: Implement a corporate policy around mobile devices
  3. Training: Include mobile use and protection in employee HIPAA training

For more information on this important topic, be sure to join Ted Kobus, National Co-Leader, Privacy & Data Protection at Baker & Hostetler, and me at our panel on Mobile Threats and How Healthcare can Reduce Risks (session #404) on Monday afternoon at 4:30 pm at the 17th Annual HCCA 2013 Compliance Institute.  Please come by and meet your friends at ID Experts at our booth #417.  We are making a $5 donation to the Wounded Warrior Project for everyone that comes by and signs our bulletin board.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

It’s all about the patients

by Christine Arevalo

By now you've heard about the great success of the recent Protected Health Information (PHI) Protection Network's first conference in Boston.

My colleague Rick Kam (who is also chairing the project) posted a great summary of the event in another blog. He also shared what I think is the most important point:

"...at the PPN conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders' message: It's all about the patients."

SEE ALSO: At executive conference, PHI security experts preaching patient advocacy

And keeping a focus on the patient is what I want to talk about today.

It seems that all the events I attended in 2012 echoed this theme. Whether sessions were oriented on HIPAA compliance, consumer engagement, patient privacy, or fraud detection; the "put the patient first" focus seems to be almost a trend.

The changes we will be seeing within the health care delivery system mean health plans need to be diligent in protecting their brands. It also means they need to find innovative ways to remain competitive in a changing environment.

A key component of this renewed focus on the patient requires innovation. The kind of innovation I'm most excited about involves engaging patients like never before in all aspects of their healthcare, including detecting and preventing healthcare fraud - the economic impact of which cannot be ignored.

Something else exciting took place in Boston following the PPN event. In keeping with the patient centric theme, a collection of thought leaders from the healthcare fraud and privacy fields gathered together to mobilize the Medical ID Fraud Alliance (MIFA). We held a half-day brainstorming session, led by Jack Price, Interim Executive Director and former head of fraud at Blue Cross Blue Shield Tennessee, to give these champions a meaningful platform for discussion.

Dialogue centered around the key initiatives of the alliance, including education and awareness of the devastating effects of medical ID theft and fraud, engaging health plans to collaborate in meaningful ways that put the patient first, and, in general, enlisting others in the campaign to change the way patients interact with the healthcare ecosystem.

Jack's enthusiasm for the process was evident; I got him to share with me: "The result of this session is that all came away very excited about what MIFA will be able to do once plans are finalized and executed. The discussions during that session have resulted in our being able to modify the initial model and plans to make MIFA even more germane to the issues of medical identity fraud. We are all eagerly moving forward to bring MIFA to life."

I encourage you to inquire about getting involved.

SEE ALSO: PHI Protection Network on LinkedIn

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Cyber Liability Insurance at the State Government level

by Jeremy Henley

I read an interesting article recently on Cyber Insurance within the public sector titled "Are Governments Ready to be Buyers of Cybersecurity Insurance". There were two main points that stood out to me and a surprise as well.

We know that the actual penetration of Cyber Insurance in the private sector is somewhere around the 20% mark and that it is lower in the government sector. I was surprised, however, that the only state known to be purchasing coverage was Montana, and that its limit is only $2 million. This is very surprising when you look at the risks state governments carry. Over the past year, two large breaches exposed millions of records: the Utah Department of Health breach of nearly 800,000 records and the South Carolina Department of Revenue breach of over 3 million taxpayers' records. The South Carolina breach and its costs have been reported on extensively, with costs near $20 million, yet very few government agencies are purchasing the coverage.

SEE ALSO: Why Not Pull the Trigger on Cyber - Privacy Liability Insurance?


One of the key points of the article that stood out to me was the complexity of the underwriting:

"'There is not real clarity from governments — a lack of putting together what their security picture is when it's time to sit down and write a policy,' Freeman said. Therefore, it's difficult for underwriters to assess risk. Government risk officers and insurance commissioners, meanwhile, counter that they need more information and education about cyberinsurance products, as well as true dialog with the industry before they buy. Some have likened the situation to two poker players who don't know each other's cards and therefore aren't willing to bet."

Why is this like a poker match? That just doesn't make sense to me. I can appreciate the fact that a larger government agency, or even a large corporation that has grown through many acquisitions, will have complex technology systems and structure, but so complex that they cannot find suitable insurance? Why couldn't they complete a privacy and security risk assessment? One is recommended by the various regulations that even government entities are covered by, and at minimum it would be a best practice to do so. If done properly, it would inventory these systems and the data within them and highlight the areas of increased risk of a data breach. This would be a great source of information for both the potential insured and the insurer in arriving at a competitive policy.

I kept reading however and came to another interesting point in the article. It seems that Grace Crickette, Chief Risk Officer for the University of California system has a good start on a solution for this complex issue. She has worked with insurance brokers in the US and London to create a new type of policy called "reverse underwriting."

This cutting-edge approach, as its name implies, flips underwriting upside down.

Consider how the car insurance business operates today: Agents write policies that cover cars individually, based on make and model, and the driver's age and driving history. This process is fairly straightforward, done in a manner that the underwriter only has to check off a series of boxes. But doing that same process for risk assessment of IT in big universities and governments is simply unrealistic, Crickette said, because there are so many systems within one enterprise.

Reverse underwriting changes the game by agreeing to a set of controls ahead of time. In car insurance, these controls theoretically could be "no texting while driving" or "wearing a seatbelt." For cybersecurity, a control could be the usage of encryption or password protection. If all of the agreed-upon controls are followed during a security incident, the claim is paid. But if a forensics team finds that any of the controls aren't present, the claim is denied.

The University of California agreed to 18 of these controls in its cybersecurity insurance policy. "And it's covered in a much more generous way than the typical policy," Crickette said. "Not only are they going to pay for fines, which is unusual, they're going to pay for litigation costs and breach response costs — it's very holistic." Coverage for data housed in third-party systems also was thrown in by the broker. So far this type of coverage has proved to be effective for the university, Crickette said, and she's optimistic reverse underwriting could work well for cities, counties and states.

To me this seems like an excellent approach, since it takes what the government wants, compliance from all that manage sensitive data in order to protect individuals, and promotes the movement toward a more secure environment. The regulations imply that a risk assessment should be completed frequently and the gaps discovered closed as soon as practicable.

If you look at other forms of insurance it seems what the regulators want can match very closely with what the insurance carrier will require. In those cases the insurance can be used more as a carrot to lead organizations in the right direction instead of a cushion if an incident does occur.

SEE ALSO: Is Cyber Insurance right for your organization?

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of Sales and Leadership experience to the ID Experts team.

Lesson Learned by OCR Privacy & Security Audits

by Doug Pollack

Right on the heels of a terrific inaugural workshop meeting for the PHI Protection Network (PPN) last week in Boston, I wanted to take a moment to revisit some of the key findings presented by representatives of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) at the IAPP Global Summit the prior week.  The results that they presented were incredibly detailed, and highlighted just how far healthcare organizations still have to go in order to comply with HIPAA/HITECH privacy, security and breach notification provisions.  This is especially important now that the Final Omnibus Rule has been published and the clock is ticking down on the timeframe for compliance.

 - Learn more about the HIPAA Omnibus Rule: New HIPAA has teeth -


The presentation was made by Linda Sanches, MPH and Verne Rinker, JD MPH, both from OCR on March 7, 2013. They clarified that the objective of the audit was “to analyze the key processes, controls, and policies of the auditee relative to selected requirements of the Rules….”

The audits included 115 covered entities across a spectrum of size and sophistication. OCR noted that they classified those to be audited into four categories.

  • Level 1 Entities: large providers and health plans. Revenues or assets greater than $1B
  • Level 2 Entities: large regional hospital systems or regional insurance companies. Revenues $300MM to $1B
  • Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacies. Revenues $500MM to $300MM
  • Level 4 Entities: Small providers, community or rural pharmacies. Revenues less than $50MM

It was terrific to see this classification scheme, so that audit findings could be interpreted across covered entities of very different scale and presumed sophistication.

The audit process for any particular entity would take several months, following the process defined in this illustration. Covered entities should note that the process is kicked off with a request for documentation from OCR, where the covered entity will need to provide documentation associated with compliance with the numerous regulations within the privacy, security and breach notification rules, a potentially ominous requirement for some healthcare organizations.

Now on to the results.

The following chart summarizes the overall findings and observations by OCR from the audit program.

Not surprisingly, I think, one of the key findings was that a majority (60%) of "findings", meaning issues with compliance with regulations, were associated with the security rule. And also not surprisingly, the Level 4 entities, the smallest healthcare organizations, struggled with all three areas (privacy, security, breach notification).

In the area of privacy, the following chart shows that the area of privacy compliance with the most findings (44%) was Uses and Disclosures of PHI.

Given the complexities involved in the disclosure of PHI, this wasn’t a huge surprise.

But the security results were somewhat concerning. 58 of 59 providers audited had at least one security finding or observation. So basically all of them.  And in two-thirds of the entities audited, there was not a complete and accurate risk assessment.

In wrapping up the presentation, OCR noted that for every finding or observation in the audit, there was a specified "cause". The most common cause cited (30%), across all entity classes, was that the "entity was unaware of the requirement". This was 289 of 980 findings.

In the area of privacy, the top elements where entities were unaware of a requirement were in the notice of privacy practices, access by individuals, minimum and necessary, and authorizations. In security, the top elements were in risk analysis, media movement and disposal, and audit controls and monitoring.

In closing, it was enlightening to see this presentation by OCR. Net-net, the most significant takeaway for me was that, despite all the time that has passed since the original passage of the HIPAA laws, many covered entities, especially smaller providers, are unaware of some of the key requirements in the privacy and security rules. This is somewhat understandable; the rules are extensive and complex.

But as noted by others extensively over the last year, and by Director Rodriguez himself, we have entered a new era of HIPAA/HITECH rules enforcement, both by OCR and by state AGs, and covered entities, and now also their business associates are going to have to figure out how to become more compliant, or risk the potential fines and penalties that are being levied.

- Learn more about the 3 flavors of Risk Assessments -

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Mobile Threats in the Healthcare Ecosystem

by Rick Kam

How many healthcare organizations allow their staff to use their smartphone at work to send/receive email, check calendars, access electronic patient records systems, etc.? 

81% of the organizations in a recent study by Ponemon Institute.

Come join us at the HCCA conference on April 22nd to hear Ted Kobus, National Co-leader in Privacy and Data Protection at Baker & Hostetler and me talk about this important topic.  We will highlight the risks and share best practices on this topic.

Also please come by and visit ID Experts in booth #417-#419.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

Privacy Class Actions may be in your future

by Bob Gregg

In our never ending effort to keep you informed about the latest developments in the world of privacy data breaches and identity theft, comes the very recent news that the U.S. Court of Appeals for the 11th Circuit just ruled on a case that could impact many of us with a need to protect personal information. In the attached article written for “The Privacy Advisor,” Henry Chalmers, attorney with Arnall, Golden, Gregory, LLP in Atlanta, writes:

“A recent U. S. Court of Appeals ruling may make it easier for class-action plaintiffs to survive early motions to dismiss their data breach claims, thereby substantially expanding the costs of litigation and the risk of sizeable judgments against businesses.”

To summarize, up until now U.S. courts have generally ruled that unless the victims of a data breach can definitively show damages from identity theft or other unlawful use of the breached personal data, and that the damages resulted from the direct use of the breached data, there is no basis for a class action lawsuit to proceed. However, the 11th Circuit in the Resnick v. Avmed case was much more circumspect, ruling that the plaintiffs' argument (that they had never experienced identity theft prior to the breach, that they had to take "substantial precautions" to protect their personal information, and that they in fact had some instance of ID theft after the breach) gave "sufficient nexus to state a viable claim." Big difference!

The point here is, if this 11th Circuit Court ruling catches on, the likelihood of class action litigation and the cost to fight that litigation in a data breach circumstance just went up dramatically. So as if you didn’t have enough reason to do everything possible to prevent a breach of Personally Identifiable Information (PII) or Protected Health Information (PHI), you have all the more reason now.

The full article can be read here: Recent Ruling Could Prove Costly for Hacked Businesses

About the Author

Bob Gregg

With over 30 years of experience in high technology and software services, Bob joined ID Experts as CEO in 2009. He is particularly interested in the emerging trends involving identity theft and privacy data breaches, with emphasis on healthcare. "Let's keep our private, confidential information just that...private and confidential"

How Much is $234 Billion?

by Rick Kam

That’s like giving $793 to each of the 300 million people living in the U.S.  It also turns out to be the estimated amount of annual medical fraud.

“Healthcare fraud is costing American taxpayers up to $234 billion annually, based on estimates from the FBI. It’s no wonder that a stolen medical identity has a $50 street value, according to the World Privacy Forum – whereas a stolen social security number, on the other hand, only sells for $1.”

What can be done to impact this problem?

One thing is to do a better job at protecting our personal data from identity thieves who would use it to commit medical fraud.  We held a PHI Protection Forum in Boston in March, that focused on enhancing the business case for PHI security.  Eighty experts from around the U.S. attended the session.  There were several topics covered, but the major themes were:

  1. The focus needs to be on protecting patients
  2. The importance of education and training of healthcare employees on privacy and security
  3. The need to make appropriate levels of investments in PHI security

A recent article in Wired, World's Health Data Patiently Awaits Inevitable Hack, outlines this problem, reinforcing that healthcare security breaches have been on the rise. According to Avi Rubin, the director of the Health and Medical Security Lab at Johns Hopkins University, "Any system that consists in large part of software is hackable…At some point, someone will hack a major repository of healthcare data. And it won't be pretty."

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

PHI Security Experts Preaching Patient Advocacy - Boston PPN Forum A Success!

by Rick Kam

As Chair of the PHI Protection Network Forum, I am proud to say our first annual PPN Forum that was held in Boston on March 12 and 13, 2013 was a success!

Highlights:

  • Very positive feedback from all who attended
  • A sharp focus by all who attended on protecting the patient and patient data
  • Tools and best practices discussion on enhancing PHI security

I will be tweeting (@RickKam) information on the results of the forum as I get feedback from our survey.

Join the community of PHI protectors and sign up for the LinkedIn group to participate in the special community focused on enhancing PHI security and privacy. Go to this link to sign up now.

The following post by Don Fluckinger was reprinted from the original source, Health IT Exchange.

Here at the Protected Health Information (PHI) Protection Network’s first conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders’ message: It’s all about the patients.

Discussions at patient data security conferences usually revolve around hot new technologies, emerging threats, and common-sense technical safeguards and policies to protect healthcare businesses. Up until this security confab, we’ve heard health care leaders list their top reasons for HIPAA compliance as protecting a hospital’s revenue stream, its reputation, and its hard-earned place as a trusted entity in a city or community in the face of these regulations that seemingly set them up for failure.

Patient advocacy — actively protecting patient interests by protecting their data — usually gets mentioned in passing, fourth or fifth on the list of reasons to shore up HIPAA compliance programs.

Here, however, it’s all about the patients. Executive attendees still are talking about business priorities and defending their health systems’ reputations in a world where HIPAA is forcing transparency in disclosing data breaches to the patients, press and government overseers. But those business priorities are dropping down the list, slotted somewhere under protecting the patient.

“We’re in the people business,” said attorney James Pyles, who helped draft the HITECH Act that gave rise to federal EHR incentives and who currently is principal at Powers Pyles Sutter & Verville, PC. “We’re treating patients, not manufacturing widgets.”

HITECH’s tightening of privacy provisions and conferring of new patient rights (such as when a patient pays cash in full for an item or service, they can require it not be disclosed to their insurers), Pyles said, resulted from elected officials “hearing about literally millions” of patient records being improperly disclosed. Pyles said he consulted with several senators’ staffs in late-night, bi-partisan meetings to help craft the patient-centric principles that gave rise to the HIPAA omnibus rule — and the legislators were focused on patients’ rights.

Here, almost four years later, health care privacy officers and IT leaders seem to be getting the message, and Pyles noted and praised the shift from the dais.

“I want to say how gratified I was to hear some of the remarks in the earlier sessions,” Pyles said after a morning’s worth of sessions en route to asking HIPAA questions of the health data security experts. Pyles was referring to several health care executives standing and professing their employers’ “patients above all” philosophies — even though those same organizations might find HIPAA onerous. “I have been involved in health information privacy before we had HIPAA, all through the HIPAA statute and regs, amended rules, HITECH Act and HITECH regs. I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time….When [health care leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

Is the Juice Worth the Squeeze?

by Doug Pollack

HHS/OCR Commissioner Leon Rodriguez presented his views on the state of healthcare privacy, security and data breach notification at the IAPP Global Privacy Summit last week in Washington, D.C. The title of this post is based on a question put to him by a neighbor as to whether the efforts in Rulemaking and enforcement actions by OCR (the squeeze) yield the positive outcomes and benefits (the juice) that the agency is trying to bring about.

Director Rodriguez was wonderfully open and candid in his remarks. After reminding the audience of the key dates that healthcare organizations should be aware of relative to their timetable for being in compliance with the new HIPAA Omnibus Rule, and reviewing the key changes in the Rules, he went on to discuss his perspective on today's healthcare privacy environment.

He indicated that while the Breach Notification Rule made a significant change as to how an organization must determine if a security incident is a notifiable data breach, relinquishing the somewhat controversial "harm threshold" determination in favor of a determination as to whether the protected health information (PHI) was "compromised", it is his belief that in 99.8% of cases the result of the incident risk assessment would be the same.

He did, however, reinforce the philosophy behind the change. It is the intent of OCR that an organization's presumption must be that unless information is clearly unreadable or undecipherable, the risk assessment must justify not disclosing a breach. So in other words, the agency's intent is that unless an organization can clearly and unequivocally determine that information was not compromised, then their presumption should be that it was and that a data breach has occurred.

While noting the amazing number of smaller data breaches (under 500 records) that have been reported to OCR, 64,000 of them, he went on to say that the most significant causes of breaches are theft, loss, and unauthorized disclosure. It is a "story of human frailty and vulnerability". While he acknowledged that a very small proportion of breaches today are a result of hacking, he believes "that this is likely to change" in the future.

And so what about enforcement? He and his agency have adopted an aggressive enforcement posture because of the belief that "enforcement promotes compliance". But he and his staff consider breaches as "learnable moments" relative to how organizations can avoid monetary penalties based on actions taken before, during and after breaches occur.

It is those organizations where there is an "on-going pattern of behavior that can result in a harmful breach that are the targets of monetary enforcement." And lastly, he noted that one of the biggest changes under the new rules is that Business Associates will now be required to comply with the Privacy and Security Rules. While this obligation is now squarely on the shoulders of BAs, he reminded Covered Entities that it is their responsibility to ensure that their BAs are in compliance and that HHS/OCR will hold the Covered Entity accountable for their BAs' compliance with the Security Rule, in particular.

So with that, as my favorite (fictional) detective has often said, "the game is afoot."

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Why Not Pull the Trigger on Cyber - Privacy Liability Insurance?

by Jeremy Henley

Almost every business collects sensitive data. This means that almost all businesses are at risk of a privacy breach that results in unplanned expenses like forensics, legal fees, notification and monitoring costs. Some breaches even bring legal fees from class action lawsuits or regulatory actions. For other unplanned expenses like a building fire or a heart attack, companies and individuals alike purchase insurance as a way to protect themselves and/or their assets. For organizations with sensitive data, which is most of them, there is cyber/privacy liability insurance to protect them, so why don't all organizations buy this coverage?

Cyber - Privacy Liability Insurance is available to all businesses. It is a relatively new insurance product and many organizations are asking their insurance agents what products best meet their specific needs. I find it interesting that a very high percentage of organizations are considering this coverage but a relatively low percentage are currently buying it. If you attend any conference on the topic, many insurance carriers say they have been offering the coverage for years, yet the majority of organizations still have not purchased it. I'm trying to understand why that is the case, given that this risk has been around for nearly 10 years, since California enacted the first data breach notification law.

I believe there are two basic reasons why companies have not yet purchased Cyber - Privacy Liability Insurance. The first is that insurance premiums are typically determined based on revenue and potential size of loss, which are difficult factors to use when trying to determine the risk and costs of a data breach. Typically the cost of a data breach depends on your industry, the type of data you collect, who you share it with and how you protect it. How compliant you are with the regulations also has a considerable bearing on the amount of potential liability post breach.

When you are considering insurance to protect your home or your automobile it's a lot easier, because the values of these items, and the likelihood of damage or other types of loss to those assets, are known with a high degree of certainty, so it's easier to determine the amount of coverage and the appropriate premium. With protected health information (PHI) or personally identifiable information (PII) it's significantly more challenging to put a value on it. The level of compliance and how well trained your staff are at following those policies and procedures are important factors. Routine risk assessments can be helpful to assess and quantify these risks, but in many industries organizations still do not have a well-developed compliance program due to a lack of resources. In other words, they have a difficult time justifying the expense of compliance until after it is too late.

If there were a way to "put a number on it," many projects that are currently on hold could show a straightforward Return on Investment. Well, the value estimator exists now: the American National Standards Institute (ANSI) has completed a report that is available to anyone and can be downloaded for free.

This report provides information that will enable organizations in the health care sector to build a strong business case for the benefits of investing in PHI protection and turning compliance with privacy and security laws to their market advantage. The report explores the reputational, financial, legal, operational, and clinical repercussions of a PHI breach on an organization, and offers a 5-step method – PHIve (PHI Value Estimator, pronounced "five") – for evaluating the "at risk" value of their PHI. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment to reduce the probability of a breach. Download the report at www.ansi.org/phi.

If you are an executive tasked with protecting your organization's private data you should attend the PHI Protection Workshop in Boston March 11-12. Any organization that completes the workshop and accurately understands the value of their data will have two basic outcomes. First, you will be able to justify additional investments in technology, training and staff to minimize risk. The second is important to the insurance community: if you are an insurance agent or broker you will learn how to help your clients value their data. Understanding this process will bring tremendous value to your clients, and that valuation is a key piece of the investment in insurance.

ID Experts has clients who have already successfully used this estimation process to secure additional insurance to protect their highly vulnerable organization.  They were able to determine how much is appropriate and justify it because of this report.

The second major hang-up for companies who are interested but not buying this type of insurance is the knowledge level required of the broker to connect the dots between compliance, privacy, and risk management. Nearly every day I speak with folks who are potential insureds, or who are insurance agents and brokers offering this type of insurance. Often I see that insurance brokers are extremely knowledgeable in regards to limits and coverage terms but not as educated on the privacy and security risks related to a data breach. They often focus on the wrong parts of a policy, in my opinion. The result is a broker who may be advising clients on insurance policies that will not hit the mark for the client, putting their own reputation at risk as an insurance agent. When this is the case, agents presenting cyber coverage tend to go with the simplest, best-limits, most-marketed policy (a "safety in numbers" approach to the coverage).

From my side of the breach response world I see these policies as having more protection for the wrong issues. It is not common for a breach to end in litigation or result in significant fines; the liability is much more tied to the notification expenses, so flexibility there makes sense. Executives want to control how the "bad" news is communicated to their customers more than they want extra 3rd party liability coverage.

So how do we solve this problem? The simple answer is more education, but with so many sources of education, where do we start? I would recommend a few basic, reliable sources. One is our own website, which is extremely helpful and educational, with a consistent flow of free webinars focused on privacy and security risks, so you can't go wrong. Who better to learn from than the folks that spend all day working through these kinds of challenges for our customers?

Another great source I recently learned of is from AIG. They recently released CyberEdge, a new app for your iPad. This app is free and an easy source for lots of different news relative to privacy breaches and information on different case studies, all related to this type of incident.

Here is a list of other sources I visit routinely to stay on top of my game:

  • All Things Data Breach – A data breach workgroup
  • ACE – News, podcasts and more
  • CHUBB – Videos, news, and policy information
  • HHS "Wall of Shame" – A list of reported healthcare breaches over 500 records

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of Sales and Leadership experience to the ID Experts team.

Top of the Charts in Cloud Risk: Data Breaches

by Doug Pollack

The Cloud Security Alliance (CSA) this week, as part of the RSA 2013 Conference, released its “Notorious Nine”. This is a list of the top threats associated with cloud computing.  At the top of the charts for 2013 – data breaches. With data breaches going to the top of this list, now is probably a great time to ask yourself the question: When should I consider placing personal privacy information from my customers and others in the cloud?

The risks and associated liabilities of breaches of privacy-protected information are only growing. The cloud offers a "target rich environment" for those who are looking to mount cyber attacks, with the intent of either disrupting commerce or, more typically, monetizing the data through criminal means. So what should you do before implementing systems that migrate your organization's privacy data into the cloud? Jay Heiser at Gartner Group notes that while data breaches are a concern, cloud outages that lead to data loss are an even more likely risk, a perspective that appears to contrast with that of the CSA. In a recent article he suggests that "many enterprises are ill-prepared for [data breach] incidents".

Given that fact, evaluating and improving your organization’s preparedness for a data breach incident would seem prudent. That is why increasingly organizations are carrying out “simulated incident response” scenarios as desktop exercises for testing their incident response plans.

He also looks to data classification as a way to evaluate what data and what risks you incur when moving information to the cloud. “Incomplete or nonexistent data classification is a common problem. If the buyer doesn’t know what the security requirements are for a specific piece of data compared to other data, it’s difficult to assess whether the provider can provide adequate security.”

Given the general risks associated with the newness of cloud systems, something an organization might consider is keeping its most sensitive data, say personally identifiable information (PII) and protected health information (PHI), which have enhanced regulatory requirements and oversight and the greatest liability profile when breached, within its own environment rather than migrating it to the cloud.

You may argue that cloud providers can do a more thorough job of data security, given that their livelihoods are based on providing computing services in a safe and secure manner.  But unfortunately, the more data that they are entrusted with, the bigger the target on their backs from the perspective of cyber criminals. A recent report from ENISA, The European Network and Information Security Agency, titled “Critical Cloud Computing” discusses the importance of “preventing large cyber-attacks and cyber disruptions.”

They note that while offering significant benefits, the "concentration of IT resources" in cloud services represents a "double edged sword. On one hand, large cloud providers can deploy state of the art security and business continuity measures and spread the associated costs across customers. On the other hand, if an outage or a security breach occurs then the consequences could be big, affecting many citizens, many organizations, at once."

Such is the risk inherent to cloud computing. Cloud providers who are hosting applications or data with mandated privacy protections, like PII and PHI, are more likely targets for cyber criminals, and are more likely to have the "mother of all data breaches" if they are penetrated and the bad guys are able to acquire data without detection, at least for a while.

Bryan Ford from Yale University in his paper "Icebergs in the Cloud: the Other Risks of Cloud Computing" illuminates the fact that privacy risks associated with data hosted in the cloud are likely to evolve over time, but are unlikely to be eliminated any time soon. He highlights what he considers "less well-understood" risks that may emerge, including stability risks, availability risks, and preservation risks. Of all of these, it is the last one that concerns me most.

He discusses how cloud-based applications and services eliminate the property of decentralized archivability. Using books as an example, he notes that because of the physical nature of books, they inherently are de-centrally archived. As we become more dependent upon cloud-based services, over time, one can see the risks associated with the preservation of historical content of all types.

So for today, those of our organizations that maintain private information on customers, and other organizational stakeholders, should focus on managing cloud risks around data breach and service interruption, especially related to cyber attack. We should be intentional about the data that we choose to host in the cloud. We should carefully assess the security capabilities of our cloud provider. And revisit them often. And we should work with them to prepare for the unwelcome event of a data breach incident.

Once we get our arms around these risks, as Dr. Ford notes, there will be many new, unexplored risks to cloud computing for consideration in the future.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Does Your Budget Cover HIPAA Privacy, Compliance, and Security?

by Rick Kam

You have an important budget approval meeting coming up with your executive management, to review the HIPAA privacy, compliance, and security initiatives in your budget this year. Are you ready?

Here are some of the questions you will need to be prepared for:

  1. Can I prioritize my proposed budget initiatives by “Return on Investment,” so my CFO and CEO can compare my proposal against other alternatives for scarce resources?
  2. What is the appropriate level of investment in HIPAA security of protected health information (PHI) for our organization and business associates?
  3. What is the value of PHI we are managing?

If you can answer these three questions, you are in a greater position to have your budget approved. However, if you are like most HIPAA privacy and healthcare security experts, these are not questions you can readily answer. Yet.

Where can you find help?

You can get a head start at an upcoming industry forum on March 12 and 13, 2013 in Boston. This will prepare you to answer the three questions above—including learning what your PHI is worth—and be ready to present your business case to your executive team. Register for this unique event now at www.phiprotection.org

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

Healthcare Security - One of the Most Vulnerable Industries

by Deanna Jones (DJ)

“One of the most vulnerable industries in the country” is the statement used to describe healthcare in America in a recent Washington Post article.  Rather damning words and ones that give us much to worry about as our fractious medical systems crawl into the digital age.

The article highlights The Post's year-long study on the subject, stating that healthcare lags behind in addressing known problems and has "gaping security holes". Normally, such system inadequacies and related issues are relegated to the financial industry; however, in recent months, officials with the Department of Homeland Security have expressed growing fear that healthcare presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists.

What's at risk: patient safety, theft, loss of medical information – things rather important to us in health and personal privacy. The culprit: the routine failure to fix known software flaws in aging technology, and a culture in which physicians, nurses and other health-care workers sidestep basic security measures, such as passwords, in favor of convenience.

The call to action is now – before the new electronic health record systems are implemented and begin to dictate the medical interactions of our lives.  Security must be built in advance of implementation, not after the fact, and the human element must be addressed in protocols of security training.  The digital age moves so quickly that often potential security issues are overlooked in favor of availability.  As healthcare is being reformed, let’s ensure it touches security, as well.  Let’s ensure we create something safe, as well as useful.

About the Author

Deanna Jones (DJ)

Deanna Jones (DJ) is an Investigator within ID Experts' Special Investigations Unit. She came to ID Experts from the Portland Police Bureau and has an extensive background in legal and insurance investigations for plaintiff case preparation, backgrounds and workman's compensation fraud. She also worked with the former Bureau of Alcohol, Tobacco and Firearms, now under the US Treasury, where she assisted with regulatory investigations and compliance. DJ has obtained government security clearance through her duties at ID Experts and is a Certified Fraud Examiner (CFE). She holds a BA in English and Journalism and an MS in Criminology.

New HIPAA Rules: Is Your Organization Ready?

by Doug Pollack

As most of you are already aware at this point, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the Final HIPAA Omnibus Rule in the Federal Register last month, on January 25, 2013. So the question I think many of you should be asking is, "what does this mean for me and my organization?"

In order to develop your "Playbook" for being compliant with this mass of Rules, ensuring that you reduce your risks to the onerous fines, penalties, and corrective action plans that otherwise might be in your future, the first step is to understand specifically what is in the Rules, and where the "low hanging fruit" is for your organization relative to demonstrating compliance.

In order to assist you in your digestion of the Rules and their implications, feel free to take a look at the recently published paper titled "The HIPAA Final Omnibus Rule: An Analysis of the Changes Impacting Healthcare Covered Entities and Business Associates." It provides readable coverage of all of the changes and implications to the Privacy Rule, Security Rule, Breach Notification Rule and GINA, the Genetic Information Nondiscrimination Act.

If you are a covered entity, you are probably aware of many of your general obligations, but need to understand what has specifically changed in these Rules that you need to incorporate into your policies, procedures, and operational plan. The changes to the definition of "breach" in the Breach Notification Rule are certainly a "must read". In addition, take careful note of your Security Rule obligations for carrying out a periodic Security Evaluation and Security Risk Analysis.

And if you're a HIPAA business associate – let me go back a step – if you are a company that in any way handles patient information (HIPAA protected health information or PHI), you are a business associate – then you should carefully review the obligations that you have under the Omnibus Rule. The likelihood is that there are a lot of companies in the position where they are in fact HIPAA business associates, but are unaware of the specific privacy, security, and breach notification obligations that come along with being a business associate. And in this case, what you don't know can hurt you. OCR has stated its intention to be aggressive in assuring that HIPAA business associates are responsible in complying with the new Rules.

So, download the paper on the HIPAA Final Omnibus Rules now and start developing your HIPAA Omnibus Rule Playbook.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

What’s The Worst That Can Happen?

by Rick Kam

I was talking to a news reporter a few days ago about the risks of a breach of patient medical records and she asked:

"What's the worst thing that can happen???"

My response was to tell her about the potential for medical identity theft and medical fraud.

A few days have gone by and I have read several news articles and reports that prompted me to reflect on the answer I gave. Some of these articles covered topics such as:

"Health-care Sector Vulnerable to Hackers"

"Zero Day Exploits in Cyberspace"

"2,644 Breach Incidents in 2012 Exposing 267 million records"

So let's let our imaginations run wild for a few moments... Can you think of possible scenarios that would answer this reporter's question? Please send me scenarios you think could make the "worst case" list. You can reach me here.

Let's take this one for example. A server at a major New York City hospital that stored the hospital's database of over 845,000 patient records could no longer be accessed due to the mechanical failure of the hard drives. The IT manager followed procedures to restore the database from the hospital's magnetic backup tapes, but the backup tapes were blank.

The permanent loss of the database records would put the hospital in clear violation of HIPAA data retention and availability requirements. To restore the server, the IT manager contracted with a local third-party data recovery service provider. With no documented policy or procedure for assessing the capabilities and security compliance of such service providers, the IT support manager selected the company based on its 48-hour turnaround time, and shipped it the damaged hard drives without vetting the company's data security protocols.

The data recovery was a complete success. Within two days, the recovered data was returned to the IT support manager who uploaded the full database of patient records onto the hospital's new server and the tape backup system was fully functional again. The IT manager made a note in his files to use the local data recovery service provider again, thinking all had gone quite well.

But all was not well. Several months after the recovery, the hospital discovered that a breach of protected health information (PHI) had occurred during the recovery process. While creating an image of all the data on the drives, the data recovery engineer discovered the database of PHI records, including financial and health care account information. He made a second copy of the database for himself, found the records of a female patient with a description closely matching that of his ailing wife, and altered them to fit his wife's description perfectly, removing reference to the female's blood type and life-threatening allergy to insulin. His wife used the fraudulent identity to receive surgical treatments for cancerous tumors in her lungs. The engineer used the credit card data found in other records to pay for the surgery, pharmaceuticals and rehabilitation.

Several of the hospital's patients then began reporting unauthorized purchases on their credit cards. The cause of the security breach was not discovered until the woman whose record was altered received emergency surgery after a car crash. Unconscious when she arrived at the hospital, she died from anaphylactic shock during a simple surgical procedure—an allergic reaction to the insulin she was administered during the operation.

The husband was convinced that his wife's allergy to insulin was well documented in her health record. After investigating the woman's health records more closely, it was discovered that her PHI recently had been altered and the changes were traced back to the NYC hospital's database. The hospital's forensic team was called in, and the breach was traced to an unscrupulous third-party data recovery service provider and its data recovery engineer, who, it was then revealed, had not been subjected to a background check upon hiring. The data recovery engineer had a criminal history of identity theft.

Reports of the breach, the altered medical records, and the woman's death were picked up by the media. The hospital posted a public notice of the PHI breach and notification letters were sent to all impacted patients outlining the details of the breach, the PHI disclosed, and who had handled their data. Two years of credit monitoring and fraud resolution services, along with credit and identity theft restoration if needed, were offered by the hospital to all affected individuals. However, the larger threat to the consumer was the misuse of the PHI, which went unmonitored. The hospital's name and image were damaged severely.

An internal study was conducted at the hospital and new protocols were adopted to mitigate the risk of using third-party data recovery vendors. The hospital's risk management process was updated and the hospital's CISO and the IT support manager were fired.

I would like to have you send me scenarios you think could make the "worst case" list. I will include them in my next blog and share them with the experts participating at the PHI Protection Forum on March 12th and 13th in Boston. I will share the top 5 submissions and give people recognition at the event and on our Linkedin Groups and blogs.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

ID Experts RADAR 2.5: Final Rules Ready

by Mahmood Sher-jan

Today we announced the availability of the latest release of our ID Experts RADAR 2.5, our HIPAA and state data breach risk assessment and incident management software. The timing of this release also coincides with the recent publication of the HIPAA Final Breach Notification Rule as part of the HIPAA Omnibus Rule. I want to congratulate my team and our clients, including hospitals, health plans and insurance carriers, who have contributed significantly to this release through their participation in our Beta testing and feedback process.

The final rule removed the controversial "harm standard" and replaced it with what is being called the "compromise standard". The rule requires covered entities and their business associates to use a minimum of 4 factors when performing a risk assessment to determine if an incident is a breach requiring notification of affected individuals and agencies. Additionally, the narrow exception for a limited data set that excludes date of birth and zip code was eliminated, but the rest of the old 3 exceptions from the interim final rule and the encryption safe harbor were reaffirmed. The good news for our RADAR users and any organization required to comply with the final rule is that our RADAR 2.5 is "final rule" ready. In reality these factors are not new. These risk factors are derived from similar factors listed in the previous interim final rule (IFR), but unlike under the IFR they are now required. RADAR's risk assessment engine has been using and refining these risk factors since its inception three years ago.

The final rule goes into effect on September 23, 2013, so as further guidance is provided by the Department of Health and Human Services (HHS), RADAR will continue to stay in front and ensure that our users remain compliant.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

HIPAA Omnibus Final Rules: What you need to know and do

by ID Experts

You can download our HIPAA Omnibus Final Rule Whitepaper here.

You can view our HIPAA Omnibus Final Rule Webinar here.

Join us for an in-depth analysis of the final rules with Adam Greene, a nationally-recognized authority on HIPAA and the HITECH Act and Partner with Davis Wright Tremaine, LLP, and Mahmood Sher-Jan, Vice President of Product Management at ID Experts, including expectations of regulatory enforcement and specific recommendations for compliance. Adam and Mahmood will cover:

  • Review the scope and history of the rules
  • Key areas of change: what's new and what's different
  • What the changes mean for covered entities and business associates
  • Implications of the removal of the harm threshold from breach notification
  • Guidance and recommendations for compliance

Webinar: HIPAA Final Rules: What you need to know and do - Wednesday, February 6, 2013 11:00 am

New Omnibus Rule Released: HIPAA Puts on More Weight

Originally posted on Davis Wright Tremaine Advisories. Reprinted with permission.

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited "Omnibus Rule," which amends the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). The Omnibus Rule, which is expected to be published Jan. 25, 2013, implements most of the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends the reach and limits of HIPAA. The Omnibus Rule, in part, expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA).

In response, covered entities should consider:

  • Performing a gap analysis to determine what policies and procedures must be revisited in light of the Omnibus Rule;
  • Revising privacy and security policies and procedures to bring the organization into compliance—this is a good opportunity to review and fine-tune existing policies based on guidance and experience;
  • Revising breach notification policies, procedures, and breach response plans, particularly with respect to conducting a risk assessment for determining whether notification is required;
  • Amending notices of privacy practices (and making sure the revised notices are properly posted and distributed);
  • Training workforce and promoting more ongoing awareness;
  • Revising business associate contract templates and beginning the painful process of amending/renegotiating each one;
  • Determining whether any forms, such as requests for access, should be updated or created;
  • Continuing—or making an increased effort—to take advantage of the safe harbor provision by encrypting PHI according to HHS' guidance; and
  • Making sure an updated risk analysis is in place and reflects vulnerabilities addressed in HHS guidance, such as mobile devices.

Business associates and their subcontractors will need to create and implement a HIPAA compliance program if they have not already done so. This includes performing (or possibly revisiting) their risk analysis and risk management processes, developing and implementing appropriate policies and procedures, and training workforce.

Register for the webinar here:

Webinar: HIPAA Final Rules: What you need to know and do

Read the whole Davis Wright Tremaine Advisory here:

New Omnibus Rule Released: HIPAA Puts on More Weight

About the Author

ID Experts

HIPAA Omnibus Final Rule Brings Sweeping Changes

by Doug Pollack

You can download our HIPAA Omnibus Final Rule Whitepaper here.

You can view our HIPAA Omnibus Final Rule Webinar here.

I was asked recently by HITECH Answers to address some questions about the recently published HIPAA Omnibus Rule, which addresses privacy, security and breach notification issues for HIPAA covered entities and business associates. The rules have been characterized as bringing "sweeping changes" in these areas. I think certainly that there are numerous areas within the Final Rules that will require the careful attention of all members of the healthcare ecosystem. Without a doubt, now that the Final Rules have been issued, the breadth and intensity of investigations and enforcement actions by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) are only likely to increase, exposing healthcare organizations and their business partners to greater risks. Learn more about the Rules and their implications at the upcoming webinar: HIPAA Final Rules: What you need to know and do. Speakers include Adam Greene, Partner at Davis Wright Tremaine. Previously, Adam was a regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing the HIPAA rules.

Now on to the questions.

1. The HIPAA Omnibus Bill has been in the works for several years now and modifies the HIPAA Privacy & Security Rules passed as part of the HITECH Act. Can you tell us why modification was needed?

To clarify, the HITECH Act was a piece of legislation that required the rulemaking body, the US Department of Health and Human Services Office for Civil Rights (OCR), to update the HIPAA Privacy and Security Rules to comply with provisions of the Act. For example, there were provisions in the law that required updates to the Security Rule so that not just HIPAA covered entities but also HIPAA business associates must comply with the rule and are subject to fines and penalties for potential negligence for non-compliance. As another example, the Final Rule also revised language from the Interim Final Rule to make clear that downstream contractors of business associates that touch PHI will also be considered business associates.

2. When does the HIPAA Omnibus Bill go into effect for Covered Entities (providers) and their Business Associates?

This final rule is effective on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013. Until then, they must comply with the Interim Final Rules as published.

3. We're reading the HIPAA Omnibus will bring "sweeping changes" to HIPAA privacy and security enforcement. Can you give us a brief rundown of a few of the key compliance issues contained in the Bill?

Sure. One compliance issue where there were significant changes in the rules was in breach notification. There is a requirement that for every data security incident involving protected health information (PHI), the entity conduct an incident risk assessment in order to determine the probability that the information was compromised. The rules lay out objective measures for carrying out this assessment covering four factors that must be evaluated. So for instance, if an entity has an incident and their risk assessment concludes that there was a very low probability of compromise of the PHI, they could choose not to notify the affected individuals or OCR. However, the rules require that the entity maintain a “burden of proof” if their conclusions are called into question. So for instance, if they were investigated by OCR, they would be required to provide conclusive documentation of their incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If they don’t meet that burden of proof, they could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.

Other compliance issues include the requirement that healthcare organizations be able to provide patients with copies of their electronic medical records, upon request; compliance with new restrictions on the “sale” of PHI and associated patient consent; the need for business associates to comply with all of the rules, including downstream contractors that may not have been considered business associates in the past; and compliance with GINA, the Genetic Information Non-discrimination act, which restricts disclosure and use of such information for underwriting purposes, among others.

4. How will the HIPAA Omnibus Bill impact how providers handle personal health information (PHI) and patients' access to this information?

The Final Rules reiterate the importance of healthcare providers meeting stringent requirements for patient privacy and data security. Today, however, their financial exposure has grown, given the aggressive enforcement posture that OCR has adopted towards organizations that have lax privacy/security postures. The most significant clarification in the rules in this regard is related to patient access. Patients will now have the right to get electronic copies of all of their electronic medical records upon request. In the past, providers' policies in this area have varied significantly.

5. Finally, what sort of challenges do you anticipate for providers meeting the new compliance requirements in the Bill?

I see one of the greatest challenges will be in these organizations being methodical in carrying out the required privacy and security risk analyses, and rigorously documenting the results and their remediative actions. A recent survey indicated that a majority of hospitals haven’t done a security risk assessment in the last year. There will be little tolerance for that level of neglect going forward.

A second key challenge for providers will be putting in place the appropriate operational mechanisms (policies, procedures, methodologies) for carrying out the security incident risk assessments that are required in the Breach Notification Rule, and documenting their results in such a way as to maintain a burden of proof that will stand up to an audit or investigation by OCR.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

2013 Data Privacy, Information Security and Cyber Insurance Trends Report Released

by ID Experts

In this exclusive report released by Cyber Data Risk Managers, many well-known top industry experts offer their thoughts on what they think will, and should, happen in 2013 as it pertains to Data Privacy, Information Security and Cyber Insurance, and what steps can be taken to mitigate risk. Several experts also share their thoughts on "why organizations may or may not be rushing to purchase cyber insurance."

ID Experts President Rick Kam and friend of the firm Dr. Larry Ponemon were both asked their thoughts on 2013.

Rick Kam – CIPP/US, President and Co-Founder, ID Experts

"Data breaches are now part of doing business. To help address this, organizations need to operationalize pre-breach and post-breach processes," said Rick Kam, president and co-founder of ID Experts. "Looking ahead to 2013, organizations should also update their policies and procedures to include mobile devices and cloud, since these pose high risk areas for data."

Dr. Larry Ponemon – Chairman and Founder, Ponemon Institute

Question: Why do you think the organizations that you have interviewed through your research are not rushing to purchase cyber insurance? Especially when data breach costs continue to increase and cyber insurance can help cover the residual costs.

"Our research shows healthcare providers such as hospitals and clinics are late adopters when it comes to investments in data protection and information security. This is probably true for cyber insurance as well," said Dr. Larry Ponemon, chairman and founder, Ponemon


You can download and read the whole report by Cyber Data Risk Managers here: "2013 Data Privacy, Information Security and Cyber Insurance Trends Report"

About the Author

ID Experts

HHS’ Sensible Compromise on the Controversial Harm Threshold

by Mahmood Sher-jan

(Part 1)

The HIPAA Final Rule is finally here, which means the end of uncertainty about the future of the controversial “risk of harm” assessment introduced by the Interim Final Rule (IFR). Now it is time to analyze the Final Rule and get on with the preparations for compliance. The focus of this analysis is on the implications for covered entities and business associates of the change to the definition of “breach.” The new definition removed the controversial “risk of harm” language without compromising the spirit of the HITECH Act, which is to mitigate harm to individuals. This article will cover:

  1. The breach definition change
  2. Specifying a risk assessment approach
  3. OCR enforcement
  4. Actions to take towards compliance

Breach Definition and Risk Assessment (§164.402)

The IFR defined a “breach” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” In addition, the IFR established that “compromises the security or privacy of the protected health information” means the breach poses a significant risk of financial, reputational, or other harm to the individual, as determined through a risk assessment by covered entities and business associates. Given the large number of public comments in support of the risk assessment, the U.S. Department of Health and Human Services (HHS) upheld the requirement for an incident-specific risk assessment by covered entities and business associates but removed the use of “significant risk of harm” as the threshold for notification. This compromise by HHS addresses the concern that the subjectivity of establishing such a threshold would result in inconsistent interpretations across covered entities and business associates.

As a result, instead of assessing the risk of harm to the individual, covered entities and business associates must now assess the probability that the protected health information (PHI) has been compromised, based on a risk assessment that considers at least the following factors outlined in the final rule:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed;
  4. The extent to which the risk to the protected health information has been mitigated.

HHS also wants us to know that the use of these factors will result in a more objective evaluation of the risk to the PHI and a more uniform application of the rule. To emphasize this point, the final rule states that “...this type of assessment of risk should not be a new or different exercise for covered entities and business associates. Similar assessments of risk when data have been compromised must be performed routinely following security breaches and to comply with certain State breach notification laws.” In other words, if you are compliant with state laws and meet your current burden of proof (§ 164.414) according to the IFR, then you should be well prepared to comply with the final rule, because the factors to consider in the risk assessment are derived from factors listed in the IFR.

It is noteworthy that although the term “significant risk of harm” was abandoned in favor of a less controversial risk assessment to determine the probability of PHI compromise, the statutory language retains the need for covered entities and business associates to mitigate “harm to individuals.” The final rule retains the statutory term “mitigate harm to individuals” to make clear that the notification should describe the steps the covered entity or business associate is taking to mitigate potential harm to individuals resulting from the breach, and that such harm is not limited to economic loss.

Another key outcome of the revised breach definition and the risk assessment requirement in the final rule is the improved harmonization of the federal and state breach notification laws, which in most cases already require such a risk assessment. The final rule clarifies that only contrary state laws are to be preempted by the federal breach law. This should help covered entities and business associates in creating a consistent risk assessment approach to ensure compliance with HIPAA-HITECH and state breach laws.

OCR Enforcement:

The enforcement of the final breach notification rule by the Office for Civil Rights (OCR) will be carried out pursuant to the Enforcement Rule. OCR has the discretion to work with entities to achieve voluntary compliance through informal resolution or impose a civil money penalty for a failure to comply with the breach notification rule. There’s an exception to voluntary resolution in cases in which OCR finds a violation due to willful neglect. OCR also has the authority to impose a civil money penalty for the underlying Privacy Rule violation(s), even in cases where all required breach notifications were provided.

What You Should Do:

The final rule is effective on March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

The good news for covered entities and business associates that are already compliant with the IFR’s breach notification rule, which became effective on September 23, 2009, is that they are well positioned to comply with the final rule, given the limited scope of what was changed in the final rule. For example, the final rule retained all the exceptions allowed by the IFR except the limited data set exception. The rules around incident discovery and notification timelines remained virtually unchanged.

For those entities not yet compliant with the IFR, the clock is ticking and they need to get started to meet the risk assessment and burden of proof obligations. Our ID Experts RADAR™ online incident management software is the only proven and easy-to-use solution used by many covered entities to perform incident risk assessment as prescribed in the HHS final rule. These entities will be well served to explore how RADAR could help them achieve compliance in a timely and cost-effective manner.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

The Final Rule Contest Comes to an End!

by ID Experts

ID Experts is excited to announce the winner of our Final Countdown contest! With hundreds of entries, this person was only 10 days off, which is impressive considering we received guesses spanning 2 years! Fellow IAPP member Colin Morrow won with the closest guess of January 15th, 2013.

We started the contest as a fun internal pool, but we were glad that all of our HIPAA/HITECH friends could join us in the fun. The winner will receive a $2,500 donation in his name to the Wounded Warrior Project, a $200 gift card to Amazon, and a 1-year subscription for RADAR: a secure online tool that helps hospitals, clinics, and health plans comply with both the updated HIPAA/HITECH and state data breach regulations. And most importantly of all... Internet bragging rights*

Like watching your children graduate from college, I never thought this day would come. I take solace in the fact that it will now take me a while to read through the 563-page novel that is the “HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.”

* No cash value

About the Author

ID Experts

2013: The Year of the Data Breach: 11 Data Security Tips to Immunize Your Organization

by Rick Kam

According to the Chinese zodiac, 2013 is the Year of the Snake. I predict that 2013 will be the Year of the Data Breach, at least in healthcare. According to the newly released Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, 94 percent of healthcare organizations surveyed suffered data breaches. The common-cold frequency of data breaches causes legal, financial and reputational headaches for everyone.

Healthcare organizations want and need to protect against these stresses, but the pervasive nature of electronic protected health information (PHI) makes this a difficult task—an understatement—to be sure. However, I believe that data breaches don't have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. With that in mind, a handful of colleagues and I assembled a list of 11 recommendations for a healthier organization in 2013—and beyond. Click here for the complete list:

Government HealthIT: 11 data security tips for a healthy organization in 2013

Patient information is at risk for infection. If healthcare professionals commit to a healthier organization, however, they can prevent what is otherwise a "common-cold" data breach from becoming life-threatening pneumonia. These strategies are a good start.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

Major Attention Paid to Patient Privacy as Ponemon Report Hits the USA Today

by Christine Arevalo

As evidenced in today's USA Today, patient privacy is a serious issue, and the threat of medical identity theft to patients is receiving an increased level of attention in the mainstream media. This is largely due to the fact (as seen in the graphic) that more personal health information (medical files and billing records) is being lost or stolen, as opposed to financial data (payment details) as in the past. This presents very real and nebulous concerns for the patients affected.

This and additional heightened awareness highlight that the threat to patient privacy is not only real, but rapidly gaining the attention of concerned consumers. The accompanying USA Today poll also reveals that at least 76% of the population are at least somewhat concerned about the issue.

More importantly, the recently published Third Annual Benchmark Study on Patient Privacy and Data Security confirms that medical ID theft is on the rise as a result of compromised patient data, and more than half of the healthcare providers who responded (52%) said that they had experience with medical ID theft in 2012.

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Are You Getting the Internal Support and Resources to Protect PHI?

by Rick Kam

Have you been working on creative and innovative ways to get your executive team to recognize the importance of investing additional resources in securing PHI? If you need some ideas on how to approach this challenge, read on…

This is the subject of the next free webinar in the PHI Protection Network Webinar Series. The pre-recorded webinar will be available on January 15, 2013. The webinar is presented by Mary Chaput, CFO and Compliance Officer of Clearwater Compliance.

Mary will cover:

  • Why senior leaders should increase the security of PHI entrusted to their care
  • A methodology for defining the potential cost to your organization of a data breach
  • How a cohesive business case can help you obtain resources and support for a strong PHI protection plan

There are also 3 other free webinars available in this series that were made available over the past three months:

  1. Introduction to the PHI Protection Network presented by Rick Kam
  2. PHI Security: A Perspective from the Hill presented by James Pyles
  3. The Threat is Real – Threats Facing the Healthcare Ecosystem presented by James Christiansen

Please go to this website to view these webinars and to learn more about the PHI Protection Workshop scheduled March 12th and 13th, 2013 in Boston (http://www.phiprotection.org). The workshop will bring together privacy and security professionals who are developing business cases for enhanced PHI security for their organizations, guest speakers, and the authors of the white paper “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced Security” (get a free copy at www.ansi.org/phi).

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

Ponemon Study on Patient Privacy Highlights Security Failings

by Richard Santalesa

This post by Richard Santalesa is part of our ongoing series of contributed content. Reprinted with permission from the InfoLawGroup.

Released last week, the Ponemon Institute‘s Third Annual Benchmark Study on Patient Privacy & Data Security (available at http://www2.idexpertscorp.com/ponemon2012/) starkly highlights the continued serious challenges faced by healthcare organizations in adequately safeguarding protected health information (“PHI”).

As the study notes straight out of the gate, “the threats to healthcare organizations have become increasingly more difficult to control,” in part due to the rise of BYOD, file-sharing applications and cloud computing, in parallel with “sophisticated and stealthy” criminal attacks that are on the rise since 2010. The end result is that average costs over two years for organizations responding to PHI data breaches have risen to $2.4 million – up from the $2.2MM and $2.1MM reflected in the analogous Ponemon studies in 2011 and 2010, respectively. What were the key findings? The overall news isn’t good.

In short:

  • More healthcare organizations are experiencing multiple data breaches.
    • The report notes that an incredible 94% of healthcare organizations in the study have had a data breach in the past two years, with 45% reporting “more than five incidents.” That’s not only an amazing figure in the abstract, but stresses that thoroughly determining the cause of a breach and following through on concrete steps to forestall future incidents must be a key aspect of any breach response, and that proactive data security reviews are valuable, cost-effective measures.
  • Data breaches can have severe economic consequences.
    • Not every data incident automatically results in a $2.4 million price tag. Indeed, the study states that the data breaches studied ranged from less than $10,000 to more than $1 million over a two-year period, but given the size of the industry the findings indicate that “the annual cost to the healthcare industry could potentially be as high as almost $7 billion” given the total number of registered hospitals in the U.S.
  • Insider negligence continues to be the primary cause of breaches.
    • People are always the weak link in any security system, but the fact that the main causes of data loss and breaches are employee mistakes, carelessness and “third party snafus” reiterates that a KISS approach to security, combined with realistic privacy risk assessments and fostering a culture of security situational awareness, can, perhaps more than any other measure, increase security and limit data loss incidents. However, the report also notes, somewhat counterintuitively at first blush, that employee training “does not seem to be effective in reducing insider negligence.” The cause of this appears to be that annual or periodic privacy and security training, without more, is essentially – and we’ve seen this in practice – useless. Employees toss the “manual” in a drawer and get back to work. The key is truly fostering security awareness day in and day out; otherwise the efforts spent in “training” are basically little more than feel-good exercises of wasted time and money.
  • Medical identity theft occurs and can affect patient treatment.
    • Documenting why increased “red flag” measures and other point-of-service patient ID confirmation by health providers remain an ongoing battle, only one third of healthcare organizations believe they have sufficient controls in place to prevent patient ID theft, while 52% of organizations report that they had experienced one or more incidents of medical ID theft. Let that sink in a minute.
  • Trends in mobility and employee owned devices put patient data at risk.
    • Amazingly, use of BYOD in the healthcare field is significantly higher than in other areas, with 81% of organizations allowing employees and medical staff to “use their own mobile devices” to connect to their network or enterprises, with, on average, 51% of employees BYOD’ing. That’s stunning.
  • Unsecured medical devices are vulnerable to hackers.
    • Mirroring the recent spate of news stories about the possibility of hacking of pacemakers, etc., the study notes 69% of organizations do not “secure” medical devices such as wireless heart and insulin pumps, mammogram imaging and other critical health devices. I expect this to rapidly change as awareness of the issue broadens.
  • Healthcare organizations embrace the cloud in a big way.
    • Interestingly, and in what may come as a surprise to those otherwise following cloud computing closely, the study revealed that 62% of health organizations make “moderate or heavy use of cloud services,” with a paltry 9% not using cloud services in any form. On the flip side, however, in a mode apparently embracing “hope as a strategy,” 47% were not confident their information in the cloud was secure, while only 23% expressed confidence in the security of their cloud services. That strikes me as a dramatic indictment of apparently commonplace cloud contracting practices.
  • Concerns about the security of Health Information Exchanges (HIE) are keeping organizations from joining.
    • Security still matters to many, thankfully. In the drumbeat chorus of bad news, the report speculates that many organizations have steered clear of joining HIEs due to a lack of confidence in HIE security and privacy of patient data. To me that’s actually good news, given the already shocking number and amount of health-related breaches documented in the study, but it highlights that HIEs have their work cut out for them in raising the comfort level on security and patient privacy.
  • The ability to prevent and detect data breaches has made strides, but is far from sufficient.
    • What to say here that doesn’t have us all rushing to stick our heads in the oven? First, deep breath. On the downside, only 40% of healthcare organizations are confident today in their ability to prevent and detect patient data loss or theft, which clearly means we’re in worrying “Mayday! Mayday! Mayday!” territory. And with every organization under fiscal and performance pressure, the situation is not likely to rapidly improve. That’s the bad news. But the report does note the positive that organizations are moving away from loosey-goosey “ad hoc” processes towards regimented policies and procedures and security tech. Good. But we all have work to do in this area and, really, it again comes back to ensuring key personnel take security seriously and are then willing to personally backstop efforts so that security awareness spreads by osmosis throughout their organizations.
  • The carrot and the stick works. Sort of.
    • Or as the report puts it, “compliance encourages improvements in privacy and data security” – in English, this means HHS OCR audits and fines have thrown fear into organizations, with 68% of organizations having in response conducted and documented post-data-breach incident risk assessments. We all know that no one, well almost no one, enjoys the threat of HIPAA/HITECH penalties hanging over them, but it has enabled security personnel to point to the danger over the horizon and then stick a finger on their data map where it now says “Here be dragons!” to gain new attention for security efforts.
  • Barriers to achieving a stronger defense against data breaches continue to be a shortage of technologies, funding and expertise.
    • In other words, “dog bites man.” Money is always short. Crucial skills are both fleeting and in short supply. Technology marches on at light speed. That said, a resounding 52% (up from 41% in 2010) of organizations agreed they have “sufficient” policies and procedures in place to prevent or quickly detect unauthorized patient data access, loss or theft. But policies and procedures are one thing. The proof of the pudding comes in when the data hits the road, and on that front significant road rash was reported, with only 27% of organizations stating they have enough security resources and 34% claiming their security budgets were satisfactory. As any road racer knows, “your vehicle/cycle steers to where you’re looking.” No, that’s not a Zen koan.

Overall, the Ponemon Third Annual Benchmark Study on Patient Privacy and Data Security is a sobering, but extremely useful read, and at 37 pages is comprehensive without being overwhelming.   Frankly, I’d recommend that every healthcare organization (or business associate) that interacts with PHI should plan on scheduling a meeting with IT, legal and C-level executives to, at least, review the study’s executive summary and then develop sound, sensible and serious benchmarks for 2013 to address its findings and the yawning gap that continues to exist in data security around PHI.

About the Author

Richard Santalesa

Richard Santalesa is Senior Counsel at the Information Law Group, representing clients on electronic commerce and internet issues, privacy and data security, outsourcing, and software and website development transactions. With over 20 years of technology experience, Richard began his career as a computer programmer on Wall Street and later covered the technology field as an award-winning journalist, editor and analyst covering security, internet, hardware, software and wireless issues. As a journalist he’s held the positions of executive editor of NetGuide, editor in chief of Windows User, and technical editor of Computer Shopper.

Patients at Growing Risk of Medical Identity Theft

by Bob Gregg

Today I want to comment on the report released last week, the Third Annual Benchmark Study on Patient Privacy and Data Security, a research study conducted by the Ponemon Institute and sponsored by ID Experts. While this study revealed lots of important data regarding the state of healthcare privacy and security in this country, including the fact that healthcare breaches continue to grow and technology trends are only making things worse, I want to concentrate today on one particularly serious finding: patients and their personal health information (PHI) face a growing risk of medical identity theft.

Through all three years of the study we have seen a trend of increasing risk. And I want to remind everyone that we at ID Experts view medical ID theft as among the worst kinds of ID theft one can experience. Besides the obvious problems, hassles and financial concerns connected with someone else using your medical ID to obtain healthcare goods, services, and prescriptions, you have to understand that everything performed on the ID thief's behalf goes into your medical record. Suddenly your blood type changes, your pre-existing conditions are altered, even your prescription history is polluted. Your personal health and your ability to get proper medical treatment are seriously compromised. Some key findings from the study:

  1. More than half of the healthcare providers who responded (52%) said that they had experience with medical ID theft in 2012
  2. Almost one-third (29%) said that patient billing systems are the most susceptible to theft or breach
  3. Data breach incidents continue to rise, caused by employee errors (42%), technology glitches (31%), outside malicious attack (33%), third-party errors (outsourcing) (42%) and lost or stolen devices (laptops, thumb drives) (46%) (adds to >100% as many listed multiple causes)
  4. 95% of healthcare organizations say that breaches cause harm to patients, yet 74% don't offer even the most basic identity monitoring services to patients following a breach

When you combine these findings with the results of a previous 2012 Ponemon Study that indicated that 1.8 million Americans were victimized by medical ID theft in the past year, at a cost of $41.3 billion, it is obvious this is getting to be a real problem for all of us.  Not only is the number of victims up, the dollar cost is dramatically up from $30.9 billion reported in the 2011 similar research study.

So what can you do?  While a significant amount of this is outside your control there are some basics that can help.

  1. If you go to a new healthcare provider you have not previously seen and they ask for your insurance card but not your proof of identity, tell them they need to start asking for proof.
  2. If your provider is recording your personal information on a computer, laptop, or tablet ask if the data on the device is encrypted. 
  3. When you receive your Explanation of Benefits (EOB) from your insurer or third party administrator, review the activity and verify as best you can that you or your family members received the care described.
  4. If your provider notifies you that your information was involved in a data breach, insist on ID monitoring protection for at least 2 years.
  5. If you are part of a company or organization that can or would like to help with this growing problem, check out the Medical Identity Fraud Alliance, a public/private alliance organized to fight medical ID fraud.

So once again, I post this not to scare you but to try to inform. With the move to Electronic Health Records this problem is only going to get worse and we have to do all we can to protect ourselves and our families. 

Bob Gregg
CEO

About the Author

Bob Gregg

With over 30 years of experience in high technology and software services, Bob joined ID Experts as CEO in 2009. He is particularly interested in the emerging trends involving identity theft and privacy data breaches, with emphasis on healthcare. "Let's keep our private, confidential information just that...private and confidential"

Third Annual Patient Privacy Study Released

by Larry Ponemon

Could BYOD increase the risks of a healthcare data breach and medical identity theft? The third annual study on Patient Privacy and Data Security reveals the explosion of mobile devices used in healthcare organizations. Most organizations in our study say they permit their employees to bring personally owned devices such as smart phones and tablets and connect to their networks or enterprise systems. While productivity may increase, so does the risk that patient data may end up in the wrong hands. In fact when asked, these organizations admit they are not confident they can make sure these devices are secure.

Ninety-Four Percent of Hospitals Surveyed Suffered Data Breaches; Estimated Cost to Healthcare Industry Averages $7 Billion


What should hospitals do today? Conduct a privacy risk assessment to identify organizational gaps and create a comprehensive mobile device policy (including detailed guidelines) for all employees and contractors. The policy should address the risks and the security procedures that should be followed. They should also reinforce their mobile device policy with employee education on the importance of safeguarding their mobile devices and how to avoid risky behaviors. For a copy of the study, please click here: http://www2.idexpertscorp.com/ponemon2012/

About the Author

Larry Ponemon

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

A Look Back at 2012: Healthcare Data Privacy and Security: A Year in Review

by Rick Kam

How would you characterize the changes that took place in data privacy and security in 2012?

From my perspective, there were four things to note, plus one ongoing problem that seems to plague many organizations' ability to make significant progress.

  1. Groundbreaking work on identifying the corporate value of our health information
  2. New data breach legislation that increases the focus on protected health information (PHI)
  3. Organizations struggling with the assessment of the HITECH “risk of harm” when they discover a “privacy incident”
  4. No “mega” (over 1 million people affected) data breaches of PHI listed on HHS “Wall of Shame”

In March of 2012, the American National Standards Institute (ANSI), Santa Fe Group Shared Assessments, and Internet Security Alliance (ISA) sponsored an initiative to determine the value of PHI. The resulting white paper was the work of over 100 privacy and security experts from 70 organizations. What was groundbreaking was the approach the team developed to determine the "value at risk" of PHI. The approach, the PHI Value Estimator (PHIVE, "5"), provides a methodology for determining the value of the PHI an organization is responsible for. That value at risk is the basis for deciding the appropriate level of investment to protect this corporate asset, and for comparing the return on investment (ROI) of those expenditures against other initiatives. This is extremely helpful during a budget cycle when the executive team is deciding where to direct resources. You can obtain a free copy of the white paper, "The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security", at www.ansi.org/phi. There is also a series of free webinars on this topic and a workshop in March 2013 in Boston on how to apply this approach and strengthen the business case for privacy and security investments before the next budget cycle (see www.ppnprotection.org for more information).

The second interesting change in the privacy and security legal landscape in 2012 was new legislation, specifically from Texas. On September 1, 2012, Texas's amended data breach notification law went into effect. Here is an excerpt from an article written by Anna Trimble and Bill Cobb from JW|Cybersecurity:

On September 1, 2012, Texas's amended data breach notification law passed in June 2011 will go into effect, and residents of all 50 states will potentially feel the effects. Under the amended law, Texas extends the reach of its data breach notification laws beyond Texas borders to all affected "individuals." 

Under the current law, any entity that "conducts business" in Texas and maintains sensitive personal information on its computer network is required to notify any "Texas resident" whose personal information is, or is reasonably believed to have been acquired by an unauthorized user. The types of Texas businesses affected include most businesses that maintain customer information, as well as virtually any health care-related business. Yet under the new amendment, any such entity conducting business in Texas must notify all affected "individuals" regardless of whether they call Texas home or not. Thus, any entity conducting business in Texas may be required to notify residents of all 50 states in the event of a data breach involving sensitive personal information. However, for affected out-of-state residents who live in states with their own notification requirements (all but four states have their own data breach notification laws), compliance with their own state law satisfies Texas requirements.

I expect to see other states follow Texas's leadership in protecting personal information. One of the things we all expected in 2012, and have not seen yet, is the HITECH data breach notification "final rules" from the U.S. Department of Health & Human Services/Office for Civil Rights (HHS/OCR). There are still a few days left in 2012. Maybe we will see them, or more likely not.

One of the issues we see our clients struggle with is the HITECH "risk of harm" assessment when they discover a privacy incident. Our Data Breach Response Team leader at ID Experts, Heather Noonan, told me that she has been part of many debates where the legal assessment of a privacy incident suggests no requirement to notify affected individuals, whereas the "right thing to do" may be to notify so people can take appropriate action to protect themselves from medical identity theft and medical fraud. Noonan says this internal debate seems to be happening more and more. From my perspective, the HHS/OCR interim rules provide a "safe harbor" under specific conditions, such as encryption of the data involved. Organizations may want to look to external privacy and security experts to broaden their perspective on "risk of harm" and to provide third-party validation of the risk, both to resolve the debate and to strengthen overall risk mitigation. Having third-party validation as part of the risk assessment could save a privacy officer a lot of grief when HHS/OCR audits the incident.

And finally, there were no "mega" data breaches of PHI in 2012. The top 5 breaches listed on the HHS "Wall of Shame" by number of individuals affected are listed below. Compared to years past, when organizations lost millions of patients' records in a few significant events, 2012 was potentially an improvement.

| Covered Entity | State | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| Memorial Healthcare System | FL | 102,153 | 01/01/11 - 07/05/12 | Theft | EMR |
| Alere Home Monitoring, Inc. | CA | 116,506 | 09/23/12 | Theft | Laptop |
| So. Carolina Dept. of HHS | SC | 228,435 | 01/31/12 - 04/02/12 | Unauthorized Access | Email |
| Emory Healthcare | GA | 315,000 | 02/07/12 - 02/20/12 | Unknown | Backup Disk |
| Utah Dept. of Health | UT | 780,000 | 03/10/12 - 04/02/12 | Hacking | Network Server |

The one thing that hasn't changed in 2012 is that many organizations still view a breach of PHI as an occasional but significant privacy/security incident (like a hurricane or tsunami) rather than as part of doing everyday business, with management of this risk incorporated into daily operations. The Ponemon Institute released the Third Annual Benchmark Study on Patient Privacy & Data Security on December 6, 2012. One of the key findings:

“While some organizations have taken steps to strengthen their privacy and security programs the research indicates the majority lack budget and resources to prevent or detect breaches.” 


2012 was an interesting year for privacy and security.  I can’t wait to see what 2013 holds!

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, the Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and a member of the Research Planning Committee for the Center for Identity at the University of Texas at Austin.

New Ponemon Study Reveals “Common-Cold Frequency” of Data Breaches

by Rick Kam

Let's face it. Data breaches have passed the trend phase and have entrenched themselves into the fabric of everyday business. Data breaches in healthcare are now as common as the cold, requiring an ongoing approach to minimize their frequency, size, and impact.

The newly released Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute reveals that 94 percent of healthcare organizations surveyed suffered at least one data breach during the past two years. What's more, 45 percent of organizations experienced more than five data breaches each during this same period.

Data breaches are expensive, costing the U.S. healthcare industry nearly $7 billion annually. For patients, the cost is more personal: Of the 52 percent of organizations that experienced medical identity theft, 39 percent say it resulted in inaccuracies in the patient's medical record and 26 percent say it affected the patient's medical treatment.

5 Keys to Protecting Your Organization

The Ponemon findings highlight the need for organizations to act now to secure protected health information (PHI) and protect patient privacy. The common occurrence of security incidents requires an ongoing approach to minimize their frequency, size, and impact. We recommend that healthcare organizations:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response procedures. Embedding breach-related processes into everyday business demonstrates what we call a culture of compliance—something regulators love to see.
  2. Restructure the information security function to report directly to the board. This move symbolizes a commitment to patient data privacy and security.
  3. Conduct combined privacy and security compliance assessments annually. A professional risk assessment is less than 1 percent the cost of the average data breach response, a wise investment by any standard. These assessments identify the gaps between an organization's privacy and security profiles and what the law requires. An accurate assessment forms the basis for successful breach prevention and response measures.
  4. Update policies and procedures to include mobile devices. This is especially critical since, as we discussed, the vast majority of organizations permit employees and medical staff to use their own mobile devices (bring your own device, or BYOD) to connect to their networks or enterprise systems such as email.
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, and cyber insurance. Third parties can be the weak link in the PHI food chain. In 2011, for instance, a business associate of TRICARE reported a breach affecting nearly 5 million military clinic and hospital patients. In addition, many organizations have sought relief from the high cost of data breach response with cyber insurance. An effective IRP encompasses third-party contingencies and the role of cyber insurance in managing a security or privacy incident.

Perhaps the most disturbing statistic is that 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Patient information is at risk, yet healthcare organizations continue to follow the same processes. For the trend to shift, organizations need to commit to this problem and make significant changes. These five steps are a good beginning.

About the Author

Rick Kam

Health Information Privacy in Our Brave New World

by Doug Pollack

The challenges to maintaining privacy of confidential patient data continue to grow as more and more of this information is going into new electronic systems as mandated by government regulations. The recent article titled "Heart Gadgets Test Privacy-Law Limits" (Marcus and Weaver, Wall Street Journal, November 28, 2012) highlights the controversial collection of medical data from devices that are embedded or attached to patients to monitor various types of activity. This data, interestingly, does not fall within the control of HIPAA regulations that, among other things, dictate the rights that patients have to access to their medical records and data. Given this circumstance, this also opens up the potential that commercial interests can "monetize" data that they collect from patients via medical devices. Given such trends, it is timely that the Ponemon Institute is releasing its 3rd Annual Benchmark Study on Patient Privacy and Data Security later this week, on December 6, 2012. To learn more about the patient privacy landscape and this soon-to-be-released study, consider attending a webinar hosted by the American Hospital Association (AHA) titled "Are Emerging Technologies Putting Your Patient Data at Risk?".

The Marcus/Weaver article is particularly interesting because it focuses on medical data that is captured by an embedded heart monitor and transmitted directly to Medtronic, the company that manufactures the device. This case illustrates how medical data flows through the system and how cumbersome, and in some cases impossible, it can be for patients to get "access" to data produced by their own bodies. I suspect that many patients believe they "own" their health data. It seems like a natural and logical conclusion. It is, however, not true. Patients have rights to access their health data under HIPAA. But that does not translate to the attributes of ownership (for more on this topic, see "Who Owns Patient Data In Electronic Health Records Systems", Pollack, June 2012).

In the case of this heart monitoring device from Medtronic, the medical data is transmitted directly to Medtronic. The company then makes summaries of this data available to the health provider (doctor, hospital) that provided the device to the patient. And if the patient desires access to this data, they must request it from the provider, as provided for under HIPAA laws. But the patient has no control whatsoever over how the data may be used subsequently. Companies like Medtronic are focused on developing business models for monetizing such data, data that you as patient might consider your personal property. 

As noted in the WSJ article, "companies including Medtronic are pushing to turn the data into money. Ms. Hoff [Elizabeth Hoff, general manager at Medtronic] said the company is contemplating selling the data to health systems or insurers that could use it to predict diseases and possibly lower their costs. At a July industry event, a senior Medtronic executive, Ken Riff, called these kinds of data 'the currency of the future.' " So while a patient might think their personal medical data can only be shared with their permission, this case illustrates that this wouldn't be an accurate assumption.

So are there really any issues with sharing medical data without the knowledge or permission of the patient? As noted in the same article, "Tolu Odomusu, a research fellow at Harvard University's Science, Technology and Public Policy program, says people have no idea what information their devices collect. He learned only last year after seeing a physician for severe apnea and being given a 'continuous positive airways pressure' machine, or CPAP—a mask that delivers oxygen at night—to improve his sleep." While this may seem benign, he goes on to note that "data he doesn't know about could somehow be used to his disadvantage. For instance, if he were in a car accident and an insurer wanted to try to blame his sleepiness, 'could they get the data from the machine at my home?' he said. 'Would that be allowable?' " While HIPAA privacy rules might restrict access of this sort, the case illustrates that patients' concerns about unauthorized access to their medical records can have downstream effects that are undesired and unexpected.

So take a few minutes to learn more about patient privacy and data security from Dr. Ponemon on December 6th. In this world, what you don't know really can hurt you. 


About the Author

Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Open Letter to Governor Haley About South Carolina DOR Data Breach

by Doug Pollack

Most of your citizens are now very aware of the data breach that was perpetrated by cybercriminals against a database at your S.C. Department of Revenue that was discovered last month (October, 2012). The cyber attack appears to have led to the acquisition by criminals of private information including social security numbers, debit and credit card numbers, and even bank account information on some 3.6 million of your citizens (CarolinaLive.com, Tax returns of 3.6 million SC residents are hacked, October 26, 2012).

As noted by NBC correspondent Michael Isikoff in a Today Show segment recently (November 10, 2012) Cyber Thief Puts South Carolina Taxpayers at Risk, this data breach has already led to the sale of personal financial information in criminal online black markets. Further, there are some hacking victims that have come forward to help get the word out that the cyber criminals are actually using the stolen information to drain bank accounts.

In the case of Tina and Wade Mather, who own a catering business, around $4,000 was removed from their business checking account by criminals (First SC hacking victims come forward, Wistv.com, November 19, 2012). Amazingly, it didn't take the criminals long to begin monetizing their stolen goods. "It was very surprising when we get up one morning [around November 2nd] and found thousands of dollars missing from our account and that's when the reality really set in, like, oh my goodness, this is not going to be good," said Mr. Mather.

So the facts of what has occurred, and its implications are becoming well understood. The purpose of this letter, however, is to shine a brighter light on what South Carolina chose to do in order to help their citizens through this difficult challenge, and to suggest that some of your choices could have been better ones. I’m specifically talking about your decision to rely on Experian, the huge credit bureau, to provide the front line of communications with your citizens, and to ultimately provide them with an identity protection solution.

While I understand that providing your citizens with a credit monitoring product is a reasonable protective measure under the circumstances, it seems less logical to me that Experian is best suited to be the “first call” for your citizens.

As noted by your Senator Bryant (Local legislators chair committee looking into SCDOR breach, The Journal, November 14, 2012) in a recent interview, “Bryant also challenged Governor Haley’s decision to contract with Experian without seeking bids for the services. ‘This is going to end up meaning huge amount of business for that company. Why aren’t they paying us for the first year.’ ” And it is this point that I think requires further exploration.

Experian is a credit bureau. Part of their business model is selling credit monitoring services to consumers. This is a huge business for Experian. We have all probably seen their FreeCreditReport.com and FreeCreditScore.com TV commercials promoting their credit monitoring products. By contracting with Experian to provide the credit monitoring offering, their call center agents will also often be the very first people your citizens talk with concerning the breach. I really think that you could do better.

To be clear, Experian's call center agents are primarily motivated to enroll your citizens in credit monitoring. They aren't specifically motivated or qualified to help your citizens understand the risks associated with your particular breach, or how to address them. Experian's business model here is simple. They are often the least expensive option for notification, taking incoming calls, and providing credit monitoring, because their long-term economic value in servicing breaches comes from "retaining" these customers after the first year of free service. Their breach business in this case is a lot like a "loss leader" or marketing investment for acquiring new consumer customers.

As a contrast to this, our firm takes a different approach. So while I acknowledge that I also have an agenda in writing this, mine is to help organizations such as your DOR to understand that there is a better way to treat their victims of data breaches; an approach that will better protect your reputation and better protect your citizens.

To that end, we typically set up a special website with information that is especially useful to the data breach victims, and we staff our call center with specially trained agents who focus on helping victims understand what happened, what their risks are, and what they can do to protect themselves. That is because our business model is to serve our client, the organization that had the data breach, and to serve their "customers", who in this case would be your citizens. In cases where we advise our client to provide credit monitoring and/or identity and fraud restoration services to the affected victims, we do so without any intent to "sell" the victims on purchasing these services after the one-year period your organization has paid for on their behalf. That isn't part of our business model. It is the key to Experian's business model.

While you might perceive our approach to be somewhat more expensive than the path you're pursuing with Experian, I would suggest that won't be the case at the end of the day. You should look at the "all in" costs for your data breach, which include not just the security forensics and breach response costs (notification, credit monitoring, identity restoration, legal), but also follow-on legal defense costs and regulatory fines and penalties. It has been our substantial experience that the more you focus NOW on addressing the real and perceived risks and concerns of your affected citizens, using a "high touch" approach, the less likely you are to end up defending class action litigation and/or being fined by regulators or other state AGs. In other words, avoid a "penny wise but pound foolish" approach.

So had I had the opportunity to advise you prior to your decision to rely on Experian to care for your citizens, I would have recommended that you carefully choose a “data breach partner” who would help you in doing what Mr. Etter (DOR Director James Etter) has indicated was your intent. “From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority.” While our firm isn’t the only one that aligns with that sentiment, and objective, our perspective, based on observing experiences such as yours in South Carolina, is that it is exceedingly difficult for a credit bureau to adopt this approach philosophically. It just doesn’t seem to be in their DNA to focus all of their efforts on understanding and serving the real and perceived fears of victims of a data breach.

So while this letter might seem like Monday morning quarterbacking on my part Governor Haley, I hope that this might provide food for thought for other organizations that may find themselves on the receiving side of a cyber attack. The choice of partner in such instances, the partner that will play a significant role in speaking with, influencing, advising and taking care of the individuals affected by your data breach, is a crucial one that can make all the difference between a positive outcome and one that is not so much.

About the Author

Doug Pollack

Legal Settlements Over Half of Breach Costs. What to Do About This?

by Jeremy Henley

I recently attended the Net Diligence conference in Marina Del Rey. It was great to reconnect with many friends in the space and discuss the latest trends in the cyber liability insurance universe. The most interesting news from the conference was the information in the most recent Net Diligence report on data breach claims activity, which got my attention for several reasons.

First, this is the only report I've seen with data breach cost data derived from actual claims, compared with survey-based studies such as those by the Ponemon Institute. Second, it was a surprise to me that the costs are growing so dramatically, with the average breach cost growing 54% from $2.4 million to $3.7 million. And lastly, the primary cost source that contributed to the increase suggests to me that there are opportunities for the claims departments to better manage (reduce) some of the cost elements.

Of the $3.7 million average data breach cost in this year's study, fully $2.1 million or 57% of the total cost can be chalked up to legal settlements related to class action lawsuits from the impacted individuals. While responding to data breaches can be expensive projects, this particular statistic leads me to wonder whether some organizations should focus more on their breach response strategies, specifically to better address the real and perceived harms that are experienced by the affected individuals.

My reasoning here is that presumably class actions are based on an underlying presumption that the affected individuals have experienced some types of harm. There may be a disconnect, however, between a "conventional" data breach response and the nature of response that can really address the concerns of affected individuals, reducing the potential for dissatisfaction that can lead to class action.

The conventional breach response is to provide notification by letter, make an offer for free credit monitoring services for a year, and establish a call center, typically with the primary focus on enrolling people in the credit monitoring. Based on the Net Diligence report, the most expensive part of the data breach response itself is the "crisis services", which is predominantly credit monitoring. Now interestingly, the credit monitoring is offered as a demonstration of goodwill although it is not required by any state or federal laws.

The more that I've been thinking about the conventional response, the more I've been considering that it may no longer be the best way to address the concerns of the individuals that are affected. Now the notification letter, and much of its contents, is dictated by law. So there isn't a lot of leeway there. But in my opinion, the efficacy of credit monitoring in addressing potential harms in many data breach circumstances has declined.

I believe that the solution is a different type of breach response strategy that does not hinge on credit monitoring as the centerpiece. ID Experts looks at the data breach response process through the eyes of the person whose personal information has been exposed. By conceiving a data breach response strategy through this lens, a methodology we refer to as YourResponse, we first and foremost look at how best to address the real, and perceived, concerns and risks to the individual. What we have concluded is that while in some cases credit monitoring is the most effective protection to offer, increasingly other solutions such as identity recovery services and specialized cyber monitoring products can more directly alleviate the consumer's anxiety and risks, and can do so in a more cost-effective manner.

Our success is rooted in our ability to constantly put ourselves in the shoes of a data breach victim. Doing so allows us to understand how these individuals feel and react to the news of a breach of their sensitive data. Our primary business is not selling credit monitoring, as is the case with many of the other companies that offer data breach response services. This enables us to take a unique perspective as to what is really best for the individuals affected by a particular data breach, independent of the built-in bias that is inherent with a credit monitoring vendor. Such independence of perspective frees us up to do whatever will best serve our client, the organization that experienced the data breach, through best serving their affected customers. It is our belief and experience that this both limits the prospective harms to data breach victims and can substantially discourage class action litigation.

I hope that all of the conference attendees, and others who are interested in reducing data breach risks through cyber insurance, will reconsider the conventional letter/call center/credit monitoring formula that has become prevalent for data breach response. The world is changing, hackers are getting smarter, and threats and risks are expanding in new directions. You and your clients should consider that if they are smarter about "how" they respond to a data breach, they might be able to substantially reduce the increasingly onerous "legal settlement" costs that result.

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association in Healthcare Privacy and Compliance and brings 11 years of sales and leadership experience to the ID Experts team.

Electronic Health Records vs. Patient Privacy: Who Will Win?

by Rick Kam

This article was originally published in the November 2012 edition of the International Association of Privacy Professionals member newsletter, The Privacy Advisor (https://www.privacyassociation.org/publications/privacy_advisor/), and is republished here with permission.

Does your dermatologist need access to your reproductive health history?

Can you limit access to the psychiatric notes in your chart once they have been entered into your provider’s new electronic health record (EHR) system?

It sounds absurd, but the adoption of EHRs and health information exchanges could enable this level of access in the future. The goal with these initiatives is to provide access to each American’s medical records in order for physicians to better provide treatment.

With the rapid rollout of EHRs, serious issues in patient privacy rights need to be addressed: lack of trust in the system, human error, lack of patient control over their electronic data and legislative gaps.

A lack of trust

Maintaining patient trust is the cornerstone to a successful healthcare system. The Office of the National Coordinator for Health Information Technology has indicated that a lack of this trust “may affect willingness to disclose necessary health information and could have life-threatening consequences.”

Dr. Deborah Peel, founder of Patient Privacy Rights, agrees. “The lack of privacy causes bad health outcomes. Millions of people every year avoid treatment because they know health data is not private,” she says. She cites several cases where privacy concerns affected the quality of healthcare:

  • The HHS estimated that 586,000 Americans did not seek earlier cancer treatment.
  • HHS estimated that 2,000,000 Americans did not seek treatment for mental illness.
  • Millions of young Americans suffering from sexually transmitted diseases do not seek treatment.
  • The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns.
  • The lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

At the recent International Summit on the Future of Health Privacy, an attorney in Boston, MA, who suffers from bipolar disorder described how her mental health records were digitized for thousands of doctors and nurses to see—without her permission. “Personal details that took me years to disclose during therapy are being shared throughout my medical network, against my will,” she said. “It’s destroyed my trust with my doctors.”

Human error

41 percent of healthcare organizations surveyed for the 2011 Benchmark Study on Patient Privacy and Data Security said that data breaches involving PHI are caused by sloppy employee mistakes. A single oversight can affect the privacy of hundreds of thousands of people, as happened in Utah in March 2012, when hackers broke into an unprotected server and stole the personal information of 780,000 people.

"The Utah data breach is an example of human error because, as reported, the server did not have a secure password," Lisa Gallagher, senior director of privacy and security for HIMSS, stated in an eWEEK article. “Human error in healthcare delivery has impactful consequences when it comes to security. Training employees on security measures and implementing the proper security protocols are basic steps to take, but also, are often overlooked."

The problem grows exponentially when you consider how electronic data are sprawled across the healthcare ecosystem. Third-party mistakes, including those of business associates (BAs), account for 46 percent of data breaches reported in the Ponemon study.

A lack of patient control

With the adoption of electronic health records and health information exchanges, we wondered who owns patient data. The patient? The physician? The hospital? The health plan? Logically, the owner would be responsible for the privacy of this data. But legally, it’s unclear who owns the data, and in fact, it becomes more an issue of control.

So what control does the patient or other member of the healthcare ecosystem have when it comes to accessing, modifying and transmitting any medical data? We asked an attorney who specializes in patient privacy to clarify the issue.

“Few federal or state laws talk about ownership of health information,” says Adam H. Greene, a partner with the law firm of Davis Wright Tremaine LLP in Washington, DC. “Rather, we have a confusing tapestry of federal and state laws governing the level of control that patients have over the sharing of their health information.”

At the core of this privacy debate is the assertion that physicians need access to a patient’s records to provide optimal treatment. In his paper “Debate over patient privacy control in electronic health records,” Mark A. Rothstein, chair of law and medicine at the Louis D. Brandeis School of Law at the University of Louisville, notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This perspective is fundamentally at odds with that of patient privacy advocates.

Legislative gaps

Federal legislation such as HIPAA and the HITECH Act seek to safeguard protected health information (PHI). In addition, according to the National Conference of State Legislatures, 46 states have data breach notification laws. President Barack Obama’s Consumer Privacy Bill of Rights affords some level of privacy rights to patients.

HIPAA and the Consumer Privacy Bill of Rights, however, create an odd legislative gap. In his Health Information Privacy Bill of Rights, James C. Pyles, an attorney specializing in patient privacy rights, notes that the Consumer Privacy Bill of Rights excludes patients to the extent their health information is covered by HIPAA while offering greater privacy rights with respect to health information not covered by HIPAA. He cites a year-long study by ANSI and others that uncovered the “inadequacies” of HIPAA, including the fact that the HIPAA Privacy Rule was not even intended by the Department of Health and Human Services to serve as a “best practices” standard for privacy protection. This means that HIPAA-protected PHI does not benefit from the Consumer Privacy Bill of Rights and is subject to the same privacy pitfalls as before.

What we can do

Patient privacy is a fundamental right that is being challenged as patient records are digitized and access to those records increases exponentially. Our nation can’t afford to keep building out an electronic healthcare system without addressing these issues.

Pyles’ Health Information Privacy Bill of Rights, developed with the American Psychoanalytic Association, seeks to “protect the fundamental right to privacy of all Americans and the health information privacy that is essential for quality health care,” with prescriptions for patient control, security, accountability and other rights.

We support Pyles’ Bill of Rights. We also believe the answer lies in the private sector, specifically a consortium of EHR vendors, software developers and privacy/security professionals. Together, these experts can bring a holistic view of the issue of patient privacy and data control in a way that no governing body can. And we must act now.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, the Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

South Carolina Data Breach Slam Fest – Tough Talk But Little Comfort

by Mahmood Sher-jan

The governor of South Carolina wants the hacker(s) who got away with sensitive information on millions of the state's residents slammed against the wall! You can bet that the three-quarters of the state's residents whose unencrypted Social Security numbers were stolen would like to do the same. The bad news is that it looks like the attack came from a foreign country, so no slamming is in the cards. Unlike the governor, I suspect that the residents would also like to slam those responsible for protecting their highly sensitive data, as more information gets out about the lack of basic safeguards that could have significantly reduced the risk of harm to those affected. I say the chance of finding someone to slam here is better. How about slamming the governor (figuratively speaking, of course) as the chief executive and the place where the buck should stop? Let's face it, when a well-organized hacking group decides to break into a network there is no guarantee that any practical safeguard can stop them, but the electronic data they are after can be better protected using NIST-based encryption, for example. Properly encrypted data, with the keys kept out of the attacker's reach, can also qualify the incident for an exception from federal and state data breach notification laws. Most hackers, just like fraudsters, look for vulnerable networks and barriers that can be easily breached and lead them to unprotected PII and PHI.
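The encryption safe harbor referred to above only holds if what the attacker carries off is unreadable without a key they never obtained. The following is an added example, not code from the original post or from ID Experts, showing field-level encryption of a Social Security number with AES-256-GCM, a NIST-approved authenticated cipher (NIST SP 800-38D). The random in-memory key, the `taxpayer:` record identifier used as associated data, and the function names are assumptions made for illustration.

```go
// Added example (not from the original post): field-level encryption of PII
// such as Social Security numbers with AES-256-GCM, a NIST-approved
// authenticated cipher (NIST SP 800-38D). The in-memory random key stands in
// for a key held in a KMS/HSM; the function and record names are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In production this comes from a key
// management service and is never stored next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one plaintext field. The stored value is
// base64(nonce || ciphertext || tag) so it fits in a text column. aad (for
// example the record ID) is authenticated but not encrypted, which binds the
// ciphertext to its row.
func EncryptField(key, plaintext, aad []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh per field
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad) // nonce is prepended to the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A wrong key, a modified stored value or
// a mismatched aad fails the GCM tag check and returns an error rather than
// garbage plaintext.
func DecryptField(key []byte, stored string, aad []byte) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("taxpayer:000123") // constructed sample record identifier
	ssn := []byte("123-45-6789")          // constructed sample value

	stored, err := EncryptField(key, ssn, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored) // what an attacker would exfiltrate

	pt, err := DecryptField(key, stored, recordID)
	fmt.Printf("authorized read: %s (err=%v)\n", pt, err)

	// The same stored value moved to another row no longer authenticates.
	_, err = DecryptField(key, stored, []byte("taxpayer:000999"))
	fmt.Println("value copied to another row:", err)
}
```

Authenticated encryption is what makes this worth doing: an attacker who exfiltrates the column gets a nonce and ciphertext they can neither read nor silently alter, and a value copied into a different row fails to decrypt because the record ID is bound in as associated data. The key has to live elsewhere (a KMS or HSM, or at minimum a separate host with its own access controls); a database dump that leaves together with the key is still a notifiable breach, and whether a given jurisdiction's safe harbor applies is a legal determination that this code only establishes the technical precondition for.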

As a "reactive" response to this devastating data breach incident, the governor has directed all cabinet agencies to immediately designate an information technology officer to work with the state Inspector General to improve the state's information security policies and procedures. Does it always have to take a breach before decision-makers recognize the need for, and prioritize, information security? Sadly, this is more often than not the case. The same can be said about many companies in the private sector. Unlike the banking industry, where information security has been a high priority for over a decade, other industries like healthcare find themselves under siege and unprepared for ever-increasing cyber attacks. In addition, they suffer from traditional security and privacy weaknesses, including ineffective employee training, policies and procedures, and a lack of incident response planning. Although technology plays an important role in creating and closing vulnerabilities, you can't ignore the human factor.

Halloween is still a few days away, but South Carolina residents got tricked into thinking that their information was safe in the custody of their Department of Revenue. I decided to use the phone number (866-578-5422) provided to the affected residents to get a sense of what their experience will be like when they try to find out more about the situation and to protect themselves. Well, I am afraid that the process will not be too comforting. The automated answering system directed me to Experian's ID protection website along with an activation code. I opted for the option to talk to a human and was told by the "automated" system that I should call some other time, and was disconnected. I was calling during the hours of operation for the phone number, according to the machine. The process felt very cold and uncaring, and I suspect that the state's reputation will suffer, not only for failing to prevent the incident in the first place but also for how it is managing its response.

The best time to prepare for an incident is before it happens, but you have to convince yourself and your entity that incidents are bound to happen and that they don't have to result in a reported breach or a PR nightmare. Building and testing an incident response plan is a very useful and practical investment for any entity that collects and shares PII and PHI. How an entity responds to a breach and handles the interactions with those affected is its only opportunity to rehabilitate its image and reputation. This opportunity should not be squandered if the entity truly cares about its customers, employees and reputation.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

Is Beazley Breach Response a Good Fit for Healthcare?

by Doug Pollack

I was fortunate enough just recently to sit on a Cyber Liability Panel at ASHRM in Washington, D.C., moderated by Mary Anne Hilliard, president of ASHRM. The panel included representatives from two insurance firms that provide cyber insurance, Paul Bantick from Beazley and Kim Holmes from Chubb, as well as an insurance broker that specializes in cyber coverage, Joe Depaul from AJG Risk Management, as well as myself.

The panel discussion was very engaging and high energy. All of us are very involved in working with organizations to address data breach risks and incidents. And while there was a shared view as to the current environment, and its associated risks, there was some divergence among the panel as to how best to address these risks, specifically and especially for healthcare organizations.

As to the areas of agreement, there was clear consensus relative to the increasing level of instances of data security incidents and data breaches within the healthcare environment, as well as the fact that a growing number of healthcare organizations are looking at cyber insurance as a component of their overall data breach risk management program. These circumstances are somewhat indisputable.

Healthcare is unusual in that covered entities are required, under the HITECH Act and the associated breach notification rulemaking by OCR, to report data breaches to their regulatory authority, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). So unlike other industries, the data is comprehensive and public.

Relative to divergence in views, this was highlighted by a slide presented by Paul Bantick, who noted that there are two different approaches to cyber insurance – the “service model”, where the insurance company provides “breach management expertise and staff”, and the “bucket model”, which is the more traditional one where the insurance company provides the insured with a panel of approved vendors who have been vetted as competent and price competitive.

I believe that Paul considered Beazley Breach Response a policy that adopted the service model.  And to a great extent, his presentation represented the service model as one that for cyber insurance is preferable to the more traditional model used by other insurance carriers. 

I believe however that as with many things in life, there are tradeoffs between the models. Using another area of the health insurance world as an analogy, I think of the Beazley approach as being a lot like an HMO, where the other model used by many other cyber insurance carriers is more like a PPO. 

In Beazley’s case, the client effectively transfers control of assessing and managing their data breach incident response to the Beazley team. They will provide their clients with assistance with privacy breach response services and with the investigation and notification process. And while they do provide their policy-holders with the flexibility to choose from a shortlist of lawyers and forensics firms to work with, Beazley will make the key decisions as to who will be speaking with your patients (the call center) and what identity protection product is offered, if any, to your patients.

Now, in industries where a data breach is a very rare event, and where the client is unlikely to have staff experienced in privacy breach issues, the Beazley service model approach may have some distinct benefits. By transferring control to their breach response team, you can quickly access resources to address an issue that you haven't planned for. Just understand that your company culture and style may not be able to come through in the communication when the bulk of these decisions are being made by the insurer.

But for healthcare organizations, this approach has significant liabilities.

First, healthcare organizations often have experienced, certified privacy, information security and compliance officers who are not data breach generalists, but are specialists in privacy, security & breach issues within the context of the very complex healthcare regulatory statutes and mandates. These professionals may not feel it is in their organizations’ best interests, nor those of their patients, to defer to their insurance company in making all of the key decisions relative to responding to a data breach incident, especially when the insurance provider doesn’t have staff with the same level of healthcare certifications.

Second, because of the nature of healthcare, potential data breach incidents are an on-going fact of life. An average hospital system may evaluate over 10 incidents or more every month, to determine if they are notifiable data breaches or not. And they will also typically have a methodology and maintain meticulous records around this process, because doing incident risk assessments is required by HHS/OCR Data Breach Notification Rules. Such an organization may not want to defer to their insurance company (or the selected lawyer) as to making this determination. And it would be especially burdensome to do this for every small potential breach that the healthcare organization must assess.

Third, one of the most important elements in responding to a data breach by a healthcare organization is addressing the real and perceived concerns of their patients. Unlike many industries, healthcare is special in the culture of patient caring and safety that pervades their organizations. And it is in this regard where Beazley’s “service model” has the most significant tradeoffs and challenges. Beazley will decide who talks to your patients that have been affected by the breach, and they will decide what you offer them, as far as a product, to address their concerns.

Because of their relationship with Experian, the product offering will always be one of Experian's credit monitoring products. Experian monitoring may be well suited to breaches of financial information, but it is much less clear that it is helpful or appropriate for a breach of protected health information (PHI). The risks that accrue to patients when PHI is exposed are very different; it is very unlikely that credit monitoring will help them address these risks, or that an Experian financial fraud resolution specialist will be terribly helpful with potential insurance or medical fraud issues.

It is understandable why Beazley would want to standardize on a single monitoring product and vendor for all of their clients in all industries; it lets them provide a lower-cost solution because of their volume buying power. It does not, however, address the fact that the Experian offerings might not effectively address the real and perceived risks and harms to the patients who have been affected.

And lastly, by relying on Beazley to make the key decisions for your healthcare organization in dealing with a data breach response, you are entrusting them to make decisions that will stand up to the scrutiny of HHS/OCR when your breach is investigated. During such investigations, OCR will typically not only look at what you did in responding to the particular data breach that prompted the investigation, but will also investigate your broader HIPAA privacy and security posture, and how you assessed and managed other incidents, whether they were notifiable data breaches or not. Now, to be fair, their coverage will probably pay for a portion of any fines or penalties that are assessed by OCR against your healthcare organization. But such payments will certainly not compensate for the stigma that will remain for being found negligent or otherwise inadequate by OCR in managing your patients' very private personal health data.

So as you can probably discern, I believe that healthcare organizations, in most cases, if they require cyber and data breach insurance, are better served by one of the other major carriers as opposed to Beazley.

Now, to be totally transparent, I do have a dog in this fight, so to speak. My company, ID Experts, specializes in providing privacy and data breach solutions to healthcare organizations. We are the only such provider endorsed by the American Hospital Association (AHA). We serve a who's who of American hospital systems and other so-called HIPAA covered entities, including New York-Presbyterian, Memorial Sloan-Kettering, Johns Hopkins Hospital and Henry Ford Health, to name just a few.

And because we specialize in healthcare, we have optimized our offerings to work in partnership with the privacy, information security, compliance and legal officers in our healthcare clients, and to provide them with product and services that address the HIPAA/HITECH privacy, security and data breach notification provisions in law and rule. We believe that it is critical to go deep in healthcare, in order to help them with addressing these issues and risks.

With Beazley's decision to adopt their "service model", they remove the option for their clients to use ID Experts for data breach response. And as I said earlier, while this might be a benefit for organizations in industries where breaches are rare and that are unlikely to maintain privacy, infosec and compliance expertise on staff, it is often not the best approach for healthcare organizations to pursue when purchasing cyber and data breach insurance. Fortunately, most other insurance companies that provide cyber and data breach coverage do not take this posture. If you choose cyber insurance from Chubb, ACE, Chartis or most other carriers, you will be able to maintain choice and control in dealing with data breach decisions, and you'll have the option of working with ID Experts if we've worked hard enough to earn your trust and your business.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Tips for Making Patient Privacy Part of a Healthcare Organization’s DNA

by Doug Pollack

A recent educational event in New York City sponsored by the American Hospital Association (AHA) brought together privacy and compliance experts in healthcare to discuss the challenges and opportunities for creating a culture of patient privacy within these organizations. While one might assume that there is a widespread focus on privacy within healthcare organizations, given the nature of patient medical information, it is probably more likely that in most organizations the urgency around the medical need for access to patient information typically trumps any concerns over privacy. Because of this, the panel of experts brought together by AHA put together a document that includes "Five Tips to make Patient Privacy Part of your Organizational DNA".

I think that you'll find this set of tips useful, because they span the spectrum from the benefits of security technologies at one end to the "human side" of privacy risks at the other. In particular, Meredith Phillips, Chief Privacy Officer of Henry Ford Health System, headquartered in Detroit, offers advice on working with regulatory authorities, noting that "when engaging with OCR [the US Department of Health and Human Services Office for Civil Rights], be a partner and show that you are being proactive. When we look at our programs, we see where there are some gaps and we tell OCR what we are going to do to fix the gaps and report back. We want to show that we are taking action to correct any issues."

Cheryl Parham, Associate General Counsel for New York-Presbyterian Hospital, separately focused on the need for planning and preparation. All of the experts agreed that data breaches were becoming a fact of life within healthcare systems, and that therefore, it was essential for these organizations to develop actionable plans for analyzing security incidents and, in cases where these were deemed notifiable data breaches, having plans and partners in place to handle patient, regulator and press notification, and communications, healthcare services monitoring, and fraud resolution services for the affected patient populations.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Launching All Things Data Breach

by Christine Arevalo

For about two years now, All Things HITECH has been a tremendous resource for my colleagues and me. The healthcare space is full of challenges and changes, particularly when it comes to regulatory matters, and the knowledge of the collective is a powerful thing. Over the last two years I've watched the membership grow to over 850 and counting. We have shared in lively debates and meaningful discussion, and overcome some major hurdles we've faced in our workplaces... none of this would be possible without the participation and enthusiasm YOU bring to the group.

In keeping with that spirit, ID Experts is pleased to launch its newest LinkedIn group: All Things Data Breach. It is my sincerest hope that I will find you there, and that we can continue to engage in meaningful discussions with privacy and compliance officers, the information security community, legal and cyber insurance professionals, risk managers and industry researchers, and YOU.

The group is designed to share data breach information and viewpoints to foster a dialogue about protecting organizations from the risk of a breach. All Things Data Breach explores every dimension of a data breach – prevention, response, notification, compliance, laws and regulations, digital forensics, best practices and research.

Please join today.

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Announcing All Things Data Breach

by Rick Kam

I'm excited to be introducing a new LinkedIn group today called All Things Data Breach. The new group hopes to collect, share and discuss data breach information and viewpoints to foster a dialogue about protecting organizations from the risk of a breach. With discussion from privacy and compliance officers, the information security community, legal and cyber insurance professionals, risk managers and industry researchers, All Things Data Breach explores every dimension of a data breach: prevention, response, notification, compliance, laws and regulations, digital forensics, best practices and research. Tweet about All Things Data Breach using the hashtag #databreach.

How can you participate in this new group?

  • Start by joining the LinkedIn group now
  • Ask a question or respond to other members of the group on topics that interest you
  • Share the link to the group with other experts you work with

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

PHI Protection Network Announced…

by Rick Kam

I want to share a significant announcement with you. Today we are launching a significant initiative called the PHI Protection Network. It is the result of 2 years of collaboration between over 100 privacy and security experts from 70 institutions in the healthcare industry.

In March 2012, we published a white paper sponsored by the American National Standards Institute, Shared Assessments Program, and Internet Security Alliance titled "The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security". The result of this collaborative effort was a prescription to help "PHI Protectors", those experts whose role is protecting PHI, build an enhanced business case for their privacy and security initiatives.

The PHI Project co-chairs decided that it was important to provide additional learning opportunities for PHI Protectors interested in understanding more and joining a new community of PHI Protectors who are working on their own business cases. A new LinkedIn community has been started where PHI Protectors can share their stories and suggestions and interact with each other. Click here to join this new community.

There is a series of free pre-recorded webinars being offered to the PPN community, starting with the first one scheduled for release on October 23, 2012. Jim Pyles of PPSV will be talking about PHI Security: A View From Capitol Hill. You can register for this free webinar here: www.phiprotection.org

We will also be holding a seminal workshop on March 12 and 13, 2013 in Boston that will bring together the community of PHI Protectors along with industry experts to develop enhanced business cases for PHI security and privacy for their respective organizations. You can register for this event starting today. Click here to learn more about this event and register.

There is a short pre-recorded presentation that provides an overview of the mission, goals, events, and how to participate in the PHI Protection Network. Please take a few minutes to learn more and join us in helping enhance your business case for improved PHI security and privacy. You can access the overview here: www.phiprotection.org.

About the Author

Rick Kam


The Dangers of Social Engineering

by Deanna Jones (DJ)

Disturbing news in a recent Washington Post article highlights the insidious dangers of social engineering and the natural human tendency to trust. The piece details the ruse of industry-exchanged emails, often from domains or addresses that are trusted and familiar to the receiver, which contain malicious links or attachments. Once clicked or opened, they insert code that opens a back door into proprietary systems, wreaking havoc undetected, potentially for years.

The investigation that goes into choosing the target for the malicious emails, often high-level executives or low-level employees, is disturbing to say the least. The profile is derived from an array of sources, including social media sites like Twitter, Facebook, and LinkedIn, as well as other data mining techniques. Once a profile is established, the hacker then includes specific details relating to the targeted individual in an effort to lower their guard and entice them into launching the hidden malware.

How to protect your organization? Ensure employee security training covers social engineering: how to identify a potential threat, how to report it, and how to alert the organization. Require all new hires to undergo training, and provide periodic reminders. Prevention is better than reaction.

About the Author

Deanna Jones (DJ)

Deanna Jones (DJ) is an Investigator within ID Experts’ Special Investigations Unit. She came to ID Experts from the Portland Police Bureau and has an extensive background in legal and insurance investigations for plaintiff case preparation, backgrounds and workman’s compensation fraud. She also worked with the former Bureau of Alcohol, Tobacco and Firearms, now under the US Treasury, where she assisted with regulatory investigations and compliance. DJ has obtained government security clearance through her duties at ID Experts and is a Certified Fraud Examiner (CFE). She holds a BA in English and Journalism and an MS in Criminology.

Healthcare Risk Management Perspective on Social Media

by Doug Pollack

I attended a session today at ASHRM titled “Social Media in Hospitals: a Lawyer’s Perspective”. It was a terrific overview of what a nightmare social media is becoming for privacy and risk managers in the hospital setting. It was a great discussion that highlighted the evolving nature of data breaches and how they are created.

Each of the three attorneys took on litigation, privacy and employment issues that are exacerbated by social media. While all were very interesting, I’ll focus this post primarily on the privacy issues.

To start off, it was clarified that “any communication via social media that includes PHI may be without consent, probably is not secure, and almost always a breach.” The challenge is that an increasing portion of the hospital workforce, including doctors and nurses, maintain Facebook pages, use Twitter and participate in other social media outlets.

They described a situation where a doctor posted information “about” a patient on their Facebook page. The post did not include the name of the patient, but because of the content of the post, it was possible for others to “determine” the patient’s identity. In this circumstance, the doctor was fired by the hospital and reprimanded by the licensure board for unprofessional conduct.

They also noted that social media posts, whether public or private, are “discoverable” as part of the legal process. Courts consider social media as just another means of communication and have determined that “there is no social networking privilege in discovery.”

Examples such as this doctor’s Facebook post combined with the “discoverability” of social media content highlight the extreme risks that are posed by the use of social media within the context of healthcare. As noted, Facebook and other social media posts by any member of a hospital’s workforce about patients, no matter how circumspect, have the potential to be a HIPAA violation. And disciplinary actions can be rapid and severe.

One somewhat obvious conclusion by this panel was that hospitals should minimally have a social media policy that they characterized as “Thou Shalt Not Use Facebook at Work”. It certainly doesn’t address all of the risks and issues, but it is a start.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

The Rise of Incident Response Planning

by Mahmood Sher-jan

Lately we have seen a strong uptick in requests for incident response planning and testing. What is driving this trend, and why now? Maybe the better question is to ask why it took so long, given the growing number of data breach incidents among large and small healthcare organizations. I can only speculate about the drivers for the sudden surge in focus on this issue, which has long been a requirement under the HIPAA Security Rule and was further codified through the burden-of-proof requirements under the HITECH Breach Notification interim final rule (IFR). I think for one thing, there's a realization that the OCR HIPAA Privacy and Security Audit Program is going to continue and it is a matter of time before OCR knocks on the door. Another reason, in my opinion, is that developing, documenting and testing an IRP can provide very tangible and actionable outcomes that help improve cross-functional communications, processes and awareness, in addition to helping to prevent some incidents, since it focuses the entire team and organization on the topic of PHI/PII protection, emerging risks and associated implications. So it is a very good and low-cost investment with concrete benefits.

I was recently listening to a discussion with an MIT professor who made the assertion that there's zero correlation between intelligence and wisdom. I wondered if this explained why smart people can do unwise things. It also occurred to me that this might explain why, until now, some smart and responsible folks in healthcare and other industries that are at high risk of security and privacy incidents have not taken the time to document and/or test their IRP. As I suggested on a recent webinar on this topic, IRP development and testing transforms the collective intelligence of an organization into organizational wisdom that could make a big difference in the final outcome of any major incident, for the organization and for those responsible for managing the process—in other words, it can save an organization's reputation, limit damage to affected patients/customers and, not to mention, save and even enhance careers. Based on an online survey of attendees during a recent American Hospital Association (AHA) webinar, 56% said they had documented IRPs, 22% of those with IRPs had not tested them and another 44% didn't have a documented IRP. This is the wisdom gap that is being addressed by the new surge in IRP documentation and testing. For some advice and perspective on best practices for incident response planning and testing, you can read the article in the October edition of GHIT that I co-authored with Chris Apgar of Apgar and Associates.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of the high technology and services industries. He lives in Portland, Oregon and holds a BS in Computer Science from the University of Washington and an MBA from the University of Redlands.

Four Steps for Managing a Data Breach Crisis

by Lisa MacKenzie

When a data breach occurs, how an organization responds and communicates to its customers, patients or stakeholders can be the difference between a potential class action lawsuit and an opportunity to reinforce a commitment to quality and customer care. According to the Second Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute, the negative impact of a data breach can diminish healthcare brand reputation, tarnish perception and lead to precipitous declines in patient goodwill.

This all sounds good in the abstract. Data breaches are becoming more common than the cold, yet oddly, a surprisingly small number of organizations have a plan for managing the response with the media. Whether you operate a small dental office or run a multinational corporation, the response methodology is roughly the same. What varies greatly is managing the depth of the situation and integrating the communication with the entire response process.

Let's break it down to four steps:

  1. Plan and Assess
  2. Messaging
  3. Outreach and Response
  4. Analysis and Further Action

To begin, our focus will be on step 1: Planning and assessing the breach situation.

When a breach happens, inevitably everyone panics. Having a plan in place before a breach occurs is like taking an aspirin before the headache turns into a migraine. Sadly, most organizations are still stuck with the notion that it "will never happen to us."

Every organization needs a plan that is customized to meet its needs. Regardless, a plan should include the following baseline components:

  • Data intake from the CIO, privacy officers, legal and HR
  • A full written description of the incident and the total affected population
  • Review and analysis of pertinent documents including forensic reports and incident reports
  • A list of notification requirements (Federal and State) that matches the affected population
  • An action plan with timelines and responsibilities

Ideally, this plan "skeleton" can be developed outside of a breach incident and reviewed quarterly to make sure that it is still addressing organization needs. A good rule of thumb is to review the plan against industry trends and update it to include any new regulatory requirements.

With a plan in place, the next phase is messaging for both internal and external audiences. We'll address that in Part 2.

About the Author

Lisa MacKenzie

Lisa’s insight, passion and business acumen are the marks of her 25-year career in communications. From strategizing with large corporations—IBM, HP and Microsoft to name a few—to consulting numerous start-ups, Lisa has strengthened countless businesses’ marketing and public relations programs and created stronger brands. Since forming her own marketing agency in 1995, Lisa and her team have worked with a broad range of clients, including those in the high-tech, health and banking industries. Very much a strategist at heart, Lisa is always thinking of how to improve her clients’ communications and establish them as leaders in the marketplace.

Privacy & Breach Lessons Learned from Henry Ford Health Systems

by Doug Pollack

This past week, I was fortunate enough to participate in a private educational event sponsored by the American Hospital Association in New York City featuring a presentation by Meredith Phillips, Chief Privacy Officer of Henry Ford Health System. Attendees included privacy, security, compliance and legal professionals from a multitude of hospitals in and around the Tri-state area. Ms. Phillips discussed many of the lessons learned at her organization based on their experiences in dealing with several data breach incidents that required notification. It was exceedingly enlightening to see how a prominent healthcare organization like Henry Ford was able to learn and evolve in the area of privacy when faced with the challenges of managing and responding to a data breach.

Ms. Phillips described how their organization decided to manage their first notifiable data breach incident using almost exclusively internal staff resources. In taking this path, it took them almost the entire mandated 60-day period to meet their HHS/OCR notification requirements. Because of their organization's culture, and the associated importance of patient care and safety, they used this experience as an opportunity to learn how to better prepare their organization to respond to data breach incidents in a more timely manner.

They decided to select a data breach solutions partner to work with that shared their cultural focus on patient care and that could work as an extension of their very capable team. It is a source of great pride on our part that they chose ID Experts as this partner. Working with our privacy professionals, Henry Ford Health System created a new program for data breach response that allowed them to substantially shorten the timeframe from breach detection to patient notification. 

What I found most enlightening in Ms. Phillips' presentation, however, is the insight that many hospital systems are really unprepared for the realities of dealing with a sizable data breach incident. While they may have a "plan", such plans are often neither actionable nor ever tested for operational readiness. It is the unanticipated, significant incident itself that is the catalyst that puts the organization on the path to learning what it takes to effectively manage a data breach. And it can also be the impetus for making investments in carefully assessing privacy and security risk factors, and addressing the greatest vulnerabilities.

Along these lines, Ms. Phillips described a very clever program initiated by her office that included a savvy marketing campaign focused on their workforce members to replace a voluminous number of unencrypted portable thumb drives with encrypted ones. This successful effort highlights the challenges an organization of Henry Ford Health System's size and scale faces in addressing the evolving risk landscape for protecting private patient information. While mobile and portable devices do represent a very real new threat to maintaining patient privacy and ensuring data security, they represent only one of many threats that are emerging as the healthcare world grows more interconnected.

About the Author

Doug Pollack


Update from Texas: Understanding the New Privacy Law

by Brandon Kulwicki

This post by Brandon Kulwicki is part of our ongoing series of contributed content.

Last year Governor Rick Perry signed into law Texas House Bill 300 (HB300), which marks a major shift in how Texas views health information privacy and security. The law went into effect on September 1, 2012. The new law expands the definition of a covered entity, mandates new patient privacy protocols for covered entities and implements harsher penalties for privacy violations related to electronic health records. House Bill 300 significantly expands patient privacy protections for Texas covered entities beyond the federal requirements outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health (or "HITECH") Act.

1. Who Is a Covered Entity?

The expansion of the definition of a covered entity now includes any entity or person that:

  • Engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information ("PHI");
  • Comes into the possession of PHI;
  • Obtains or stores PHI; or
  • Is an employee, agent, or contractor of a person described above insofar as the person or entity creates, receives, obtains, maintains, uses or transmits PHI.

Under the new law a "covered entity" is specifically defined to include a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site. The Texas definition is such a broad expansion of the HIPAA definition of covered entity that entire new industries (e.g., law firms, accounting firms, record storage companies) will now have to place safeguards on the handling and potential handling of PHI.

2. What must a Covered Entity Do?

Under the new Texas law, covered entities must now provide customized employee training regarding the maintenance and protection of PHI. Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire and all employees must complete training at least once every two years. Covered entities are required to maintain training attendance records for all employees. These training requirements are notably more stringent than those imposed by HIPAA. Under HIPAA, training is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under both HIPAA and H.B. 300, "covered entities" must maintain records of every employee's training attendance.

3. What Rights Do Patients Have to their own Electronic Medical Records?

Under HIPAA, a covered entity had 30 days to provide copies of medical records; H.B. 300 shortens that time period, requiring a covered entity to produce electronic medical records to the patient within 15 business days of the patient's written request. Additionally, Texas law now mirrors that of HITECH by limiting the sale of PHI and requiring notice to patients regarding the electronic disclosure of PHI.

Covered entities must provide notice to any patient when their PHI will be subject to electronic disclosure unless the electronic disclosure is made for purposes of treatment, payment or health care operations. Most facility operators will already have a compliant notice in their Notice of Privacy Practices and will, for most disclosures, be either exempt from the requirement or well prepared for it.

Similar to the monitoring of HIPAA by the Office for Civil Rights, House Bill 300 requires the Texas Attorney General to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. While this website does not currently exist, it is required to list the state agencies that regulate each covered entity and provide each agency's contact information and complaint enforcement process. The Texas Attorney General will also, starting in 2013, be required to issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.

4. What Happens if I Ignore House Bill 300?

Covered entities that wrongfully disclose a patient's PHI will face increased civil penalties under House Bill 300, in addition to any penalties for violating federal laws. The new Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, House Bill 300 lists five factors a court may consider:

  1. the seriousness of the violation;
  2. the entity's compliance history;
  3. the risks of harm to the patient;
  4. the amount necessary to deter future violations; and
  5. efforts made to correct the violation.

If a violation is found to be negligent, it can cost up to $5,000 per violation for each year the violation persists. Knowingly or intentionally violating the disclosure laws can cost up to $25,000 per violation each year it persists. If the violation is knowing or intentional and produces financial gain, the penalty can reach $250,000 per violation for each year that it persists. If the court finds that the violations are a "frequent pattern of practice," a covered entity can face up to $1.5 million in fines as well as license revocation and civil action from the Texas Attorney General, and the Attorney General can independently request an audit by the U.S. Department of Health and Human Services. These penalties are in addition to the similar penalties that can be assessed by HHS under HITECH.

Bottom line: When the federal penalties are combined with the state penalties, a Texas covered entity could face fines up to $3 million per year for a single violation.

Like HITECH, House Bill 300 (HB300) requires covered entities in Texas that handle PHI to provide notification to individuals in the event of a privacy breach. However, House Bill 300 imposes additional penalties for failure to do so. Failure to notify individuals may result in a $100 penalty per individual each day the notice is not sent, but not to exceed $250,000. It may also be treated as a class B misdemeanor.

The HB 300 compliance deadline is 60 days after the effective date of September 1st, 2012.

About the Author

Brandon Kulwicki

Brandon devotes his practice to health care litigation matters, including personal injury, medical malpractice, wrongful death, products liability and commercial litigation. Prior to joining Stewart Dugger & Dean in 2006, Brandon had a docket of over 100 cases involving a variety of legal issues. He has extensive research skills that allow for innovative approaches to catastrophic personal injury, medical malpractice and wrongful death cases. While at SMU, Brandon was on the Dean’s List and was the only two-time recipient of the prestigious W.W. Caruth, Jr. Fellowship. Through the combination of his research abilities and extensive case management, Brandon provides practical experience in virtually all types of litigation which may confront health care providers.

Latest HHS Fine Hits The Massachusetts Eye and Ear Infirmary

by Rick Kam

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. In the HHS release, they explain that it wasn't just one issue or misstep that led to the fine, but rather a series of errors and inaction:

"...such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response."

This was for a breach in February 2010 from an unencrypted laptop that contained ePHI – including patient prescriptions and clinical information – of some 3,621 individuals. If you're doing the math, that's $414 per record. How much would it have cost them to do a risk assessment, or to implement a privacy incident management process? This type of underinvestment isn't surprising: according to the March 2012 ANSI study titled "The Financial Impact of Breached PHI – A Business Case for Enhanced PHI Security", organizations are underinvested in protecting PHI.

Here are 3 tips organizations can use to reduce the risk of a breach of PHI from mobile devices.

1.  Consider geolocation tracking software or services for mobile devices.

Rick Kam, CIPP, president and co-founder, ID Experts

Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data. The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. And lost or stolen computing or data devices are the number one reason for healthcare data breach incidents.

2.  Brick the mobile device when it is lost or stolen.

Jon A. Neiditz, partner, Nelson Mullins Riley & Scarborough LLP

In the last year, we have seen greater acceptability among employees of "remote wipe" processes that "brick" the entire device when it is lost or stolen, rather than just wiping the encrypted silo of corporate information, for example. The reason that bricking the entire device is more acceptable, in our view, is that personal data is now more frequently backed up in cloud storage, so the bricking of the entire device does not result in data loss, and protects the employee as well as the company. This is the first tip in the context of BYOD programs.

3.  Encrypt.

Chris Apgar, CISSP, president and CEO, Apgar and Associates, LLC

All mobile devices and the often-overlooked media, such as USB drives, should be encrypted if they will be used remotely. The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations. Most breaches do not occur because of cybercrime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforce. At the very least, organizations should require the use of company-owned and encrypted portable media.

About the Author

Rick Kam


ID Experts Announces YourResponse™ Breach Response Method

by Doug Pollack

Data breaches have become a fact of life for many organizations that are entrusted with the personal information of their customers, members, patients and colleagues. Responding to a data breach, however, is often a process that can be disjointed and undisciplined, which leads to confusion and poor outcomes. In order to address this issue, ID Experts has developed YourResponse™, the first structured methodology for data breach notification and response, and is announcing it today.

YourResponse is a four-stage methodology that takes a structured approach to breach response. Each stage -- Discover, Analyze, Formulate and Respond -- has specific tasks and goals that in combination are intended to help organizations minimize the financial, legal and reputational risks that exist when a data privacy incident occurs. Too often, an organization will take a "cookie cutter" approach to responding to a data privacy incident, notifying the affected customers with a very "legal sounding" letter and offering them plain credit monitoring.

While such an approach may meet the letter of the law, it may not effectively address the longer-term financial and reputational risks that are in play. By using the YourResponse Method, organizations can minimize the financial, reputational, and legal risks by taking a disciplined, methodical approach to making every decision at every stage of the data breach response. Federal and state laws can be confusing and conflicting as to what "defines" a notifiable data breach and what obligations your organization has in such circumstances. Clear analysis, and documentation of it, at this stage is critical in order to meet the burden of proof that the organization bears. Further, in formulating an appropriate response, it is also essential to look at the demographics and special needs of the people affected, and to identify an appropriate set of products and services for them that will specifically address the level and nature of the risks they face as a result of the incident.

By using a structured, disciplined methodology like YourResponse, an organization ensures that it has an "audit trail" and documentation for all key decisions, including their rationale, made during the course of addressing a data breach incident. It is our hope that the approach advocated in YourResponse will become a standard and model for how organizations address data privacy incidents in order to minimize risks and achieve positive outcomes.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

The 2012 Blue National Summit

by Christine Arevalo

The 2012 Blue National Summit will be held in Orlando September 10 - 13, 2012, with up to 2,000 Blue Cross and Blue Shield executives gathering to exchange best practices, hear from renowned guest speakers, and discuss key local and national industry issues. The 2012 Blue National Summit promises to provide a platform for folks to demonstrate a wide range of products and solutions for the healthcare industry. This will be the second year I will be fortunate enough to be there, and since last year's keynote was heavy on fighting healthcare fraud and finding a collaborative approach, I am anxious to see what this year has in store. I have heard that we can expect to hear from the co-creator of Twitter, and with the event just eight weeks before the election, political topics are likely to be top of mind.

The collaboration that happens at this event is encouraging, since fraud is not a competitive issue, and there is no single solution for the prevention of fraud. I also believe that consumers can take a more active role in the security and privacy of their PHI.

What we know, according to the Medical Identity Fraud Alliance:

  • Medical identity theft is a huge national problem – with 1.85 million Americans affected, with an economic impact of $41.3 billion per annum [1]
  • Individuals are unaware – and unengaged – with only 15% of insured adults familiar with medical identity theft [2]
  • There is currently no organization (institution or association) with a focused agenda on medical identity theft
  • Stolen, ransomed or misused patient data is at the core of many crimes perpetrated by the gamut of fraudsters, including organized crime
  • The growth in EHRs by 2013 will magnify the problem
  • As law catches up with technology, there will be additional regulations and increasing penalties for noncompliance

[1] 2012 Ponemon Survey on Medical Identity Theft
[2] 2012 Harris Interactive/Nationwide Study: Few Aware of Risk of Medical Identity Theft

So while the solution isn't a simple one, continuing discussions about ways in which we can come together in meaningful ways to find innovative solutions is.

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Announcing The Medical Identity Fraud Alliance

by Christine Arevalo

I'm so excited about the formation of the Medical Identity Fraud Alliance, a consortium launching in November, that I couldn't wait to tell you about it.

The "Alliance" comprises industry, technology service providers, associations and consumer organizations, law enforcement and government agencies, academia and research, and its goals include empowering consumers to better protect themselves from medical identity theft and the resulting financial, physical and emotional damage it can cause.

For years my colleagues and I have been watching while medical ID theft was gaining on other types of fraud. As we watch it take the lead and become the most devastating crime committed against consumers, we felt it was time to take meaningful action.

The Alliance has several goals, but I'm most excited about supporting research about medical identity fraud (vastly under studied), raising awareness to patients about the increasing threats to their health and safety as a result of medical identity theft, and discovering patient-centric technologies and services that empower consumers along the way.

There are many ways to show your support for the Alliance, and I encourage you to inquire today.

ID Experts is enthusiastically lending its support to the Alliance, which will provide education and awareness to all, while promoting best-in-class technologies and practices, and influencing government regulations, policies and laws. For more information visit our website http://medidfraud.org/ or please contact MedIDFraud@sbcglobal.net.

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Key Steps to Reducing Data Breach Risks

by Jeremy Henley

Risk Management-focused Webinar 9.6.12 at 10 PST

The Risk Management Society (RIMS) recently invited ID Experts to provide a webinar educating their audience of Risk Managers on the perils of a data breach. I was able to recruit Ted Kobus, National Co-Leader for Baker Hostetler's Privacy, Security and Social Media Team, and Jeremy Gittler, a Senior Complex Claims Director from Chartis/AIG Insurance, to speak with me on the panel September 6th at 10:00 PST / 1:00 EST.

Here is what we will be discussing:

  • Minimizing your risks before a data breach ever happens
  • Analyzing the incident facts and crafting a risk proportionate response should a data breach strike
  • Ensuring the effectiveness of your response and preventing future incidents
  • Complying with federal and state data breach notification laws
  • Avoiding class-action lawsuits

With this group we will be able to talk about these risks at each stage from a legal, insurance, and operational point of view. I will cover the operational and compliance perspective on some of the best prevention strategies to lower the costs of a breach before and after an incident. Ted Kobus will provide a wealth of knowledge from a legal perspective at all stages of a data breach, and lastly Jeremy Gittler will bring a dozen years of legal and insurance experience to touch on aspects of a breach specific to Cyber Liability insurance.

To register for the webinar please click here.

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of Sales and Leadership experience to the ID Experts team.

Is technology or compliance more important in terms of minimizing the risks?

by Jeremy Henley

When it comes to spending money on your business, we naturally look for investments that will show a nice return. Most business leaders understand that some level of privacy and security is important to their business; however, the return on investment is not always clear. This makes it painful to spend money on technology or compliance programs when the value connection is difficult to see. When budgets are being designed, it seems that technology gets the spotlight and the money, rather than enhancements to compliance activities.

How important is technology when trying to minimize data breach risk? Technology is critical and can provide significantly enhanced protection against a data breach when it is multi-layered, configured properly and well maintained. Many would agree that all of the best technology in the world still could not prevent data breaches. However, the seductive nature of technology can still send organizations down a risky path of thinking that they can prevent breaches from occurring if they just keep up the spending on additional layers of technology protection. Unfortunately, even when armed with the latest and greatest technology, a breach can still happen. It could be poor configuration, a rogue employee working around the technology, or the constant threat from hackers who have made it a sport to break in. So do we really think that the next great technology is going to provide a bulletproof system for preventing a data breach? Is technology really more important than a strong compliance program when minimizing overall breach risks? I do not believe it is, at least in healthcare.

Let's see if a strong compliance program could minimize our risks. If a privacy and security compliance program is well funded, it will have very specific and detailed policies and procedures. These procedures will be user friendly so that the staff can get comfortable using them and pull them out when there is a question. The program would have customized training that reflects the policies and procedures. There would be systems in place to audit the training and test how well employees are incorporating the training and carrying out the policies. Lastly, the organization needs to create an environment and culture in which management, not the compliance department or privacy officer, implements the training.

If your compliance program is auditing and managing the security policies and procedures and training the staff in a way that the information is retained, the likelihood that an employee makes a mistake and creates a breach should drop considerably. Additionally, if there are compliance checks on basic policies around password strength, the least amount of access necessary, and other access controls, such as when an employee changes roles or leaves the organization, we should further minimize the risk of a breach, malicious or accidental. With that being said, will investments in this area prevent a data breach from occurring? No, neither compliance nor technology can prevent breaches from happening.

The answer to the question, in my opinion, is that they need to be balanced equally to truly create a defensive position against the risks from a data breach. Currently they appear to be tilted heavily toward the technology that aims to prevent breaches. Organizations need to accept that a breach will occur and work toward minimizing the losses. By losses I am referring to the records, as well as the reputational exposure and the outcome of a potential Office of Civil Rights (OCR) investigation. Rarely, in my experience, do organizations fully appreciate the risk of a breach prior to one occurring. If the budget were balanced between compliance efforts and the technology to support them, rather than technology now and compliance if we can afford it, the damage would be less.

To prove my point, let's look at a few recent examples. Recently the Federal Health & Human Services Department reported on the $1.7 Million fine the Alaska Department of Health and Social Services (DHSS) received; the report explains that "over the course of the investigation, Office of Civil Rights found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule."

Another example is from Phoenix Cardiac Surgery, which had decent technology but failed to train staff to use it properly. The report on this case says, according to OCR, "the practice did not implement adequate policies and procedures, document employee training, identify a security officer, conduct a risk analysis, or obtain business associate contracts with Internet-based email and calendar services." The investigation began due to a breach of 1000 records, which is unfortunate, but the cost of the penalty (in this case $100,000), along with the cost to comply with OCR's Corrective Action Plan over a 12 month period, is significantly more than the cost of the breach response. The resolution agreement between OCR and Phoenix Cardiac Surgery is available here.

I believe the OCR, along with several State Attorneys General, are going to continue the upward trend of investigating and potentially fining organizations that are not compliant even if they have decent technology.

The takeaway from this post is to make sure your investments in technology are followed by solid policies and procedures, training programs and compliance metrics. Then, when you have a breach, your organization will be in a significantly more defensible position to answer the many questions OCR starts asking. If you calculate your return on investment using the fines you may have avoided, you will be much happier the budget was more evenly balanced.

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of Sales and Leadership experience to the ID Experts team.

Cybercrime Targeting Health Records

by Doug Pollack

The data breach incident that hit The Surgeons of Lake County, a medical services practice in Illinois, earlier this summer may be the precursor to a growing trend toward cyber-blackmail targeted at patient medical records. It also demonstrates a clever approach to monetizing data breach-oriented cybercrime without going through the trouble of acquiring and remarketing the data.

A data breach incident was discovered on June 25, 2012 by the Surgeons of Lake County in which a hacker broke into their computer systems, but rather than extracting the patient data that was in their electronic health records application, instead encrypted the data and left the medical practice a digital blackmail note. As reported in Bloomberg in a blog titled "Hackers Steal, Encrypt Health Records and Hold Data for Ransom", this incident demonstrates a novel approach to marrying cybercrime with blackmail.

“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”

I think that this incident illustrates the beginning of a much larger phenomenon. As we all know, medical practices are working tirelessly to implement electronic health record (EHR) systems in order to take advantage of funds available from the federal government for health providers that demonstrate "meaningful use", as it is known. In their rush to use meaningful use dollars by the 2014 deadline, physician practices and their vendors may understandably be placing a lower priority on the privacy and security issues and risks that exist when moving patient data into new applications that will be used across the healthcare ecosystem. Therefore, vulnerabilities and weaknesses in their security architectures should be expected.

Not only do medical EHR systems themselves pose security risks, but the movement toward making patient data available wherever patients may access medical services, implemented through participation in health information exchanges (HIEs), exacerbates the level of risk by introducing additional vulnerabilities. HIEs face funding challenges because they lack clear-cut and profitable business models, and yet federal grants and deadlines maintain a level of time pressure for implementing these systems that does not allow for thorough consideration of security concerns.

As professor Glancy states, “This is a warning bell. Maybe they’re [Surgeons of Lake County] the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

While the benefits to patients of broad-based implementation and exchange of electronic health records could be substantial when it comes to quality and timeliness of care, possibly the healthcare world should slow down a bit, to ensure that privacy and security issues are rigorously addressed before the data starts flying around in the ether.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Despite Increasing Evidence of Healthcare Breach Response Plans, Many Still Without

by Rick Kam

Does your healthcare organization have an incident response plan in place in the event of a data breach? We polled 200 healthcare privacy professionals this week and found that 22% responded affirmatively, that they do have a response plan. Thirty-three percent responded that they not only had a response plan, but had also tested the plan. Unfortunately, 44% responded saying they do not have a data breach incident response plan.

Although the response is positive compared to five years ago, when it was rare to find an organization with a data breach IRP in place, much less one that had been tested, the overall adoption rate still remains low.

Here are 3 tips when considering your incident response plan:

  1. Agree to goals as part of the plan: Get the executive team and incident response team aligned on the expected outcomes from the incident response. Is the highest priority meeting federal and state regulatory requirements? How important is it to avoid class action litigation? Where does protecting the brand fit into the priorities? What other factors does the board or executive team feel are key to a successful response? Once you set these goals, measure your success in achieving them and report that success to the executive team.
  2. Calculate the financial value of the PHI your organization is protecting or has just breached: Knowing the at-risk value of the compromised data will help determine what is reasonable to invest in responding to a data breach and can facilitate management decision making when financial trade-offs are being considered. Refer to the ANSI white paper "The Financial Impact of Breached PHI" for a methodology and examples on how to do this (get it by clicking here).
  3. Test your incident response plan: The poll showed 33% of the organizations polled tested their incident response plan. The best way to be assured the incident response team is prepared is to test the plan. There are a few ways to do this. Initiate a mock breach where you call IT and say your laptop was stolen and you think it had 500 patient records including SSNs and health insurance numbers on it – and see how your incident response team responds. Another option is to have an expert come in and help your organization through a practice breach response. The benefit of this approach is that the outside perspective and feedback may be more useful to help your organization refine your incident response plan and educate your executive team.

Go and check if an incident response plan exists for your organization and if it exists, ask these questions:

  • When was it last updated?
  • Has it been tested?
  • What are the goals for a breach response?
  • Does the plan have a methodology to calculate the "value at risk" of the compromised data?

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

The Risk Posed by Unauthorized PHI & PII Disclosure is Contextual

by Mahmood Sher-jan

The list of data elements that the HIPAA data breach notification rule and state breach laws have designated as PHI or PII varies from mundane and publicly available items like name and mailing address to more private information such as account numbers and medical record numbers. When PHI or PII is hacked, one of the factors that determine the level of risk to the individuals affected is the sensitivity of the PHI or PII involved. For example, Social Security numbers, full account numbers and PINs are treated as high risk. It is very easy to dismiss any significant risk of harm from unauthorized disclosures of PHI/PII that include only names, email addresses, partial account numbers (last 4 digits) and mailing addresses, since it is believed that this information can be assembled from publicly available sources and does not pose a significant risk of harm. But this week we learned from Wired magazine writer Mat Honan's sad experience (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/) that in the wrong hands, even this seemingly innocuous set of PHI/PII can be used to trigger a malicious attack. Mat's entire digital life was wiped out remotely once the hackers used his limited PII (name, billing address, last 4 digits of credit card, and email) to exploit security gaps in the Amazon and Apple privacy and security policies and customer service practices.

What does this mean to the industry at large, and especially to the healthcare industry, with its stewardship of an incredible amount of highly sensitive PHI and PII? Should the industry treat unauthorized access to or disclosure of any amount of PHI/PII as a data breach, or is that a knee-jerk reaction and unwarranted? In talking with industry colleagues and healthcare organizations that use our ID Experts RADAR™ tool to perform incident risk assessment and decide whether an incident is a breach (reportable) or not, the consensus is that each incident is unique. RADAR's approach of allowing each incident to be scored according to the PHI/PII involved as well as the nature and circumstances of the incident (for example hacking vs. incidental) gives them the ability to strike the right balance and consistency when analyzing an incident and deciding whether it can cause significant risk of harm.

In the final analysis, while what happened to Mat is very alarming and could've happened to anyone with a digital footprint, we have to analyze each incident uniquely.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

AHA Leadership Summit - Changing the Course of an Unsustainable Industry

by Jason Porter

We have all heard the statistics that demonstrate the unsustainable nature of the healthcare industry in the United States. 48% of healthcare expenses are eaten up by less than 5% of the population; the US spends 17% of its GDP on healthcare (with projections showing this reaching 21% of GDP by 2021), more than any other industrialized nation, yet the life expectancy in the US is 78.49 years, 50th in the world.

In July, the American Hospital Association Health Forum brought together some of the brightest minds in the country to discuss how the industry will deal with the radically changing environment they operate in while improving the level of care provided to the American people. Politics and personal agendas were set aside for three days to discuss potential solutions to one of the biggest problems facing our nation today. Throughout the three day event, no word was used more than "unsustainable" to describe the current state of healthcare in the US.

Leaving the Leadership Summit there were several key messages that resonate as hospitals work through a time of tremendous pressure and change:

  • The hospital industry does not need to find some fantastic new idea to help it transform into a sustainable model. Innovative hospitals and health care systems all over the country are developing transformational systems today. The challenge is large-scale adoption of these models, which will have a major impact on the financial model for healthcare today. Copy what is working today; don't try to re-create. Jim Collins, the author of "Good to Great", spoke on this key issue and provided examples demonstrating that businesses that chose to copy and scale current best industry practices have always outperformed those that decided to invent new systems on their own. Hospitals have this same opportunity today.
  • In order for our healthcare system to meet the demands of our aging population and the baby boomer impact, technology must continue to transform access to medical services and drive these services into the hands of lower cost healthcare workers. This transformation is beginning to take place today with home health monitoring solutions and technology driven through smart phones and tablet computers. The more we can push healthcare via technology to the home and put control in the hands of each of us, the more cost effective the system becomes.
  • There is a major shift under way in the healthcare system to move from "volume-based" to "value-based" reimbursement for services. This transition must continue and accelerate to motivate hospitals to integrate their services and focus on long-term patient outcomes. The way hospitals and doctors get paid today is to drive procedures, not the overall quality of life of patients. Hospitals and doctors have reacted to the way they are reimbursed by the government for services, leading us to a place where there is a lack of coordination and a proliferation of services that may not be necessary. We have seen the impact of this just this week in the news of HCA's internal investigation into cardiac procedures in some of their Florida hospitals, showing that physicians were ordering cardiac procedures that could not be justified. This coordination of value-based care will require cooperation throughout the delivery and payment of medical services, a major cultural change for the groups that today separately manage different pieces of the chain.

Overall, the Leadership Summit clearly demonstrated that the road to a revolution in healthcare management and delivery is possible, and in some organizations has already begun. As an industry, healthcare and hospitals are faced with transitions, some painful and others slight, that in total must drive towards a sustainable model for the future. "Unsustainable" is the same model that recently drove industries in the US (auto, mortgage) into the ground; this is not an option for the delivery of healthcare.

About the Author

Jason Porter

Jason works closely with ID Experts clients in both healthcare and the federal government to help shape their approach to data breach events. In this role Jason has worked with the privacy and security teams at FEMA, the Department of Homeland Security, the Social Security Administration and other federal agencies.

Insights from the Annual AHLA Meeting

by Heather Pixton

I can remember the first time I was presented with a HIPAA Notice of Privacy Practices that I had to sign when I visited the doctor. Little did I know that a whole new industry was being created that would impact me personally and professionally. My perception of these disclosures has changed so significantly since 1996, and I expect that this growing industry will only get more complex as time goes on.

I visited the American Health Lawyers Association Annual Meeting in June and was so impressed with the volume of attorneys that practice in the area of healthcare privacy & security. I met several people who were just entering the field because of the growth, as well as a host of privacy lawyers who were seasoned veterans. In both cases, HIPAA/HITECH was an enticing topic. I noticed that talking through case studies provided for very interesting conversations, and an opportunity to learn things about HIPAA/HITECH that I didn't already know.

The "Year in Review" session by Carder-Thompson and Schroder was like listening to a juicy soap opera with fascinating twists and turns. While I was familiar with most of the cases discussed, they were all presented in a new way that caused me to think about them differently. It is fantastic to hear how some of the "older" data breaches are starting to change current best practices, and how legal rulings are impacting the future of this industry. It was noted that many if not most courts have dismissed consumer class-action lawsuits claiming harm from a data breach on the basis that the damage to the impacted individuals was speculative and could not be attributed directly to the data breach. This may change how state and federal laws interpret the risk caused by a data breach.

There was also a great session by Markey and Warma about the threat of hacking in healthcare. I was at the edge of my seat as Melissa Markey with Hall Render enumerated the risks inherent in a digital health system... while extremely beneficial, the reality is that a hacker can truly "take down" healthcare with the stroke of a keyboard. This was illustrated by Kathryn Warma with the US Department of Justice as she walked attendees through the take-down of a hacking ring that was committing fraud in ways that I didn't even know existed. Warma showed how the fraudsters had outfitted a vehicle with high tech equipment, including extensive antennas, allowing them to search for wireless networks they could use both for hacking and to hide their 'digital fingerprints' when they accessed a company network. It was amazing to see that a portable system like that could create such havoc.

While this summary barely scratches the surface of the extensive content at this annual conference, I am in awe at the size and scope of healthcare law. We sure have come a long way since I signed my first Notice of Privacy Practices, and I expect that the future holds more interesting twists and turns. I look forward to next year's conference where I will reflect on another year of breaches, mishaps, incidents, hacks, and disclosures. No one can say this stuff is boring...

About the Author

Heather Pixton

Heather Seward came to ID Experts with 12 years of experience in sales and marketing, and is using her experience to grow new territories for the company. Heather will encourage this growth through securing strategic partnerships and developing strong relationships in the industry. Before joining ID Experts, Heather was President of a successful small business, managing a variety of tasks including sales, marketing, and operations. Heather has a BA from Southern Oregon State College.

Who Owns Patient Data In Electronic Health Records? – Redux

by Doug Pollack

My post on this topic of June 15th has generated a flurry of activity within the HIMSS discussion group on LinkedIn. With 150 comments and counting, I am somewhat amazed that there are so many dimensions, and perspectives, on this question, especially among health information management professionals. This post is my attempt to summarize some of what I've learned in reviewing the comments and delving further into the available research.

First, the concept of “ownership” of patient data in electronic health records (EHRs) is conceptually simple and appealing to many individuals. In many of the discussion posts, knowledgeable professionals assert, “of course, it is the patient owns their medical data”. I believe this speaks to just how compelling this concept is at first blush. In our society and our legal structure, ownership implies a very high level of control that is comforting given the sensitive nature of our health information. In this discussion, what I see is a perspective that it is somehow “right” that patients should own their medical record information.

But as Dr. Evans notes in her paper “Much Ado About Data Ownership”, there is a balancing act between a patient’s strict ability to control dissemination of their medical information and the potential public good derived from such sharing of data. In this paper, she states that:

 “The pro-privacy proposals rest on a mythical view of private property. Three centuries ago Sir William Blackstone noted how the human imagination is drawn to the idea of property as ‘that sole and despotic dominion which one man claims and exercises over external things of the world in total exclusion of the right of any other individual in the universe.’ This idea resonates with the ‘autonomy über alles’ strand of privacy advocacy that asserts that a patient’s right to control access to health data should trump all other interests, even society’s interest in conducting studies that might save or improve other people’s lives.”

While current privacy laws and regulations do provide the patient with significant rights that might otherwise be associated with “ownership” to their medical data, the concept of ownership in this context appears flawed.

Which brings us to my second point, that ownership is clearly a legal construct, and it does not appear that anyone has provided a reference to state or federal law that specifically speaks to ownership of patient data in electronic health records. I found one of Dr. Lafky’s comments thoughtful on this topic, and have seen it reflected in numerous other opinions and studies.

“Many people consider the collected and interpreted medical facts about themselves to be private, and assert ownership over these. But what they really seek, in my opinion, is to control dissemination of the information, which if they truly owned the information, would give them certain rights in that regard. But the ownership model is not robust in this case, since to exercise it requires painstaking specification of who is permitted to do what with each datum. It has been largely impossible to produce broader rules that cover even routine situations and preferences under an ownership model.”

In Dr. Evans’ research, as well as others noted in my earlier post, there is a persuasive argument that “ownership” isn’t the right question, and that rather, the better question is about the relative control and responsibilities of all parties in the healthcare ecosystem that potentially touch, transmit, or otherwise interact with EHRs. She in fact suggests that “propertization” of health data wouldn’t actually lead to better protections than are currently stipulated under the law. She notes that:

“The urge to propertize health data needs to be weighed skeptically and with a clear understanding of how property rights actually work. If pursued, data ownership may disappoint many of its proponents because of a surprising truth: the framework of patient entitlements and protections afforded by the HIPAA Privacy Rule and the Common Rule is strikingly similar to what patients would enjoy if they owned their data.”

Lastly and most importantly, however, this discussion has elevated my level of concern that the rush towards digitization and electronic distribution of medical health records, driven by the financial motivations of “meaningful use”, has inherent patient privacy risks that haven’t been well thought out and addressed. Indicative of this disquieting fact is that there is such a lively debate about “ownership”, rights of control, and responsibilities for the caretakers of patient medical and health data.

This situation is one where it feels like the genie is already out of the proverbial bottle. When I visit my doctor or check into the hospital for a procedure, information about me, my medical conditions, my prescription history, the doctor’s diagnosis, the recommended treatment regimen, among other information, is entered into an EHR system. As my doctor’s clinic and my hospital strive to reach meaningful use, they will participate within a health information exchange (HIE), which will allow all of this information, and more, to flow out into the ether, in many cases without my express permission.

All of this is moving too quickly. The push is towards implementing these systems in order to obtain meaningful use funds. While “ownership” of all this data may not turn out to be the right question, or the right legal approach to address the associated concerns, there is a very real need for practitioners across this ecosystem to place significant focus and resources on achieving a workable model that better empowers the patient to exert an appropriate level of control over the distribution and uses of their medical records.

As I stated in my recent article in Forbes, “our nation can’t afford to keep building out an electronic healthcare system without addressing these issues. No cut-and-dried legal remedy exists. It’s a robust debate with more facets than a well-cut diamond. I believe the answer lies in the private sector, specifically a consortium of EHR vendors, software developers, and privacy/security professionals. Together, these experts can bring a holistic view of the issue of patient privacy and data control in a way that no governing body can.”

What do you think? How best to get the genie back in the bottle long enough to get our arms around these issues?

About the Author

Doug Pollack

CIPP, MBA. With over 25 years’ experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Why we need a Health Information Privacy Bill of Rights

by James C. Pyles

"One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."

So said a constitutional law professor who is our current President on the issuance by the White House of the Consumer Privacy Bill of Rights on February 23, 2012.  The President was right. The right of all Americans to privacy for personal information, and particularly their health information, has been recognized as a fundamental right by all three branches of the federal government--the Executive Branch, Congress and the Judiciary--as well as under the standards for the ethical practice of medicine and psychiatry throughout the history of the country. But, strangely, the Consumer Privacy Bill of Rights contains an exception for health information subject to HIPAA. So, under this policy, Americans have a right to control the use and disclosure of their personal health information under the Consumer Privacy Bill of Rights if the information is NOT covered by HIPAA, but no right to control the use and disclosure of their health information that IS covered by the HIPAA Privacy Rule. Americans now have a recognized right to privacy for health information handled by a law firm, but no right to privacy for health information handled by a hospital. Americans can control the use and disclosure of information about the music they purchase online but not their cancer treatment information. This is federal privacy policy that is untenable.

The problem began in August of 2002 when the Bush Administration eliminated the individual's right of consent under the HIPAA Privacy Rule issued by the Clinton Administration for the use and disclosure of health information for treatment, payment, and health care operations. When it was pointed out that this reversal of policy put the HIPAA Privacy Rule at odds with Constitutional law, prevailing tort law, the law of physician-patient and psychotherapist-patient privilege and established standards for the ethical practice of medicine and psychiatry, HHS responded that the HIPAA Privacy Rule was only intended to be a "floor" of privacy protections and was not even intended to be a "best practices" standard. So practitioners could add additional privacy protections. Of course, this ignored the fact that adding additional privacy protections to the HIPAA "floor" would expose the provider to civil monetary and perhaps criminal penalties under HIPAA.  So the HIPAA "floor" of privacy protections has also become the "ceiling" leaving the patients little room to exercise their privacy rights. This departure from privacy standards set forth in law and ethics has also resulted in a loss of trust by the public that the laws will protect their right to privacy and confusion by the regulated health industry that now does not know what is expected of them.

It is time to bring health information privacy laws back into alignment with constitutional law, professional ethics and the public's expectation.  We can have a health care delivery system without health IT, but we cannot have a health care delivery system without patients. We should build an electronic health information system that conforms to the patient's time-honored right to privacy rather than erode the right to privacy until it fits within the current capabilities of electronic health information systems. All health information begins under the patient's private control--in his or her head or body.  And there the information will remain, unless patients believe it is safe to disclose. The White House issued the Consumer Privacy Bill of Rights to preserve the trust that is essential for individuals to engage in commerce. Trust is even more important for access to quality health care. It is time for a Health Information Privacy Bill of Rights to preserve the public's trust in the health care delivery system and to allow for the acceptance of an electronic health information system that serves rather than conflicts with the patient's interests.  Health information privacy is not only at the heart of our democracy--it is at the heart of quality health care.

About the Author

James C. Pyles

Jim Pyles is a co-founder of the firm Powers Pyles Sutter & Verville PC and has more than forty years of experience in litigation, counseling, and lobbying in the field of health law and policy. Upon graduating from law school, Mr. Pyles served for six years in the Office of the General Counsel for the US Department of Health, Education, and Welfare, where he received the department's Distinguished Service Award for successfully handling complex Medicare litigation.

Google’s Ongoing Issues with Customer Privacy

by Doug Pollack

Once again, Google is in the news this month. The Wall Street Journal has reported that Google and the FTC are close to announcing a settlement of charges that Google bypassed privacy settings on the Safari browser on iPhones and iPads. This settlement will cost Google $22.5 million.

While $22.5 million is just a drop in the bucket to Google, this case seems to represent a pattern of behavior at Google that isn't, shall we say, very respectful of their customers' privacy needs. It was only last October that Google signed a 20-year consent decree with the FTC, resolving another privacy-related dispute. In light of that recent commitment, this current situation with the Apple products does seem somewhat more egregious.

In this Journal article, they discuss the privacy issue that led to the consent decree last year:

"In March 2011, the FTC charged Google with using deceptive tactics when it launched an online social network, Google Buzz. In October, Google signed a consent decree to settle the charges. It agreed to put in place a number of privacy-protecting measures, including a "comprehensive privacy program" to conduct privacy-risk assessments of Google's products and services and to be audited by a third party every other year for the next two decades."

And as we speak, Google's bypassing of privacy settings on Apple devices is under investigation by the European Union. Europe has very strict (more so than the US) data privacy laws and regulations. So the consequences from this lapse in judgment by Google do not seem to be going away anytime soon. So a question for those of you that use Google products, is it just too hard for a company in search and social media to really "get" the need to provide for and respect privacy of their customers? I do understand that it really isn't in their DNA. What do you think?

About the Author

Doug Pollack

CIPP, MBA. With over 25 years’ experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

What Do HIEs and Cracked Windshields Have in Common?

by Mahmood Sher-jan

If you are a patient, like most, you are probably assuming that your protected health information (PHI) is well "protected" by those who are custodians of the data. You also may think that the data is yours and you control its primary and secondary use. I hate to be the bearer of alarming news but both of these assumptions may be faulty. The topic of "who owns patient data in EHRs" was extensively explored in a great blog post by Doug Pollack of ID Experts, which has already generated well over 100 comments on the HIMSS' LinkedIn group alone. I encourage anyone interested in the topic to check it out.

In this post I want to explore another PHI privacy implication related to sharing of the data through health information exchanges (HIE) and further through the Nationwide Health Information Network (NwHIN). ModernHealthcare.com reported that CHIME has raised a red flag to Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology at HHS. My first impression of CHIME's suggestion that the ONC "should devote more time and resources to identifying and publicizing best practices among existing health information exchanges," was that security and privacy issues must be at the root of their concern. However, the real issue behind the objection, as it turns out, is the risk from imposing governance restrictions on the HIE & NwHIN business model, and making sure that restrictions that could limit the downstream monetization of the patient data (albeit de-identified) by 3rd parties are excluded or limited.

It is no secret that the biggest challenge facing HIEs is the lack of a sustainable business model once the gov't subsidies end. So creating a business model to help sustain these entities is key to their viability. What are patients willing to sacrifice for the benefits gained from HIEs and NwHIN? Since patients are a fragmented bunch, how can they mobilize against forces of capitalism that see a gold mine of value in the bit streams floating between these exchanges? I think the potential benefits from HIEs are still conceptual and not well understood or documented. The risk to the confidentiality, integrity, and accessibility of patient data, on the other hand, is much more real in this brave new world made up of health information exchanges.

Let me explain my choice for the title of this blog post. When a car is driving behind a gravel truck, there's a chance that a piece of gravel falls and hits its windshield, causing damage well beyond the point of impact. What if multiple cars are driving side-by-side? The chance of one of them getting a cracked windshield is higher. The gravel truck represents the multitude of online security threats while the cars are HIEs. Since HIEs share/exchange data by design, the impact is felt by many, including patients, participating providers & plans, and other HIEs connected through the NwHIN. A car's damaged windshield can be treated so the cracks don't keep expanding to the rest of the windshield. But we have no clue at this point about how to contain any damage to the patient data once it is digitized and released into the wild. We need to be very thoughtful about HIEs' governance issues and make sure that our rapid march towards creating a totally connected healthcare ecosystem does not leave us cracked beyond repair!

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

The Changing Landscape - The Impact to Patients’ Privacy

by Deborah Peel

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

  • Patients have no control over who sees or sells sensitive personal health information.
  • Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.
  • Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.
  • Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.
  • There is no "chain of custody" for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see the FBI press release on the $100M Armenian-American fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes: millions of people every year avoid treatment because they know their health data is not private:

  • HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779
  • HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777
  • Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778
  • The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. "Invisible Wounds of War", The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President's Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system --- starting with Principle #1:

"Consumers have a right to exercise control over what personal data companies collect from them and how they use it."

About the Author

Deborah Peel

Deborah C. Peel MD is a practicing physician and national expert on medical privacy. She became active in privacy rights at the federal level in 1993 when the Clinton Healthcare Initiative required every doctor-patient encounter to be entered in a federal health database. She advocated first as an individual and later on behalf of state and national medical specialty organizations for patient control of access to medical records. She presents at national panels and Congressional briefings, has provided state and federal testimony, and is widely quoted in trade journals and the national press. She is also the co-chair of the Committee on Government Relations and Insurance of the American Psychoanalytic Association.

Cyber Risk & Privacy Liability Forum

by Jeremy Henley

At the beginning of June the "who's who" of the Cyber Insurance world descended on Philadelphia to attend the 3rd Annual Net Diligence Cyber Risk & Privacy Liability Forum. The objective was to discuss and debate a variety of topics around insuring against the risk of a data breach. Mark Greisiger, President of Net Diligence, welcomed the audience and speaking panels, which consisted of underwriters, brokers, risk managers and vendors that work in the data breach world. The conference provides risk managers the opportunity to learn the basics of cyber liability insurance policies, managing and reducing their organizational data breach risks, and how best to minimize their exposure should a data breach occur.

This year's conference attendance grew thirty percent, which to me is a strong indication that Cyber Insurance is becoming a standard coverage like General Liability or Errors and Omissions insurance. Cyber Insurance coverage is still fairly new, so policies can vary significantly. Organizations interested in cyber insurance coverage are encouraged to take their time evaluating policies and complete thorough due diligence before binding a policy. This conference is a great way to start your due diligence process.

One of the more interesting sessions, other than the one I presented on, was the "Regulatory Challenges of Today." This panel was moderated by Tracey Vipoli, SVP at CHUBB Group Insurance, and featured Katherine Race Brin from the Federal Trade Commission. A good portion of their presentation focused on the Securities and Exchange Commission's guidance on the disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC has elevated the conversation about cyber risks from the IT or Compliance Department to the Board of Directors. The panel made the point that many publicly traded organizations are now seeking financial tools, like cyber liability insurance, to offset their exposures. At ID Experts, we have also seen an uptick in the number of organizations proactively seeking our services prior to a privacy breach event.

There was also a session on healthcare that highlighted the complexity of compliance for healthcare organizations. This conversation acknowledged the challenges for maintaining patient privacy and securing sensitive data while complying with the numerous regulations placed upon healthcare organizations. Additionally, if an organization has a breach, and is out of compliance, they are at an increased risk of fines and being placed under a corrective action plan.

A big takeaway for me was the similarity between the Federal Trade Commission's investigations and the Office of Civil Rights' post-breach privacy investigations. Both agencies' investigations evaluate organizational policies and procedures, determining if they are current and if they are being followed consistently. The number of investigations completed by the FTC is much greater than OCR's. I found this interesting because we are now beginning to see the Office of Civil Rights ramp up their investigation program and levy fines against organizations that are found out of compliance. If the OCR follows the FTC's lead related to privacy breaches, it is about to get more expensive to be a healthcare organization, unless your business is compliant with HIPAA and HITECH regulations prior to a data breach.

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings 11 years of Sales and Leadership experience to the ID Experts team.

Medical Identity Theft…..We knew consumer awareness was lacking but WOW!

by Bob Gregg

We at ID Experts have been on a campaign to try to help educate consumers on the growing threat of Medical Identity Theft in the US. We know that most people don't really know what it is and, unfortunately, most people think of it as a potential financial loss issue instead of the serious health risk issue that it really is.

In a just-released poll conducted by Harris Interactive, only 15% of insured U.S. adults said that they were either familiar or very familiar with the term "Medical Identity Theft." That leaves 85% that really have no good concept of what it is and why it is important to protect yourself from it.

Fraudsters who steal (or purchase on the internet) your medical identity (SSN, unique medical insurance ID, Medicare/Medicaid ID) have the potential to permanently pollute your personal medical history. Your blood type can change, your pre-existing conditions, your allergies, your prescription history....everything. And with the growing acceptance of electronic health records where your records can be transmitted anywhere in the world, this is no longer just a problem at your local provider. Even if you discover the fraud, good luck trying to get the errors corrected. The providers are very reluctant to discuss the problem, citing HIPAA privacy regulations.

So what to do? Short term you can help by helping us organize the "Coalition to Mobilize Patients to Combat Healthcare Fraud." Up until now, virtually all of the fraud fighting efforts have been left to the insurance companies, law enforcement, associations (like the National Healthcare Anti-Fraud Association-NHCAA), and some whistle-blowing efforts surrounding Medicare fraud.

This has got to change! Just like what occurred in the financial services industry many years ago where consumers were engaged to help identify and eliminate financial fraud, we have to mobilize consumers/patients to do the same in healthcare. We need to empower them with tools to help in this fight as well as educate them and their lawmakers on the scope of the problem.

We are in active discussions with a large number of organizations to make this happen, including healthcare payers, trade associations, law enforcement, consumer advocates, legislators, and companies with innovative solutions focused on the patient to help fight healthcare fraud and medical ID theft. A website for the coalition will be up soon, but in the meantime, if you are interested feel free to contact us here at HealthInfo@idexpertscorp.com.

About the Author

Bob Gregg

With over 30 years of experience in high technology and software services, Bob joined ID Experts as CEO in 2009. He is particularly interested in the emerging trends involving identity theft and privacy data breaches, with emphasis on healthcare. "Let's keep our private, confidential information just that...private and confidential"

Does Migrating to Electronic Health Records Reduce Patient Privacy?

by Rick Kam

Joe Conn of Modern Healthcare Magazine interviewed "Julie", who spoke at the 2nd International Summit on the Future of Health Privacy on June 6th, 2012 in Washington, D.C. Her story is an example of health privacy gone wrong.

Dr. Deborah Peel, CEO and Founder of Patient Privacy Rights points out why Julie's story matters.

"These stories matter for many reasons, not the least of which is that Partners is switching to Epic EHRs and Epic's CEO has openly opposed data segmentation for years. She claims it's impossible, too expensive, can't be done, etc. Partners is about to spend hundreds of millions of dollars on a failed electronic health records system.

The claim that data segmentation cannot be done is incorrect. One example is the open source consent technologies used for over 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on over 4 million people in over 8 states (the states belong to the NDIIC). Further, the state of MA has very strong laws that require consent for the disclosure of mental health information (actually all 50 states do too).

Why would Partners choose a product that fails to protect patient privacy in such a major way? This will prevent trust in doctors, hospitals, and worst---in ALL electronic systems. Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows. Any HIE or EHR that cannot selectively share data with the patient's meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment."

What is important to note is EHR systems can provide many benefits. However, stakeholders in the healthcare ecosystem need to recognize the risks to patient privacy and make the appropriate investments in privacy and security controls to protect PHI. This is the major premise of the recent white paper "The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security" which is available at the ANSI website.

Another growing aspect of protecting your health records is mobilizing patients to get more involved with their health care, which could help them improve their quality of care and be in more control. One key aspect of this is being able to see your own records. The director of the Office for Civil Rights, Leon Rodriguez, recently issued a memo that patients can take to their provider to help them get a copy of their health records and make corrections if they find inaccuracies. An important benefit of patient engagement is the ability to reduce health care fraud and medical identity theft.

The answer to the question, "Does Migrating to EHR Reduce Patient Privacy?" is: it doesn't have to.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.

Who Owns Patient Data in Electronic Health Records?

by Doug Pollack

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

The dimensions of legal ownership were investigated by Hall and Schulman in their article “Ownership of Medical Information”, published in 2009 in the Journal of the American Medical Association. They explored how property law would be only one of several “legal regimes that control the rights and responsibilities over economic goods” and that contract, tort and regulatory law would also come into play.

They discuss the overlapping rights that exist in patient health records, and note the economic obstacles that leave those who possess health records, by virtue of their IT systems, with little financial motivation to share them. They also discuss whether the patient has any rights relative to the monetization of their health data. Specifically, they ask "should patients be allowed to commercialize access to their medical information?" But they did little to answer my simple question of "who owns patient data?"

In an article aptly titled "Who owns patient data?", published in O'Reilly Radar, Trotter posits that the "notion of ownership is inadequate for health information." While it seems like it should be an answerable question, he argues that it is inherently unanswerable: "ownership is a poor starting point for health data because the concept itself doesn't map well to the people and organizations that have relationships with that data." It was with this insight that I began to realize that ownership may be the wrong question, and that the better question is who has what rights to access, modify, append, and share our health records.

A 2011 paper by Rothstein, "Debate over patient privacy control in electronic health records," published in the Bioethics Forum, explores the question (which turns out to be a genuine debate) of how much control patients have over their electronic health records. Reading Dr. Rothstein's analysis, I realize that while the number of physicians using EHRs, and of patient records housed in them, has grown exponentially, the thorny questions remain largely unresolved: exactly what rights patients have to control the sharing of their records, what mechanisms exist for sequestering highly sensitive information such as psychotherapy notes, reproductive health, sexually transmitted disease history and drug use, and how any such rights would be operationalized.

In his overview of public hearings held in Washington, D.C. in February 2011 by two advisory committees of the Department of Health and Human Services (HHS) on the privacy concerns raised by EHRs, he highlights three dimensions of patient privacy concern. While the HIPAA privacy rules are extensive, they do not appear to address any of these three concerns.

1. That healthcare providers will have access to information that they do not need to know. For example, your dentist probably doesn’t need access to your reproductive health history.

2. That individuals applying for jobs and insurance are typically required to authorize disclosure of their entire health record. Given that there are around 25 million such disclosures per year, the concern is broad and the potential for embarrassment, stigma and discrimination is high.

3. That many patients engage in defensive practices with their physicians to limit the sensitive information in their health records. So they either lie, or lie by omission, and may even risk sub-optimal medical care in order to protect the privacy of what they may view as sensitive or embarrassing information.

Rothstein goes on to describe three potential approaches to providing for patient privacy in this new era of networked EHRs. What is very scary to me, however, is that this conversation as to how to implement privacy controls is being carried on just as massive numbers of hospitals and physicians are implementing EHRs and testing their interoperability with Health Information Exchanges (HIEs) in order to capture billions of dollars in funding from the federal government via Meaningful Use grants.

He notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This position and perspective is one that is fundamentally at odds with that of patient privacy advocates.

The second annual Health Privacy Summit, organized by Patient Privacy Rights and its founder, Dr. Deborah Peel, recently took place in Washington, D.C. It brought together a who's who of experts from every area of the patient privacy ecosystem, including Joy Pritts, Chief Privacy Officer, and Farzad Mostashari, National Coordinator, from the Office of the National Coordinator (ONC) at HHS, and these exact issues were discussed. In an O'Reilly Radar article published just after the conference, "Health care privacy discussed as an aspect of patient control," Oram noted the "tension between privacy and the kind of data sharing needed to improve patient care" that existed among the speakers.

So the good news is that the question as to how patients will be able to control the accuracy of information in their health record, and the sharing of highly sensitive information that could lead to negative outcomes if shared, and potentially misused, is being discussed and debated. The “other news” is that this debate is taking place while our health information is being amassed into EHRs that are popping up at virtually every location where we are receiving medical services. It really would have been nice if such issues had been discussed and resolved PRIOR to a massive incentive plan and rollout of EHRs. But better late than never.

And of course, the question of “ownership” of our health records is one that is likely to go down as unanswerable or ultimately irrelevant. I’ll try to ask a more intelligent question next time.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Your Mobile Device – Friend or Foe?

by Rick Kam

I was at a risk summit meeting a couple of weeks ago and heard David Allen, Chief Technology Officer of Loc-aid.com talk about how people's attitudes and behavior had changed over the past few years with regards to their mobile phone. What he said was:

"People will more likely turn around and return home to get their mobile phone than their wallet if they happened to forget it".

I thought about his statement and believe it to be true. I have tested it by retelling David's story and asking my friends and family what they would do if they forgot their phone at home.

First, a little background. One of the many capabilities of mobile devices today is geolocation, the ability to determine where the device is. Under good conditions a mobile device can be located to within a few meters of its physical position pretty much anywhere on earth. The fact that over 230 million Americans carry mobile phones with them at all times, combined with geolocation, brings both opportunities for new uses and risks.

Friend or Foe?

So let's talk about some of the really cool, friendly things geolocation can help with. Have you ever misplaced your mobile phone? Many of us do, some more frequently than others. One of the great applications that exists today finds your mobile phone and shows you on a map where it is. You can see whether you left your phone at a restaurant or a friend's house, or whether it is somewhere nearby, like under the couch in your living room. Emergency services often try to find lost or missing persons by locating their mobile phone, which adds another significant benefit to this technology. There have been many stories in the news lately about people lost in the mountains or on a trail being found this way.

Another great use of geolocation is being able to use your mobile device for authentication and authorization to use applications. Some of these will be familiar, such as an online banking transaction where the bank sends a special code to your mobile phone to approve a money transfer. Others are new, such as placing a bet from the pool of a Las Vegas casino using your mobile phone. Before accepting the bet, the application would first check that you and your phone were actually in Nevada, to ensure the bet was legal.

The flip side of these benefits, and a significant risk, is what happens if or when your mobile device is lost or stolen and then used as your credential to access your online banking account or your systems at work. Criminals could pretend to be you if they had your mobile phone along with some of your identity (name, passwords, phone book, and so on).
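To make the two paragraphs above concrete, here is an added example (not code from the original post, and not Loc-aid's or any bank's implementation) of a server-side authorization check for a location-gated transaction like the casino bet. It assumes the server receives, from an enrolled phone, a one-time code, the user's PIN and a device-reported latitude/longitude; the Nevada polygon is a rough constructed approximation, not legal boundary data. The PIN is the piece that addresses the "foe" case: a thief holding the phone can produce a valid one-time code and a valid location, so possession of the device alone must never be sufficient.

```python
"""Layered authorization for a location-gated mobile transaction (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Tuple

# (lat, lon) vertices: a constructed approximation of Nevada, not real boundary data.
NEVADA_APPROX: List[Tuple[float, float]] = [
    (42.0, -120.0), (42.0, -114.0), (37.0, -114.0), (35.0, -114.6), (39.0, -120.0),
]


def point_in_polygon(lat: float, lon: float, polygon: List[Tuple[float, float]]) -> bool:
    """Ray-casting test: a point is inside if a ray cast east from it crosses an odd number of edges."""
    inside = False
    j = len(polygon) - 1
    for i, (lat_i, lon_i) in enumerate(polygon):
        lat_j, lon_j = polygon[j]
        if (lat_i > lat) != (lat_j > lat):          # edge spans the point's latitude
            crossing_lon = (lon_j - lon_i) * (lat - lat_i) / (lat_j - lat_i) + lon_i
            if lon < crossing_lon:                   # crossing lies east of the point
                inside = not inside
        j = i
    return inside


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1): the possession factor."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the PIN: the knowledge factor a phone thief does not have."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Device:
    device_id: str
    totp_secret: bytes   # provisioned when the phone was enrolled (assumed)
    pin_salt: bytes
    pin_hash: bytes


def authorize_bet(device: Device, code: str, pin: str, lat: float, lon: float,
                  now: int, geofence=NEVADA_APPROX) -> Tuple[bool, str]:
    """Allow the transaction only if all three checks pass; say which one failed."""
    # 1. Possession: the code must come from the enrolled phone. Accept the current
    #    and the previous 30-second window to tolerate clock skew; compare in constant time.
    if not any(hmac.compare_digest(totp(device.totp_secret, now - skew), code)
               for skew in (0, 30)):
        return False, "bad_code"
    # 2. Knowledge: a stolen phone alone must not be enough to act as the user.
    if not hmac.compare_digest(hash_pin(pin, device.pin_salt), device.pin_hash):
        return False, "bad_pin"
    # 3. Jurisdiction: the reported position must fall inside the geofence.
    if not point_in_polygon(lat, lon, geofence):
        return False, "outside_jurisdiction"
    return True, "ok"


if __name__ == "__main__":
    salt = b"constructed-salt"                      # constructed sample enrollment data
    phone = Device("phone-1", b"12345678901234567890", salt, hash_pin("4242", salt))
    now = 1_000_000_000
    code = totp(phone.totp_secret, now)
    print(authorize_bet(phone, code, "4242", 36.17, -115.14, now))   # Las Vegas
    print(authorize_bet(phone, code, "4242", 34.05, -118.24, now))   # Los Angeles
```

One caveat a practitioner should keep in mind: the geofence check above trusts a coordinate the handset reports, and a rooted phone or a "fake GPS" app can place the device anywhere. Where the location check has legal weight, the position should come from the carrier network (cell-based lookup) or at least be cross-checked against the connection's IP address and cell identifier rather than taken from the device's own GPS fix.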

How do you protect yourself against the risks? Thirteen experts weigh-in on ways to protect your mobile device at work and at play.


About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity at the University of Texas at Austin.

The Dangers of Bring Your Own Device (BYOD) in Healthcare

by Richard Santalesa

There's no doubt mobile devices are making great contributions to healthcare services and patient interaction. And the trend will only continue given the continuous influx of increasingly powerful, inexpensive smartphones, tablets and other mobile devices. The Bring Your Own Device (BYOD) phenomenon is posing a direct and significant challenge for IT everywhere and in particular healthcare providers. Given human nature, even firm and clear infosec policies are bound to be sidestepped. And one particular area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device - not IT. In short, accept that BYOD will, at some level, be used, with or without authorization, and focus on the security issues raised to minimize the risk of loss, theft or disclosure of PHI.

An often unappreciated BYOD danger is not merely the use of such devices (savvy users can and often will configure their own devices to access work email and documents, with the best of intentions) but their replacement and upgrade. Most smartphone users on individual plans are entitled to a "free" upgrade at regular, but uncoordinated, intervals, in exchange for being locked into a service contract for a defined term of years, and what happens to the device that comes offline is almost always overlooked. Once a user upgrades, the old device gets little or no thought: it is typically given to a child to play with, donated to a charity or handed down to another family member, in many cases without anyone confirming that it has been wiped, potentially leaving sensitive and confidential data intact.

The result is a constant stream of devices going offline within any company's BYOD population that are treated casually yet pose significant data breach risk. In addition, the next generation of low-cost tablets, for example the inexpensive and very capable Kindle Fire, can run corporate Android email clients such as TouchDown, which more savvy users may install and configure, even though such tablets are often treated casually when it comes to security and in stock form provide minimal security or encryption capabilities.

Healthcare organizations should work to get ahead of the "BYOD upgrade" curve and as part of any BYOD initiative make sure that the dates of any user's plan "renewal" or free upgrade cycle are tracked in some fashion and that devices coming offline are adequately secured and checked before disposal or donation.

About the Author

Richard Santalesa

Richard Santalesa is Senior Counsel at the Information Law Group, representing clients on electronic commerce and internet issues, privacy and data security, outsourcing, and software and website development transactions. With over 20 years of technology experience, Richard began his career as a computer programmer on Wall Street and later covered the technology field as an award-winning journalist, editor and analyst covering security, internet, hardware, software and wireless issues. As a journalist he’s held the positions of executive editor of NetGuide, editor in chief of Windows User, and technical editor of Computer Shopper.

ID Experts RADAR Wins Best Privacy Technologies of 2012 Award

by Mahmood Sher-jan

Today I had the honor of accepting the Best Privacy Technologies of 2012 Award on behalf of my entire ID Experts RADAR team. This is recognition of our success in creating an intuitive, simple-to-use solution that addresses a very complex problem: compliance with HIPAA/HITECH and state data breach laws for the healthcare industry. RADAR's growing adoption by covered entities, and now this acknowledgement by the Health Privacy Summit, is a testament to the value of RADAR as a privacy incident management (PIM) tool that properly balances regulatory compliance and patient protection.

The Health Privacy Summit featured Dr. Farzad Mostashari of ONC as the keynote speaker on the first day. He stressed that the government is doing everything possible on the culture, technology, and policy fronts to ensure the privacy and security of PHI. Another of his messages was that vendors play an important role in ensuring patient privacy: privacy can't be layered on after the fact but must be part of the product design. Mostashari stressed what he called the three As:

- Access – patients must have access to their data (e.g. lab results delivered directly to them)

- Attitudes – must change on the part of providers when patients request their medical information

- Action – applications to help patients make better use of their data.

Additionally, I was struck by the amount of divergent perspectives on some of the panels, among lawyers, regarding HIPAA privacy and security provisions. Patient consent and secondary use of patient data was a recurring source of debate and disconnect throughout the event.

One area of agreement during the summit was that nobody reads or understands the detailed privacy policies posted or handed out. Jim Pyles presented the Patient Privacy Bill of Rights as a suggested blueprint based on the White House's recently published Consumer Privacy Bill of Rights. The other consensus was that we are rushing to implement EMRs but have not done enough to design in the necessary privacy and security controls, and that this will result in more data breaches and less patient protection. I think this is another reason why tools like RADAR will be necessary to ensure effective compliance and patient protection.

You can view the press release here.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

2012 Information Security Assessment Market Report

by Chad Boeckmann

Secure Digital Solutions, a professional services organization headquartered in Minneapolis, Minnesota, recently surveyed 122 information security and privacy leaders to determine how organization size, regulatory responsibility, program maturity, and investment spending are related. The study examined six key components of an information security and compliance program:

  1. Understanding of Regulatory and Data Security Requirements
  2. Policy & Procedures
  3. Expertise within Data Security & Compliance Program
  4. Regular Monitoring & Assessment
  5. Timely Remediation (within 90 days of gap finding)
  6. Technical Control Adoption/Implementation

The study found that eight out of ten respondents have established a control framework to address information security and privacy related requirements. Of these, the largest group report using industry control frameworks such as ISO 27001:2005, COBIT or NIST.

In addition to the control frameworks the study also examined who in the organization the information security office reports to. The majority of respondents indicate it as a function within the information technology department.

Organizations continue to struggle with understanding the regulatory landscape, but see the need to invest in this area to move the overall program closer to an optimized state.  As experienced by many businesses, regulations often provide the necessity for action; however, improvement of processes, reporting of control compliance, and efficiency in control remediation and risk acceptance, are all practices that are under scrutiny by regulators and corporations alike.  Most organizations understand the necessity for these practices to allow business to remain flexible and respond to market demands while maintaining and achieving a continual state of compliance. These are also areas where improvement is likely to continue over the next 12-18 months.

To read the full report visit here.

About the Author

Chad Boeckmann

Chad Boeckmann is the founder and president of Secure Digital Solutions (SDS). With over 15 years of information security experience, Mr. Boeckmann established SDS in 2005 as an organization that provides value to clients through vendor-neutral services tailored to business goals and objectives. Mr. Boeckmann is a former Board Member of ISSA (Information Systems Security Association) and presently a member of ISACA (Information Systems Audit and Control Association). He is CISSP and CISA certified and still actively participates in client projects.

Your Health Data: More Valuable than you thought

by Christine Arevalo

This Bloomberg Businessweek article caught my eye: What Happens When My Health Data Falls Into the Wrong Hands

One reason medical providers are breached more than any other type of organization, (including retailers and government agencies) is because of the valuable sensitive data contained in our medical records.

The Privacy Rights Clearinghouse, a nonprofit consumer rights group, has recorded 690 breaches involving a total of 23 million records from medical providers since 2005. That is a lot of patient data exposed.

Most consumers are by now aware of the devastating consequences of financial identity theft – ruining credit ratings, creating anxiety and stress, and taking hundreds of hours to unravel. What is much less understood are the farther reaching effects of compromised personal health information (PHI). Aside from the embarrassment of a medical condition or treatment being exposed, there are very real risks to patients. Ranking at the top of that list is medical identity theft, but this article covers others, such as being billed for treatment never received, insurance fraud, stolen health data used for financial scams, blackmail, as well as job and insurance discrimination.

The National Health Care Anti-Fraud Association (NHCAA) is probably the leading resource on the topic of health care fraud. It states that "Medical identity theft frequently results in erroneous information being added to a person's medical record, or even the creation of an entirely fictitious medical record in the victim's name." Victims can end up with polluted medical records, depleted insurance benefits, or worse: mistreatment that leads to death.

Knowing what to do when your records are exposed presents even more challenges. As the article states, "Because there is no centralized database of health records, there isn't a single easy way to watch for changes in your health files". So patients are left with a year of credit monitoring and advice to manually check their explanation of benefits (EOB) statements for errors. Not overly helpful in my opinion.

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Considering putting PHI in the Cloud?

by Rick Kam

Many entities are thinking about migrating their applications and PHI to the cloud. While there are many benefits to doing this, there are also risks.

Some of the benefits of cloud computing are:

  1. Lower operating cost
  2. Faster implementation
  3. Quickly adjust capacity
  4. Ability to handle "spikes" in resource requirements
  5. Ability to have temporary computing capacity for a special project

With all of these benefits, entities must also be aware of the risks and how to mitigate them.

In cloud computing, where shared resources — hardware infrastructure, software, and data storage — are constantly changing hands among different users, securing PHI is like shooting at a moving target. With the exception of a private cloud environment, covered entities have little or no control where or how their data is moved, processed, and stored.

This lack of control presents compliance issues for the covered entity. As noted in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA), the covered entity is as responsible for the security of its PHI on the cloud as it is for PHI in its own environment. What's more, the report says, both the covered entity and the cloud provider could be subject to penalties under HIPAA and/or state regulations for a breach of PHI.

So what can you do to protect PHI in the cloud?

While covered entities have little control over the security of their PHI in a cloud environment, they can control their response to a data breach. An inventory of personally identifiable information (PII) and PHI, together with privacy and security risk assessments, can help demonstrate compliance and mitigate the impact of a data breach. Likewise, health entities should adopt an incident response plan that defines roles and responsibilities for team members during a privacy event and provides instructions for determining notification requirements, including notification of regulatory authorities. And, of course, nothing can replace an organization's commitment to its patients, be it through caring, appropriate notification, consumer education, medical identity monitoring and recovery, or other remediation services.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity at the University of Texas at Austin.

Homeland Security Warns of Healthcare Privacy Risks from Medical Devices

by Doug Pollack

The U.S. Department of Homeland Security recently issued an alert titled "Attack Surface: Healthcare and Public Health Sector" that details security risks within the healthcare world resulting from devices connected to organizations' enterprise networks. The expansion of risks to patient privacy that has come with the massive adoption of mobile devices such as iPhones and iPads, not to mention USB drives, is staggering. DHS highlights the overall immaturity of the security tools available for, and in use with, these devices.

The report, from the National Cybersecurity and Communications Integration Center, stated that "the expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of MDs [medical devices] opens up both new opportunities and new vulnerabilities to patients and medical facilities." It goes on to state that "smartphones with poorly designed security protections are frequently connected to medical IT networks and provide a new vector for malware transmission."

While the threats that result from medical use of mobile technologies may seem daunting enough, further risks come into play with wirelessly connected implantable devices. In an interview with eWeek, Mac McMillan, CEO of healthcare security firm CynergisTek and chair of the HIMSS Privacy and Security Policy Task Force, noted that "implantable devices can present a real danger to patients through interruption of their function, tampering with their communications or by causing them to act or perform in a manner that is harmful to the person they are attached to."

As an example, the eWeek article notes that "the DHS report mentioned a demonstration at the 2011 Black Hat conference in which security researcher Jay Radcliffe, who is a diabetic, was able to shut down or change the settings on an insulin pump without the patient's knowledge." The fact that examples of this sort are being demonstrated at security conferences should be a wake-up call for everyone involved in building out the next generation of mobile healthcare technologies: privacy and security must be built in from the start, rather than bolted on once there have been, shall we say, "negative outcomes."

About the Author

Doug Pollack

CIPP, MBA. With over 25 years' experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Net Diligence – Cyber Risk & Privacy Liability Forum

by Jeremy Henley

At the beginning of June, Net Diligence, a widely known organization in the cyber liability insurance world, will hold its third annual conference to discuss the latest trends and analysis of cyber risk from an insurance perspective. I have been invited to speak on a panel moderated by John Mullen. Our group will take 60 minutes to talk about data breach preparedness and the day-by-day actions needed to survive the first 30 days of data breach hell. Some of the high points that will be covered:

  • Key things to have in place, ahead of time
  • The players you need to have in place
  • Preparing a timeline and what are the steps and issues at each step
  • Stumbling blocks at each

The audience at past events has been full of insurance agents and brokers; insurance carriers are generally represented by their underwriting, marketing and claims departments; and the balance of the group is risk managers and privacy breach vendors like ID Experts.

If you have any questions or comments on cyber insurance selection and how it plays into your overall data breach risk mitigation strategies, feel free to contact me Jeremy.henley@idexpertscorp.com.

About the Author

Jeremy Henley

Jeremy Henley is an Insurance Solutions Executive for ID Experts. He has been certified by the Health Care Compliance Association in healthcare privacy and compliance and brings 11 years of sales and leadership experience to the ID Experts team.

What is the ROI of your Privacy and Security Initiatives?

by Rick Kam

Has your CEO or CFO asked you the question "What is the ROI of your privacy/security initiatives?"

Over the past few years, this question has been put to privacy and security professionals in healthcare and other industries. Unfortunately, it has not been easy to answer, because the ROI calculation requires a fundamental piece of information: the value of the data you are protecting.

What is your health record worth?

This is one of the key questions answered by the white paper "The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security". The approach was developed as part of the PHI Project which was sponsored by the American National Standards Institute (ANSI), The Santa Fe Group Shared Assessments Program, and the Internet Security Alliance. Over 100 experts from private industry, academia, and government helped develop an approach to answer these questions:

  1. What is the "value at risk" of PHI/PII?
  2. What is the appropriate level of investment in privacy and security initiatives to protect PHI/PII?
  3. What is the ROI of those investments?

The PHI Report was published on March 5, 2012 and is available for free download at webstore.ansi.org/phi.
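The three questions above can be worked through with a simple annualized-loss model. The following is an added example, not the PHI Project's own method (the report defines its own approach); it is the generic ALE / return-on-security-investment model, and every number in it is a constructed placeholder rather than a figure from the report. The per-record cost and the annual breach probability are exactly the inputs the post says are hard to come by; once you have them, the rest is mechanical.

```python
"""Value at risk, loss avoided and ROSI for candidate controls (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DataClass:
    name: str
    records: int
    cost_per_record: float            # assumed all-in cost per exposed record
    annual_breach_probability: float  # assumed likelihood of a breach in a year


@dataclass
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction by which it cuts breach likelihood
    impact_reduction: float       # fraction by which it cuts per-record cost


def value_at_risk(d: DataClass) -> float:
    """Question 1: single-loss expectancy, what one breach of this class would cost."""
    return d.records * d.cost_per_record


def annual_loss(d: DataClass, c: Optional[Control] = None) -> float:
    """Expected yearly loss (ALE), with or without a control applied."""
    impact = value_at_risk(d)
    prob = d.annual_breach_probability
    if c is not None:
        impact *= 1.0 - c.impact_reduction       # e.g. encryption shrinks the loss
        prob *= 1.0 - c.probability_reduction    # e.g. training shrinks the odds
    return impact * prob


def loss_avoided(data: List[DataClass], c: Control) -> float:
    """Question 2: the most a control is worth per year is the loss it avoids."""
    return sum(annual_loss(d) - annual_loss(d, c) for d in data)


def rosi(data: List[DataClass], c: Control) -> float:
    """Question 3: return on security investment = (loss avoided - cost) / cost."""
    return (loss_avoided(data, c) - c.annual_cost) / c.annual_cost


def rank_controls(data: List[DataClass], controls: List[Control]) -> List[Control]:
    """Order candidate controls by ROSI, best first."""
    return sorted(controls, key=lambda c: rosi(data, c), reverse=True)


if __name__ == "__main__":
    # Constructed sample inputs; not figures from the PHI Project report.
    data = [DataClass("patient records", records=100_000, cost_per_record=200.0,
                      annual_breach_probability=0.10)]
    controls = [
        Control("laptop full-disk encryption", 150_000.0, probability_reduction=0.0, impact_reduction=0.5),
        Control("workforce privacy training", 50_000.0, probability_reduction=0.3, impact_reduction=0.0),
    ]
    for d in data:
        print(f"{d.name}: value at risk ${value_at_risk(d):,.0f}, expected loss ${annual_loss(d):,.0f}/yr")
    for c in rank_controls(data, controls):
        print(f"{c.name}: avoids ${loss_avoided(data, c):,.0f}/yr, ROSI {rosi(data, c):.2f}")
```

The separation of probability reduction from impact reduction is deliberate: a control such as encryption does nothing about how often laptops are lost but can take a lost laptop out of the "reportable breach" category entirely, while training lowers the odds of an incident without changing what one costs. Keeping the two apart makes the model's assumptions auditable when the CFO asks where the number came from.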

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity at the University of Texas at Austin.

Balancing Health Exchange Benefits with Patient Privacy Concerns

by Doug Pollack

A recent article in Bloomberg Businessweek discusses the brewing controversy over whether the potential benefits of health information exchanges outweigh the threats these interconnected data networks pose to the privacy of patient information. The general concern of average patients seems to be that the government has not proven diligent or capable to date in maintaining the privacy of our personal information, as prominent data breaches show, and that concern is only heightened by the thought of these exchanges holding our most sensitive and personal health details.

One of the most interesting issues that is noted in this article regards whether patients are providing their consent, or not, to having their health information shared within a health information exchange (HIE). Based on current law the treatment of patient consent, a key privacy issue, is determined at the state level rather than by federal law. 

"A gap in federal law lets states set their own rules about whether to tell patients their medical data are being shared with an exchange and whether to let people opt out. The result: Many exchanges in the U.S. give patients no choice about such matters, according to the EHealth Initiative, a nonprofit organization that researches health-care technology. Many people don't know their medical files have been shared with an exchange, and they may not have a choice about having them removed." 

And even when state law requires notification of patients and an explicit "opt in" for participation in these exchanges, that does not ensure that healthcare entities are diligent in carrying out the requirement.

"Devore Culver, chief executive of HealthInfoNet, the nonprofit that runs Maine's exchange, said many medical professionals had been ignoring a requirement the exchange imposed at its launch in 2008 that they alert patients. "

And as we all know, just because you're paranoid doesn't mean they aren't out to get you. Patients are certainly concerned about personal health details being exposed through a data breach. Many breaches occur by accident and are not malicious. But because health information also has market value, there is every reason to be concerned about those with malicious intent. Healthcare fraud and medical identity theft are growing crimes, and they often hit the most vulnerable individuals, the sick and the elderly.

"Medical identity theft, a form of insurance fraud in which thieves masquerade as others to receive treatments, affects 1.5 million people in the U.S. every year, according to the Ponemon Institute, an independent research organization."

About the Author

Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

The Main Thing

by Heather Pixton

It was Stephen R. Covey who said, "The main thing is to keep the Main Thing the main thing." I have been using this as my mantra for a few weeks now and find that it applies quite nicely to most areas of my life. For example, when my daughter spikes a fever three days before our family vacation, I breathe and focus on the main thing: helping her get well. The family vacation will work itself out.

I could go on, but the one I think you are waiting for is this: a data breach hits and I am paralyzed by the overwhelming task ahead of me. I recognize the daunting "to do" list, the looming risk of regulatory fines, the watchful eyes of the executive team waiting to see what solution I come up with, and let's not talk about the indigestion that sets in just thinking about the complaints I will get from patients. Does any of this sound familiar?

So, let's apply Stephen Covey's wisdom to this scenario to maintain perspective. The "Main Thing" in this scenario can be found in the mission statement of your organization. Is your company based on a foundation of medical excellence and quality care, or a mission of care and compassion? When you are faced with important decisions that will have a direct impact on the patient, start by asking "What would the founders of this organization do?"

We promise an uncompromising commitment to excellence and quality in the delivery of personal and compassionate health care. (Botsford)

Catholic Health Partners extends the healing ministry of Jesus by improving the health of our communities with emphasis on people who are poor and under-served. (Catholic Health Partners)

To improve the health of the communities we serve. We commit our skills and resources to the benefit of the whole person by providing the finest in health care, while addressing the physical, emotional and spiritual needs of individuals and their families. (Fairview Health Services)

After reading the mission statements of these hospitals, I am reminded why data breach response is so important within healthcare. The founders of these organizations, whether they are from a spiritual foundation or not, have a genuine concern for the health and well-being of each individual as well as the community. So the "main thing" to consider when responding to a data breach in healthcare might be to put yourself in the shoes of the individual and ask yourself how YOU would want to be treated. Do you want to be treated like a number or a person? Do you want to be left feeling taken advantage of or taken care of?

With this in mind, I have created a list of things to consider when responding to a data breach of protected health information:

  1. Has your letter been reviewed by a PR firm or Crisis Communication firm to assess the readability or impact of the letter?
  2. Have you offered a way to actually help or care for the people who were impacted? In other words, are you offering to fix the problem?
  3. Have you considered the unique characteristics of the affected population and how they may perceive the incident?
  4. Have you developed an internal communication plan so that your workforce knows how to answer questions from patients?
  5. Is your assistance "real" or "automated"? Are you providing your patients with a real person to talk to who is skilled at crisis communication?
  6. Are you hiding anything? Now is not the time to try to brush things under the rug, so are you really showing your patients respect by being honest with them?

It is always a good idea to be reminded that Healthcare is an industry of CARE. So in keeping with Stephen Covey's mantra, the "main thing" is caring for the patients and a data breach is another opportunity to shine in the eyes of your patients by truly considering their needs.

About the Author

Heather Pixton

Heather Seward came to ID Experts with 12 years of experience in sales and marketing, and is using her experience to grow new territories for the company. Heather will encourage this growth through securing strategic partnerships and developing strong relationships in the industry. Before joining ID Experts, Heather was President of a successful small business, managing a variety of tasks including sales, marketing, and operations. Heather has a BA from Southern Oregon State College.

Immediate Priority - Needs of the Victims

by Christine Arevalo

While my colleague, Rick Kam, was discussing data breach preparedness strategies with InformationWeek Healthcare in relation to Utah's current data breach, the state was issuing a call for proposals for crisis communications services in response to that incident.

Here is what we know:

  • On March 30, a configuration error at the password authentication level allowed the hacker, located in Eastern Europe, to circumvent the security system of the Utah Department of Technology Services (DTS)
  • Authorities initially estimated that only 25,096 individuals were affected
  • On Monday DTS, along with the Utah Department of Health (UDOH), announced that an additional 255,000 people had their Social Security numbers (SSNs) stolen
  • DTS officials said the 280,096 victims were individuals whose information was sent to the state by their healthcare provider in a transaction called a Medicaid Eligibility Inquiry, used to determine their status as possible Medicaid recipients
  • Another 500,000 individuals had less sensitive personal information stolen, comprising names, addresses, dates of birth, and medical diagnostic codes
  • That brings the final tally to roughly 780,000 individuals affected by the DTS breach

DTS acknowledges that the data still needs to be de-duplicated, a process that can shrink those final figures by matching data elements to individual identities. This step is important for properly determining the scope of the incident, i.e. who is truly affected and which data elements were exposed for each of them, in addition to any other forensic analysis that must be undertaken.
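The de-duplication step described above, as an added illustration that is not part of the original post and does not reflect how DTS actually processed its data: several compromised datasets are merged into one population, each person is counted once, and each person is assigned the most sensitive exposure tier of any record that names them. The records, field names and tier labels are constructed for the example; the matching rule (SSN when present, otherwise normalized name plus date of birth, with SSN-less records resolved through name and date of birth when another record supplies the SSN) is an assumption, not a documented method.

```python
"""Constructed example: de-duplicate an affected population across datasets.

Nothing here is real breach data. Records, names and tier labels are made up.
Matching rule (an assumption for the example): prefer the SSN as the identity
key; fall back to normalized name + DOB; and resolve SSN-less records through
name + DOB when another record for the same person carries the SSN.
"""
import re
from collections import Counter

# Higher rank = more sensitive data exposed for that person.
TIER_RANK = {"demographic": 1, "diagnosis": 2, "ssn": 3}
RANK_TO_TIER = {rank: tier for tier, rank in TIER_RANK.items()}


def normalize_ssn(value):
    """Strip punctuation; return a 9-digit string, or None if absent/malformed."""
    if not value:
        return None
    digits = re.sub(r"\D", "", value)
    return digits if len(digits) == 9 else None


def normalize_name(value):
    """Collapse case, punctuation and word order so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", value.lower())))


def dedupe(records):
    """Return {identity_key: highest_tier_rank} after merging all records."""
    # Pass 1: learn name+DOB -> SSN from every record that carries a valid SSN.
    name_dob_to_ssn = {}
    for rec in records:
        ssn = normalize_ssn(rec.get("ssn"))
        if ssn:
            name_dob_to_ssn[(normalize_name(rec["name"]), rec["dob"])] = ssn

    # Pass 2: key every record; an SSN-less record whose name+DOB is known
    # from pass 1 collapses onto the SSN-keyed identity instead of a new one.
    population = {}
    for rec in records:
        name_dob = (normalize_name(rec["name"]), rec["dob"])
        ssn = normalize_ssn(rec.get("ssn")) or name_dob_to_ssn.get(name_dob)
        key = ("ssn", ssn) if ssn else ("name_dob",) + name_dob
        rank = TIER_RANK[rec["tier"]]
        if rank > population.get(key, 0):
            population[key] = rank  # keep only the most sensitive exposure
    return population


def tier_counts(population):
    """How many unique people must be notified at each exposure tier."""
    return Counter(RANK_TO_TIER[rank] for rank in population.values())


# Constructed sample: 7 raw records describing only 4 distinct people.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "dob": "1980-01-02", "ssn": "123-45-6789", "tier": "ssn"},
    {"name": "DOE, JANE", "dob": "1980-01-02", "ssn": "123456789", "tier": "ssn"},  # same person, different formatting
    {"name": "John Q. Public", "dob": "1975-06-30", "ssn": "987-65-4321", "tier": "ssn"},
    {"name": "Jane Doe", "dob": "1980-01-02", "ssn": "", "tier": "diagnosis"},  # also in the SSN set: count once, at tier "ssn"
    {"name": "Ann Smith", "dob": "2005-03-15", "ssn": None, "tier": "diagnosis"},
    {"name": "Ann Smith", "dob": "2005-03-15", "ssn": "", "tier": "demographic"},  # duplicate at a lower tier
    {"name": "Bob Lee", "dob": "1990-11-11", "ssn": "12-34", "tier": "demographic"},  # malformed SSN -> name+DOB key
]


def summarize(records):
    """(raw record count, unique people, {tier: unique people at that tier})."""
    population = dedupe(records)
    return len(records), len(population), dict(tier_counts(population))


if __name__ == "__main__":
    raw, unique, by_tier = summarize(SAMPLE_RECORDS)
    print(f"raw records: {raw}, unique people: {unique}, by tier: {by_tier}")
```

The point of the two-pass match is the Jane Doe case: she appears in the SSN dataset and again, without an SSN, in the diagnosis dataset. A naive key-per-record count would notify her twice and understate her exposure in one of the letters; the merged population notifies her once, at the highest tier.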

UDOH has hired two independent auditing firms to analyze the state's data security and storage systems and to monitor efforts to notify and protect victims. This kind of independent review is also commendable, since it helps ensure the affected population is accurately identified and notified of the risks their compromised data carries.

Additional measures appear to be underway to "rebuild trust with the public, specifically those who were directly impacted by the breach and those who rely on the [Utah Department of Health] for critical health services" based on a bid proposal released May 11. These steps include a comprehensive communications plan and a host of outreach methods to the various constituents.

I also appreciated the comment of Tom Hudachko, spokesman for UDOH. He shared that they have given thought to the potential fines they could face, but that their immediate priority is the needs of the victims. That is the right mindset to have in the face of a crisis such as this.

The fact that children's identity information was part of the compromised data is also troubling; some of the hacked data comprised records of Children's Health Insurance Plan (CHIP) recipients. Troubling because, according to Suzanne Barber, Director of the UT Center for Identity, "There have been studies that children are 51 times more at risk for their identity being stolen..." Children and identity theft is a concerning enough issue that The Center for Identity at the University of Texas has created a task force, to be led by Texas Comptroller Susan Combs, that will work to counter it.

What will happen in terms of regulatory investigations, fines, and penalties is anyone's guess; but hats off to UDOH. This is the kind of positive attitude that could help Utah overcome this matter with limited collateral damage. Having compassion for the individuals affected, offering a variety of services, and communicating thoroughly are all good strategies for managing this kind of crisis.

The full story can be found here: InformationWeek Healthcare

About the Author

Christine Arevalo

Christine is a founding employee of ID Experts and leads industry initiatives around healthcare identity management. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for ID Experts clients.

Data Breach Notification Challenges at Global Payments

by Doug Pollack

For more information on digital forensics in healthcare sign up for our upcoming webinar: Digital Forensics: Key to Successful Healthcare Data Breach Response - Thursday, May 31, 2012

This past week, the data breach at Global Payments has been back in the news. Recent reports by the Wall Street Journal and Krebs on Security indicate that the number of credit card accounts affected by the breach may be on the order of five times (5X) the number initially determined, over 7 million. Why is it that, so often in data breach situations, the number of people found to be affected increases so dramatically as further analysis is performed?

At the core of this question, possibly, is whether the level of forensic analysis carried out, if any, is sufficient to accurately determine the extent of the breach. In other words, was the initial scope of digital forensics sufficient to identify the people and data that were subject to unauthorized exposure? And then, based on that information, does the affected set of customer records meet the legal requirements for notification? Obviously this is not a simple equation to calculate, or we wouldn't see such wide fluctuations in the estimated number of affected individuals.

A question to consider in looking at such cases is whether the current emphasis on notifying people quickly, "without undue delay" as many statutes require, is making the entire process of communicating with data breach victims more haphazard and ultimately more confusing than is necessary or helpful. In this particular instance, it is not unreasonable for consumers affected by the breach to wonder just how accurate the information they are receiving from Global Payments is, given that its initial calculation of which cardholders were impacted turned out to be so inaccurate.

I think that lawmakers and regulators need to consider the tradeoffs and tension between a requirement for prompt notification of individuals and the need to accurately analyze and assess both the affected population and the data fields of those individuals that were exposed. While a delay in notifying individuals that their personal information was breached can lead to more extensive harm for them, an incomplete or cursory digital forensic analysis of the data can lead to exactly this type of situation, where the breach becomes a "moving target".

Maybe the lesson here is that additional investment in proper forensic analysis, combined with an assessment of the associated legal notification obligations, during the "analysis phase" of a data breach incident response can yield significant dividends down the line, in the form of precise, consistent, and proportionate remediation for the consumers who have been exposed.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.

Does HIPAA Require Forensics Investigation?

by Mahmood Sher-jan


Healthcare IT News recently interviewed me for an article, 5 Reasons to Use Forensics, about the reasons for using digital forensics as an investigation tool when an electronic incident is discovered. There is some mystery around the term computer forensics, since to many non-geeks forensics can be hard to grasp.

Forensics is used to uncover the truth: the root cause of what happened and how it happened. I was recently asked whether HIPAA requires a forensics investigation after an incident. I gave the same answer I give when asked whether HIPAA requires encryption: no, as long as you have implemented or conducted a reasonable and sufficient alternative and documented why. (Under the HIPAA Security Rule, encryption is an "addressable" implementation specification, so a covered entity that does not implement it must document its rationale and any equivalent measure; having security incident response and reporting procedures, on the other hand, is a required specification, and the forensics question is really about how credibly those procedures are carried out.) When a regulatory agency like HHS/OCR investigates a covered entity after a breach, it asks for documented actions taken by the entity to determine the root cause of the incident and the steps taken to prevent it from happening again. Forensics is an invaluable tool for ensuring a credible and compliant incident response and for protecting your reputation. The time to consider your forensics options is well before an incident happens, so it is best to explore your internal and external options now and update your incident response plan accordingly.

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.

Using digital forensics after a data breach can save your organization $

by Erika Tansey


The ID Experts Data Breach Examiner recently published an interesting article on the key benefits of performing a forensics investigation after a data breach. I found several of the cost-saving benefits surprising and have highlighted a couple of the key points below.

  1. An outside forensics investigation preserves critical evidence of the data breach. A proper forensics investigation uses specific methods to protect the evidence of the attack so the organization can best defend itself against regulatory fines and litigation. After an incident is suspected, the natural reaction of the IT department is to quickly remove the offending malware and patch the security gap. According to Winston Krone at Kivu Consulting, this knee-jerk reaction often makes it harder to determine what actually happened and may make the breach response more complicated: re-imaging a host or deleting the malware before it has been captured destroys the volatile memory, timestamps and attacker artifacts that establish which data was actually accessed.
  2. Forensics analysis can save notification costs. A quick, accurate identification of the data compromised allows organizations to correctly notify the appropriate individuals the first time and avoid damaging public misstatements. Krone said forensics investigations often determine that the scope of loss was smaller than originally suspected, or that the incident was not a breach requiring notification at all.
  3. Regulators want details on the data breach incident. State and federal regulators are starting to require that organizations provide fuller explanations of the breach incident, its causes, and what the organization has done to prevent future losses. Forensics analysis provides organizations with third-party expert analysis and proof that the organization is taking the appropriate steps.

Krone recommends building forensics into your organization's incident response plan so everyone knows what to do should an incident occur.
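One concrete piece of the "preserve the evidence before cleaning up" advice in point 1 above, as an added example that is neither the article's nor Kivu Consulting's: before anyone touches a suspected host, the collected artifacts (log exports, a memory dump, a disk image) are hashed and recorded in a manifest with who collected them and when, so that later analysis, or a regulator, can show the evidence has not changed. File names, the collector name, the case identifier and the single log line are constructed for the example; the manifest format is an assumption, not any firm's standard.

```python
"""Constructed example: an evidence-preservation manifest with tamper detection.

Everything here (paths, the collector, the case id, the log line) is made up.
The manifest layout is an assumption for illustration, not a standard format.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Record hash, size and mtime of every file under evidence_dir.

    Keep the manifest itself outside evidence_dir; verify_manifest() treats any
    file it does not know about as an integrity problem.
    """
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            items.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Hash over the canonical manifest body. Sign or escrow this value out of
    # band (a ticket, a printed chain-of-custody form) so the manifest cannot be
    # silently regenerated after the fact.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return (kind, relative_path) for every modified, missing or unexpected file."""
    problems = []
    expected = {item["path"]: item for item in manifest["items"]}
    for rel, item in expected.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != item["sha256"]:
            problems.append(("modified", rel))
    present = set()
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), evidence_dir))
    for rel in sorted(present - set(expected)):
        problems.append(("unexpected", rel))
    return problems


def demo():
    """End-to-end run on constructed evidence: collect, manifest, 'clean up', verify."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
            # Constructed log line, not from any real system.
            f.write("Mar 30 02:14:07 host1 sshd[4121]: Accepted password for svc_admin from 203.0.113.7\n")
        with open(os.path.join(evidence_dir, "memory.raw"), "wb") as f:
            f.write(os.urandom(4096))  # stand-in for a memory capture

        manifest = build_manifest(evidence_dir, collector="j.analyst", case_id="CASE-0001")
        clean = verify_manifest(evidence_dir, manifest)

        # The well-meaning clean-up happens after collection: a log is edited
        # and the memory capture is deleted. Both are now detectable.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
            f.write("Mar 30 03:00:00 host1 sshd[4121]: session closed\n")
        os.remove(os.path.join(evidence_dir, "memory.raw"))
        tampered = verify_manifest(evidence_dir, manifest)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest does not stop anyone from re-imaging the box; it makes the loss visible and dated, which is what the organization needs when it later has to explain to a regulator why the root cause could or could not be established. The same hashes are what an outside examiner checks before accepting a copy of the evidence.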

About the Author

Erika Tansey

Erika Tansey is a Marketing Manager at ID Experts where she focuses on new product development and strategic initiatives. Erika brings over 10 years of experience as a marketing and strategy professional at both large consumer product companies (Diageo and General Mills) and emerging start-ups in the technology sector. She has a BA from Claremont McKenna College and an MBA from the Tuck School of Business at Dartmouth College.
