RADAR™ Now Optimized for Financial Services Organizations to Manage Data Security Incidents
Our web-based software tools are designed specifically to assist our clients in managing data breach risks.
RADAR helps you in risk assessment, documentation and reporting for HITECH data breach incidents.
PORTLAND, Ore. — July 7th, 2014 — Phytel, a population health management company, adopts RADAR™, the patented incident management software from ID Experts, for assessing and managing data security and privacy incidents. Phytel joins the growing ranks of organizations in healthcare, finance, and insurance—and their service providers—responsible for maintaining and securing large databases of regulated data. Organizations and companies are increasingly using RADAR™ to meet and simplify regulatory compliance.
GovHIT - Rick Kam & James Christiansen - June 16th, 2014
Once upon a time, when CISOs were a new thing, information lived in the data center. IT managed the data, and CISOs protected the perimeter. Today, mobile computing links the back office with every employee and customer all the time — there is no perimeter. As information moves beyond the data center, so has the role of the CISO, shifting from data security to managing the inevitable risks of anytime, anywhere data. The threat landscape and security technology are also driving the change in the role of the CISO. There are over 700 security technologies available, with millions of potential threat actors around the world. It's not a question of if, but when and where a data breach will happen, requiring data incident management.
GovHIT - Rick Kam & Winston Krone - May 21st, 2014
2014 is the first financial year after the HIPAA Final Rule, and healthcare privacy has transformed in ways that are good, bad, and downright scary.
More complex information systems and business relationships are leading to larger, more complex breaches. Ironically, the data on the internal systems of HIPAA covered entities is now much better protected, but with so much data in the cloud or shared with business associates, large amounts of information have become less well protected.
PORTLAND, Ore. — May 22, 2014 — Data breaches are a modern-day plague to businesses: hard hitting, damaging, and costly. As a result, organizations have been turning to cyber insurance to mitigate data breach risks and protect their bottom line. Insurance brokers, carriers, and their clients increasingly rely on ID Experts for breach notification and response strategies and services. To meet this growing demand, data breach veteran Jeremy Henley, CHPC, will take on additional responsibilities as director of breach services for ID Experts.
PORTLAND, Ore. — May 20, 2014 — On April 22, 2014, the U.S. Patent and Trademark Office granted ID Experts U.S. Patent No. 8,707,445: Systems and Methods for Managing Data Incidents for RADAR, the industry leading incident management software. The patent covers RADAR’s process of assessing security incidents of sensitive data under both federal and state data breach notification regulations and automatically generating an outcome of the assessment to the user’s display device. This patent is in force over its full lifetime to February 14, 2032.
Washington, DC, May 6, 2014 – The Medical Identity Fraud Alliance (MIFA) announced it is moving from development to operational status, which includes installing a board of directors, hiring staff and launching several new initiatives to address medical identity fraud.
New directors include David Popik, Florida Blue; Meredith Phillips, Henry Ford Health System; Bill Fox, Emdeon; Greg Radinsky, North Shore-LIJ Health System; Ralph Carpenter, Aetna; Doug Mailhot, CareFirst BlueCross BlueShield; Bob Gregg, ID Experts; Marita Janiga, Kaiser Permanente; and Rick Munson, UnitedHealthcare. The board will drive MIFA's strategic vision for association growth and promote its mission to strengthen the healthcare ecosystem by collaborating to reduce the frequency and impact of medical identity fraud.
Huffington Post - Robert Siciliano - May 6th, 2014
Crooks want your health information. Why?
It’s called medical identity theft, and it’s not going away too soon. In fact, the ACA (Affordable Care Act) has only fueled the situation, says the Ponemon Institute, a security research firm.
This latest of Ponemon’s four annual Patient Privacy and Data Security studies reveals that sloppy behavior, like losing a laptop that has unencrypted data, is a primary cause of data breaches.
A crook would love this information because, “in the world of black market information, a medical record is considered more valuable than everything else," says Larry Ponemon, the Institute’s founder.
PORTLAND, Ore. — May 6, 2014 — ID Experts and its medical identity alert system, MIDAS, have been selected by Gartner, Inc. as a “Cool Vendor for Healthcare Payers in 2014.” The annual “Cool Vendors” recognition is awarded to select organizations with innovative technologies and business models, representing new directions in the market.
PORTLAND, Ore. — May 5, 2014 — RADAR™, the patented incident management software from ID Experts, is adopted by Catholic Medical Partners for managing data security and privacy incidents. Catholic Medical Partners joins the growing ranks of healthcare organizations that use software-based innovation to improve patient data security and privacy.
Pittsburgh Post Gazette - Deborah Todd - April 26th, 2014
For shadowy cybercriminals who find backdoor access to stores of personal data, the process of hijacking identities and pocketing stolen cash can be instantaneous. For institutions hit by cybertheft, however, discovering that a breach exists, finding the source and stopping the bleeding is usually a monthslong process of investigation that leaves the identities and bank accounts of those impacted at the mercy of the thieves.
Fox Business - April 25th, 2014
FBN.com’s Kate Rogers, cyber security expert JD Sherry and data security expert Bob Gregg weigh in on the Heartbleed bug and ObamaCare security.
HealthIT Security - Patrick Ouellette - April 15th, 2014
One way or another, mobile devices are finding their way into healthcare organizations' four walls and onto their networks. Each organization's mobile needs vary based on size and available resources and many have come a long way with mobile security policies and protocols, but gaps still remain within healthcare. Based on the most recent Ponemon Patient Privacy & Data Security Study results, 40 percent of respondents said that their biggest security concern was with mobile devices. Further, more than half are not confident that the personally-owned mobile devices or BYOD are secure and only 23 percent require that anti-virus/anti-malware software resides on the mobile device prior to connection.
Privacy warriors face a daily battle over how to manage and assess incidents or disclosures of regulated data. Ever-changing regulations and the unique nature of each incident make it almost impossible to nail down a strategy that works all the time, every time.
The Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security reveals how healthcare organizations continue to struggle with incident management and compliance, despite modest progress since the HIPAA Final Rule's enforcement date.
PORTLAND, Ore. and BOSTON — April 3, 2014 — One in three companies now has cyber insurance to protect against the threat of data breach, according to Marsh LLC, an insurance brokerage firm. In the wake of high-profile breaches, such as Target and Neiman Marcus, and 100 percent growth in cyber attacks targeting the healthcare industry since 2010, according to the latest Ponemon report, binding of cyber insurance policies is growing exponentially. As a result, insurance carriers need tools to help their clients mitigate data breach risks and protect their bottom line. To meet that opportunity, ID Experts, the leader in data breach software and services, has developed Virtual Privacy Expert, an online, one-stop resource to equip cyber insurance carriers with hands-on tools and information to minimize cyber risks. ID Experts has collaborated with Enquiron™, an insurance industry leader in proactive risk management solutions with proven claims reduction results for insurance carriers, to include Virtual Privacy Expert as part of its value-add risk management services.
Boston Herald - Marie Szaniszlo - April 1st, 2014
The Internet connection serving all Boston-area hospitals is attacked about every seven seconds, prompting Beth Israel Deaconess Medical Center to block about 98 percent of incoming emails, the hospital’s chief information officer said yesterday.
“You get a lot of the sort of junk that’s on the Internet trying to get into server after server after server,” Dr. John Halamka said in an interview on Boston Herald Radio. “Most often, people do this in Eastern Europe and China because they want to use it as a spam relay.”
Of much greater concern, Halamka said, is organized crime — much of it also originating in Eastern Europe — involving the theft and sale of electronic medical records to people who may be uninsured and use those records to pay for operations and treatment.
PORTLAND, Ore. — March 31, 2014 — There is a new reality facing healthcare organizations in maintaining the privacy of patient information. The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts—announced earlier this month—reveals what’s keeping healthcare organizations up at night. The list includes the myriad of complex regulations and expanding threats to regulated patient data. The new risks—resulting from the Affordable Care Act, criminal attacks on healthcare security up 100 percent, employee negligence, unsecured mobile devices rampant in the workplace, and lack of trust of business associates—are bewitching, bothering, and bewildering HIPAA covered entities and their privacy, security, and compliance officers.
March 21, 2014 - NBR Staff
The latest type of identity theft you need to know about - medical ID theft - including cyber attacks on all your medical records and data from health care companies. It’s a growing problem, with 50 million reported data breaches each year.
InformationWeek - Alison Diana - March 18th, 2014
With regulators seeking tighter control over the role of external contractors in assuring healthcare privacy and security, other third parties are offering to help audit those relationships with services from the cloud.
Under the Department of Health and Human Services (HHS) HIPAA Final Omnibus Rule, contractors and subcontractors who work with healthcare providers, insurers, or other services that process patient health information (PHI) must meet HIPAA privacy rules. Referred to by regulators as "business associates," these external parties also include IT service providers. Despite the mandate that business associates meet HIPAA requirements, 40% of healthcare professionals are "not confident" and 33% are only "somewhat confident" in their partners' capacity to manage patients' sensitive data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy & Data Security, released on March 13.
GovHIT - Tom Sullivan - March 18th, 2014
With the first anniversary of the omnibus HIPAA Final Rule on Privacy and Security just days away, the question of whether the rule is making healthcare organizations less prone to security problems — or actually more so — has arisen.
“We live in this daze where many people think if they’re complying with rules then they’re okay,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “But security is a lot more complicated than that.”
Indeed, HIPAA is “a federal floor of safeguards” that “does not guarantee data protection is maximized,” said Deborah Wolf, principal at Booz Allen Hamilton.
GovHIT - Rick Kam - March 17th, 2014
You manage one security threat, and up pops another. And another. It's like a bucket filled with water and holes. The water keeps spurting out. Every time you patch a hole, a new one forms.
This reactive approach of patching old and new security threats is overwhelming and never-ending for healthcare organizations. Unfortunately, these threats keep advancing, as revealed in the newly released Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute.
It's no surprise then, that 90 percent of healthcare organizations are still experiencing breaches, and 38 percent report that they have had more than five incidents in the last two years.
Some of the key threats the Ponemon study found are:
Business Insurance - Judy Greenwald - March 12th, 2014
The Patient Protection and Affordable Care Act is a contributing factor in new and expanded threats to the security and privacy of patient information in the U.S. health care system, according to a study released Wednesday.
Websites with documented security issues as well as database and health information exchanges that are "highly vulnerable to insider and outsider threats" are among the issues, according to the study conducted by the Traverse City, Mich.-based Ponemon Institute L.L.C. and sponsored by Portland, Ore.-based ID Experts Corp.
More pressure is being put on stakeholders in the health care system as "millions more" people get health ID Experts President Rick Kam said in an interview with Business Insurance.
SC Magazine - Danielle Walker - March 12th, 2014
An annual study revealed that data breaches at health care organizations are, on average, less costly and occurring less frequently than in the previous year.
On Wednesday, the “Fourth Annual Benchmark Study on Patient Privacy and Data Security” was released, and highlighted that the economic impact of data breaches was $2 million for health care entities, marking a nearly $400,000 decrease since last year's study.
In addition to the 17 percent decline in data breach-related costs, the study found that 38 percent of health care organizations had more than five breaches in a two-year period – accounting for a subtle drop in incidents.
CNBC - Herb Weisbaum - March 12th, 2014
Health-care organizations are under attack.
Criminals are stealing patient records in order to commit medical identity theft. And the Affordable Care Act (ACA) has made the situation worse, according to a new report from the Ponemon Institute.
Ponemon estimates that these breaches cost the industry about $5.6 billion a year.
The survey found the overall number of reported data breaches at health-care organizations declined slightly last year, but criminal attacks on health-care providers increased dramatically—up 100 percent since 2010.
TRAVERSE CITY, Mich. and PORTLAND, Ore. — March 12, 2014 — As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals. The Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, sponsored by ID Experts®, reveals new security and privacy threats to hospitals and the patient records they manage. One of the key threats is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act. According to the report, other top threats include: criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties—causing organizations to scramble. For a free copy of the Fourth Annual Benchmark Study on Patient Privacy and Data Security, visit www2.idexpertscorp.com/ponemon.
GovHIT - Rick Kam - February 11th, 2014
You almost feel sorry for Target. The breach of up to 110 million records — theoretically 34 percent of the U.S. population — is the stuff of unfortunate legend.
Chances are slim that a healthcare organization will suffer a Target-sized breach. But, as the 2013 Survey of Medical Identity Theft by Ponemon Institute shows, the breach of protected health information (PHI) creates significantly more risk for harm than the exposure of financial data: loss of insurance coverage, misdiagnosis, mistreatment, and more.
With that in mind, healthcare organizations can learn valuable lessons from the Target data breach — lessons that protect patients and other vulnerable people.
Mother Jones - Dana Liebelson - February 11th, 2014
Last year up to 110 million Target customers had their sensitive personal information stolen over the holidays in one of the largest data thefts in retail history. After stolen credit cards began to flood black market websites, Target offered all of its US customers one year of free daily credit monitoring to help them fend off identity theft. But credit experts and Consumer Reports say that this service is misleading victimized customers by providing incomplete monitoring—and advertising comprehensive reports for a fee.
Office of Inadequate Security - Dissent - January 28th, 2014
Over on CreditSesame.com, Kimberly Rotter wrote a tips article, “5 Steps to Take Immediately If You’ve Been a Victim of Identity Theft.” The article was also reproduced on Lifehacker. To briefly summarize the article, it lists some examples of identity theft and then recommends the following five actions (with additional info on each of the following)... But is that good advice?
GovHIT - Rick Kam - January 14th, 2013
Healthcare laws in 2013 looked like New Year's morning in Times Square — rather bleak. The Affordable Care Act and its attendant security concerns, the release of the omnibus HIPAA final rule, and the HIPAA Audit Program gave healthcare providers a headache that put New Year's Day hangovers to shame.
No doubt that 2014 will also be a year of change, not only in regulations, but also the ways in which the industry struggles to comply with these laws. We conducted an informal poll of compliance, privacy, and information security officers on the frontlines for their predictions and wishes for 2014, and compliance worries and resources were the common theme.
PORTLAND, Ore. — January 8, 2014 — 2013 proved to be a dizzying year for healthcare compliance, privacy, and information security: the Affordable Care Act, enforcement of the HIPAA Omnibus Final Rule, and ongoing investigations by the Office for Civil Rights (OCR). Not to mention the need for ongoing risk and incident management, C-Suite communication, managing business associates, breach notification, and investigations by the Office for Civil Rights (OCR). ID Experts asked healthcare compliance, privacy, and information security officers to share their predictions and provide their wish lists for a smoother and more compliant 2014.
GovHIT - Rick Kam - December 20th, 2013
It's December, the time of holiday cheer, but for victims of healthcare fraud and medical identity theft, the season is not a happy one. The news is full of dishonest people making patients sicker and healthcare costlier.
A quick scan of the headlines pulls up some stories that you have to read to believe.
1. Wanted: Medicaid number to rent
Linda Radeker, a mental-health practitioner enrolled with North Carolina Medicaid, "rented out" her Medicaid provider number to co-conspirators, keeping up to 50 percent of the fraudulent reimbursements. On the false claims, her cohorts in crime mainly used the Medicaid numbers of children whose parents believed they were participating in after-school programs — programs owned and operated by these fraudsters. Radeker has been ordered to pay more than $6 million in restitution to Medicaid, according to the IRS.
Healthcare Infosec - Marianne Kolbasuk McGee - December 13th, 2013
A new government watchdog report says the use of electronic health records makes it easier for some healthcare providers to commit fraud. And healthcare fraud of all kinds costs $75 billion to $250 billion a year, the report notes.
The report highlights the need for hospitals to make broader use of the audit log function within EHRs to help detect fraud. But patients can play a role in detecting fraud as well.
For example, a new service aims to get patients more engaged in helping spot healthcare provider and other medical fraud sooner.
PHIprivacy.net - December 12th, 2013
There's a new commercially developed product that may help consumers detect medical ID theft or fraudulent use of their information promptly so it can be addressed. Given how research has shown that most people do not check their Explanation of Benefits statements and don't report discrepancies or anomalies when they do find them, this has the potential to be a great tool for consumers. From their press release, with additional comments/notes by me:
mHealth News - Tom Sullivan - December 12th, 2013
Consumers are so used to fraud detection tools outside of healthcare that they are hardly a competitive advantage anymore. Yet within healthcare the options are disconcertingly limited.
Regularly checking your Explanation of Benefits is about the only one, but most people do not even know what to do with EOBs, meaning that consumers are rarely effective in rooting out fraudulent claims, even ones made in their name.
Looking to engage consumers in the fight against abuse and fraud, ID Experts on Thursday unveiled MIDAS, which stands for Medical Identity Alert System, a service that sends SMS text or email alerts to smartphones when a healthcare transaction is submitted so a user can check that in what the company described as plain language and, if it looks suspicious, the MIDAS team follows up, effectively bridging the gap between patients and health plans to investigate whether it is a legitimate claim or not.
PORTLAND, Ore. — December 12, 2013 — MIDAS™—Medical Identity Alert System—the latest software solution from ID Experts, was announced today, for health plans to engage consumers (health plan members) to monitor their healthcare transactions and take control of their medical identities. MIDAS was developed to lower healthcare costs through early detection and prevention of healthcare fraud by using mobile alerts, similar to proven approaches utilized by the financial services industry.
The Monthly Wrap Up - November 2013
GovHIT - Rick Kam - December 3rd, 2013
There is no question that health insurance exchanges are a new privacy and security frontier for the federal government, states, and the private sector.
With data that has been residing in a multitude of different places now being brought together, overall security will depend on the security practices of an unprecedented number of participating organizations, some of whom have only minimal training.
Under the new healthcare system, the Department of Health and Human Services (HHS) operates a central data hub that connects participating state health insurance exchanges with federal government agencies — such as the Treasury Department, Internal Revenue Service and other state agencies — to verify enrollees’ eligibility. While the government hub doesn’t store health data on individuals, personal data is stored and there is the risk that identity thieves could steal the ID of one participating organization to gain access through the hub to data held by another.
Search HealthIT - Don Fluckinger - November 12th, 2013
Meaningful use stage 2 rules foster patient engagement in a simple way: Physicians and hospitals receiving federal EHR incentive payments must motivate at least 5% of patients to view, download or transmit their digitized health data.
Let's call that patient engagement 1.0, a cute little hybrid subcompact driving down the highway. Hurtling right behind it is the 18-wheeler, semitrailer version 2.0, as powerful economic factors motivate patients to police their own records.
Healthcare IT leaders and their health information management (HIM) partners need to find ways to embrace this coming interactivity in order to harness its power for the benefit of their organizations' HIPAA compliance; patient safety and community outreach; and to compare favorably to their competitors. Right now. Later in the game, a reactionary approach could just get in the way of better health data security and good old-fashioned customer relationship management.
The Monthly Wrap Up - October 2013
Business First - Kevin Eigelbach - October 30th, 2013
You might think that once you die, you don’t have to worry about someone stealing your identity. Well, you might not have to worry about it, but your surviving relatives might.
Apprisen, a national nonprofit credit counseling agency, recently compiled a list of things you can do to prevent “ghosting,” the practice of stealing the identities of dead people to commit crimes. The IRS estimates the problem costs American taxpayers more than $5 billion annually.
Dark Reading - October 16th, 2013
PORTLAND, Ore. -- October 9, 2013 -- Lost laptops and internal snafus happen. If they involve personal information of customers, employees or others--as they often do--organizations must act in accordance with Federal regulations and state data breach laws. Now that the HIPAA Omnibus Final Rule is in effect, healthcare organizations and their third parties are required to perform a risk assessment for every privacy and security incident that involves sensitive personal information.
The rise of data breaches in healthcare, combined with the highly scrutinized, regulatory environment, has forced the emergence of a new category: data incident management software. Organizations are turning to ID Experts' software, RADAR, to document and simplify the entire data incident management process. RADAR is a leader in this space, with customer adoption up 242% in one year. RADAR 3.0 takes the "guess work" out of compliance, by performing incident-specific risk assessments and offering incident response guidance.
GovHIT - Rick Kam - October 11th, 2013
Medical identity theft is up nearly 20 percent in the past year, according to a new study, making it the fastest-growing form of fraud in the United States.
The 2013 Survey on Medical Identity Theft, in fact, found that an estimated 1.84 million people are victims of medical identity theft in the U.S. — costing victims an estimated $12.3 billion. While the extent of medical identity theft is surprising, even more alarming is its major cause: medical identity theft tends to run in families.
According to Larry Ponemon, chairman and founder of the Ponemon Institute, the research shows that a large percentage of the supposed identity thefts were actually caused by consumers sharing their personal or medical credentials with friends or family, who then use them to obtain medical services or treatments. Another major cause is family members taking and using the victims’ credentials without consent; in many of these cases, the victims are loath to report theft by a family member. Almost 60 percent of the medical identity theft reported in the Ponemon study was due to misuse of medical credentials among family members.
PORTLAND, Ore. — October 9, 2013 — Lost laptops and internal snafus happen. If they involve personal information of customers, employees or others—as they often do—organizations must act in accordance with Federal regulations and state data breach laws. Now that the HIPAA Omnibus Final Rule is in effect, healthcare organizations and their third parties are required to perform a risk assessment for every privacy and security incident that involves sensitive personal information.
The rise of data breaches in healthcare, combined with the highly scrutinized, regulatory environment, has forced the emergence of a new category: data incident management software. Organizations are turning to ID Experts’ software, RADAR, to document and simplify the entire data incident management process. RADAR is a leader in this space, with customer adoption up 242 percent in one year. RADAR 3.0 takes the “guess work” out of compliance, by performing incident-specific risk assessments and offering incident response guidance.
The Monthly Wrap Up - September 2013
Wall Street Journal - Ben DiPietro - September 23rd, 2013
The grace period ends Monday for rules governing protection of a patient’s private health information, and rules governing what must be done if such information is breached or made public.
SC Magazine - Danielle Walker - September 23rd, 2013
Updated rules to the Health Insurance Portability and Accountability Act (HIPAA) expand the legal responsibilities of third-party organizations handling protected health information.
On Monday, the compliance grace period ended for the HIPAA Omnibus Rule (PDF), which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes took effect in March, but organizations have had the past six months to update their business practices to remain in compliance.
Amendments include measures that legally require “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications.
GovHIT - Mahmood Sher-Jan - September 20th, 2013
When the HIPAA Final Rule on Privacy and Security kicks in on September 23, the privacy game changes for HIPAA covered entities (CEs). But for their business associates (BAs), the stakes rise by a quantum leap.
For CEs, the effects of the Final Rule are mostly incremental because the compliance structure remains unchanged; the biggest change is a revised threshold (aka the compromise standard) for breach risk assessment and notification decision, but basic privacy and security requirements are the same.
For business associates, however, the Final Rule deadline raises the risks of non-compliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities, making them subject to HHS regulatory fines and corrective action plans, as well as civil monetary penalties.
GovHIT - Tom Sullivan - September 17th, 2013
If the healthcare providers that have been operating under HIPAA for nearly two decades were the only ones required to comply with the new rule on privacy and security, that would be challenging enough. But they’re not.
Instead, the business associates deemed covered entities beginning September 23 are entirely new to the law and that could open up a whole slew of problems.
“A lot of folks are real nervous about that,” said Brian Ahier, founder of Advanced Health Information Exchange Resources (AHIER). “Some are taking a wait-and-see approach.”
Ahier explained that among the healthcare organizations he has encountered, most are at least prepared for the low-hanging fruit within the law, activities including updating notice of privacy practices, getting policy and legal experts involved, generally making sure they are set to meet new requirements.
Yet, those are the existing covered entities and, as such, they are more or less used to HIPAA — and even for them it will require major adjustments. But it’s the Business Associates (BAs), essentially partners, vendors, contractors and subcontractors or anyone who maintains protected health information (PHI) that have Rick Kam, president and co-founder of security vendor ID Experts, most concerned.
Dark Reading - Ericka Chickowski - September 16th, 2013
For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft.
TRAVERSE CITY, Mich. and WASHINGTON, D.C. — September 12, 2013 — Medical identity theft is a national healthcare issue with life-threatening and hefty financial consequences. According to the 2013 Survey on Medical Identity Theft conducted by Ponemon Institute, medical identity theft and “family fraud” are on the rise, with the number of victims affected by medical identity theft up nearly 20 percent within the last year. The survey, sponsored by the Medical Identity Fraud Alliance (MIFA) with support from ID Experts®, finds that medical identity theft affects an estimated 1.84 million people in the U.S., with victims forking out more than $12 billion in out-of-pocket costs incurred by medical identity theft. For a free copy of the 2013 Survey on Medical Identity Theft, visit http://medidfraud.org/2013-survey-on-medical-identity-theft.
Becker's Hospital Review - Helen Gregg - September 6th, 2013
Recently, a man went to the emergency department at his local hospital, complaining of back pain. The on-call physician noticed an infection in his lymph node, and, after consulting the patient's chart, told the patient he was ordering a course of penicillin.
The patient became upset, demanding to know why the physician would order a drug to which the patient is severely allergic. The physician referenced the patient's chart, noting penicillin was administered during the patient's previous visit to the ED with no complications.
This was the patient's first trip to the small-town ED.
An investigation revealed the patient to be the victim of medical identity fraud — a growing issue in the United States. In 2012, 1.85 million Americans were affected by medical identity fraud and theft, up from 1.49 million in 2011, according to a survey conducted by the Ponemon Institute.
Dark Reading - Kelly Higgins - August 21st, 2013
A U.S. public-private alliance co-founded by Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center and others, will officially launch next month to fight medical identity theft amid a sickening spike in this form of fraud.
The new Medical Identity Fraud Alliance (MIFA), whose other founders include the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts, is aimed at combating medical ID theft by getting key players together and establishing solutions and best practices, technologies, research, as well as educating and helping empower consumers to better protect their increasingly targeted health information. MIFA will also provide a venue for information- and attack intelligence-sharing.
Healthcare Informatics - David Raths - August 21st, 2013
Imagine going to the doctor's office for a checkup and finding procedures or prescriptions in your medical record that were a surprise to you. Just as with financial identity theft, an increasing number of Americans are finding themselves the victims of medical identity fraud, as thieves steal their health-insurance number, Social Security number and other personal information and resell them on the black market for use by other people.
Studies conducted by the Ponemon Institute (www.ponemon.org) indicate that the number of medical identity theft victims in the United States has grown from an estimated 1.4 million in 2010 to more than 1.8 million in 2012. Now a nonprofit public-private sector organization is being formed to unite stakeholders to develop best practices, solutions, and technologies for the prevention, detection and remediation of medical identity theft and fraud. Founding members of the Medical Identity Fraud Alliance (MIFA) (www.medifraud.org) include ID Experts, the Identity Theft Resource Center, the National Health Care Anti-Fraud Association, the BlueCross BlueShield Association, the Consumer Federation of America and AARP.
GovHIT - Rick Kam - August 14th, 2013
Scarcely a day passes when we don't hear about some new electronic gadget designed to make our lives more productive, convenient, healthy, or entertaining.
Take Google Glass, for example. Google's new wearable computer is among the current crop of technologies that may sound like science fiction, but they present real privacy risks. Here are a few developments that healthcare privacy professionals and organizations should be thinking about now.
American Medical News - Pamela Lewis Dolan - July 29th, 2013
During the past decade, the health care industry has adopted new practices and technology to protect against patient data breaches. But as protection of data becomes more sophisticated, so have the ways in which the data are exposed.
Data security firm ID Experts examined some of the biggest breach cases from the past decade and talked with data security experts to understand how the trends have changed during the past 10 years. The report identifies future threats to data security and gives advice on how organizations can respond to those threats.
PC Mag - Abigail Wang - July 13th, 2013
The more our personal information is digitized the more that information is at risk. A lot of people don't worry about protecting their sensitive data because they're under the impression that hackers wouldn't be interested in their accounts. If you think this, you're sadly mistaken. Even your personal email can be worth a lot depending on what information you have on it, like access to your online banking statement and details of your Amazon account. It's important to be aware of the danger your personal information is in if you don't properly protect it.
GovHIT - Rick Kam - July 22nd, 2013
Over the last decade, the scope of identity theft has widened from credit card and financial fraud to include widespread medical identity theft with potentially life-threatening consequences.
In that time, organizations have grown in awareness and readiness to combat identity theft. According to Larry Ponemon, chairman and founder of the Ponemon Institute, recent research shows that companies are doing a better job of detecting, containing, and responding to breach incidents than they were ten years ago.
HITECH Answers - July 11th, 2013
First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. Check out this infographic from ID Experts, A Decade of Data Breach…An Evolution. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications. According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts forecast top trends in data breach, privacy, and security:
PORTLAND, Ore. — July 10, 2013 — The security of personal information is at greater risk now than a decade ago. Financial identity theft and medical identity theft—with life-threatening implications—are impacting millions of people. In fact, experts estimate that an identity is stolen every three seconds. The infographic, Is Your Information Safe?, provides a snapshot of identity theft and data breach over the last decade; available for download at http://www2.idexpertscorp.com/is-your-information-safe/. According to leading experts, global networks and use of advanced sinister technologies are expected to escalate, threatening consumers’ information:
PORTLAND, Ore. — July 10, 2013 — First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. An infographic illustrating A Decade of Data Breach...An Evolution is available: http://www2.idexpertscorp.com/a-decade-of-data-breach/. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications. According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts forecast top trends in data breach, privacy, and security:
Ed Burns - TechTarget - June 25th, 2013
Identifying data breaches may seem like a relatively simple task. However, a number of factors can make breach assessment tricky, and with federal regulators stepping up enforcement of privacy laws, these pitfalls could land providers in hot water.
Rick Kam - GovHIT - June 17th, 2013
Medical identity theft can be fatal, especially to society's most vulnerable population, the elderly. Targeted by criminal groups and unscrupulous relatives alike, seniors tend to be more trusting of others and are less likely to report the crime because they don't want family members to think they can't maintain their independence, says the National Crime Prevention Council. Fighting this crime is a high priority for me, and it was a privilege to participate in an FTC panel on the subject in Washington, D.C. last month.
HIT Consultant - June 11th, 2013
Clinicians use 6.4 different mobile devices in a day on average, according to an IDC Healthcare Insights study. Mobile health devices and BYOD policies provide healthcare professionals with the ability to facilitate smoother workflows, promote team collaboration and help boost productivity. However, these benefits bring risks of security breaches. PwC Health Research Institute clearly identified the need for mobile security as one of the top ten issues hospitals will face in 2013. The report also found that 69% of the consumers surveyed said they were concerned about the privacy of their medical information if providers accessed it through their mobile devices.
John Moore - iHealthBeat - May 23rd 2013
Hospitals and other health care providers are beginning to purchase data breach insurance as the number of security incidents reported in the health care sector continues to grow.
Data breach insurance, sometimes called cyber liability insurance, provides some peace of mind for health care executives faced with the near inevitability of an intrusion. Insurance products in this field date back to the late 1990s and early 2000s, but demand has picked up over the last couple of years. Insurance brokers and security consultants report an uptick in interest in such policies among health care providers and their business associates.
Net-Security - May 22nd 2013
Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels, to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety.
PORTLAND, Ore. — May 22, 2013 — It’s not a plot on a TV show. Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker. Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels (see Hidden Hazards: The Computers Inside), to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety. Industry experts offer insights on top hidden vulnerabilities that can cause data breach:
Rick Kam - GovHIT - May 13th 2013
We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.
On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (Check out this infographic from Open Site, for an overview of data breaches in higher education.)
Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:
Report on Patient Privacy - May 2013
Although covered entities (CEs) have been required since 2009 to notify affected individuals and the government, when appropriate, of breaches of unsecured protected health information (PHI), the so-called “harm” standard that triggers notice no longer exists under the new final regulations. Or does it?
Are CEs really starting over when it comes to assessing whether an incident is a reportable breach under the final regulations issued on Jan. 25, which have a compliance deadline of Sept. 23?
PORTLAND, Ore. — May 1, 2013 — Identity theft is the nation’s fastest-growing crime, claiming almost ten million victims per year, according to FBI statistics. Medical identity theft is the latest threat to affect patients—especially senior citizens. To address this growing epidemic, the Federal Trade Commission will host the educational forum
Don Fluckinger - SearchHealthIT - April 11th 2013
Speakers at the PHI Protection Network's recent forum in Cambridge, Mass. offered HIPAA data breach prevention strategies for health care IT leaders and privacy officers in attendance. They stressed that while technology is vital for preventing breaches, enforcing employee policies to use that technology is equally important.
First, understand that while you're building a culture of health data privacy and security, expect data breaches will happen. The goal of IT leaders, in concert with compliance staff, is to reduce the number of breaches, as well as act quickly to minimize consequences after the fact.
Don Fluckinger - SearchHealthIT - April 9th 2013
CAMBRIDGE, Mass. -- When a data breach happens and the healthcare organization hasn't thought through its internal response plan, many bad things can happen. First, the people involved write internal emails throwing each other under the bus and assigning blame -- and the emails then become a revealing part of the record for attorneys and federal investigators to sift through later.
Then, in a vacuum, managing the media response falls to whom? Marketing? Media relations? IT staff? What will come out of their mouths to the local television, newspaper, radio and Internet reporters? The worst-case scenario is when CEOs take matters into their own hands and call a press conference -- unprepared, perhaps unintentionally making factual errors or public promises the hospital can't keep regarding future data breaches -- or revealing evidence that later turns into pronouncements of willful neglect.
Rick Kam - GovHIT - April 9th 2013
HIPAA and HITECH. PHI in the cloud. BYOD policies. Meaningful use.
The industry is rife with buzzwords and acronyms surrounding patient privacy and data security. The most important word, however, is one that we often overlook: patients.
Yet, they’re the reason we do what we do.
Attorney Jim Pyles, who helped draft the HITECH Act, said, “I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time … When [healthcare leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”
Wired - Daniela Hernandez - March 25th 2013
Eugene Vasserman is uneasy about his digital pedometer. The company that makes the thing doesn’t know his name, age, or gender, but it does track his every step and his location. “They know where I sleep. They know my address,” says the Kansas State University cybersecurity and privacy researcher.
Some might think he’s paranoid. But he hasn’t stopped using the device. It’s just that he sees the worst-case scenario — and he’s adamant that the rest of us should see it too. Once health data leaves your immediate possession, he explains, it’s out of your control.
“I’m aware of the tradeoff I’m making … [but] I don’t think people understand what they’re giving up by putting this data out there,” he says. “The direct repercussions are not quite clear because the definition of cloud — excuse the pun — is very nebulous.”
What we do know is that security breaches surrounding healthcare information have been on the rise, according to the Ponemon Institute. And according to The Washington Post, there are “gaping security holes” in many of the systems that hold our healthcare data.
Health IT Exchange - Don Fluckinger - March 13th 2013
CAMBRIDGE, MA — Here at the Protected Health Information (PHI) Protection Network's first conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders' message: It's all about the patients.
Discussions at patient data security conferences usually revolve around hot new technologies, emerging threats, and common-sense technical safeguards and policies to protect healthcare businesses. Up until this security confab, we've heard health care leaders list their top reasons for HIPAA compliance as protecting a hospital's revenue stream, its reputation, and its hard-earned place as a trusted entity in a city or community in the face of these regulations that seemingly set them up for failure.
Patient advocacy — actively protecting patient interests by protecting their data — usually gets mentioned in passing, fourth or fifth on the list of reasons to shore up HIPAA compliance programs.
Privacy Journal - Doug Pollack & Mahmood Sher-Jan - March 2013
The HIPAA Final Omnibus Rule issued in January is landmark legislation for the healthcare industry. One of the key changes is the removal of the "harm threshold" as a standard for determining whether notification is required after a breach.
Issued on Sept. 23, 2009, the Interim Final Rule for Breach Notification noted that a breach crossed the harm threshold if it "posed a significant risk of financial, reputational, or other harm to the individual." Placing the burden of proof for determining this risk of harm on health-care providers ("covered entities") caused huge (subjective) variances in the definition of a breach that required notification to the public and government agencies and left affected individuals at risk for harm. Patient-privacy advocates perceived the harm threshold as subjective, and health-care organizations lacked clear guidance on how to conduct such an assessment.
GovHIT - Doug Pollack - March 12th, 2013
Cloud computing. It’s like having a butler for your data — managing them, securing them, and making them available when and where they’re needed. No wonder the cloud is attractive to organizations burdened with time and budget constraints.
But the cloud is not without its risks. The Cloud Security Alliance (CSA) recently released its “Notorious nine,” a list of the top threats associated with cloud computing. At the top of the charts for 2013: data breaches. With this threat at the forefront, healthcare organizations should determine when, if ever, is an optimal time for placing protected health information (PHI) and personally identifiable information (PII) in the cloud.
Business Insurance - Matt Dunning - March 6th, 2013
As if managing the risk of data breaches and losses isn't complicated enough, incorporating cloud-based data storage services can greatly exacerbate an organization's cyber security...
PORTLAND, Ore. — February 28, 2013 — Data breaches are a growing and alarming trend. Half of healthcare organizations experienced more than five data breaches of patient data during the past two years, according to the recent Ponemon Institute report. The must-attend industry forum, Turning PHI Security Into a Competitive Advantage—to be held March 12-13, 2013 in Boston—is tailored to healthcare organizations looking at ways to better protect the big data they manage and learn how to customize security initiatives to protect protected health information (PHI). Register now by visiting Turning PHI Security Into a Competitive Advantage or www.phiprotection.org. Friday, March 1 is the last day to register.
SC Magazine - Dan Raywood - February 27th, 2013
Breaches at third parties can be mitigated with due diligence and preparation, but often that is not a consideration at the first point.
In a debate on 'The killer next door – the devastating impact of third party breaches' at the RSA Conference in San Francisco, Michael Bruemmer, vice president of Experian, said that while you can plan up front and train employees, the threat grows dependent on how many people are involved with the chain of command and the number of outsourcers.
GovHIT - Rick Kam - February 21st, 2013
A difficult question, to be sure, but it's a critical one. Healthcare organizations' privacy programs are still understaffed and underfunded, even while millions of patients' protected health information (PHI) are compromised. Securing PHI is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the recent Third Annual Benchmark Study on Patient Privacy and Data Security.
Jim Pyles, principal at Powers, Pyles, Sutter and Verville, PC, points out that the changing healthcare industry means that liability risks around PHI privacy are continuing to escalate. He says that electronic data breaches are reaching what he calls "epidemic proportions," particularly with the growing use of electronic records and hard-to-secure mobile devices, as well as the growth of electronic health information systems.
Help Net Security - February 20th, 2013
Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) are compromised.
Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule
PORTLAND, Ore. — February 19, 2013 — Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) are compromised. Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule. At the upcoming forum, Turning PHI Security Into a Competitive Advantage, to be held March 12-13 in Boston, organizations will learn how to build, present, and defend a business case for PHI security. More than 20 industry experts will outline steps to protect against the organizational and financial repercussions of data breaches.
PORTLAND, Ore. — February 5th, 2013 — A lost laptop or lost paper files can put a healthcare organization in a tailspin, especially if they contain the protected health information (PHI) of thousands of patients. Is this an incident or a breach? Is there a probability of PHI being compromised? Will this require notification? RADAR 2.5™, the latest software tool from ID Experts, answers these questions for covered entities and business associates, by managing and tracking privacy and security incidents involving personally identifiable information (PII) and PHI. RADAR helps meet all compliance requirements with HIPAA federal and state data breach laws, including the Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS) on January 25, 2013.
GovHIT - Doug Pollack & Mahmood Sher-Jan - February 6, 2013
Few will mourn the loss of the ambiguous “harm threshold” requirement. Patient privacy advocates perceived the harm threshold to be subjective, which led “to inconsistent interpretations and results,” according to the HIPAA Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS).
Under the Breach Notification Interim Final Rule, a breach crossed the harm threshold if it “posed a significant risk of financial, reputational, or other harm to the individual.” The rule required healthcare organizations to perform an incident risk assessment to determine if a breach crossed the harm threshold standard and thus required notification.
SearchHealthIT - Ed Burns - January 23rd, 2013
Another major development out of the HIPAA omnibus is the premium that Office for Civil Rights (OCR) officials place on documenting privacy and security policies, as well as responses to breaches. In particular, the changes to the breach notification rule set the bar high for documentation, and covered entities that fail to keep adequate records could face enforcement actions, even when their general response to a breach is appropriate.