PORTLAND, Ore. — May 22, 2013 — It’s not a plot on a TV show. Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker. Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels (see Hidden Hazards: The Computers Inside), to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety. Industry experts offer insights on top hidden vulnerabilities that can cause data breach:
Rick Kam - GovHIT - May 13th 2013
We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.
On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (Check out this infographic from Open Site, for an overview of data breaches in higher education.)
Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:
Report on Patient Privacy - May 2013
Although covered entities (CEs) have been required since 2009 to notify affected individuals and the government, when appropriate, of breaches of unsecured protected health information (PHI), the so called “harm” standard that triggers notice no longer exists under the new final regulations. Or does it?
Are CEs really starting over when it comes to assessing whether an incident is a reportable breach under the final regulations issued on Jan. 25, which have a compliance deadline of Sept. 23?
ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.
PORTLAND, Ore. — May 1, 2013 —Identity theft is the nation’s fastest-growing crime, claiming almost ten million victims per year, according to FBI statistics. Medical identity theft is the latest threat to affect patients—especially senior citizens. To address this growing epidemic, the Federal Trade Commission will host the educational forum
Don Fluckinger - SearchHealthIT - April 11th 2013
Speakers at the PHI Protection Network's recent forum in Cambridge, Mass. offered HIPAA data breach prevention strategies for health care IT leaders and privacy officers in attendance. They stressed that while technology is vital for preventing breaches, enforcing employee policies to use that technology is equally important.
First, understand that while you're building a culture of health data privacy and security, expect data breaches will happen. The goal of IT leaders, in concert with compliance staff, is to reduce the number of breaches, as well as act quickly to minimize consequences after the fact.
Don Fluckinger - SearchHealthIT - April 9th 2013
CAMBRIDGE, Mass. -- When a data breach happens and the healthcare organization hasn't thought through its internal response plan, many bad things can happen. First, the people involved write internal emails throwing each other under the bus and assigning blame -- and the emails then become a revealing part of the record for attorneys and federal investigators to sift through later.
Then, in a vacuum, managing the media response falls to whom? Marketing? Media relations? IT staff? What will come out of their mouths to the local television, newspaper, radio and Internet reporters? The worst-case scenario is when CEOs take matters into their own hands and call a press conference -- unprepared, perhaps unintentionally making factual errors or public promises the hospital can't keep regarding future data breaches -- or revealing evidence that later turns into pronouncements of willful neglect.
Rick Kam - GovHIT - April 9th 2013
HIPAA and HITECH. PHI in the cloud. BYOD policies. Meaningful use.
The industry is rife with buzzwords and acronyms surrounding patient privacy and data security. The most important word, however, is one that we often overlook: patients.
Yet, they’re the reason we do what we do.
Attorney Jim Pyles, who helped draft the HITECH Act, said, “I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time … When [healthcare leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”
ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.
Wired - Daniela Hernandez - March 25th 2013
Eugene Vasserman is uneasy about his digital pedometer. The company that makes the thing doesn’t know his name, age, or gender, but it does track his every step and his location. “They know where I sleep. They know my address,” says the Kansas State University cybersecurity and privacy researcher.
Some might think he’s paranoid. But he hasn’t stopped using the device. It’s just that he sees the worst-case scenario — and he’s adamant that the rest of us should see it too. Once health data leaves your immediate possession, he explains, it’s out of your control.
“I’m aware of the tradeoff I’m making … [but] I don’t think people understand what they’re giving up by putting this data out there,” he says. “The direct repercussions are not quite clear because the definition of cloud — excuse the pun — is very nebulous.”
What we do know is that security breaches surrounding healthcare information have been on the rise, according to the Ponemon Institute. And according to The Washington Post, there are “gaping security holes” in many of the systems that hold our healthcare data.
Health IT Exchange - Don Fluckinger - March 13th 2013
CAMBRIDGE, MA — Here at the Protected Health Information (PHI) Protection Network's first conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders' message: It's all about the patients.
Discussions at patient data security conferences usually revolve around hot new technologies, emerging threats, and common-sense technical safeguards and policies to protect healthcare businesses. Up until this security confab, we've heard health care leaders list their top reasons for HIPAA compliance as protecting a hospital's revenue stream, its reputation, and its hard-earned place as a trusted entity in a city or community in the face of these regulations that seemingly set them up for failure.
Patient advocacy — actively protecting patient interests by protecting their data — usually gets mentioned in passing, fourth or fifth on the list of reasons to shore up HIPAA compliance programs.
Privacy Journal - Doug Pollack & Mahmood Sher-Jan - March 2013
The HIPAA Final Omnibus Rule issued in January is landmark legislation for the healthcare industry. One of the key changes is the removal of the "harm threshold" as a standard for determining whether notification is required after a breach.
Issued on Sept. 23, 2009, the Interim Final Rule for Breach Notification noted that a breach crossed the harm threshold if it "posed a significant risk of financial, reputational, or other harm to the individual." Placing the burden of proof for determining this risk of harm on health-care providers ("covered entities") caused huge (subjective) variances in the definition of a breach that required notification to the public and government agencies and left affected individuals at risk for harm. Patient-privacy advocates perceived the harm threshold as subjective, and health-care organizations lacked clear guidance on how to conduct such an assessment.
GovHIT - Doug Pollack - March 12th, 2013
Cloud computing. It’s like having a butler for your data — managing them, securing them, and making them available when and where they’re needed. No wonder the cloud is attractive to organizations burdened with time and budget constraints.
But the cloud is not without its risks. The Cloud Security Alliance (CSA) recently released its “Notorious nine,” a list of the top threats associated with cloud computing. At the top of the charts for 2013: data breaches. With this threat at the forefront, healthcare organizations should determine when, if ever, is an optimal time for placing protected health information (PHI) and personally identifiable information (PII) in the cloud.
Business Insurance - Matt Dunning - March 6th, 2013
As if managing the risk of data breaches and losses isn't complicated enough, incorporating cloud-based data storage services can greatly exacerbate an organization's cyber security...
ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.
PORTLAND, Ore. — February 28, 2013 — Data breaches are a growing and alarming trend. Half of healthcare organizations experienced more than five data breaches of patient data during the past two years, according to the recent Ponemon Institute report. The must-attend industry forum, Turning PHI Security Into a Competitive Advantage—to be held March 12-13, 2013 in Boston—is tailored to healthcare organizations looking at ways to better protect the big data they manage and learn how to customize security initiatives to protect protected health information (PHI). Register now by visiting Turning PHI Security Into a Competitive Advantage or www.phiprotection.org. Friday, March 1 is the last day to register.
SC Magazine - Dan Raywood - February 27th, 2013
Breaches at third parties can be mitigated with due diligence and preparation, but often that is not a consideration at the first point.
In a debate on 'The killer next door – the devastating impact of third party breaches' at the RSA Conference in San Francisco, Michael Bruemmer, vice president of Experian, said that while you can plan up front and train employees, the threat grows dependent on how many people are involved with the chain of command and the number of outsourcers.
GovHIT - Rick Kam - February 21st, 2013
A difficult question, to be sure, but it's a critical one. Healthcare organizations' privacy programs are still understaffed and underfunded, even while millions of patients' protected health information (PHI) are compromised. Securing PHI is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the recent Third Annual Benchmark Study on Patient Privacy and Data Security.
Jim Pyles, principal at Powers, Pyles, Sutter and Verville, PC, points out that the changing healthcare industry means that liability risks around PHI privacy are continuing to escalate. He says that electronic data breaches are reaching what he calls "epidemic proportions," particularly with the growing use of electronic records and hard-to-secure mobile devices, as well as the growth of electronic health information systems.
Help Net Security - February 20th, 2013
Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) are compromised.
Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule
PORTLAND, Ore. — February 19, 2013 — Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) are compromised. Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule. At the upcoming forum, Turning PHI Security Into a Competitive Advantage, to be held March 12-13 in Boston, organizations will learn how to build, present, and defend a business case for PHI security. More than 20 industry experts will outline steps to protect against the organizational and financial repercussions of data breaches.
PORTLAND, Ore. — February 5th, 2013 — A lost laptop or lost paper files can put a healthcare organization in a tailspin, especially if they contain the protected health information (PHI) of thousands of patients. Is this an incident or a breach? Is there a probability of PHI being compromised? Will this require notification? RADAR 2.5™, the latest software tool from ID Experts, answers these questions for covered entities and business associates, by managing and tracking privacy and security incidents involving personally identifiable information (PII) and PHI. RADAR helps meet all compliance requirements with HIPAA federal and state data breach laws, including the Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS) on January 25, 2013.
GovHIT - Doug Pollack & Mahmood Sher-Jan - February 6, 2013
Few will mourn the loss of the ambiguous “harm threshold” requirement. Patient privacy advocates perceived the harm threshold to be subjective, which led “to inconsistent interpretations and results,” according to the HIPAA Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS).
Under the Breach Notification Interim Final Rule, a breach crossed the harm threshold if it “posed a significant risk of financial, reputational, or other harm to the individual.” The rule required healthcare organizations to perform an incident risk assessment to determine if a breach crossed the harm threshold standard and thus required notification.
SearchHealthIT - Ed Burns - January 23rd, 2013
Another major development out of the HIPAA omnibus is the premium that Office for Civil Rights (OCR) officials place on documenting privacy and security policies, as well as responses to breaches. In particular, the changes to the breach notification rule set the bar high for documentation, and covered entities that fail to keep adequate records could face enforcement actions, even when their general response to a breach is appropriate.
eWeek - Brian Horowitz - January 22nd, 2013
An update to the Health Insurance Portability and Accountability Act (HIPAA) could make IT companies more liable for leaked health information, said industry experts. Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final "omnibus" rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17. Companies that produce electronic health record (EHR) software, offer billing and transcription applications, host data in the cloud or provide backup services will be responsible for health information leaks, according to Doug Pollack, chief marketing officer for ID Experts, which offers data breach prevention tools.
Turning PHI Security Into a Competitive Advantage
20+ Industry Experts to Provide Hands-On Information About How Organizations Can Make a Business Case for Protecting Protected Health Information (PHI)
PORTLAND, Ore. — January 16, 2013 — Securing protected health information (PHI) in healthcare is a growing problem, with 94 percent of healthcare organizations suffering data breaches, according to the recent Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute. Healthcare organizations need to protect against the organizational and financial repercussions of data breaches, but may not know how. At the workshop Turning PHI Security Into a Competitive Advantage, to be held March 12-13, 2013, participants will learn how to build, present and defend a business case for PHI security initiatives tailored exclusively for their organization.
Becker's Hospital Review - Kathleen Roney - January 8th, 2013
What should a hospital or health system include in its New Year's resolution? Completing preparations to protect patient records and reduce data breach stress.
The "Third Annual Benchmark Study on Patient Privacy & Data Security" by Ponemon Institute reports that data breaches in healthcare are growing; insider negligence is the root cause; and mobile devices pose threats to patients' protected health information. Despite the fact that 94 percent of healthcare organizations surveyed suffered data breaches in the report, data breaches don't have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. So, how can hospitals and health systems do this?
Naked Security - Lisa Vaas - Jan 3, 2013
Competent healthcare providers are great at medical things, be it measuring fasting blood sugar to diagnose diabetes, swabbing the backs of our throats, or clearing plaque off our grubby molars.
Securing electronic devices or health records? Not so much.
That's the takeaway from a study from the Ponemon Institute, which surveyed 80 healthcare organisations in the US and found that 75% don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years (mostly due to staff negligence).
Gigaom - Ki Mae Heussner - December 26th, 2012
As hackers look for an easy target, healthcare could be at the top of their list. According to a recent investigation by The Washington Post, the rise of electronic health records, other digital health platforms and connected devices has made healthcare more vulnerable to security breaches than almost any other industry. Relative to other industries, including finance and the military, hospitals and medical facilities have been targeted by fewer hacks, the report said, but government officials have recently indicated growing concern. In May, the Department of Homeland Security released a notice warning that while wireless technology can bring efficiency and flexibility to healthcare, it also introduces security risks that the industry may not be ready to address.
Forbes - Eric Savitz - December 7th, 2012
Healthcare data breaches have become an everyday disaster. Ninety-four percent of healthcare organizations surveyed in the newly released Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, suffered at least one data breach during the past two years. What’s more, 45 percent of organizations experienced more than five data breaches each during this same period.
The challenges to maintaining the privacy of confidential patient data continue to grow as more and more of this information is being entered into new electronic systems, as mandated by government regulations.
No cure exists for data breaches. Data breaches have entrenched themselves into the fabric of everyday business – like bacteria – and these risks must be addressed at the highest levels. We believe healthcare organizations should restructure the information security function to report directly to the board. This would symbolize a commitment to data privacy and security, opening executives’ eyes to the real, constant, and costly threats.
Becker's Hospital Review - Kathleen Roney - December 6th, 2012
Innovation and emerging technologies in information technology are both exciting and challenging for the healthcare field. These advances create efficiencies, eliminate waste and improve much-needed access to information. However, new concerns about security and privacy arise as these advances are implemented and utilized.
The uphill battle healthcare organizations face in stopping data breaches is evidenced in the "Third Annual Benchmark Study on Patient Privacy & Data Security," conducted independently by Ponemon Institute and sponsored by ID Experts.
According to Larry Ponemon, chairman and founder of Ponemon Institute, the study takes a deeper dive into healthcare organizations' struggle to deal with privacy and security data risks. "[Ponemon Institute] not only completes a survey, but observes what the organizations do. The research also includes conversations with members of the organization," says Mr. Ponemon. "This is the third time we are doing the study, and unfortunately, things seem to be getting worse."
InformationWeek - Michelle McNickle - December 6th, 2012
A majority of organizations polled for Ponemon and ID Expert's third annual benchmark study on privacy and security don't have the technologies, resources and trained personnel in place to take on modern-day privacy and data security risks.
Since beginning the benchmarking in 2010, Ponemon and ID Experts have found that threats to healthcare organizations have increased. The organizational costs for dealing with breaches are climbing as well, with the average price tag increasing from $2.1 million in 2010 to $2.4 million in 2012. The report projects that eventually the annual cost of continuous breaches for the industry "could potentially be as high as $7 billion."
Of the organizations participating in the study, 46% are part of a healthcare network, 36% part of an integrated delivery system, and 18% are standalone hospitals or clinics. This year, the study engaged 80 organizations and conducted 324 interviews. Respondents participating in the study were from all areas of an organization, including security, administration, privacy, compliance, finance and clinical.
GovHIT - Tom Sullivan - December 6th, 2012
Three out of five healthcare organizations are not allocating enough resources to protect patient data – and among the reasons is a simple fact that the industry has no way to place a value on that information.
That's according to Rick Kam, president and co-founder of ID Experts, which sponsored the Ponemon Institute's third annual benchmark "Study on Patient Privacy and Data Security," published on Dec. 6.
Prior to the report's release, Government Health IT Editor Tom Sullivan spoke with Kam and Ponemon Institute Chairman Larry Ponemon about the survey's alarming statistics, the potential dangers of criminal social-engineering and why healthcare as an industry is so far behind in terms of safeguarding data.
Bloomberg - Jordan Robertson - December 6th, 2012
Your doctor’s office likely doesn’t have any digital security for its mammography machines, heart pumps and other devices that are vulnerable to hacking, according to a new study.
In a survey of 80 health care organizations in the U.S., the Ponemon Institute found that nearly three-quarters said they don’t secure their medical devices, even though they contain sensitive patient data. The organizations were not named.
“This finding may reflect the possibility that they believe it is the responsibility of the vendor — not the health care provider — to protect these devices,” said the report by Ponemon, an independent research organization.
There's good news and worrying news on the healthcare privacy front. The Ponemon Institute has just released the results of its third annual study on patient privacy and data security, and the report shows that while healthcare organizations have made progress towards protecting patient information, the frequency, costs, and impacts of data breaches and medical identity theft continue to rise. As in previous studies, respondents express concern that privacy and data security efforts in their organizations are understaffed and underfunded, even as the health and welfare of millions of patients are compromised by medical identity theft. The evidence is clear: organizations need to recognize that patient privacy is a fundamental component of caring for the health of the patient and the organization.
FierceHealthIT - Julie Bird - November 28th, 2012
Risk assessment to determine the safety of health IT systems has three components: privacy, security and incident response testing.
Rick Kam and Mahmood Sher-Jan, executives at Portland, Ore.-based ID Experts, note that risk assessment involves identifying threats, internal and external vulnerabilities, the harm that could come from exploiting vulnerabilities, and the probability that harm will occur.
Errors and Cyber Attacks Are Culprits; Mobile and Cloud Threats Loom; Patients at Risk for Medical Identity Theft
TRAVERSE CITY, Mich. and PORTLAND, Ore. — December 6, 2012 — The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts®, reports that healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach during the past two years; and 45 percent of organizations experienced more than five data breaches each during this same period. Data breach is an ongoing operational risk. Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually. Leading causes were lost devices, employee mistakes, third-party snafus, and criminal attacks. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients’ protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare.
For a free copy of the Third Annual Benchmark Study on Patient Privacy & Data Security, visit http://www2.idexpertscorp.com/ponemon2012/.
For the data breach infographic visit http://www2.idexpertscorp.com/ponemon2012/Infographic/.
Becker's Hospital Review - Kathleen Roney - November 14, 2012
According to a USA Healthcare Privacy Claim Trends report by ACE Group — a global insurance organization — in 2012, the healthcare industry sees 58 percent of all reported data breaches. Hospitals and health systems are high risk because of the type of data they work with: patient personal information, financial information, Social Security numbers, names, addresses, birth dates, etc.
For these reasons, it is important for hospital executives to understand emerging trends in data breaches, the costs associated and proactive steps for minimizing risks. Part of being proactive involves knowing what options are available, such as privacy and security insurance coverage.
Bloomberg - Jordan Robertson - November 8th, 2012
Arnold Salinas knows a lot about the person who stole his identity.
He’s 5-foot-9, 190 pounds. He pays for pizzas with forged checks, defaulted on a $17,000 car loan and has traveled the country, racking up speeding tickets and thousands of dollars in unpaid taxes, according to Salinas and a firm he’s hired to clean up the mess.
But the worst part is: The imposter is sick.
Salinas, a 53-year-old maintenance worker, is fighting the nastiest form of identity theft — someone has taken out medical care in his name. Among the strange bills that have arrived at his Fresno, California, home over the past decade are debt-collection notices for extensive radiology and other treatments at four hospitals in Kansas and Texas.
KETCHConsulting, November 7th, 2012
In times of crisis, it's crucial for hospitals to be prepared. If patient injuries mount, nurses and other emergency personnel need to know the precise plan for keeping operations controlled.
This blog recently reported on how well a comprehensive risk management assessment could benefit medical organizations in dire situations. After Hurricane Sandy, East Coast facilities were able to keep track of patient data and ensure that proper care was given, even as certain locations had to be evacuated.
HealthIT Security - Patrick Ouellette - October 29th, 2012
Beazley cyber insurance certainly has the potential to boost a provider's data management plan, but there are some stipulations that these providers should be aware of.
In a recent blog post on IDexpertscorp.com, Doug Pollack of IDExperts said that he had a chance to weigh the benefits of the Beazley system during a Cyber Liability Panel at American Society for Healthcare Risk Management (ASHRM) in Washington, D.C. While Pollack's company specializes in privacy and data breach solutions and could be called a Beazley competitor, he raises some good points about cyber insurance.
Becker's Hospital Review - Kathleen Roney - October 23rd, 2012
The risk of a data breach to hospitals and health systems is on the rise. According to data from ID Experts, there have been 498 breaches of 500 or more records and 55,000 breaches of less than 500 records since September 2009. That means more than 21 million healthcare records have been breached in the last three years. Ninety-six percent of hospitals had a data breach in 2011, and 60 percent of hospitals experienced multiple data breaches, said Mahmood Sher-Jan, vice president of product management for ID Experts. The potential organizational impact of a data breach incident for a hospital can be enormous. For this reason, the need for strong, effective data breach response plans is on the rise as well.
In a webinar hosted by ID Experts, Cris Ewell, PhD, chief information security officer for Seattle Children's Hospital, Research & Foundation, shared his organization's experience and model for managing information security incidents.
InformationWeek - Michelle McNickle - October 19th, 2012
Someone has to be accountable for every part of managing a data breach incident, according to Cris Ewell, chief information security officer at Seattle Children's Hospital.
"It's bigger than privacy and security … it's about involving everyone in the organization at the highest level down to the help desk level [people] who are inputting calls into the system," he said. In a recent webinar hosted by ID Experts, Ewell said that in addition to accountability, there needs to be a shift in organizational culture to combat breaches.
GovHIT - Chris Apgar & Mahmood Sher-Jan - October 2nd, 2012
An MIT professor once said there is zero correlation between intelligence and wisdom. Intelligence abounds throughout any healthcare organization. When faced with a potential data breach or other incident that can potentially harm organizations and their customers, an incident response plan, or IRP, converts that knowledge into usable wisdom that protects an organization’s patients, customers, and reputation.
Required for covered entities and now, because of the HITECH Act, for business associates under the HIPAA Security Rule, an IRP provides organizations with a step-by-step guide for responding to security incidents.
InformationWeek - Michelle McNickle - September 20th, 2012
The recent data breach at Massachusetts Eye and Ear Infirmary (MEEI) and Massachusetts Eye and Ear Associates once again screams the message: Encryption, encryption, encryption!
The provider has agreed to pay a $1.5 million fine to the Department of Health and Human Services (HHS), after allegations were made that Mass. Eye and Ear failed to comply with certain requirements of the Health Insurance Portability and Accountability Act (HIPAA) standards that govern the security of individually identifiable health information.
Portland, Ore. - September 12, 2012
Data breaches are growing in frequency and magnitude, and have a tremendous financial, legal, operational and reputational impact to the breached organization, whether it’s a financial institution, a hospital, a retailer, a university, a company, a government entity, or a social network. With 174 million compromised records in 2011, according to Verizon, assessing, managing, and publicly responding to a data breach involving medical records, financial information and Social Security Numbers, can be overwhelming and often beyond the scope of an organization’s expertise. In order to provide organizations with an end-to-end blueprint for addressing a privacy incident, ID Experts developed YourResponse™ —a patented, trusted breach resolution method, seven years in the making — to help companies achieve the most positive outcomes for everyone affected in a data breach.
Advisen Cyber Liability Journal - Doug Pollack & Jeremy Henley - August, 2012
Sony, Nasdaq, Epsilon, RSA: some big names suffered big data breaches in 2011. And they're not alone. Each year, hundreds of data breaches compromise sensitive information on tens of millions of individuals. At an average cost of $5.5 million per breach, according to the Ponemon Institute's seventh annual U.S. Cost of a Data Breach study, organizations can't afford to be lax in their breach protection measures.
But how do you manage such diverse risks?
Every organization and each data breach has unique risk factors based on industry, regulatory, customer, and technical circumstances. To reduce the likelihood of a data breach, you must understand your specific risks and address them before a breach occurs. You must also plan ahead to ensure an appropriate, rapid breach response to reduce your chances for regulatory actions and litigation.
Healthcare Informatics - David Raths - August 21, 2012
Working with ID Experts, HFHS crafted a new approach to breach response. Under the name “Code B Alert,” they created a rapid response team that would be activated whenever HFHS has a breach.
The team, led by the chief privacy officer and chief information security officer, includes representation from legal, public relations, human resources, risk management, and business unit leaders. The Code B Alert program includes internal communication to the work force and external communication to the media, patients and the HHS Office for Civil Rights.
In 2011, HFHS got a chance to test the new system when an employee lost a flash drive in a McDonald’s parking lot. Data on 3,000 patients was involved. Using the Code B Alert system, HFHS was able to take the 56-day response time down to 18 days. “We thought that was remarkable,” Phillips said. “But even though the response time was decreased and the communication plan was effective, we found another concern: portable storage devices.”
Bloomberg - Jordan Robertson - August 10, 2012
As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.
The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.
Forbes - Doug Pollack - August 01, 2012
Can you limit access to the psychiatric notes in your chart once they have been entered into your provider’s new Electronic Health Record system?
Does your podiatrist need access to your reproductive health history?
It sounds absurd, but the adoption of electronic health records and Health Information Exchanges could enable this level of access in the future. The goal of these initiatives is to provide access to each American’s medical records so that physicians can better provide treatment.
Government HealthIT - Rick Kam - July 30, 2012
You have greater privacy rights regarding the size of a shirt you purchased online than you do about information in your mental health records under the Consumer Privacy Bill of Rights, issued by the White House in February 2012. At least that’s the position of James C. Pyles, an attorney specializing in patient privacy rights. He authored the forthcoming Health Information Privacy Bill of Rights, an initiative to provide at least the same level of rights to patients as are offered to consumers under the Consumer Privacy Bill of Rights.
Forbes - Bob Gregg - July 02, 2012
The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.
Smart Money - Tania Karas - June 19th, 2012
Few health care trends have gotten as much press of late as the mad rush into electronic health records. Physicians, driven by the promise of better care, cost savings and nearly $23 billion in new federal incentive payments, are racing to turn their scribbled medical records into digital files. Thirty-five percent of hospitals now use such systems, more than double the share two years ago, according to U.S. government figures. But for all the hype about electronic records, little attention has been paid to what some say is a serious weak spot: When those sensitive bits and bytes fall into the wrong hands, it's often patients who feel the pain.
Government Health IT - Rick Kam - June 18th, 2012
Mobile devices have become notorious for unintended exposure of protected health information (PHI).
Between September 22, 2009, and May 8, 2011, for instance, mobile devices were the cause of exposing the PHI of more than 1.9 million patients, a statistic cited in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA).
by Kyle Murphy, PhD - June 12, 2012 - EHR Intelligence
Ensuring that a patient's protected health information (PHI) or personally identifiable information (PII) is secure requires both large and small healthcare organizations to navigate an ever-changing and oftentimes conflicting landscape of state and federal laws regarding patient privacy. The proliferation of these laws creates a significant challenge for providers, who must remain compliant with the Health Insurance Portability and Accountability Act (HIPAA) as well as any state laws protecting patient information.
Portland, Ore. - June 13th, 2012
Mobile devices—thumb drives, smartphones, external hard drives, tablets and laptops—are increasingly exposing protected health information (PHI) in the healthcare space, with threat risks growing, according to the Department of Homeland Security. Mobile devices pose significant risks of privacy incidents for healthcare organizations, providers and entities responsible for safeguarding PHI under federal HITECH and HIPAA regulations. Since patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the Bring-Your-Own-Device phenomenon can wreak havoc on a hospital. To help healthcare entities reduce privacy incidents resulting from mobile risks, 13 experts—representing legal, data breach prevention, technology, healthcare IT, and security—offer these top tips for healthcare organizations:
Portland, Ore. - June 7th, 2012
ID Experts RADAR™ was named one of "The Best Privacy Technologies of 2012" at the 2nd annual International Summit on the Future of Health Privacy, in Washington, D.C., where more than 40 leading health-privacy experts gathered to discuss urgent privacy issues facing the industry and affecting patients. More than 20,000,000 individuals have been impacted by the epidemic of health information breaches in healthcare systems. Sensitive patient health data is a prime target for thieves, with medical identity theft affecting 1.5 million people in the U.S. annually. The sheer scale of data breaches undermines patient trust in the health system, placing patients' lives and reputations at risk. RADAR was selected as an effective tool to help organizations meet their regulatory and ethical responsibilities to promptly notify individuals when a privacy or security incident occurs.
by Jeremy Simon - May 31, 2012 - Texas Enterprise
It's the nightmare scenario: A hacker who is able to remotely access your pacemaker — and shut it off.
Pacemakers are programmed via wireless connections with a computer. That reliance on wireless signals, however, leaves pacemakers vulnerable to attack by hackers, who could drain the device battery and turn off therapies.
by Michelle McNickle - May 30th, 2012 - Healthcare IT News
A recent Healthcare IT News survey found 48 percent of respondents planning to incorporate cloud computing into their health IT endeavors; 33 percent had already taken the plunge. But 19 percent answered with a "no," and according to Rick Kam, president and co-founder of ID Experts, one of their biggest fears could very well be security issues surrounding the cloud.
by Kathleen Roney - May 22, 2012 - Becker Hospital Review
As society becomes increasingly electronic, data breaches are a major problem for many organizations. Concern for data breaches in the healthcare industry is especially prevalent because of the variety of protected information hospitals and health systems handle. In addition, healthcare data breaches are on the rise. From 2010 to 2011, the number of data breaches affecting healthcare organizations rose 32 percent, according to research by Ponemon Institute. Along with the loss of patient personal and protected health information, data breaches can diminish productivity and cause severe financial consequences for a hospital or health system.
by Joseph Goedert - May 09, 2012 - Health Data Management
Digital forensics, the use of scientific methodology to introduce computer data into actual or potential litigation, relies on "using the best computer techniques in a way that you could go to court and clearly and irrefutably explain what you did," says Winston Krone, managing director at Kivu Consulting, which specializes in investigative, discovery and analysis services. "It's also preserving evidence and making sure that the procedures you do don't change the evidence."
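The evidence-preservation point above (hash what you acquired, record it, and prove later that the evidence did not change) is usually implemented with a cryptographic hash and a chain-of-custody manifest. The following is an added example written for this page; it is not code from Kivu Consulting or from the article, and the image file name, examiner name and image contents are constructed for the demonstration.

```python
"""Evidence integrity check for a forensic acquisition (added example).

Hashes an acquired image, records the digest in a chain-of-custody manifest,
and re-verifies the image before analysis. A changed byte anywhere in the
image, including a well-meant 'fix' made on the original instead of a working
copy, makes verification fail. File names and contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB disk image is never loaded whole


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream the file through the named hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, manifest_path: str, examiner: str) -> dict:
    """Write a chain-of-custody manifest: who acquired what, when, and its hash."""
    entry = {
        "evidence": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_evidence(image_path: str, manifest_path: str) -> bool:
    """Re-hash the image and compare with the manifest; False means the evidence changed."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    return (
        os.path.getsize(image_path) == expected["size_bytes"]
        and hash_file(image_path, "sha256") == expected["sha256"]
    )


def demo() -> tuple:
    """Seal a constructed 'disk image', then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "laptop01.dd")          # constructed file name
        manifest = os.path.join(d, "laptop01.manifest.json")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image bytes\x00" * 1024)  # constructed contents
        record_acquisition(image, manifest, examiner="J. Doe")      # hypothetical examiner
        intact = verify_evidence(image, manifest)       # True: untouched since acquisition
        with open(image, "r+b") as fh:                  # simulate working on the original
            fh.seek(10)
            fh.write(b"X")
        tampered = verify_evidence(image, manifest)     # False: digest no longer matches
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written to write-once media or signed, and analysis is done on a verified copy so the original's hash is still reproducible in court.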
by Michelle McNickle - May 8, 2012 - Healthcare IT News
Data breaches have increased dramatically within the past few years, giving way to new trends within the healthcare space. Given their unpredictable nature, data breaches are hard to budget for, but according to a recent report by ID Experts, one aspect of an overall risk management strategy is becoming increasingly important and worth exploring: cyber insurance.
May 2, 2012 - Becker's Hospital Review
In 2011, 419 data breaches were publicly disclosed exposing a total of 22.9 million records, according to a study from the Identity Theft Resource Center. One of the reasons data breaches are so prevalent is because healthcare data increasingly exists in a less stable environment. The push to digitize, the outsourcing of data processing to cloud providers and the increase in mobile devices to conduct business has all contributed. The result has been a substantial increase in the visibility of the breaches and the costs associated with these incidents.
by Rick Kam - May 02, 2012 - Government Health IT
For all of its benefits, cloud computing poses very real dangers to covered entities responsible for safeguarding protected health information (PHI).
The cloud model, which the IT industry has been embracing for its up-front cost savings and efficiencies for years now, is more recently being recognized by the healthcare realm for its potential to serve as an ideal infrastructure for Health Information Exchange (HIE) — a main component of the Electronic Health Records (EHR) meaningful use initiatives. What's more, the cloud can provide easy, affordable access to the latest medical applications, such as e-prescribing or leading-edge diagnostic tools.
by Michelle McNickle - April 30th, 2012 - Healthcare IT News
With the prevalence of data breaches rising, the industry is slowly but surely realizing they're no laughing matter. And with reported price tags in the billions, more organizations are starting to take the steps necessary to protect themselves against a costly breach of sensitive information.
Yet, breaches remain common, and as best practices continue to develop around how to handle them, one tool is proving to be invaluable: forensics.
by Michelle McNickle - April 27th, 2012 - Healthcare IT News
It's one thing to know which hot buttons can trigger a visit from OCR. But according to Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar & Associates, organizations should also know what to expect if they're chosen to undergo an audit -- and know how to prepare for one.
Apgar and Sher-Jan outline six things to know about an OCR/HIPAA audit.
April 26, 2012 - Health Data Management
Information security firms FairWarning and ID Experts have integrated their products to offer services to prepare for data breaches, detect them, and manage the investigation and resolution of a breach.
Portland, Ore. - April 26, 2012
With healthcare now the top-breached industry, healthcare organizations and providers are challenged by the complexities of auditing, assessing, documenting, and reporting these privacy incidents. To help simplify healthcare privacy incident detection, incident assessment and reporting in order to comply with federal and state data breach laws, ID Experts has successfully completed FairWarning® Ready for Compliance and Reporting Certification for RADAR 2.0. With ID Experts as a FairWarning® Ready certified partner, the integrated products offer healthcare organizations a simplified solution for the detection of healthcare data breaches and compliance with HITECH Act and state obligations.
by Michelle McNickle - April 24th, 2012 - Healthcare IT News
This past November, the healthcare industry got its first taste of the new spot-check audits performed by the Office for Civil Rights to enforce HIPAA compliance efforts. Now, in the midst of the OCR pilot program, many providers are wondering if they'll be among the unlucky few to undergo an OCR audit.
By Nicole Lewis - April 11, 2012 - Information Week
A new tally of files stored on a server that contained Medicaid information at the Utah Department of Technology Services (DTS) reveals that 780,000 individuals have been affected by the theft of sensitive information. That's far worse than initial estimates.
By Rick Kam & Mahmood Sher-Jan - April 11, 2012 - Government Health IT
Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates — claims processing, administration, data analysis, billing, benefits management — and could potentially extend to subcontractors.
By Rick Kam & Jeremy Henley - Mar 28, 2012 - PropertyCasualty360
Data breaches are like lightning: one never knows when or where they'll strike, or how much damage they will cause. Given their unpredictable nature, data breaches are difficult to budget for. Cyber insurance can help offset these unexpected costs, but keep in mind that it is not a substitute for implementing good data privacy and security practices. In addition, cyber insurance does not cover all expenses, such as diminished reputation or customer churn.
By Rick Kam & Jeremy Henley - Mar 20, 2012 - PropertyCasualty360
Data breaches are notorious for the financial, legal, and reputational damage they can inflict on an organization and its customers. The unintentional exposure of a Social Security number or financial information raises the risk of identity theft and increases an organization's vulnerability to lawsuits, fines and lost business.
By S. Joe Bhatia and Rick Kam - Mar 20, 2012 - Forbes
You don’t want your personal health information to spread virally around the Internet. Save that for the talking baby videos on YouTube.
The truth is, the electronic health information of millions of patients can be breached in a matter of seconds. As the industry moves from paper records to electronic health records (EHR), protected health information (PHI) is now more susceptible to exposure than ever.
By Judy Greenwald - Mar 19, 2012 - Business Insurance: Cyber Risks
A careful assessment of an organization's cyber risks is critical to both protecting it from data breaches and effectively responding should a breach occur.
And while these assessments often are required by federal and state laws, they also may help firms obtain favorable coverage terms. These surveys should be conducted at least once a year, with more frequent updates as called for, cyber risk experts say.
By Rick Kam & Jeremy Henley - Mar 14, 2012 - PropertyCasualty360
Cyber insurance is growing in popularity as a means to mitigate the costs and risks associated with a data breach. Given the growing prevalence of data breaches in all industries, companies are seeking help. Industries with large volumes of high-value data—bank accounts and medical records to name a few—are particularly vulnerable to data breaches. Thieves value big data for its profit potential—often reselling it to other thieves or using it for multi-million-dollar healthcare fraud schemes.
By Michelle McNickle - Mar 12, 2012 - PhysBizTech
The risk of protected health information (PHI) being breached has grown dramatically within the past few years. The HIPAA Security Rule was created to address such threats by providing organizations with administrative, physical and technical guidelines to safeguard their electronic PHI.
The Information Age. The Digital Age. The Computer Age. Whichever name you use, we’re in an era where many companies’ most valuable asset is information, from consumer buying habits to patient diagnoses to scientific data. At the same time, this asset also comes with a burden: companies are responsible for safeguarding the information they hold. Given the almost immeasurable amount of information produced today—something often called “Big Data”—the task can become overwhelming.
The adoption of electronic health records (EHRs) is making protected health information (PHI) more susceptible than ever to exposure, loss, or theft. What were once localized records are now transmitted across the healthcare ecosystem, from the front desk to the cloud, from healthcare plans to downstream subcontractors. Despite the increased risks of exposure, healthcare organizations lack the resources and, in some cases, the sense of urgency, at the boardroom level, that would make protecting PHI a high priority.
Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found.
Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the report released today in Washington by the nonprofit American National Standards Institute. Its members include Kaiser Permanente and data-security sellers such as Microsoft Corp. (MSFT) as well as the U.S. Defense Department and the Food and Drug Administration.
It’s essential to take the steps necessary to prepare against a data breach, but after one does occur, knowing how to respond can make all the difference.
Mahmood Sher-Jan, vice president of product management at ID Experts, offers five steps to take once a breach has happened.
By Michelle McNickle, Web Content Producer, Published on Healthcare IT News
Created February 16, 2012
Last year, health data breaches were up 97 percent, with all 50 states experiencing some sort of breach and 385 incidents affecting more than 19 million people. Experts agree: If ever there were a time to protect and prepare against breaches, that time is now.
PORTLAND, Ore. — February 15, 2012 — Healthcare has become one of the most-breached industries, placing hospitals, clinics and health plans under scrutiny of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and State Attorneys General (AG). To help healthcare organizations navigate the maze of inconsistent federal and 46 states’ different patient privacy laws, ID Experts announced RADAR 2.0 today—a patent pending, web-based software tool—to help standardize, centralize and simplify the assessment, documentation and reporting process of privacy or security incidents involving personally identifiable information (PII) and protected health information (PHI).
By Robin Erb, Detroit Free Press
DETROIT – Walk into a doctor's office and chances are that some of your most private information -- from your Social Security number to the details of your last cervical exam and your family's cancer history -- is stored electronically.
Your doctor might access the information on a cell phone that could slip into the wrong hands. The staff might take it home on a laptop or a flash drive.
As Detroit-area health care providers take multimillion-dollar steps toward electronic records, they're talking about more than efficiency and better care. They're talking security, too.
By Rick Kam and Christine Arevalo, February 8, 2012, Government Health IT
Healthcare fraud is costing American taxpayers up to $234 billion annually, based on estimates from the FBI. It’s no wonder that a stolen medical identity has a $50 street value, according to the World Privacy Forum – whereas a stolen social security number, on the other hand, only sells for $1.
One form of healthcare fraud, known as medical identity theft, has its own staggering statistics: 1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. The report estimates the annual economic impact of medical identity theft to be $30.9 billion.
By Michelle McNickle, Web Content Producer, Published on Healthcare IT News (http://www.healthcareitnews.com)
It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.
PORTLAND, Ore. — February 1, 2012 — Apgar & Associates and ID Experts have partnered to offer healthcare organizations complete services, tools and resources for compliance with federal and state privacy, security and breach notification laws, including HIPAA and HITECH; breach prevention and incident assessment; and post-breach incident response. Their combined offerings, including “Mock OCR HIPAA Audits,” will provide organizations the assistance needed to prepare for the audits by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) mandated by the HITECH Act. Throughout 2012, KPMG, on behalf of OCR, will conduct compliance reviews of 20 pilot audits and up to 150 healthcare providers, health plans and health care clearinghouses, also referred to as covered entities under HIPAA. These audits could result in a corrective action plan, civil penalties/monetary settlements, or both, with civil penalties of up to $50,000 per violation up to a maximum of $1.5 million per calendar year for violations of the same provision.
By Rebecca Herold and Mahmood Sher-Jan, HCCA Compliance Today, January 2012
It is often said that if you can’t measure something, you can’t improve it. The same can be said about how an organization manages its information security and privacy program compliance activities. The goal isn’t just measuring compliance with federal and states’ regulations, but equally important is protecting the organization’s reputation and its customers.
IT Business Edge
The health care sector will be one of the most active areas in all of IT in 2012. With the advent of electronic health care records and greater enforcement of compliance rules, the pressure on health care IT professionals is going to rise exponentially in 2012.
The folks at ID Experts, a provider of data breach security and compliance management tools, have put together a list of some of the things IT health care professionals should specifically be watching for in 2012.
By Michelle McNickle, Healthcare IT News January 06, 2012
Mobile devices, data breaches and patient privacy rights were some of the most talked-about topics in health IT in 2011, and according to expert opinions compiled by ID Experts, 2012 won’t be any different.
In fact, experts continue to predict an upswing in mobile and social media usage, response plans, and even reputation fallout. Eleven industry experts outlined healthcare data trends to look for in 2012.
By Nicole Lewis InformationWeek January 09, 2012
According to experts in healthcare law and information privacy and security, healthcare IT managers can expect to see more patient data breaches in 2012, along with more lawsuits filed by patients as the availability of patient information exchanged over social media sites and mobile devices grows.
These conclusions, published by ID Experts, offer a glimpse into what health CIOs can expect as they seek to protect patient data during a year that promises more of the same challenges they faced last year.
Hospitals and healthcare organizations will need more than a couple of aspirin to ready themselves for 2012.
Industry experts representing healthcare law, privacy, security, regulatory and data breach were asked to forecast healthcare data trends for 2012. The overall forecast? Protecting patients’ protected health information (PHI) should be viewed as a patient safety issue.
By Rick Kam and Christine Arevalo, January 6, 2012, Government Health IT
Happy Leap Year! We’re jumping into a challenging 12 months — lawsuits are up, budgets are down, and advances in technology have made protecting medical data a whole lot harder. Our list of top trends in 2012 reveals difficulties ahead; read and proceed with caution.
January 05, 2012 Eric Wicklund, Editor, mHIMSS
Access to healthcare data on mobile devices will be on the minds of many a healthcare executive this year, according to industry experts gauging the top trends in 2012.
Compiled by ID Experts, a Portland, Ore.-based provider of data breach solutions, “Top 11 Trends for 2012 in Healthcare Data” includes several references – both positive and critical – to the fast-growing mHealth industry.
A Look Ahead Points to Increased Risks; Regulatory Expectations; Reputational Fallout
PORTLAND, Ore. — January 5, 2012 — Hospitals and healthcare organizations will need more than a couple of aspirin to ready themselves for 2012. Industry experts representing healthcare law, privacy, security, regulatory and data breach were asked to forecast healthcare data trends for 2012. The overall forecast? Protecting patients’ protected health information (PHI) should be viewed as a patient safety issue. If the right actions are not taken, experts predict healthcare data breach will reach epidemic proportions this year.
By Rick Kam and Christine Arevalo, December 22, 2011 Government Health IT
Forget the hospital dramas on TV. Our top 10 list of this year’s trends in healthcare privacy and security has excitement to rival any show. 2011 has been the year of policing by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), of mobile technology, and of massive-scale data breaches:
By Pamela Lewis Dolan, amednews.com, December 19, 2011
The number of physicians using smartphones has reached a near-saturation point. Meanwhile, the number of data breaches is going up.
Coincidence? Leading experts think not.
Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010.
By Michael Vizard, ITBusinessEdge, December 9, 2011
Most folks involved in IT at health care organizations would generally agree that security is important; it just seems to be getting harder to build a consensus about whether it's getting better or not.
By Nicole Lewis, Information Week, December 7, 2011
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.
HDM Breaking News, December 1, 2011
The second year of a benchmark survey to track progress in securing protected health information finds improved policies and staff training, but also increased frequency of breaches, rising incidents of identity theft, poor control over mobile devices, and two-thirds of organizations don't provide protection services for breach victims.
By Brian T. Horowitz, December 1, 2011, Health Care IT News
The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.
Data security consulting firm ID Experts sponsored Ponemon's report, the second-annual "Benchmark Study on Patient Privacy and Data Security," announced on Dec. 1. ID Experts provides assessment tools and response plans to help organizations deal with data security issues.