Mobile health IT security: Bolstering technology with policy

HealthIT Security - Patrick Ouellette - April 15th, 2014

One way or another, mobile devices are finding their way into healthcare organizations' four walls and onto their networks. Each organization's mobile needs vary based on size and available resources and many have come a long way with mobile security policies and protocols, but gaps still remain within healthcare. Based on the most recent Ponemon Patient Privacy & Data Security Study results, 40 percent of respondents said that their biggest security concern was with mobile devices. Further, more than half are not confident that the personally-owned mobile devices or BYOD are secure and only 23 percent require that anti-virus/anti-malware software resides on the mobile device prior to connection.

Help wanted: Day-to-day data breach incident management

Privacy warriors face a daily battle over how to manage and assess incidents or disclosures of regulated data. Ever-changing regulations and the unique nature of each incident make it almost impossible to nail down a strategy that works all the time, every time.

The Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security reveals how healthcare organizations continue to struggle with incident management and compliance, despite modest progress since the HIPAA Final Rule's enforcement date.

The Monthly Wrap Up - March 2014

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

ID Experts® and Enquiron™ Announce Virtual Privacy Expert™

PORTLAND, Ore. and BOSTON — April 3, 2014 — One in three companies now has cyber insurance to protect against the threat of data breach, according to Marsh LLC, an insurance brokerage firm. In the wake of high-profile breaches, such as Target and Neiman Marcus, and 100 percent growth in cyber attacks targeting the healthcare industry since 2010, according to the latest Ponemon report, binding of cyber insurance policies is growing exponentially. As a result, insurance carriers need tools to help their clients mitigate data breach risks and protect their bottom line. To meet that opportunity, ID Experts, the leader in data breach software and services, has developed Virtual Privacy Expert, an online, one-stop resource to equip cyber insurance carriers with hands-on tools and information to minimize cyber risks. ID Experts has collaborated with Enquiron TM, an insurance industry leader in proactive risk management solutions with proven claims reduction results for insurance carriers, to include Virtual Privacy Expert as part of its value-add risk management services.

Hospital on defense for cyber attacks

Boston Herald - Marie Szaniszlo - April 1st, 2014

The Internet connection serving all Boston-area hospitals is attacked about every seven seconds, prompting Beth Israel Deaconess Medical Center to block about 98 percent of incoming emails, the hospital’s chief information officer said yesterday.

“You get a lot of the sort of junk that’s on the Internet trying to get into server after server after server,” Dr. John Halamka said in an interview on Boston Herald Radio. “Most often, people do this in Eastern Europe and China because they want to use it as a spam relay.”

Of much greater concern, Halamka said, is organized crime — much of it also originating in Eastern Europe — involving the theft and sale of electronic medical records to people who may be uninsured and use those records to pay for operations and treatment.

Healthcare Organizations Struggle to Manage Security Incidents of “Regulated Data”

PORTLAND, Ore. — March 31, 2014 — There is a new reality facing healthcare organizations in maintaining the privacy of patient information. The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts—announced earlier this month—reveals what’s keeping healthcare organizations up at night. The list includes the myriad of complex regulations and expanding threats to regulated patient data. The new risks—resulting from the Affordable Care Act, criminal attacks on healthcare security up 100 percent, employee negligence, unsecured mobile devices rampant in the workplace, and lack of trust of business associates—are bewitching, bothering, and bewildering HIPAA covered entities and their privacy, security, and compliance officers.

CNBC Report on Medical ID Theft

March 21, 2014 - NBR Staff

The latest type of identity theft you need to know about, medical ID theft, includes cyber attacks on your medical records and data held by health care companies. It’s a growing problem, with 50 million reported data breaches each year.

Healthcare Data Security: Focus On ‘Business Associates’

InformationWeek - Alison Diana - March 18th, 2014

With regulators seeking tighter control over the role of external contractors in assuring healthcare privacy and security, other third parties are offering to help audit those relationships with services from the cloud.

Under the Department of Health and Human Services (HHS) HIPAA Final Omnibus Rule, contractors and subcontractors who work with healthcare providers, insurers, or other services that process patient health information (PHI) must meet HIPAA privacy rules. Referred to by regulators as "business associates," these external parties also include IT service providers. Despite the mandate that business associates meet HIPAA requirements, 40% of healthcare professionals are "not confident" and 33% are only "somewhat confident" in their partners' capacity to manage patients' sensitive data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy & Data Security, released on March 13.

Is HIPAA lulling health orgs into a false sense of security?

GovHIT - Tom Sullivan - March 18th, 2014

With the first anniversary of the omnibus HIPAA Final Rule on Privacy and Security just days away, the question of whether the rule is making healthcare organizations less prone to security problems — or actually more so — has arisen.

“We live in this daze where many people think if they’re complying with rules then they’re okay,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “But security is a lot more complicated than that.”

Indeed, HIPAA is “a federal floor of safeguards” that “does not guarantee data protection is maximized,” said Deborah Wolf, principal at Booz Allen Hamilton.

Why ‘leaky bucket’ approach to managing security threats will never work

GovHIT - Rick Kam - March 17th, 2014

You manage one security threat, and up pops another. And another. It's like a bucket filled with water and holes. The water keeps spurting out. Every time you patch a hole, a new one forms.

This reactive approach of patching old and new security threats is overwhelming and never-ending for healthcare organizations. Unfortunately, these threats keep advancing, as revealed in the newly released Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute.

It's no surprise then, that 90 percent of healthcare organizations are still experiencing breaches, and 38 percent report that they have had more than five incidents in the last two years.

Some of the key threats the Ponemon study found are:

Health care reform law increases security, privacy threats: Survey

Business Insurance - Judy Greenwald - March 12th, 2014

The Patient Protection and Affordable Care Act is a contributing factor in new and expanded threats to the security and privacy of patient information in the U.S. health care system, according to a study released Wednesday.

Websites with documented security issues as well as database and health information exchanges that are "highly vulnerable to insider and outsider threats" are among the issues, according to the study conducted by the Traverse City, Mich.-based Ponemon Institute L.L.C. and sponsored by Portland, Ore.-based ID Experts Corp.

More pressure is being put on stakeholders in the health care system as "millions more" people get health ID Experts President Rick Kam said in an interview with Business Insurance.

Study: Health care orgs see modest decline in incidence, cost of data breaches

SC Magazine - Danielle Walker - March 12th, 2014

An annual study revealed that data breaches at health care organizations are, on average, less costly and occurring less frequently than in the previous year.

On Wednesday, the “Fourth Annual Benchmark Study on Patient Privacy and Data Security” was released, and highlighted that the economic impact of data breaches was $2 million for health care entities, marking a nearly $400,000 decrease since last year's study.

In addition to the 17 percent decline in data breach-related costs, the study found that 38 percent of health care organizations had more than five breaches in a two-year period – accounting for a subtle drop in incidents.

Health care system’s $5.6 billion security problem

CNBC - Herb Weisbaum - March 12th, 2014

Health-care organizations are under attack.

Criminals are stealing patient records in order to commit medical identity theft. And the Affordable Care Act (ACA) has made the situation worse, according to a new report from the Ponemon Institute.

Ponemon estimates that these breaches cost the industry about $5.6 billion a year.

The survey found the overall number of reported data breaches at health-care organizations declined slightly last year, but criminal attacks on health-care providers increased dramatically—up 100 percent since 2010.

Criminal Attacks on Healthcare Organizations Increase 100 Percent

TRAVERSE CITY, Mich. and PORTLAND, Ore. — March 12, 2014 — As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals. The Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, sponsored by ID Experts®, reveals new security and privacy threats to hospitals and the patient records they manage. One of the key threats is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act. According to the report, other top threats include: criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties—causing organizations to scramble. For a free copy of the Fourth Annual Benchmark Study on Patient Privacy and Data Security, visit www2.idexpertscorp.com/ponemon.

The Monthly Wrap Up - February 2014

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

6 takeaways from the Target data breach

GovHIT - Rick Kam - February 11th, 2014

You almost feel sorry for Target. The breach of up to 110 million records — theoretically 34 percent of the U.S. population — is the stuff of unfortunate legend.

Chances are slim that a healthcare organization will suffer a Target-sized breach. But, as the 2013 Survey of Medical Identity Theft by Ponemon Institute shows, the breach of protected health information (PHI) creates significantly more risk for harm than the exposure of financial data: loss of insurance coverage, misdiagnosis, mistreatment, and more.

With that in mind, healthcare organizations can learn valuable lessons from the Target data breach — lessons that protect patients and other vulnerable people.

Target’s “Second-Rate” Fix for Hacking Victims May Leave Customers Vulnerable

Mother Jones - Dana Liebelson - February 11th, 2014

Last year up to 110 million Target customers had their sensitive personal information stolen over the holidays in one of the largest data thefts in retail history. After stolen credit cards began to flood black market websites, Target offered all of its US customers one year of free daily credit monitoring to help them fend off identity theft. But credit experts and Consumer Reports say that this service is misleading victimized customers by providing incomplete monitoring—and advertising comprehensive reports for a fee.

Six Lessons We Can Learn from the Target Data Breach

You almost feel sorry for Target. The breach of up to 110 million records—theoretically 34 percent of the U.S. population—is the stuff of data breach legend.

Chances are slim that a healthcare organization will suffer a Target-sized breach. But, as the 2013 Survey of Medical Identity Theft by Ponemon Institute shows, the breach of protected health information (PHI) creates significantly more risk for harm than the exposure of financial data: loss of insurance coverage, misdiagnosis, mistreatment, and more.

The Monthly Wrap Up - January 2014

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

Five steps to take if you’ve become a victim of ID theft

Office of Inadequate Security - Dissent - January 28th, 2014

Over on CreditSesame.com, Kimberly Rotter wrote a tips article, “5 Steps to Take Immediately If You’ve Been a Victim of Identity Theft.” The article was also reproduced on Lifehacker. To briefly summarize the article, it lists some examples of identity theft and then recommends the following five actions (with additional info on each of the following)... But is that good advice?

Privacy and security compliance wish list 2014

GovHIT - Rick Kam - January 14th, 2013

Healthcare laws in 2013 looked like New Year's morning in Times Square — rather bleak. The Affordable Care Act and its attendant security concerns, the release of the omnibus HIPAA final rule, and the HIPAA Audit Program gave healthcare providers a headache that put New Year's Day hangovers to shame.

No doubt that 2014 will also be a year of change, not only in regulations, but also the ways in which the industry struggles to comply with these laws. We conducted an informal poll of compliance, privacy, and information security officers on the frontlines for their predictions and wishes for 2014, and compliance worries and resources were the common theme.

Healthcare Security and Privacy Pros Wish for A Compliance Fairy To Aid with Regulatory Woes in 2014

PORTLAND, Ore. — January 8, 2014 —2013 proved to be a dizzying year for healthcare compliance, privacy, and information security: the Affordable Care Act, enforcement of the HIPAA Omnibus Final Rule, and ongoing investigations by the Office for Civil Rights (OCR). Not to mention the need for ongoing risk and incident management, C-Suite communication, managing business associates, breach notification, and investigations by the Office for Civil Rights (OCR). ID Experts asked healthcare compliance, privacy, and information security officers to share their predictions and provide their wish lists for a smoother and more compliant 2014.

The Monthly Wrap Up - December 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

5 not-so-merry tales of healthcare fraud dark side

GovHIT - Rick Kam - December 20th, 2013

It's December, the time of holiday cheer, but for victims of healthcare fraud and medical identity theft, the season is not a happy one. The news is full of dishonest people making patients sicker and healthcare costlier.

A quick scan of the headlines pulls up some stories that you have to read to believe.

1. Wanted: Medicaid number to rent
Linda Radeker, a mental-health practitioner enrolled with North Carolina Medicaid, "rented out" her Medicaid provider number to co-conspirators, keeping up to 50 percent of the fraudulent reimbursements. On the false claims, her cohorts in crime mainly used the Medicaid numbers of children whose parents believed they were participating in after-school programs — programs owned and operated by these fraudsters. Radeker has been ordered to pay more than $6 million in restitution to Medicaid, according to the IRS.

Insights on Detecting Healthcare Fraud

Healthcare Infosec - Marianne Kolbasuk McGee - December 13th, 2013

A new government watchdog report says the use of electronic health records makes it easier for some healthcare providers to commit fraud. And healthcare fraud of all kinds costs $75 billion to $250 billion a year, the report notes.

The report highlights the need for hospitals to make broader use of the audit log function within EHRs to help detect fraud. But patients can play a role in detecting fraud as well.

For example, a new service aims to get patients more engaged in helping spot healthcare provider and other medical fraud sooner.

New Medical Identity System Alerts Consumers to Fraud and Theft

PHIprivacy.net - December 12th, 2013

There's a new commercially developed product that may help consumers detect medical ID theft or fraudulent use of their information promptly so it can be addressed. Given how research has shown that most people do not check their Explanation of Benefits statements and don't report discrepancies or anomalies when they do find them, this has the potential to be a great tool for consumers. From their press release, with additional comments/notes by me:

Like credit monitoring for PHI

mHealth News - Tom Sullivan - December 12th, 2013

Consumers are so used to fraud detection tools outside of healthcare that they are hardly a competitive advantage anymore. Yet within healthcare the options are disconcertingly limited.

Regularly checking your Explanation of Benefits is about the only one, but most people do not even know what to do with EOBs, meaning that consumers are rarely effective in rooting out fraudulent claims, even ones made in their name.

Looking to engage consumers in the fight against abuse and fraud, ID Experts on Thursday unveiled MIDAS, which stands for Medical Identity Alert System. The service sends SMS text or email alerts to smartphones when a healthcare transaction is submitted, so a user can check it in what the company described as plain language. If it looks suspicious, the MIDAS team follows up, effectively bridging the gap between patients and health plans to investigate whether or not the claim is legitimate.

New Medical Identity System Alerts Consumers to Fraud and Theft

PORTLAND, Ore. — December 12, 2013 — MIDAS™—Medical Identity Alert System—the latest software solution from ID Experts, was announced today, for health plans to engage consumers (health plan members) to monitor their healthcare transactions and take control of their medical identities. MIDAS was developed to lower healthcare costs through early detection and prevention of healthcare fraud by using mobile alerts, similar to proven approaches utilized by the financial services industry.

The Monthly Wrap Up - November 2013

4 pillars of trust for the new health insurance exchanges

GovHIT - Rick Kam - December 3rd, 2013

There is no question that health insurance exchanges are a new privacy and security frontier for the federal government, states, and the private sector.

With data that has been residing in a multitude of different places now being brought together, overall security will depend on the security practices of an unprecedented number of participating organizations, some of whom have only minimal training.

Under the new healthcare system, the Department of Health and Human Services (HHS) operates a central data hub that connects participating state health insurance exchanges with federal government agencies — such as the Treasury Department, Internal Revenue Service and other state agencies — to verify enrollees’ eligibility. While the government hub doesn’t store health data on individuals, personal data is stored and there is the risk that identity thieves could steal the ID of one participating organization to gain access through the hub to data held by another.

‘Patient engagement 2.0’ to make meaningful use look like tiddlywinks

Search HealthIT - Don Fluckinger - November 12th, 2013

Meaningful use stage 2 rules foster patient engagement in a simple way: Physicians and hospitals receiving federal EHR incentive payments must motivate at least 5% of patients to view, download or transmit their digitized health data.

Let's call that patient engagement 1.0, a cute little hybrid subcompact driving down the highway. Hurtling right behind it is the 18-wheeler, semitrailer version 2.0, as powerful economic factors motivate patients to police their own records.

Healthcare IT leaders and their health information management (HIM) partners need to find ways to embrace this coming interactivity in order to harness its power for the benefit of their organizations' HIPAA compliance; patient safety and community outreach; and to compare favorably to their competitors. Right now. Later in the game, a reactionary approach could just get in the way of better health data security and good old-fashioned customer relationship management.

The Monthly Wrap Up - October 2013

Four ways to keep your identity from getting ghosted

Business First - Kevin Eigelbach - October 30th, 2013

You might think that once you die, you don’t have to worry about someone stealing your identity. Well, you might not have to worry about it, but your surviving relatives might.

Apprisen, a national nonprofit credit counseling agency, recently compiled a list of things you can do to prevent “ghosting,” the practice of stealing the identities of dead people to commit crimes. The IRS estimates the problem costs American taxpayers more than $5 billion dollars annually.

ID Experts Rolls Out New Version Of RADAR

Dark Reading - October 16th, 2013

PORTLAND, Ore. -- October 9, 2013 -- Lost laptops and internal snafus happen. If they involve personal information of customers, employees or others--as they often do--organizations must act in accordance with Federal regulations and state data breach laws. Now that the HIPAA Omnibus Final Rule is in effect, healthcare organizations and their third parties are required to perform a risk assessment for every privacy and security incident that involves sensitive personal information.

The rise of data breaches in healthcare, combined with the highly scrutinized, regulatory environment, has forced the emergence of a new category: data incident management software. Organizations are turning to ID Experts' software, RADAR, to document and simplify the entire data incident management process. RADAR is a leader in this space, with customer adoption up 242% in one year. RADAR 3.0 takes the "guess work" out of compliance, by performing incident-specific risk assessments and offering incident response guidance.

The surprising truth about medical ID thieves

GovHIT - Rick Kam - October 11th, 2013

Medical identity theft is up nearly 20 percent in the past year, according to a new study, making it the fastest-growing form of fraud in the United States.

The 2013 Survey on Medical Identity Theft, in fact, found that an estimated 1.84 million people are victims of medical identity theft in the U.S. — costing victims an estimated $12.3 billion. While the extent of medical identity theft is surprising, even more alarming is its major cause: medical identity theft tends to run in families.

According to Larry Ponemon, chairman and founder of the Ponemon Institute, the research shows that a large percentage of the supposed identity thefts were actually caused by consumers sharing their personal or medical credentials with friends or family, who then use them to obtain medical services or treatments. Another major cause is family members taking and using the victims’ credentials without consent; in many of these cases, the victims are loath to report theft by a family member. Almost 60 percent of the medical identity theft reported in the Ponemon study was due to misuse of medical credentials among family members.

Healthcare & Insurance Entities Turn to ID Experts’ RADAR™ for Data Incident Management

PORTLAND, Ore. — October 9, 2013 — Lost laptops and internal snafus happen. If they involve personal information of customers, employees or others—as they often do—organizations must act in accordance with Federal regulations and state data breach laws. Now that the HIPAA Omnibus Final Rule is in effect, healthcare organizations and their third parties are required to perform a risk assessment for every privacy and security incident that involves sensitive personal information.

The rise of data breaches in healthcare, combined with the highly scrutinized, regulatory environment, has forced the emergence of a new category: data incident management software. Organizations are turning to ID Experts’ software, RADAR, to document and simplify the entire data incident management process. RADAR is a leader in this space, with customer adoption up 242 percent in one year. RADAR 3.0 takes the “guess work” out of compliance, by performing incident-specific risk assessments and offering incident response guidance.

The Monthly Wrap Up - September 2013

Grace Period Over for HIPAA Rules

Wall Street Journal - Ben DiPietro - September 23rd, 2013

The grace period ends Monday for rules governing protection of a patient’s private health information, and rules governing what must be done if such information is breached or made public.

Compliance deadline on HIPAA rules brings expanded responsibilities for third parties handling data

SC Magazine - Danielle Walker - September 23rd, 2013

Updated rules to the Health Insurance Portability and Accountability Act (HIPAA) expand the legal responsibilities of third-party organizations handling protected health information.

On Monday, the compliance grace period ended for the HIPAA Omnibus Rule (PDF), which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes took effect in March, but organizations have had the past six months to update their business practices to remain in compliance.

Amendments include measures that legally require “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications.

4 steps for business associates to comply with omnibus HIPAA

GovHIT - Mahmood Sher-Jan - September 20th, 2013

When the HIPAA Final Rule on Privacy and Security kicks in on September 23, the privacy game changes for HIPAA covered entities (CEs). But for their business associates (BAs), the stakes rise by a quantum leap.

For CEs, the effects of the Final Rule are mostly incremental because the compliance structure remains unchanged; the biggest change is a revised threshold (aka the compromise standard) for breach risk assessment and notification decision, but basic privacy and security requirements are the same.

For business associates, however, the Final Rule deadline raises the risks of non-compliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities, making them subject to HHS regulatory fines and corrective action plans, as well as civil monetary penalties.

Omnibus HIPAA: BAs, breaches will get worse before better

GovHIT - Tom Sullivan - September 17th, 2013

If the healthcare providers that have been operating under HIPAA for nearly two decades were the only ones required to comply with the new rule on privacy and security, that would be challenging enough. But they’re not.

Instead, the business associates deemed covered entities beginning September 23 are entirely new to the law and that could open up a whole slew of problems.

“A lot of folks are real nervous about that,” said Brian Ahier, founder of Advanced Health Information Exchange Resources (AHIER). “Some are taking a wait-and-see approach.”

Ahier explained that among the healthcare organizations he has encountered, most are at least prepared for the low-hanging fruit within the law: activities including updating notices of privacy practices, getting policy and legal experts involved, and generally making sure they are set to meet the new requirements.

Yet, those are the existing covered entities and, as such, they are more or less used to HIPAA — and even for them it will require major adjustments. But it’s the Business Associates (BAs), essentially partners, vendors, contractors and subcontractors or anyone who maintains protected health information (PHI) that have Rick Kam, president and co-founder of security vendor ID Experts, most concerned.

How To Cushion The Impact Of A Data Breach

Dark Reading - Ericka Chickowski - September 16th, 2013

For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft.

New Research Reveals Medical Identity Theft is Up, Affects 1.84 Million U.S. Victims

TRAVERSE CITY, Mich. and WASHINGTON, D.C. — September 12, 2013 — Medical identity theft is a national healthcare issue with life-threatening and hefty financial consequences. According to the 2013 Survey on Medical Identity Theft conducted by Ponemon Institute, medical identity theft and “family fraud” are on the rise; with the number of victims affected by medical identity theft up nearly 20 percent within the last year. The survey, sponsored by the Medical Identity Fraud Alliance (MIFA) with support from ID Experts®, finds that medical identity theft affects an estimated 1.84 million people in the U.S.; with victims forking out more than $12 billion in out-of-pocket costs incurred by medical identity theft. For a free copy of the 2013 Survey on Medical Identity Theft, visit http://medidfraud.org/2013-survey-on-medical-identity-theft.

Industrywide Coalition Forms to Combat Medical Identity Fraud

Becker's Hospital Review - Helen Gregg - September 6th, 2013

Recently, a man went to the emergency department at his local hospital, complaining of back pain. The on-call physician noticed an infection in his lymph node, and, after consulting the patient's chart, told the patient he was ordering a course of penicillin.

The patient became upset, demanding to know why the physician would order a drug to which the patient is severely allergic. The physician referenced the patient's chart, noting penicillin was administered during the patient's previous visit to the ED with no complications.

This was the patient's first trip to the small-town ED.

An investigation revealed the patient to be the victim of medical identity fraud — a growing issue in the United States. In 2012, 1.85 million Americans were affected by medical identity fraud and theft, up from 1.49 million in 2011, according to a survey conducted by the Ponemon Institute.

The Monthly Wrap Up - August 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

New Consortium Formed To Cure Rise In Medical ID Fraud

Dark Reading - Kelly Higgins - August 21st, 2013

A U.S. public-private alliance co-founded by Blue Cross/Blue Shield Association, AARP, the Identity Theft Resource Center and others, will officially launch next month to fight medical identity theft amid a sickening spike in this form of fraud.

The new Medical Identity Fraud Alliance (MIFA), whose other founders include the Consumer Federation of America, the National Healthcare Anti-Fraud Association, and ID Experts, is aimed at combating medical ID theft by getting key players together and establishing solutions and best practices, technologies, research, as well as educating and helping empower consumers to better protect their increasingly targeted health information. MIFA will also provide a venue for information- and attack intelligence-sharing.

New Organization Targets Medical ID Fraud

Healthcare Informatics - David Raths - August 21st, 2013

Imagine going to the doctor's office for a checkup and finding procedures or prescriptions in your medical record that were a surprise to you. Just as with financial identity theft, an increasing number of Americans are finding themselves the victims of medical identity fraud, as thieves steal their health-insurance number, Social Security number and other personal information and resell them on the black market for use by other people.

Studies conducted by the Ponemon Institute (www.ponemon.org) indicate that the number of medical identity theft victims in the United States has grown from an estimated 1.4 million in 2010 to more than 1.8 million in 2012. Now a nonprofit public-private sector organization is being formed to unite stakeholders to develop best practices, solutions, and technologies for the prevention, detection and remediation of medical identity theft and fraud. Founding members of the Medical Identity Fraud Alliance (MIFA) (www.medifraud.org) include ID Experts, the Identity Theft Resource Center, the National Health Care Anti-Fraud Association, the BlueCross BlueShield Association, the Consumer Federation of America and AARP.

Google Glass and other devices presenting new crop of privacy risks

GovHIT - Rick Kam - August 14th, 2013

Scarcely a day passes when we don't hear about some new electronic gadget designed to make our lives more productive, convenient, healthy, or entertaining.

Take Google Glass, for example. Google's new wearable computer is among the current crop of technologies that may sound like science fiction, but they present real privacy risks. Here are a few developments that healthcare privacy professionals and organizations should be thinking about now.

The Monthly Wrap Up - July 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

Health data breaches usually aren’t accidents anymore

American Medical News - Pamela Lewis Dolan - July 29th, 2013

During the past decade, the health care industry has adopted new practices and technology to protect against patient data breaches. But as protection of data becomes more sophisticated, so have the ways in which the data are exposed.

Data security firm ID Experts examined some of the biggest breach cases from the past decade and talked with data security experts to understand how the trends have changed during the past 10 years. The report identifies future threats to data security and gives advice on how organizations can respond to those threats.

Infographic: Is Your Information Safe from Data Breaches?

PC Mag - Abigail Wang - July 13th, 2013

The more our personal information is digitized the more that information is at risk. A lot of people don't worry about protecting their sensitive data because they're under the impression that hackers wouldn't be interested in their accounts. If you think this, you're sadly mistaken. Even your personal email can be worth a lot depending on what information you have on it, like access to your online banking statement and details of your Amazon account. It's important to be aware of the danger your personal information is in if you don't properly protect it.

Why healthcare must operationalize data breach response

GovHIT - Rick Kam - July 22nd, 2013

Over the last decade, the scope of identity theft has widened from credit card and financial fraud to include widespread medical identity theft with potentially life-threatening consequences.

In that time, organizations have grown in awareness and readiness to combat identity theft. According to Larry Ponemon, chairman and founder of the Ponemon Institute, recent research shows that companies are doing a better job of detecting, containing, and responding to breach incidents than they were ten years ago.

Top 12 Trends in Data Breach, Privacy and Security

HITECH Answers - July 11th, 2013

First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. Check out this infographic from ID Experts, A Decade of Data Breach…An Evolution. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications. According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts forecast top trends in data breach, privacy, and security:

The Monthly Wrap Up - June 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

11 Dangers to Personal Information; Is Your Information Safe?

PORTLAND, Ore. — July 10, 2013 — The security of personal information is at greater risk now than a decade ago. Financial identity theft and medical identity theft—with life-threatening implications—are impacting millions of people. In fact, experts estimate that an identity is stolen every three seconds. The infographic, Is Your Information Safe?, provides a snapshot of identity theft and data breach over the last decade; available for download at http://www2.idexpertscorp.com/is-your-information-safe/. According to leading experts, global networks and use of advanced sinister technologies are expected to escalate, threatening consumers’ information:

12 Trends in Privacy and Security

PORTLAND, Ore. — July 10, 2013 — First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. An infographic illustrating A Decade of Data Breach...An Evolution is available: http://www2.idexpertscorp.com/a-decade-of-data-breach/. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications. According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts forecast top trends in data breach, privacy, and security:

Many factors complicate data breach assessment and reporting

Ed Burns - TechTarget - June 25th, 2013

Identifying data breaches may seem like a relatively simple task. However, a number of factors can make breach assessment tricky, and with federal regulators stepping up enforcement of privacy laws, these pitfalls could land providers in hot water.

8 ways to fight medical ID theft

Rick Kam - GovHIT - June 17th, 2013

Medical identity theft can be fatal, especially to society's most vulnerable population, the elderly. Targeted by criminal groups and unscrupulous relatives alike, seniors tend to be more trusting of others and are less likely to report the crime because they don't want family members to think they can't maintain their independence, says the National Crime Prevention Council. Fighting this crime is a high priority for me, and it was a privilege to participate in an FTC panel on the subject in Washington, D.C. last month.

3 Do’s and Don’ts of Effective HIPAA Compliance for BYOD & mHealth

HIT Consultant - June 11th, 2013

Clinicians use 6.4 different mobile devices in a day on average, according to the IDC Healthcare Insights Study. Mobile health devices and BYOD policies provide healthcare professionals with the ability to facilitate smoother workflows, promote team collaboration and help boost productivity. However, these benefits bring risks of security breaches. PwC Health Research Institute clearly identified the need for mobile security as one of the top ten issues hospitals will face in 2013. The report also found that 69% of the consumers surveyed said they were concerned about the privacy of their medical information if providers accessed it through their mobile devices.

The Monthly Wrap Up - May 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

Market for Data Breach Insurance Heats Up

John Moore - iHealthBeat - May 23rd 2013

Hospitals and other health care providers are beginning to purchase data breach insurance as the number of security incidents reported in the health care sector continues to grow.

Data breach insurance, sometimes called cyber liability insurance, provides some peace of mind for health care executives faced with the near inevitability of an intrusion. Insurance products in this field date back to the late 1990s and early 2000s, but demand has picked up over the last couple of years. Insurance brokers and security consultants report an uptick in interest in such policies among health care providers and their business associates.

Experts highlight top data breach vulnerabilities

Net-Security - May 22nd 2013

Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.

Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels, to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety.

10 Data Breach Vulnerabilities Revealed

PORTLAND, Ore. — May 22, 2013 — It’s not a plot on a TV show. Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker. Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels (see Hidden Hazards: The Computers Inside), to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety. Industry experts offer insights on top hidden vulnerabilities that can cause data breach:

3 lessons on risk: What higher ed can teach health IT

Rick Kam - GovHIT - May 13th 2013

We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.

On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (Check out this infographic from Open Site, for an overview of data breaches in higher education.)

Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:

Harm Standard: Gone But Not Forgotten? New Factors Mimic Current Breach Regs

Report on Patient Privacy - May 2013

Although covered entities (CEs) have been required since 2009 to notify affected individuals and the government, when appropriate, of breaches of unsecured protected health information (PHI), the so-called “harm” standard that triggers notice no longer exists under the new final regulations. Or does it?

Are CEs really starting over when it comes to assessing whether an incident is a reportable breach under the final regulations issued on Jan. 25, which have a compliance deadline of Sept. 23?

The Monthly Wrap Up - April 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

FTC Panel Highlights Growing Problem of Medical Identity Theft, Especially Among Senior Citizens

PORTLAND, Ore. — May 1, 2013 — Identity theft is the nation’s fastest-growing crime, claiming almost ten million victims per year, according to FBI statistics. Medical identity theft is the latest threat to affect patients—especially senior citizens. To address this growing epidemic, the Federal Trade Commission will host the educational forum

HIPAA data breach prevention tips for health care IT leaders

Don Fluckinger - SearchHealthIT - April 11th 2013

Speakers at the PHI Protection Network's recent forum in Cambridge, Mass. offered HIPAA data breach prevention strategies for health care IT leaders and privacy officers in attendance. They stressed that while technology is vital for preventing breaches, enforcing employee policies to use that technology is equally important.

First, understand that while you're building a culture of health data privacy and security, expect data breaches will happen. The goal of IT leaders, in concert with compliance staff, is to reduce the number of breaches, as well as act quickly to minimize consequences after the fact.

For the best data breach response, name a crisis manager now

Don Fluckinger - SearchHealthIT - April 9th 2013

CAMBRIDGE, Mass. -- When a data breach happens and the healthcare organization hasn't thought through its internal response plan, many bad things can happen. First, the people involved write internal emails throwing each other under the bus and assigning blame -- and the emails then become a revealing part of the record for attorneys and federal investigators to sift through later.

Then, in a vacuum, managing the media response falls to whom? Marketing? Media relations? IT staff? What will come out of their mouths to the local television, newspaper, radio and Internet reporters? The worst-case scenario is when CEOs take matters into their own hands and call a press conference -- unprepared, perhaps unintentionally making factual errors or public promises the hospital can't keep regarding future data breaches -- or revealing evidence that later turns into pronouncements of willful neglect.

3 ways to make data protection more patient-centric

Rick Kam - GovHIT - April 9th 2013

HIPAA and HITECH. PHI in the cloud. BYOD policies. Meaningful use.

The industry is rife with buzzwords and acronyms surrounding patient privacy and data security. The most important word, however, is one that we often overlook: patients.

Yet, they’re the reason we do what we do.

Attorney Jim Pyles, who helped draft the HITECH Act, said, “I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time … When [healthcare leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”

The Monthly Wrap Up - March 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

World’s Health Data Patiently Awaits Inevitable Hack

Wired - Daniela Hernandez - March 25th 2013

Eugene Vasserman is uneasy about his digital pedometer. The company that makes the thing doesn’t know his name, age, or gender, but it does track his every step and his location. “They know where I sleep. They know my address,” says the Kansas State University cybersecurity and privacy researcher.

Some might think he’s paranoid. But he hasn’t stopped using the device. It’s just that he sees the worst-case scenario — and he’s adamant that the rest of us should see it too. Once health data leaves your immediate possession, he explains, it’s out of your control.

“I’m aware of the tradeoff I’m making … [but] I don’t think people understand what they’re giving up by putting this data out there,” he says. “The direct repercussions are not quite clear because the definition of cloud — excuse the pun — is very nebulous.”

What we do know is that security breaches surrounding healthcare information have been on the rise, according to the Ponemon Institute. And according to The Washington Post, there are “gaping security holes” in many of the systems that hold our healthcare data.

At executive conference, PHI security experts preaching patient advocacy

Health IT Exchange - Don Fluckinger - March 13th 2013

CAMBRIDGE, MA — Here at the Protected Health Information (PHI) Protection Network's first conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders' message: It's all about the patients.

Discussions at patient data security conferences usually revolve around hot new technologies, emerging threats, and common-sense technical safeguards and policies to protect healthcare businesses. Up until this security confab, we've heard health care leaders list their top reasons for HIPAA compliance as protecting a hospital's revenue stream, its reputation, and its hard-earned place as a trusted entity in a city or community in the face of these regulations that seemingly set them up for failure.

Patient advocacy — actively protecting patient interests by protecting their data — usually gets mentioned in passing, fourth or fifth on the list of reasons to shore up HIPAA compliance programs.

Complying With New HIPAA Rule Redefining Breach Notices

Privacy Journal - Doug Pollack & Mahmood Sher-Jan - March 2013

The HIPAA Final Omnibus Rule issued in January is landmark legislation for the healthcare industry. One of the key changes is the removal of the "harm threshold" as a standard for determining whether notification is required after a breach.

Issued on Sept. 23, 2009, the Interim Final Rule for Breach Notification noted that a breach crossed the harm threshold if it "posed a significant risk of financial, reputational, or other harm to the individual." Placing the burden of proof for determining this risk of harm on health-care providers ("covered entities") caused huge (subjective) variances in the definition of a breach that required notification to the public and government agencies and left affected individuals at risk for harm. Patient-privacy advocates perceived the harm threshold as subjective, and health-care organizations lacked clear guidance on how to conduct such an assessment.

5 steps to managing data security risks in the cloud

GovHIT - Doug Pollack - March 12th, 2013

Cloud computing. It’s like having a butler for your data — managing them, securing them, and making them available when and where they’re needed. No wonder the cloud is attractive to organizations burdened with time and budget constraints.

But the cloud is not without its risks. The Cloud Security Alliance (CSA) recently released its “Notorious nine,” a list of the top threats associated with cloud computing. At the top of the charts for 2013: data breaches. With this threat at the forefront, healthcare organizations should determine when, if ever, is an optimal time for placing protected health information (PHI) and personally identifiable information (PII) in the cloud.

Cloud-based storage greatly increases cyber security exposures: Panel

Business Insurance - Matt Dunning - March 6th, 2013

As if managing the risk of data breaches and losses isn't complicated enough, incorporating cloud-based data storage services can greatly exacerbate an organization's cyber security...

The Monthly Wrap Up - February 2013

ID Experts Monthly Wrap Up of privacy and data breach stories from around the web.

How to Protect “Big Data” in Healthcare:

PORTLAND, Ore. — February 28, 2013 — Data breaches are a growing and alarming trend. Half of healthcare organizations experienced more than five data breaches of patient data during the past two years, according to the recent Ponemon Institute report. The must-attend industry forum, Turning PHI Security Into a Competitive Advantage—to be held March 12-13, 2013 in Boston—is tailored to healthcare organizations looking at ways to better protect the big data they manage and learn how to customize security initiatives to protect protected health information (PHI). Register now by visiting Turning PHI Security Into a Competitive Advantage or www.phiprotection.org. Friday, March 1 is the last day to register.

RSA Conference: Problems of third party breaches highlighted

SC Magazine - Dan Raywood - February 27th, 2013

Breaches at third parties can be mitigated with due diligence and preparation, but often that is not a consideration at the first point.

In a debate on 'The killer next door – the devastating impact of third party breaches' at the RSA Conference in San Francisco, Michael Bruemmer, vice president of Experian, said that while you can plan up front and train employees, the threat grows dependent on how many people are involved with the chain of command and the number of outsourcers.

What is your PHI worth?

GovHIT - Rick Kam - February 21st, 2013

A difficult question, to be sure, but it's a critical one. Healthcare organizations' privacy programs are still understaffed and underfunded, even while millions of patients' protected health information (PHI) is compromised. Securing PHI is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the recent Third Annual Benchmark Study on Patient Privacy and Data Security.

Jim Pyles, principal at Powers, Pyles, Sutter and Verville, PC, points out that the changing healthcare industry means that liability risks around PHI privacy are continuing to escalate. He says that electronic data breaches are reaching what he calls "epidemic proportions," particularly with the growing use of electronic records and hard-to-secure mobile devices, as well as the growth of electronic health information systems.

Tips to overcome PHI security obstacles

Help Net Security - February 20th, 2013

Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) is compromised.

Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule.

6 Tips to Overcome PHI Security Obstacles

PORTLAND, Ore. — February 19, 2013 — Healthcare organizations’ privacy programs are still understaffed and underfunded, even while millions of patients’ protected health information (PHI) is compromised. Securing PHI in healthcare is an obstacle, with 94 percent of healthcare organizations suffering data breaches in the past two years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security. Organizations face new challenges with the recent release of the HIPAA Final Omnibus Rule. At the upcoming forum, Turning PHI Security Into a Competitive Advantage, to be held March 12-13 in Boston, organizations will learn how to build, present, and defend a business case for PHI security. More than 20 industry experts will outline steps to protect against the organizational and financial repercussions of data breaches.

Healthcare Entities Manage Privacy and Security Incidents with RADAR™ 2.5

PORTLAND, Ore. — February 5th, 2013 — A lost laptop or lost paper files can put a healthcare organization in a tailspin, especially if they contain the protected health information (PHI) of thousands of patients. Is this an incident or a breach? Is there a probability of PHI being compromised? Will this require notification? RADAR 2.5™, the latest software tool from ID Experts, answers these questions for covered entities and business associates, by managing and tracking privacy and security incidents involving personally identifiable information (PII) and PHI. RADAR helps meet all compliance requirements with HIPAA federal and state data breach laws, including the Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS) on January 25, 2013.

4 risk factors to understand since HIPAA final rule on privacy and security

GovHIT - Doug Pollack & Mahmood Sher-Jan - February 6, 2013

Few will mourn the loss of the ambiguous “harm threshold” requirement. Patient privacy advocates perceived the harm threshold to be subjective, which led “to inconsistent interpretations and results,” according to the HIPAA Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS).

Under the Breach Notification Interim Final Rule, a breach crossed the harm threshold if it “posed a significant risk of financial, reputational, or other harm to the individual.” The rule required healthcare organizations to perform an incident risk assessment to determine if a breach crossed the harm threshold standard and thus required notification.

New breach notification rules demand documentation

SearchHealthIT - Ed Burns - January 23rd, 2013

Another major development out of the HIPAA omnibus is the premium that Office for Civil Rights (OCR) officials place on documenting privacy and security policies, as well as responses to breaches. In particular, the changes to the breach notification rule set the bar high for documentation, and covered entities that fail to keep adequate records could face enforcement actions, even when their general response to a breach is appropriate.

HIPAA Update Tightens Data Breach Liability Risks for IT Companies

eWeek - Brian Horowitz - January 22nd, 2013

An update to the Health Insurance Portability and Accountability Act (HIPAA) could make IT companies more liable for leaked health information, said industry experts. Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final "omnibus" rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17. Companies that produce electronic health record (EHR) software, offer billing and transcription applications, host data in the cloud or provide backup services will be responsible for health information leaks, according to Doug Pollack, chief marketing officer for ID Experts, which offers data breach prevention tools.

PHI Protection Workshop To Be Held March 12-13:

Turning PHI Security Into a Competitive Advantage

20+ Industry Experts to Provide Hands-On Information About How Organizations Can Make a Business Case for Protecting Protected Health Information (PHI)

PORTLAND, Ore. — January 16, 2013 — Securing protected health information (PHI) in healthcare is a growing problem, with 94 percent of healthcare organizations suffering data breaches, according to the recent Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute. Healthcare organizations need to protect against the organizational and financial repercussions of data breaches, but may not know how. At the workshop Turning PHI Security Into a Competitive Advantage, to be held March 12-13, 2013, participants will learn how to build, present and defend a business case for PHI security initiatives tailored exclusively for their organization.

11 Data Security Tips From Industry Experts

Becker's Hospital Review - Kathleen Roney - January 8th, 2013

What should a hospital or health system include in its New Year's resolution? Completing preparations to protect patient records and reduce data breach stress.

The "Third Annual Benchmark Study on Patient Privacy & Data Security" by Ponemon Institute reports that data breaches in healthcare are growing; insider negligence is the root cause; and mobile devices pose threats to patients' protected health information. Despite the fact that 94 percent of healthcare organizations surveyed suffered data breaches in the report, data breaches don't have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. So, how can hospitals and health systems do this?

Report: 94% of US hospitals suffered data breaches, and 45% had quintuplets

Naked Security - Lisa Vaas - Jan 3, 2013

Competent healthcare providers are great at medical things, be it measuring fasting blood sugar to diagnose diabetes, swabbing the backs of our throats, or clearing plaque off our grubby molars.

Securing electronic devices or health records? Not so much.

That's the takeaway from a study from the Ponemon Institute, which surveyed 80 healthcare organisations in the US and found that 75% don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years (mostly due to staff negligence).

Healthcare needs a lesson in cybersecurity 101, report says

Gigaom - Ki Mae Heussner - December 26th, 2012

As hackers look for an easy target, healthcare could be at the top of their list. According to a recent investigation by The Washington Post, the rise of electronic health records, other digital health platforms and connected devices has made healthcare more vulnerable to security breaches than almost any other industry. Relative to other industries, including finance and the military, hospitals and medical facilities have been targeted by fewer hacks, the report said, but government officials have recently indicated growing concern. In May, the Department of Homeland Security released a notice warning that while wireless technology can bring efficiency and flexibility to healthcare, it also introduces security risks that the industry may not be ready to address.

Why Healthcare Data Breaches Are a C-Suite Concern

Forbes - Eric Savitz - December 7th, 2012

Healthcare data breaches have become an everyday disaster. Ninety-four percent of healthcare organizations surveyed in the newly released Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, suffered at least one data breach during the past two years. What’s more, 45 percent of organizations experienced more than five data breaches each during this same period.

The challenges to maintaining the privacy of confidential patient data continue to grow as more and more of this information is being entered into new electronic systems, as mandated by government regulations.

No cure exists for data breaches. Data breaches have entrenched themselves into the fabric of everyday business – like a bacteria – and these risks must be addressed at the highest levels. We believe healthcare organizations should restructure the information security function to report directly to the board. This would symbolize a commitment to data privacy and security, opening executives’ eyes to the real, constant, and costly threats

4 Recommendations to Fight Rising Prevalence, Cost of Hospital Data Breaches

Becker's Hospital Review - Kathleen Roney - December 6th, 2012

Innovation and emerging technologies in information technology are both exciting and challenging for the healthcare field. These advances create efficiencies, eliminate waste and improve much-needed access to information. However, new concerns about security and privacy arise as these advances are implemented and utilized.

The uphill battle healthcare organizations face in stopping data breaches is evidenced in the "Third Annual Benchmark Study on Patient Privacy & Data Security," conducted independently by Ponemon Institute and sponsored by ID Experts.

According to Larry Ponemon, chairman and founder of Ponemon Institute, the study takes a deeper dive into healthcare organizations' struggle to deal with privacy and security data risks. "[Ponemon Institute] not only completes a survey, but observes what the organizations do. The research also includes conversations with members of the organization," says Mr. Ponemon. "This is the third time we are doing the study, and unfortunately, things seem to be getting worse." 

Patient Data Breaches: Future Looks Grim

InformationWeek - Michelle McNickle - December 6th, 2012

A majority of organizations polled for Ponemon and ID Experts' third annual benchmark study on privacy and security don't have the technologies, resources and trained personnel in place to take on modern-day privacy and data security risks.

Since beginning the benchmarking in 2010, Ponemon and ID Experts have found that threats to healthcare organizations have increased. The organizational costs for dealing with breaches are climbing as well, with the average price tag increasing from $2.1 million in 2010 to $2.4 million in 2012. The report projects that eventually the annual cost of continuous breaches for the industry "could potentially be as high as $7 billion."

Of the organizations participating in the study, 46% are part of a healthcare network, 36% part of an integrated delivery system, and 18% are standalone hospitals or clinics. This year, the study engaged 80 organizations and conducted 324 interviews. Respondents participating in the study were from all areas of an organization, including security, administration, privacy, compliance, finance and clinical.

Q&A: Health orgs don’t protect patient data for reasons going ‘back to the industrial revolution’

GovHIT - Tom Sullivan - December 6th, 2012

Three out of five healthcare organizations are not allocating enough resources to protect patient data – and among the reasons is a simple fact that the industry has no way to place a value on that information.

That's according to Rick Kam, president and co-founder of ID Experts, which sponsored the Ponemon Institute's third annual benchmark "Study on Patient Privacy and Data Security," published on Dec. 6.

Prior to the report's release, Government Health IT Editor Tom Sullivan spoke with Kam and Ponemon Institute Chairman Larry Ponemon about the survey's alarming statistics, the potential dangers of criminal social-engineering and why healthcare as an industry is so far behind in terms of safeguarding data.

Many Doctors Don’t Secure Medical Devices From Hackers, Study Finds

Bloomberg - Jordan Robertson - December 6th, 2012

Your doctor’s office likely doesn’t have any digital security for its mammography machines, heart pumps and other devices that are vulnerable to hacking, according to a new study.

In a survey of 80 health care organizations in the U.S., the Ponemon Institute found that nearly three-quarters said they don’t secure their medical devices, even though they contain sensitive patient data. The organizations were not named.

“This finding may reflect the possibility that they believe it is the responsibility of the vendor — not the health care provider — to protect these devices,” said the report by Ponemon, an independent research organization.

2012 Ponemon Research Report: Patient Privacy Equals Patient Care

There's good news and worrying news on the healthcare privacy front. The Ponemon Institute has just released the results of its third annual study on patient privacy and data security[1], and the report shows that while healthcare organizations have made progress towards protecting patient information, the frequency, costs, and impacts of data breaches and medical identity theft continue to rise. As in previous studies, respondents express concern that privacy and data security efforts in their organizations are understaffed and underfunded, even as the health and welfare of millions of patients are compromised by medical identity theft. The evidence is clear: organizations need to recognize that patient privacy is a fundamental component of caring for the health of the patient and the organization.

Experts: Risk assessment looks at privacy, security and incident response

FierceHealthIT - Julie Bird - November 28th, 2012

Risk assessment to determine the safety of health IT systems has three components: privacy, security and incident response testing.

Rick Kam and Mahmood Sher-Jan, executives at Portland, Ore.-based ID Experts, note that risk assessment involves identifying threats, internal and external vulnerabilities, the harm that could come from exploiting vulnerabilities, and the probability that harm will occur.

Ponemon Study Reveals Ninety-Four Percent of Hospitals Surveyed Suffered Data Breaches

Errors and Cyber Attacks Are Culprits; Mobile and Cloud Threats Loom; Patients at Risk for Medical Identity Theft

TRAVERSE CITY, Mich. and PORTLAND, Ore. — December 6, 2012 — The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts®, reports that healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach during the past two years; and 45 percent of organizations experienced more than five data breaches each during this same period. Data breach is an ongoing operational risk. Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually. Leading causes were lost devices, employee mistakes, third-party snafus, and criminal attacks. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients’ protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare.

For a free copy of the Third Annual Benchmark Study on Patient Privacy & Data Security, visit http://www2.idexpertscorp.com/ponemon2012/.

For the data breach infographic visit http://www2.idexpertscorp.com/ponemon2012/Infographic/.

Handle Hospital Data Breaches With Care: 5 Issues to Consider

Becker's Hospital Review - Kathleen Roney - November 14, 2012

According to a USA Healthcare Privacy Claim Trends report by ACE Group — a global insurance organization — the healthcare industry accounted for 58 percent of all reported data breaches in 2012. Hospitals and health systems are high risk because of the type of data they work with: patient personal information, financial information, Social Security numbers, names, addresses, birth dates, etc.

For these reasons, it is important for hospital executives to understand emerging trends in data breaches, the costs associated and proactive steps for minimizing risks. Part of being proactive involves knowing what options are available, such as privacy and security insurance coverage.

How Medical Identity Theft Can Give You a Decade of Headaches

Bloomberg - Jordan Robertson - November 8th, 2012

Arnold Salinas knows a lot about the person who stole his identity.

He’s 5-foot-9, 190 pounds. He pays for pizzas with forged checks, defaulted on a $17,000 car loan and has traveled the country, racking up speeding tickets and thousands of dollars in unpaid taxes, according to Salinas and a firm he’s hired to clean up the mess.

But the worst part is: The imposter is sick.

Salinas, a 53-year-old maintenance worker, is fighting the nastiest form of identity theft — someone has taken out medical care in his name. Among the strange bills that have arrived at his Fresno, California, home over the past decade are debt-collection notices for extensive radiology and other treatments at four hospitals in Kansas and Texas.