Tuesday, January 17, 2012

Smartphones blamed for increasing risk of health data breaches

The number of physicians using smartphones has reached a near-saturation point. Meanwhile, the number of data breaches is going up.
Coincidence? Leading experts think not.
Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010. Also on the rise have been data breaches, which, according to research released in December by Ponemon Institute, have risen 32% in the past year. Ponemon found that 96% of all health care organizations surveyed said they had experienced at least one data breach in the past two years.

Thursday, January 5, 2012

Loma Linda hospital worker fired for taking home private records

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.
What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.
http://www.scmagazine.com/loma-linda-hospital-worker-fired-for-taking-home-private-records/article/221841/

Friday, December 23, 2011

Federal agency could investigate online security breach of Lawrence Memorial Hospital

Officials at the US Lawrence Memorial Hospital said they are anticipating a federal investigation and possible fine after an online security breach potentially compromised 8,000 patients’ financial information.

Officials from the Lawrence Memorial Hospital also believe there was a way to access, from that portal, a database that contained information on every patient who had used the online bill pay system since it was first offered in 2005.

The hospital learned about the security breach on 28 October. And guess how: a patient using Google to search her husband’s name found his financial information online.

http://eeiplatform.com/6525/fbi-to-investigate-security-breach-in-hospital-e-billing-system/

Thursday, December 15, 2011

HHS Audits the 1% … and the Rest: First HIPAA Privacy and Security Audits Begin

By Adam H. Greene
12.13.11
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun the process of notifying covered entities that they are among the unlucky few who have been selected for the first Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The selected entities represent a cross sample of the health care industry—from billion-dollar health care systems to small physician practices. Audited entities will undergo comprehensive reviews of their privacy and security policies and procedures, documentation, and operations.

While the first twenty covered entities have been selected, approximately another 130 remain in this audit round. HHS has indicated that it hopes to continue with proactive audits in the future and expects to become more aggressive in its enforcement of complaints.
http://www.dwt.com/LearningCenter/Advisories?find=450543

Tuesday, December 6, 2011

NIST: New FREE HIPAA Tool Helps Organizations Meet Security Requirements

From NIST Tech Beat: November 22, 2011

Contact: Evelyn Brown
301-975-5661

A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Congress enacted HIPAA to, among other things, promote efficiency in the health care industry through the use of standardized electronic transactions, while protecting the privacy and security of health information.

The Secretary of Health and Human Services (HHS) published the HIPAA Security Rule, a national set of standards for protecting electronic protected health information (EPHI) that is created, transmitted, or maintained by covered entities and their business associates. HHS recognizes the value of NIST's information security standards and guidelines, and has recommended these as valuable resources for organizations to consider as they implement the HIPAA Security Rule.

The law requires "covered entities" and business associates to follow the HIPAA Security Rule. Covered entities include government agencies involved in health records, health care providers, health plans such as health insurance issuers and Medicaid and Medicare programs, health care clearinghouses and Medicare prescription drug card sponsors. "Our HIPAA Security Rule Toolkit is designed to help organizations of all sizes and with varying levels of security expertise to better protect electronic health information," says NIST information security specialist Kevin Stine. "It leverages many existing security resources and tailors them for use within the context of HIPAA security." He emphasizes that the application is meant as a self-assessment tool, and does not indicate HIPAA Security Rule compliance.

The toolkit is intended to be a resource that organizations can use to support their risk assessment processes by identifying areas where security safeguards may be needed to protect EPHI, or where existing security safeguards may need to be improved. The self-assessment tool presents a series of questions in groups related to each of the HIPAA Security Rule standards and implementation specifications. For simplicity, the toolkit follows the established HIPAA structure of administrative, physical and technical safeguards, organizational requirements, and policies, procedures and documentation requirements.

The target audience includes HIPAA-covered entities and business associates, and organizations that provide Security Rule implementation, assessment and compliance services. Target user organizations can range in size from a large nationwide health plan with vast information technology (IT) resources to a small two-doctor health care provider with limited access to IT expertise.

The free toolkit comes with a comprehensive User Guide and a self-contained, stand-alone software application that can run on Windows, Mac and Linux operating systems. It is available at http://scap.nist.gov/hipaa . Funding for the toolkit was provided by the American Recovery and Reinvestment Act of 2009.

http://www.nist.gov/itl/csd/20111122_hipaa_tools.cfm

Tuesday, November 29, 2011

Sutter Health Hit With $1B Class-Action Lawsuit

Miaoulis Note: Hospitals had better take extra care. Like many professions, attorneys are aware of this lawsuit and will be evaluating similar types of cases. Many questions can be asked, but my first question is why this much data was on a DESKTOP computer and not in the computer room.

Conduct your risk analysis now; that starts with knowing where your data is located. That is the key: identify data on desktops, laptops, flash drives, home computers, business associates, servers, cell phones and within application systems, and then create strategies to minimize the risks to this data.
------------------
SACRAMENTO, Calif. (KCRA) -- A class-action complaint was filed Monday in Sacramento Superior Court on behalf of Karen Pardieck and 944,000 other patients, KCRA 3 learned Tuesday.

A desktop computer was stolen from a Sutter Medical Foundation administrative office Oct. 15.

It contained a patient database with information including names, addresses, birthdays, email addresses, phone numbers and descriptions of medical diagnoses and procedures.

The lawsuit cites a “failure to safeguard and secure patients’ private information” and “negligent storage practices” that led to an increased risk of a serious information breach.

Sutter has admitted the information lost was unencrypted.

Read more: http://www.kcra.com/news/29835846/detail.html#ixzz1f6i7o4GI

Saturday, November 26, 2011

25 "Worst Passwords" of 2011

If you see your password below, STOP!
Do not finish reading this post and immediately go change your password -- before you forget. You will probably make changes in several places since.....................

Here is the list compiled by SplashData: http://www.splashdata.com/
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
http://finance.yahoo.com/news/25-worst-passwords-2011-revealed-202955980.html

MIAOULIS NOTES: Passwords are one of the two most critical access controls (not logging off is the other) that users must understand to assist their organizations in protecting information (ePHI). 

Many organizations have decided (with the help of statisticians) that, to prevent the above type of passwords, you should change your password every 60-90 days, have a different password for every system you access, use a length between 8 and 12 characters, not be allowed to reuse previous passwords (10 is a common number), and be required to use caps, numbers and special characters, all to force users toward stronger passwords.  The problem is that users often use passwords such as their last name followed by #1.  If my password were Miaoulis#1 and I am forced to change it in 60 days, many users simply change the last character to get Miaoulis#2.  This of course defeats the controls that security administrators are trying to implement.  Some systems require you to change more than a certain number of characters.

Although these technical measures help, it is TRAINING that can change human behavior.  HIPAA requires training on passwords, but are employees trained on how to select a good password or just on what NOT to do?
------------------------------------------------------------------------
MIAOULIS NOTE: ONE TECHNIQUE FOR SELECTING A PASSWORD:
There are many ways to select good passwords.  One technique that I have used is to take a sentence and use the first letter of each word, then add a special character and a number.
 
Bill loves to play golf every day
Becomes BLTPGED#4
There are other techniques, such as combining words and misspelling words, in combination with the rules.
------------------------------------
Microsoft offers these hints on selecting a strong password:

http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Create strong passwords:
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:

Length. Make your passwords long with eight or more characters.

Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."

Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.

Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
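An added example, not from the original post or from SplashData or Microsoft, that turns the rules discussed in the notes above into a small checker: the worst-password list, the 8-12 length and character-class rules, rejecting a new password that changes too few characters from the old one (the Miaoulis#1 to Miaoulis#2 case), undoing the letter-to-symbol substitutions the Microsoft text says cracking software checks for, and the first-letter-of-each-word technique. The function names, the substitution table and the default thresholds are my own assumptions.

```python
import re
import string

# The 25 passwords from the SplashData 2011 list printed above.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Assumed table of common letter-to-symbol swaps that cracking tools undo
# automatically; we undo them too, so "P@ssw0rd" is compared as "password".
_SUBST = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(pw):
    """Lower-case and undo the substitutions before comparing against the list."""
    return pw.lower().translate(_SUBST)


# Normalize the list once so that "trustno1" and "trustnoi" compare equal.
_WORST_NORMALIZED = {normalize(p) for p in WORST_2011}


def changed_chars(old, new):
    """Positions that differ between old and new; a length difference counts too."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_password(new, old=None, history=(), min_len=8, max_len=12, min_changed=3):
    """Return the list of policy violations; an empty list means the password is accepted.

    Rules follow the note above: length 8-12, an upper-case letter, a digit and a special
    character required, no reuse of a previous password, and at least `min_changed`
    characters must differ from the old password so Miaoulis#1 -> Miaoulis#2 is rejected.
    """
    problems = []
    if not (min_len <= len(new) <= max_len):
        problems.append(f"length must be {min_len}-{max_len}")
    if not re.search(r"[A-Z]", new):
        problems.append("needs an upper-case letter")
    if not re.search(r"[0-9]", new):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in new):
        problems.append("needs a special character")
    # Compare both the whole password and its alphabetic core ("Password1!" -> "password").
    core = new.lower().rstrip(string.digits + string.punctuation)
    if normalize(new) in _WORST_NORMALIZED or normalize(core) in _WORST_NORMALIZED:
        problems.append("on the worst-passwords list (after undoing common substitutions)")
    if old is not None and changed_chars(old, new) < min_changed:
        problems.append(f"fewer than {min_changed} characters changed from the previous password")
    if new in history:
        problems.append("reuses a previous password")
    return problems


def from_sentence(sentence, special="#", number="4"):
    """The first-letter technique from the note: 'Bill loves to play golf every day' -> 'BLTPGED#4'."""
    initials = "".join(word[0] for word in sentence.split())
    return initials.upper() + special + number


if __name__ == "__main__":
    print(check_password("Miaoulis#2", old="Miaoulis#1"))
    print(check_password(from_sentence("Bill loves to play golf every day")))
```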

Thursday, November 10, 2011

UCLA warns patients personal information was stolen

November 05, 2011

By Anna Gorman, Los Angeles Times

Officials say the data, from 2007 through 2011, included first and last names as well as some birth dates, medical record numbers, addresses and medical information. It did not include Social Security numbers, credit card numbers or insurance details.
The UCLA Health System is warning thousands of patients that their personal information was stolen and they are at risk of possible identity theft, officials said in a statement released Friday.

Officials don't believe the information has been accessed or misused but are referring patients to a data security company if their name and credit are affected.
http://articles.latimes.com/2011/nov/05/local/la-me-ucla-medical-data-20111105

Wednesday, November 9, 2011

OCR Launches Privacy and Security Audits (Announcement)

November 8, 2011

The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.

More information regarding OCR’s Pilot Audit Program is available on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

MIAOULIS NOTE: The link is a must read for everyone.  Major components are provided below.
--------------------------------------

Program Objectives: The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.
----------------------------------
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.

Business Associates will be included in future audits.
---------------------------------
When Will Audits Begin?
The pilot audit program is a three step process. The first step entailed developing the audit protocols. Next, a limited number of audits will be conducted in an initial wave to test these protocols. OCR expects the initial audits to begin in November 2011. The results of the initial audits will inform how the rest of the audits will be conducted. The last step will include conducting the full range of audits using revised protocol materials. All audits in this pilot will be completed by the end of December 2012.


-------------------
How Will the Audit Program Work?
The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.


Tuesday, November 8, 2011

Co-worker Looking at Records Leads to Notification Letters

MIAOULIS NOTE: What steps are you taking to prevent authorized users from viewing records they have no business need to see?  You need strong policies, sanctions and regular review of system activity (HIPAA requirements).
------------------------------------
On October 31, 2011, notification letters were sent to 175 persons whose Deaconess Health System medical records were inappropriately accessed by a now former employee.

The accesses occurred from April through September of 2011. The problem was discovered September 12, 2011, when a department manager reported that an employee may have made inappropriate access to the record of a co-worker. An initial audit confirmed this and other improper accesses, and the employee was terminated. Deaconess continued its investigation by auditing all electronic record activity by the employee for the duration of her employment. This led to the finding of 175 inappropriately accessed records.

Information viewed by the employee included name, address, dates of birth, last four digits of the Social Security Number and, where available, portions of the clinical records of the affected patients.

http://www.deaconess.com/body.cfm?id=3351

Friday, October 28, 2011

Leak of Emory patient records could affect thousands

Nine Emory Healthcare patients have become victims of identity theft in a case that could affect the records of thousands, Channel 2 Action News reported Monday.

The hospital bills of 32 patients at Emory’s orthopedic clinic were taken, and the Social Security numbers, dates of birth and other confidential information were used to file fraudulent tax returns in nine patients’ names, the hospital confirmed.

"Because of the heightened level of importance Emory Healthcare places on the protection of private patient data, we have taken the additional measure of notifying by letter more than 7,300 other patients of this situation -– although we have no reason to believe any of these individuals have been impacted in any way," Emory spokesman Lance Skelley said in a prepared statement.

In September, Emory sent a letter out to about 7,000 people -- all of the orthopedic clinic patients from 2008 -- notifying them about the breach of security. The letter advised patients to be vigilant about monitoring their credit and personal data.

"This issue is in no way a breach of Emory’s electronic medical records system, but rather a human failure to properly follow Emory Healthcare’s prescribed duties and responsibilities for protecting private patient information," Skelley said in the prepared statement.

http://www.ajc.com/news/dekalb/leak-of-emory-patient-1209097.html

Monroeville Man Sentenced To Probation For HIPAA Violation

PITTSBURGH, Pa. - In the first HIPAA prosecution in the Western District of Pennsylvania, a resident of Monroeville, Pa., has been sentenced in federal court to one year of probation on his conviction of knowingly disclosing patient health information to another person in violation of law, United States Attorney David J. Hickton announced today.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) law passed by Congress provides for national standards for electronic health care transactions, and protects patients from the unauthorized disclosure of personal medical information without their consent.

Senior United States District Judge Maurice B. Cohill, Jr. imposed the sentence on Paul C. Pepala, 35.

According to information presented to the court, Pepala disclosed the names and social security numbers of patients at Shadyside Hospital, many of which were then used by other persons to file unauthorized form 1040 electronic tax returns in 2008, in which the filers sought tax refunds.

Prior to imposing sentence, Judge Cohill considered the remorsefulness of the defendant and that the maximum sentence was only one year in prison for the HIPAA violation.

Assistant United States Attorney Gregory C. Melucci prosecuted this case on behalf of the government.

United States Attorney Hickton commended the United States Postal Inspection Service, Internal Revenue Service and Secret Service for the investigation leading to the successful prosecution of Pepala.

http://www.justice.gov/usao/paw/news/2011/2011_october/2011_10_20_01.html

Friday, October 21, 2011

FBI Investigating Florida Hospital Breach

CELEBRATION, Fla. -- Osceola County deputies on Wednesday identified three people accused of stealing private information from patients at Florida Hospital in Celebration, which is now being investigated by the FBI.

Former hospital employees April Baker and Katrina Munroe, and her husband, Dale Munroe, were fired after 2,252 patients, mostly victims of car accidents, had their information siphoned to an attorney referral service, deputies said.

The breach started in January 2010, however, the hospital did not notify the public until September when it took out a small ad in the Orlando Sentinel.

Now, the FBI is investigating.

“The Orlando FBI office recently received information alleging that patient records may have been compromised and we are coordinating with Florida Hospital representatives to investigate the matter,” an FBI spokesman said in a statement.

Investigators said Wednesday that they could not find anything criminal, because privacy laws prevent the hospital from releasing patients' personal information. So far, the hospital has not found any cases of fraud. It has also restricted office workers from getting access to patient records.
http://www.clickorlando.com/health/29535235/detail.html

Monday, October 10, 2011

Stanford Hospital sued $20M over data breach

Twenty million dollars for 20,000 patients: That's how much Stanford Hospital & Clinics stands to owe if the patients win the class-action lawsuit against the leading hospital. Stanford is vowing to fight the lawsuit filed by the patient, who represents thousands of patients whose information was exposed online for almost an entire year, reports Palo Alto Daily News.

The data breach was discovered on Aug. 22, and the information was removed the next day when Stanford Hospital began an "aggressive investigation," according to a Stanford press release.

Stanford pointed to the billing contractor (and co-defendant) Multi-Specialty Collection Services LLC (MSCS) as the culprit for mishandling patients' data. The hospital sent the encrypted data to MSCS, according to Stanford Hospital. MSCS's executive vice president allegedly created an unencrypted electronic spreadsheet and sent it to an unauthorized person to create bar graphs and charts. The unnamed third party allegedly posted it to the public Student of Fortune, a homework help site.

Read more: Stanford Hospital sued $20M over data breach, faults billing contractor - FierceHealthcare http://www.fiercehealthcare.com/story/stanford-hospital-sued-20m-over-data-breach-faults-billing-contractor/2011-10-07#ixzz1c6QcGZdb


Monday, October 3, 2011

TRICARE breach puts 4.9M military clinic, hospital patients at risk

FALLS CHURCH, VA – TRICARE, which provides civilian health benefits for military personnel, military retirees and their dependents, announced on Wednesday that Science Applications International has reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients.

The breach was reported by SAIC on Sept. 14 and involved backup tapes from an electronic healthcare record used in the military health system (MHS) to capture patient data from 1992 through Sept. 7, 2011, from patients who received care in the San Antonio area military treatment facilities (including the filling of pharmacy prescriptions) and others whose laboratory workups were processed in these same facilities even though the patients were receiving treatment elsewhere.

http://healthcareitnews.com/news/tricare-breach-puts-49m-milatry-clinic-hospital-patients-risk