Friday, May 14, 2010

HHS / OCR Risk Analysis Guidance

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidances will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.

MIAOULIS NOTE:  Risk analysis and risk management are the foundation of an information security program.  We all do risk analysis every day; the difference is that you need a documented risk analysis.  Start by identifying every risk you know (lost laptops, employees looking at records, hackers, viruses, unpatched servers, weak passwords, etc.), determine the impact and the likelihood, and derive a risk (Very High, High, Medium or Low).  Create a plan to reduce risk and work the plan.

Wednesday, May 5, 2010

22 Computers Stolen - Encryption Project Underway

Security Breach in Orange County – St. Jude Heritage Healthcare Has 22 Computers Stolen And 22,000 Members Notified
St. Jude Heritage Healthcare in Fullerton has notified about 22,000 patients that their personal health data might have been accessed after five computers were stolen.

Heritage, which is affiliated with St. Jude Medical Center, sent letters about the theft last week, according to hospital spokeswoman Dru Ann Copping.

The stolen data was password protected but not encrypted. Patient information might have included Social Security numbers, date of birth and diagnosis. Heritage is offering fraud monitoring services to those patients, who are also urged to put fraud alerts on their credit files.

Fullerton police are investigating. In all, 22 computers were stolen, but only five contained patient records. Earlier this year, Heritage started encrypting medical data, but the process hasn't been completed.
http://www.ocregister.com/articles/medical-246434-jude-data.html

MIAOULIS NOTE:  Just another reminder that organizations need to encrypt data and that the time to start was yesterday.  The sooner you encrypt, the better off you will be.

BioMedical Device Breach - Mammography Suite

Hard drive containing data of 5,418 patients stolen from Kentucky hospital

BOWLING GREEN, KY – A medical center in Kentucky is notifying 5,418 patients of a data breach that occurred when computer equipment, containing information on patients who underwent bone density testing, was stolen from its mammography suite. Hospital officials reported that the information on the hard drive was not encrypted, but was maintained in a locked, non-public, private area.

Officials at The Medical Center at Bowling Green said the stolen piece of equipment held the data of patients who had bone density testing done between 1997 and 2009.
http://www.healthcareitnews.com/news/hard-drive-containing-data-5418-patients-stolen-kentucky-hospital

MIAOULIS NOTE:  Just a reminder that it is not just computers, laptops, servers, cell phones and flash drives, but all equipment that stores PHI, that must be protected and is a reportable breach candidate.

Kentucky psychiatric hospital loses sensitive flash drive

A flash drive containing personal patient information recently went missing from Our Lady of Peace, a 278-bed psychiatric hospital in Louisville, Ky.  How many victims? 24,600.

What type of personal information? The flash drive may have included patient names, room numbers, date of assessment, date of birth, insurance company names, along with admission and discharge dates. It did not include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses.
http://www.scmagazineus.com/kentucky-psychiatric-hospital-loses-sensitive-flash-drive/article/169352/
 
MIAOULIS NOTE:  Just another area that organizations must secure.  Securing USB ports and using encrypted flash drives should be on everyone's list of risks.

Monday, May 3, 2010

Health worker is first HIPAA privacy violator to get jail time

A former UCLA Health System employee, apparently disgruntled over an impending firing, has been sentenced to four months in federal prison after pleading guilty in January to illegally snooping into patient records, mainly those belonging to celebrities.
Huping Zhou, 47, of Los Angeles, who was sentenced Tuesday, now has the dubious distinction of being the first person to ever receive prison time for violating the privacy stipulations under the Health Insurance Portability and Accountability Act (HIPAA), according to the U.S. Attorney's Office for the Central District of California.
http://www.scmagazineus.com/health-worker-is-first-hipaa-privacy-violator-to-get-jail-time/article/168894/
MIAOULIS NOTE:  This certainly changes things.  This may be the first to receive jail time, but I would predict it will not be the last time someone goes to jail for HIPAA violations.