Miaoulis Note: Hospitals had better take extra care. As in many professions, attorneys are aware of this lawsuit and will be evaluating similar cases. Many questions can be asked, but my first question is why this much data was on a DESKTOP computer and not in the computer room.
Conduct your risk analysis now; it starts with knowing where your data is located. That is the key: identify data on Desktops, Laptops, Flash Drives, Home Computers, Business Associates, Servers, Cell Phones and within application systems, and then create strategies to minimize the risks to this data.
------------------
Stolen Sutter Computer Has Millions of Patients' Info
SACRAMENTO, Calif. (KCRA) -- A class-action complaint was filed Monday in Sacramento Superior Court on behalf of Karen Pardieck and 944,000 other patients, KCRA 3 learned Tuesday.
A desktop computer was stolen from a Sutter Medical Foundation administrative office Oct. 15.
It contained a patient database with information including names, addresses, birthdays, email addresses, phone numbers and descriptions of medical diagnoses and procedures.
The lawsuit cites a “failure to safeguard and secure patients’ private information” and “negligent storage practices” that led to an increased risk of a serious information breach.
Sutter has admitted the information lost was unencrypted.
Read more: http://www.kcra.com/news/29835846/detail.html#ixzz1f6i7o4GI
Tuesday, November 29, 2011
Saturday, November 26, 2011
25 "Worst Passwords" of 2011
If you see your password below, STOP!
Do not finish reading this post; immediately go change your password, before you forget. You will probably make changes in several places since...
Here is the list compiled by SplashData: http://www.splashdata.com/
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
http://finance.yahoo.com/news/25-worst-passwords-2011-revealed-202955980.html
MIAOULIS NOTES: Passwords are one of the two most critical access controls (not logging off is the other) that users must understand in order to help their organizations protect information (ePHI).
Many organizations have decided (on the advice of statisticians) that, to prevent the above type of passwords, you should change your password every 60-90 days, have a different password for every system you access, use a length between 8 and 12, not be allowed to reuse previous passwords (10 is a common number), and be required to use caps, numbers and special characters, all to force users to choose stronger passwords. The problem is that users often use passwords such as their last name and #1. If my password was Miaoulis#1 and I am forced to change it in 60 days, many users simply change the last character to get Miaoulis#2. This of course defeats the controls that security administrators are trying to implement. Some systems therefore require you to change more than a certain number of characters.
Although these technical measures help, it is TRAINING that can change human behavior. HIPAA requires training on passwords, but are employees trained on how to select a good password, or just on what NOT to do?
------------------------------------------------------------------------
MIAOULIS NOTE: ONE TECHNIQUE FOR SELECTING A PASSWORD:
There are many ways to select good passwords. One technique that I have used is to take a sentence, use the first letter of each word, and then add a special character and a number.
Bill loves to play golf every day
Becomes BLTPGED#4
There are other techniques, such as combining words and misspelling words, used in combination with the rules.
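The policy rules in the note above (8-12 characters, caps plus a number plus a special character, no reuse of the last 10, and a minimum number of changed characters to stop the Miaoulis#1 to Miaoulis#2 rotation) together with the sentence technique, worked through as an added example; this is not code from the blog or from SplashData. The worst-password list is the one quoted in the post, and the minimum-changed-characters value of 3 is an assumed example.

```python
import re
import string

# Top-25 list quoted in the post (SplashData, 2011), compared case-insensitively.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Policy values from the post: 8-12 characters, caps + digit + special character,
# no reuse of the last 10 passwords. MIN_CHANGED is the "must change more than
# a certain number of characters" rule; the value 3 is an assumed example.
MIN_LEN, MAX_LEN, HISTORY, MIN_CHANGED = 8, 12, 10, 3


def changed_chars(old: str, new: str) -> int:
    """Positions that differ between old and new, plus any length difference.

    Miaoulis#1 -> Miaoulis#2 scores 1: the last-character rotation the post describes.
    """
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations for candidate; an empty list means accepted.

    history holds previous passwords, oldest first; history[-1] is the current one.
    """
    problems = []
    if candidate.lower() in WORST_2011:
        problems.append("on the worst-passwords list")
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a special character")
    if candidate in history[-HISTORY:]:
        problems.append(f"reused one of the last {HISTORY} passwords")
    if history and changed_chars(history[-1], candidate) < MIN_CHANGED:
        problems.append(f"fewer than {MIN_CHANGED} characters changed")
    return problems


def from_sentence(sentence: str, special: str, number: int) -> str:
    """The post's technique: first letter of each word, then a special and a number."""
    return "".join(w[0] for w in sentence.split()).upper() + f"{special}{number}"


if __name__ == "__main__":
    print(check_password("Miaoulis#2", ["Miaoulis#1"]))
    print(check_password(from_sentence("Bill loves to play golf every day", "#", 4),
                         ["Miaoulis#1"]))
```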
------------------------------------
Microsoft offers these hints on selecting a strong password:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx
Create strong passwords:
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:
Length. Make your passwords long with eight or more characters.
Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."
Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.
Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
Thursday, November 10, 2011
UCLA - warns patients personal information was stolen
November 05, 2011
By Anna Gorman, Los Angeles Times
Officials say the data, from 2007 through 2011, included first and last names as well as some birth dates, medical record numbers, addresses and medical information. It did not include Social Security numbers, credit card numbers or insurance details.
The UCLA Health System is warning thousands of patients that their personal information was stolen and they are at risk of possible identity theft, officials said in a statement released Friday.
Officials don't believe the information has been accessed or misused but are referring patients to a data security company if their name and credit are affected.
http://articles.latimes.com/2011/nov/05/local/la-me-ucla-medical-data-20111105
Wednesday, November 9, 2011
OCR Launches Privacy and Security Audits (Announcement)
November 8, 2011
The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.
More information regarding OCR’s Pilot Audit Program is available on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
MIAOULIS NOTE: The link is a must read for everyone. Major components are provided below.
--------------------------------------
Program Objectives: The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.
----------------------------------
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.
Business Associates will be included in future audits.
---------------------------------
When Will Audits Begin?
The pilot audit program is a three-step process. The first step entailed developing the audit protocols. Next, a limited number of audits will be conducted in an initial wave to test these protocols. OCR expects the initial audits to begin in November 2011. The results of the initial audits will inform how the rest of the audits will be conducted. The last step will include conducting the full range of audits using revised protocol materials. All audits in this pilot will be completed by the end of December, 2012.
-------------------
How Will the Audit Program Work?
The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.
Tuesday, November 8, 2011
Co-worker Looking at Records Leads to Notification Letters
MIAOULIS NOTE: What steps are you taking to prevent authorized users from viewing records they have no business reason to access? You need strong policies, sanctions and regular review of system activity (HIPAA requirements).
------------------------------------
On October 31, 2011, notification letters were sent to 175 persons whose Deaconess Health System medical records were inappropriately accessed by a now former employee.
The accesses occurred from April through September of 2011. The problem was discovered September 12, 2011, when a department manager reported that an employee may have made inappropriate access to the record of a co-worker. An initial audit confirmed this and other improper accesses, and the employee was terminated. Deaconess continued its investigation by auditing all electronic record activity by the employee for the duration of her employment. This led to the finding of 175 inappropriately accessed records.
Information viewed by the employee included name, address, dates of birth, last four digits of the Social Security Number and, where available, portions of the clinical records of the affected patients.
http://www.deaconess.com/body.cfm?id=3351
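One shape the "regular review of system activity" in the note above can take, as an added example (not code from the blog or from Deaconess): flag chart opens on records that belong to fellow employees when the viewer is outside the patient's care team, then pick out users with repeated hits for the full-history audit described in the article. The log format, employee roster and care-team mapping are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One EHR chart-open event as an audit log might record it (constructed shape)."""
    user: str     # employee who opened the chart
    mrn: str      # medical record number that was viewed
    dept: str     # department of the viewing user
    context: str  # workflow the EHR recorded for the access


# Constructed reference data: which MRNs belong to employees (co-workers) and
# which departments currently treat each of those patients.
EMPLOYEE_MRNS = {"MRN-1002": "jdoe", "MRN-1003": "asmith"}
CARE_DEPTS = {"MRN-1002": {"cardiology"}, "MRN-1003": {"oncology"}}

# Constructed sample log lines.
SAMPLE_LOG = [
    Access("jdoe", "MRN-1001", "radiology", "order-review"),
    Access("jdoe", "MRN-1002", "radiology", "chart-lookup"),    # own record
    Access("rlee", "MRN-1002", "radiology", "chart-lookup"),    # co-worker's record
    Access("rlee", "MRN-1003", "radiology", "chart-lookup"),    # another co-worker
    Access("mchen", "MRN-1002", "cardiology", "treatment"),     # treating department
    Access("rlee", "MRN-1004", "radiology", "chart-lookup"),
]


def review_access(log):
    """Return (access, reason) pairs that warrant a privacy officer's look."""
    findings = []
    for a in log:
        if a.mrn not in EMPLOYEE_MRNS:
            continue  # not an employee's chart; other rules would cover it
        if EMPLOYEE_MRNS[a.mrn] == a.user:
            findings.append((a, "self-lookup of own record"))
        elif a.dept not in CARE_DEPTS.get(a.mrn, set()):
            findings.append((a, "co-worker record opened outside the care team"))
    return findings


def users_to_audit(log, threshold=2):
    """Users with at least `threshold` findings: candidates for the full-history
    audit of all their record activity, as Deaconess did after the first hit."""
    counts = Counter(a.user for a, _ in review_access(log))
    return sorted(u for u, n in counts.items() if n >= threshold)
```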