Tag Archives: HIPAA

[ISN] EHR audit catches snooping employee

http://www.healthcareitnews.com/news/ehr-audit-catches-snooping-employee

By Erin McCann
Managing Editor
Healthcare IT News
January 26, 2015

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients’ confidential information, as one California hospital has observed this past week.

Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients’ medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first discovered only 14 individuals had had their PHI compromised. Following an “expanded investigation,” hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed.

The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes. […]





[ISN] Why Healthcare Security Will Benefit From Collaboration

http://healthitsecurity.com/2014/12/08/healthcare-security-will-benefit-collaboration/

By Elizabeth Snell
Health IT Security
December 8, 2014

With cyber threats on the rise, healthcare security systems must keep pace in order to best protect patient data, as well as their own clinical information. One of the best ways to do that is with organizations working together and communicating strategies to one another, according to Lynne Dunbrack, research president of IDC Health Insights.

Dunbrack authored the recent IDC “Business Strategy: Thwarting Cyber Threats and Attacks Against Healthcare Organizations” report, and discussed the findings with HealthITSecurity.com.

“You’re as strong as your weakest link,” Dunbrack said. “It means you’re sharing data more and there are more opportunities for data breaches if it’s not well-secured. There is a balance that healthcare organizations need to seek.”

With more medical records being implemented into EHRs and more facilities using health information exchanges (HIEs) and other innovations, it’s crucial for organizations to balance healthcare security with new technology. As facilities make investments they also need to ensure they have the appropriate business associate agreements (BAAs) in place, Dunbrack said. Moreover, it’s important to monitor risk assessments and that all covered entities and their connected business associates (BAs) are complying with HIPAA privacy and security requirements. […]



[ISN] Why Health Data Security Still Has Catching Up To Do

http://healthitsecurity.com/2014/11/17/health-data-security-still-catching/

By Elizabeth Snell
Health IT Security
November 17, 2014

There is no question that the healthcare industry and its subsequent health data security options have made great strides over the last several years. However, with cyber thieves more interested than ever before in medical information, it is essential for healthcare organizations to go beyond the standard HIPAA compliance standards.

Mark Ford, Principal of Deloitte Cyber Risk Services, specializes in the healthcare industry and discussed the current cyber threats and health data security issues with HealthITSecurity.com.

According to Ford, the healthcare sector has come a long way in the last five years alone. However, the industry is still behind others – such as manufacturing and financial services – in terms of implementing the necessary cyber risk prevention measures.

“What I’ve seen over time is the industry is making progress,” Ford said. “It’s still kind of slow, it’s more reactive, and has a more compliant focus still. There’s a pretty significant gap between where they are today and where they ultimately need to be. The only way to close that gap is to obviously understand what it is and does to make sure they can lift themselves up to another level of maturity in the future.”

For example, Ford explained that from the mid-1990s to the early 2000s, approximately 70 percent of the online threats to the healthcare industry were from insider threats. The rest was relegated to hacker threats. However, that has shifted as there are now different types of hackers. […]



[ISN] Email hack makes for HIPAA breach

http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack

By Erin McCann
Associate Editor
Healthcare IT News
October 14, 2014

An academic medical center in California is notifying patients of a HIPAA breach after officials discovered a physician’s email account had been hacked by an outside source.

University of California Davis Health System has notified 1,326 patients that their protected health information, which was contained on this physician’s email account, was compromised. The breach, which occurred at UC Davis Medical Center, was discovered Sept. 26, according to patient notification letters mailed out. The email incident had occurred one day earlier.

“Our IT team has undertaken a review of the event, but the exact root cause of the incident remains unknown. We do not see evidence of a phishing attack,” said Shara Merritt Reed, privacy program director at UC Davis Health System, in an emailed statement. “We hesitate to speculate but deduce the credentials were obtained by other means in order to utilize the account.”

In a letter mailed to affected patients Reed explained that UC Davis providers use their emails for patient care purposes, specifically, for example, upcoming appointments, or patient care exchange for a consultation or referral. “When this happens, limited amounts of patient information may be included in the provider’s email account,” she explained in the letter. […]



[ISN] How are hospitals handling medical device security?

http://healthitsecurity.com/2014/09/30/how-are-hospitals-handling-medical-device-security/

By Patrick Ouellette
Health IT Security
September 30, 2014

Dale Nordenberg, moderator of the medical device security panel discussion at this year’s HIMSS Privacy and Security Forum, made an interesting point in saying that medical devices fit somewhere between BioMed, IT and security. Given the likelihood that they fall through the cracks, what are the best ways for healthcare organizations to monitor the risks associated with these devices?

Nordenberg, a medical device expert, discussed security experiences and safeguard tactics with panelists Kristopher Kusche, VP of Information Services, Technology Services at Albany Medical Center, and Darren Lacey, Chief Information Security Officer (CISO) of Johns Hopkins University and Johns Hopkins Medicine.

The first major topic of conversation was the manner in which Kusche approaches risk assessments for medical devices. Kusche said he had 20,000 medical devices across two hospitals, which outnumbers the 18,000 managed IT products, such as computers, the organization has on the network. As a Joint Commission accredited hospital, he said that Albany Medical Center has been assessing every device for risk for a long time because it was a Joint Commission requirement. The only major difference now is the addition of cybersecurity to that risk assessment.

“When the FDA released its cybersecurity recommendations in June 2013, we took them to heart,” he said. “After having done full cybersecurity assessments for our IT components and systems for HIPAA, the next logical step was to perform assessments on medical devices.” […]



[ISN] Developers want mHealth security talks

http://www.healthcareitnews.com/news/developers-want-mhealth-HIPAA-security-talks

By Eric Wicklund
Editor, mHealthNews
September 18, 2014

App developers, who say they are being left out of important mHealth privacy and security conversations, are calling on the federal government to give them a little more transparency around the issues.

In a letter to Congressman Tom Marino, R-Pa., several developers and the 5,000-member ACT/The App Association have asked to be brought up to date on mHealth regulations. They’ve also requested changes to the Health Insurance Portability and Accountability Act, or HIPAA, to make it more in tune with current technology.

Specifically, the letter calls on the government to make existing regulations more accessible to developers, improve outreach to new companies in the mHealth space, and update “Security Rule Guidance Material” to help developers stay abreast of mobile implementations and standards.

The letter was signed by ACT/The App Association, AirStrip, AngelMD, Aptible, CareSync and Ideomed. […]



[ISN] New HIPAA breach details remain vague

http://www.healthcareitnews.com/news/new-hipaa-breach-details-remain-vague

By Erin McCann
Associate Editor
Healthcare IT News
August 26, 2014

Cedars-Sinai Health System is notifying its patients of a HIPAA breach, after an unencrypted hospital laptop containing patient medical data and Social Security numbers was stolen from an employee’s home.

Despite saying they were mailing breach notification letters this week, hospital officials said they didn’t know how many patients were affected by the June 23 HIPAA breach. CS officials launched an investigation into the theft more than two months ago. Multiple requests for the number have been unsuccessful.

The laptop stolen contained patient diagnoses, treatment data, lab tests, Social Security numbers in many cases, patient ID numbers and other personal information.

According to Cedars-Sinai officials, the employee used the unencrypted laptop to troubleshoot software and worked outside of normal business hours, which was why the laptop was taken home. […]



[ISN] Identifying and mitigating healthcare IT security risks

http://healthitsecurity.com/2014/08/19/identifying-and-mitigating-healthcare-it-security-risks/

By Patrick Ouellette
Health IT Security
August 19, 2014

Being proactive in healthcare IT security means picking out risks before incidents occur, not after the fact. But the challenge is that potential risks are spread across a variety of areas within a healthcare organization.

Blair Smith, Ph.D. Dean, Informatics-Management-Technology (IMT) at American Sentinel University, spoke with HealthITSecurity.com about security considerations for healthcare organizations. Smith was a professional IT consultant for a number of years and for the last 15 years was with the University of Phoenix, including the last five as the Dean of Information Systems prior to joining American Sentinel. With heavy experience in disaster recovery planning, he said he always considered security a heavy risk area.

What are some major security risks within healthcare at the moment?

When I look at IT security for healthcare organizations, it’s not that much different from what many other retail or manufacturing organizations in that it’s a prominent topic. The key is to understand and identify areas of risk and potential exposure, and it’s where the HIPAA rules for risk assessment become very important.

BYOD, for example, has its risks and benefits but from an industry perspective, the access to data housed [on the device] would be a concern. Similarly, cloud security opens another external pathway for data to possibly be exposed to a number of different risks such as inappropriate data access and loss. As we use more mobile devices, whether it’s a smart phone or tablet, those types of things really present a wide range of issues for security personnel.

And what we’re seeing today is more hackers and outside threats bringing exposure and risks to organizations. For example, there’s the subject of single sign on (SSO) and how to have effective security controls while maintaining convenience. The idea is to move beyond prevention security to proactive response technology. How do we quickly mitigate and take care of any exposures. […]

