Healthcare organizations seeking to maximize the number of patient records they can expose through a given security breach should consider contracting for professional help.
I'm only being partially facetious.
Let's look at the facts.
It's been said, “There's no melon like a snitched melon.”
Is there something about sneaking into someone else's patch and purloining a plump one that makes it taste sweeter?
The pathology of snitched melons came to mind last week while thinking about CVS and the pharmacy chains and why they were squaring off with the Office for Civil Rights at HHS.
The pharmacies have expressed their distaste for a section of the omnibus privacy rule that OCR wrote and released in January and will enforce after its Sept. 23 compliance date.
It's fashionable these days to call every cluster of U.S. Senators a gang.
The Gang of Six. The Gang of Eight.
This week, six Republican senators, having formed their own grouping—let's call it the Gang of Carp—released what they called a “white paper.” In it, they carped about problems with the management and direction of several federal health information technology programs funded by the American Recovery and Reinvestment Act of 2009. They said we need to “reboot” the program, as if it had crashed. That assessment was unbalanced and unfair.
Also this week, a group of 10 healthcare IT cognoscenti—let's call them the Gang of Good Cheer—put out their own “discussion paper,” finding bliss in healthcare IT. Pangloss would have beamed at their grand vision of “an exponential rate of progress in the use of health and health-related data” as if there weren't serious shortcomings thus far. Their paper, too, was unbalanced; cheerleading bordering on euphoria.
Here's a thought. When it comes to privacy and security, all patient information is equal.
This isn't a new idea, of course.
I have a copy of the Oath of Hippocrates on my wall. It says, “Whatever … I may see or hear … which ought not be spoken abroad I will not divulge, as reckoning that all such should be kept secret.”
In the U.S., however, that's all Greek to the feds and many states. They have created legal gradations of health information sensitivity. Patient information about mental health, drug and alcohol abuse treatment and HIV/AIDS, for example, is earmarked for special treatment, particularly when it comes to health information exchange.
Typically, U.S. laws specifically require patient consent before “sensitive” information can be shared, even between doctors and hospitals, whereas, under the 2002 HHS-revised HIPAA privacy rule, patient consent is no longer required for most data sharing of other health data types.
So, it was refreshing to visit with Dr. David Levin last week at a health IT leadership forum here in Chicago hosted by Microsoft.
“I'm a little bit of a contrarian,” said Levin, a board certified family practitioner and full-fledged geek doc. He is the chief medical information officer at the Cleveland Clinic.
Before the release of the omnibus privacy rule earlier this year, or passage of the more stringent privacy provisions of the American Recovery and Reinvestment Act of 2009, or even the main federal health information privacy law, the Health Insurance Portability and Accountability Act of 1996, there were state, federal and common law provisions in full force about the handling of particularly sensitive patient information.
That special class of patient information includes patient records about treatment for drug and alcohol abuse, mental health, HIV/AIDS and sickle cell.
A workgroup of the federally chartered Health IT Policy Committee spent the better part of an hour Tuesday going over its recommendations on how to handle the legal and ethical privacy concerns over the exchange of digitized patient records. The gnarliest problem, evidenced by the longest discussion, related to the exchange of these particularly sensitive types of patient information, some with unique legal protections that are far more stringent than the rather lax restrictions under the current HHS interpretation of HIPAA.
Recommendations to the HITPC by its privacy and security tiger team, as the workgroup is officially called, were formally accepted for two of three classes of exchange. From there, they will be forwarded to the Office of the National Coordinator for Health Information Technology at HHS. The HITPC was created by the American Recovery and Reinvestment Act of 2009 to give such advice to the ONC.
Approved were recommendations on routine, “targeted” exchanges between providers with established relationships, exchanges in the paper world long since covered by HIPAA. In these transactions, after a 2002 HHS rewrite of the HIPAA privacy rule, patient consent is no longer required when the exchange occurs for treatment, payment and—this is where the laxity comes in—a host of “other healthcare operations.”
Professionally speaking, I am a connoisseur of a certain kind of crankiness.
I like to listen to people who don't like the deal we've been handed and are willing to grump about it.
Decorum may make the world turn smoothly, but noisy people make it change. Often, they also make my job more fun.
A lot of people in leadership pay lip service to the ideal that they're open to new ideas, but we all know from experience that many are not.
In the magazine this week are short profiles on four of the squeakiest wheels in healthcare information technology—three physicians and a researcher with a doctorate in sociology. They are Dr. Lawrence Weed, Dr. Scot Silverstein, Dr. Deborah Peel, and Ross Koppel, Ph.D.
Each is a self-professed fan of health information technology, but each has bones to pick with current systems and practices.
Privacy, security rule update coming soon—honest.
The Office for Civil Rights at HHS is about to release its omnibus final rule on health information technology privacy and security—this time for sure.
“Stay tuned,” said Leon Rodriguez, director of the Office for Civil Rights, in a recent telephone interview. His office is the chief federal enforcement agency of privacy and security rules under the Health Insurance Portability and Accountability Act, and the lead rule writer for HHS of the HIPAA privacy and security rule amendments required under the American Recovery and Reinvestment Act of 2009.
“Stay really tuned,” Rodriguez said. “I would really watch closely in the coming weeks.”
But haven't we seen this movie?
Back in March 2012, the civil rights office shipped off its ARRA-mandated privacy and security rule update to the White House for what was then believed to have been only a perfunctory once-over by its Office of Management and Budget before its imminent release.
It should be an outrageous number—80,000 breaches—but crazy as it seems, that huge number might be a sign of progress.
I interviewed a group of health IT security specialists last week for a story we published about breaches and encryption.
A million and a half dollars here, a million and a half dollars there, and pretty soon, you're talking real money—even in the healthcare industry.
The Office for Civil Rights at HHS on Monday announced a settlement agreement for $1.5 million with a venerable Massachusetts healthcare organization, Boston-based Massachusetts Eye and Ear Infirmary and its affiliated medical group, Massachusetts Eye and Ear Associates, over alleged HIPAA security-rule violations. They involve the reported theft of an unencrypted laptop bearing the records of 3,621 individual patients back in 2010.
I did a quick check of the OCR's "wall of shame" website and found MEEI was getting whacked on its second trip to the rodeo.
The privacy and security enforcers at the OCR, after a long, long period of quiescence, appear to be stepping up their enforcement efforts and availing themselves of the stiffer penalties that Congress provided in the American Recovery and Reinvestment Act's revisions to the Health Insurance Portability and Accountability Act's privacy and security rules.
And while the OCR is allowing MEEI to pay the fine on the installment plan, even $500,000 a year is a lot of money—a point not lost on MEEI itself.
In a statement, MEEI said that because no one appears to have been harmed, it was "disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."
I'll bet.
But it's hard to know what the government was supposed to do other than to take out its proverbial 2x4 and start whacking to get the healthcare industry's attention.
It was déjà vu for data security expert Michael "Mac" McMillan when he heard a hacker had tried to extort money from an Illinois medical group whose patient records and e-mail messages the intruder had accessed and encrypted.
"This is classic," McMillan said. "We saw this countless times in the 1990s with community banks. They would get access to the accounts with people's data and send the bank director a ransom note."
McMillan is the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry.
He hasn't heard of another incident in the healthcare industry in which encryption was used to hold a provider's data hostage—at least not yet—but "it doesn't surprise me that it's happened," he said.
When other industries computerized their business processes, security trailed, McMillan said. "They all went through these phases, where the big guys at the top did it first and the little guys dragged their feet."
In healthcare, "with all this digitization and data-sharing, you become more and more vulnerable to threats from the Internet," he said.
The hack job on the computer system of three surgeons in Libertyville, Ill., a northwest suburb of Chicago, was discovered in June but wasn't publicly revealed until recently. The investigation was turned over to the Secret Service—an agency most widely known for its work protecting the U.S. president, but that possesses other skills, too.
"The Secret Service is the organization within the federal government that has executive agency over computer security crimes," McMillan said. "Typically, when they get involved, there is some form of interstate extortion or threat or something big that can cross state lines or international boundaries."