Healthcare organizations seeking to maximize the number of patient records they can expose through a given security breach should consider contracting for professional help.
I'm only being partially facetious.
Let's look at the facts.
Here's a thought. When it comes to privacy and security, all patient information is equal.
This isn't a new idea, of course.
I have a copy of the Oath of Hippocrates on my wall. It says, “Whatever … I may see or hear … which ought not be spoken abroad I will not divulge, as reckoning that all such should be kept secret.”
In the U.S., however, that's all Greek to the feds and many states. They have created legal gradations of health information sensitivity. Patient information about mental health, drug and alcohol abuse treatment and HIV/AIDS, for example, is earmarked for special treatment, particularly when it comes to health information exchange.
Typically, U.S. laws specifically require patient consent before “sensitive” information can be shared, even between doctors and hospitals, whereas, under the 2002 HHS-revised HIPAA privacy rule, patient consent is no longer required for most data sharing of other health data types.
So, it was refreshing to visit with Dr. David Levin last week at a health IT leadership forum here in Chicago hosted by Microsoft.
“I'm a little bit of a contrarian,” said Levin, a board certified family practitioner and full-fledged geek doc. He is the chief medical information officer at the Cleveland Clinic.
Before the release of the omnibus privacy rule earlier this year, before passage of the more stringent privacy provisions of the American Recovery and Reinvestment Act of 2009, and even before the main federal health information privacy law, the Health Insurance Portability and Accountability Act of 1996, there were state, federal and common law provisions in full force governing the handling of particularly sensitive patient information.
That special class of patient information includes patient records about treatment for drug and alcohol abuse, mental health, HIV/AIDS and sickle cell.
A workgroup of the federally chartered Health IT Policy Committee spent the better part of an hour Tuesday going over its recommendations on how to handle the legal and ethical privacy concerns over the exchange of digitized patient records. The gnarliest problem, evidenced by the longest discussion, related to the exchange of these particularly sensitive types of patient information, some with unique legal protections that are far more stringent than the rather lax restrictions under the current HHS interpretation of HIPAA.
Recommendations to the HITPC by its privacy and security tiger team, as the workgroup is officially called, were formally accepted for two of three classes of exchange. From there, they will be forwarded to the Office of the National Coordinator for Health Information Technology at HHS. The HITPC was created by the American Recovery and Reinvestment Act of 2009 to give such advice to the ONC.
Approved were recommendations on routine, “targeted” exchanges between providers with established relationships, exchanges in the paper world long since covered by HIPAA. In these transactions, after a 2002 HHS rewrite of the HIPAA privacy rule, patient consent is no longer required when the exchange occurs for treatment, payment and—this is where the laxity comes in—a host of “other healthcare operations.”
It should be an outrageous number—80,000 breaches—but crazy as it seems, that huge number might be a sign of progress.
I interviewed a group of health IT security specialists last week for a story we published about breaches and encryption.
This year, it seems, the Healthcare Information and Management Systems Society is taking a more subtle approach to lobbying for privacy and security regulation.
During its annual Health IT Week lobbying push earlier this month, HIMSS presented just three "asks" to Congress. Two dealt with privacy and security issues.
One asked legislators to study patient identification. A two-page letter from HIMSS spent a lot of verbiage discussing the history of a national patient identifier and how Congress has, since 1999, banned federal funds from being used to "promulgate or adopt" one.
Nonetheless, HIMSS is looking for wiggle room.
Its statement pondered whether studying a patient identifier is verboten, then postulated that a "lack of clear congressional intent . . . poses a huge impediment to the optimal adoption of health information exchange."
That's a slight softening of focus. In 2006, HIMSS and another organization it helped create, the National Alliance for Health Information Technology, pushed for a national patient identifier.
In another "ask" this year, HIMSS is lobbying Congress to support "harmonization" of federal and state privacy laws—again, an apparent softening of its position.
A million and a half dollars here, a million and a half dollars there, and pretty soon, you're talking real money—even in the healthcare industry.
The Office for Civil Rights at HHS on Monday announced a settlement agreement for $1.5 million with a venerable Massachusetts healthcare organization, Boston-based Massachusetts Eye and Ear Infirmary and its affiliated medical group, Massachusetts Eye and Ear Associates, over alleged HIPAA security-rule violations. They involve the reported theft of an unencrypted laptop bearing the records of 3,621 individual patients back in 2010.
I did a quick check of the OCR's "wall of shame" website and found MEEI was getting whacked on its second trip to the rodeo.
The privacy and security enforcers at the OCR, after a long, long period of quiescence, appear to be stepping up their enforcement efforts and availing themselves of the stiffer penalties that Congress provided in the American Recovery and Reinvestment Act's revisions to the Health Insurance Portability and Accountability Act's privacy and security rules.
And while the OCR is allowing MEEI to pay the fine on the installment plan, even $500,000 a year is a lot of money—a point not lost on MEEI itself.
In a statement, MEEI said that because no one appears to have been harmed, it was "disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."
I'll bet.
But it's hard to know what the government was supposed to do other than to take out its proverbial 2x4 and start whacking to get the healthcare industry's attention.
It was déjà vu for data security expert Michael "Mac" McMillan when he heard a hacker had tried to extort money from an Illinois medical group whose patient records and e-mail messages the intruder had accessed and encrypted.
"This is classic," McMillan said. "We saw this countless times in the 1990s with community banks. They would get access to the accounts with people's data and send the bank director a ransom note."
McMillan is the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry.
He hasn't heard of another instance in the healthcare industry in which encryption was used to hold a provider's data hostage—at least not yet—but "it doesn't surprise me that it's happened," he said.
When other industries computerized their business processes, security trailed, McMillan said. "They all went through these phases, where the big guys at the top did it first and the little guys dragged their feet."
In healthcare, "with all this digitization and data-sharing, you become more and more vulnerable to threats from the Internet," he said.
The hack job on the computer system of three surgeons in Libertyville, Ill., a northwest suburb of Chicago, was discovered in June but wasn't publicly revealed until recently. The investigation was turned over to the Secret Service—an agency most widely known for its work protecting the U.S. president, but that possesses other skills, too.
"The Secret Service is the organization within the federal government that has executive agency over computer security crimes," McMillan said. "Typically, when they get involved, there is some form of interstate extortion or threat or something big that can cross state lines or international boundaries."
Encryption is a standard security procedure for moving patient information over the Internet, but not so much for patient records just sitting there on a computer not going anywhere.
So one thing that jumps out in the CMS' new Stage 2 meaningful-use rule is the increased emphasis on encryption for so-called data at rest—that is, patient-identifiable records on servers, hard drives and portable devices.
Under Stage 1 rules, providers are required to perform a risk assessment, as they are already required to do under the security provisions of the Health Insurance Portability and Accountability Act.
Now under Stage 2, they must give serious consideration to encrypting that data (PDF, see pages 132-136).
Why the change in emphasis?
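The laptop-theft settlement described earlier on this page and the Stage 2 emphasis on data at rest share one technical point: an encrypted record on a stolen device is worthless to the thief only if the key is held somewhere else. The Go program below is an added example written for this page, not code from the CMS rule, from MEEI or from any vendor. The patient record and the record identifier are constructed and fictitious, and the key handling (a fresh random AES-256 key that is assumed to be stored off the device, in a TPM, HSM or key-management service) is an assumption made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed, fictitious record used only for this example.
const sampleRecord = "MRN 000123 | DOE, JANE | DOB 1970-01-01 | Dx: hypertension"

// NewDataKey returns a fresh 256-bit AES key. In a real deployment the key
// lives in a TPM, HSM or key-management service, never on the same disk as
// the records it protects; otherwise a stolen device carries its own key.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad (here a record identifier) is authenticated but not encrypted, so a
// ciphertext cannot be silently moved into another record's slot.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the nonce
	// needed for decryption travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to the ciphertext, the tag, the
// aad or the key makes gcm.Open fail; no partial plaintext is ever returned.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record:000123")
	sealed, err := SealRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	// What a thief sees on the disk: nonce, ciphertext and tag, no plaintext.
	fmt.Printf("on disk: %x\n", sealed)

	// With the key (held elsewhere), the record comes back intact.
	pt, err := OpenRecord(key, sealed, aad)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Without the key, the same bytes are useless.
	otherKey, _ := NewDataKey()
	_, err = OpenRecord(otherKey, sealed, aad)
	fmt.Printf("wrong key: err=%v\n", err)

	// Flipping one bit of the ciphertext is detected rather than decrypted.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenRecord(key, sealed, aad)
	fmt.Printf("tampered: err=%v\n", err)
}
```

Two caveats a practitioner would add. First, the authenticated mode (GCM) matters: a plain block cipher would let a bit flip silently corrupt a record instead of rejecting it. Second, encryption at rest only addresses theft of the medium, the laptop-in-a-car scenario; it does nothing against an attacker who reaches a logged-in workstation or a running server that already holds the key in memory, which is closer to the Illinois extortion case discussed above.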
HHS certainly backed up the old regulatory dump truck and pulled the lever, spilling out 1,354 pages of legalese in three separate health information technology-related rules.
One was the CMS' long awaited Stage 2 meaningful-use final rule affecting providers, running a sumo-sized 672 pages.
Another was a companion rule from the Office of the National Coordinator for Health Information Technology, coming in at a hefty 474 pages and targeting IT developers on certification criteria for electronic health-record systems.
Finally, the third rule, also from the CMS and weighing in at a comparatively svelte heavyweight 208 pages, does three things. It pushes back to 2014 the compliance deadline for ICD-10, tweaks an earlier rule on the national provider identifiers, and—after 16 years—establishes a set of health plan identification numbers first called for in the Health Insurance Portability and Accountability Act of 1996.
Like many of you, I'll be spending the weekend poring over the new rules, and I'll be giving you my take on them in the coming weeks.
A few things come to mind right now, one being that perhaps the feds got a few things right, based on the mixed criticism that quickly emanated from healthcare industry leaders tracking—and lobbying—the federal rulemakers.
For example, the American Hospital Association quickly fired off a summary, praising the feds and the CMS in particular for "a shorter meaningful-use reporting period for 2014," but quickly adding expression of disappointment "that this rule sets an unrealistic date by which hospitals must achieve the initial meaningful-use requirements to avoid penalties." The AHA also said that CMS "complicated the reporting of clinical quality measures and added to the meaningful use objectives, creating significant new burdens."
As medical records breaches proliferate, most folks in the health IT security community think of encryption as a defensive measure, not a technology to be defended against.
Better think again.
A unit of the Homeland Security Department—created to investigate attacks on critical national infrastructures—is on the cyber trail of a hacker who cracked into the computer server of three northern Illinois surgeons, locking them out of more than 7,000 of their patients' medical records by encrypting them and demanding payment for the decryption key.