Health Insurance Portability and Accountability Act

Onsite Health Diagnostics suffers data breach

August 4th, 2014

Onsite Health Diagnostics (OHD), a subcontractor to the State of Tennessee, suffered a data breach when its online scheduler was accessed inappropriately. According to reports, the scheduler was accessed by an unknown party. OHD has notified the affected local government employees about the breach.

Data on 60,582 employees, such as name, date of birth, address, email address, phone number and gender, was accessed. Financial information, Social Security numbers and medical data were not included in the breach.

According to the OHD statement:

OHD and investigating authorities are unaware of any identity theft related to this incident, but out of an abundance of caution, OHD has mailed letters to the affected health plan members to ensure that they are aware of the incident and can take steps to protect their information. OHD will provide one free year of identity theft protection to affected group health plan members.

While this information did not contain any diagnosis or medical information, the state has determined that, because it is related to our members’ health benefits, the disclosure of name, address, email address, phone number and gender does fall under the HIPAA definition of a breach of protected health information. The state has notified the Secretary of HHS of a Breach of Unsecured PHI.

After the breach, OHD worked with outside experts to determine how the system was compromised, and it reports having implemented new procedures and systems to secure its operations.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe, not only in terms of the monetary fines imposed on the organization but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization's data, because the information on a lost or stolen laptop cannot be read without the key. Note that full disk encryption protects data at rest: it does its work when the machine is powered off or stopped at the pre-boot login, so it has to be paired with a strong pre-boot password and automatic screen locking to cover a laptop taken while it is running.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Indian Health Services folder causes data breach

July 27th, 2014

Indian Health Service (IHS) suffered a data breach when an employee mistakenly left a folder in a public area in Rapid City. According to reports:

  • In total, 620 patients were affected by the incident.
  • The folder contained patient names, Social Security numbers and enrollment information.
  • The Indian Health Service Rosebud Service Unit sent breach notification letters to the affected patients.
  • No explanation was given for why the folder was in Rapid City.
  • According to IHS, there is no indication that the information was misused or accessed inappropriately.
  • IHS has agreed to improve HIPAA privacy and security training for its employees.

The most common question heard, and the one that needs to be answered, is: “Why was that information in Rapid City to begin with?”

William Bear Shield, the chairman of the Rosebud Sioux Tribal Health Board and a veteran of Desert Storm, said, “I represent a community in Gregory County, 90 miles east of Rosebud, so what was my information doing up there?” he said. “Why was it in possession of an individual in Rapid City?”

Bear Shield said he asked employees at the Rosebud Service Unit why information was in Rapid City, but he said no one would give him a straight answer.

“How can I know if someone didn’t find that information and write down my Social Security number and just wait a year before using it?” he asked.

Tools for Compliance management which can boost security

June 24th, 2014

HIPAA sets out specific requirements for compliance management. Compliance requirements are often seen as an unnecessary burden, but if proper procedures are followed they can protect your organization from a data breach, and from consequences ranging from lawsuits to corporate espionage. The risks of a compliance failure include fines, data loss, lost business and even a suspension of operations.

Below is the list of compliance management tools –

  • www.glpi-project.org: A free, open source tool, GLPI offers IT and asset management capabilities. After all, a good inventory is the first step in seeing what needs to be secured.
  • www.ptatechnologies.com: A free toolset that is driven by the methodology of effectively managing operational and infosec risks in complex systems using calculative threat analysis and threat modeling.
  • www.somap.org: The ORICO Framework and Tool are two projects in one, offering risk management and the toolset to build a reference implementation of a security framework.
  • sourceforge.net/projects/assetmng: An open source IT asset management system that provides identification, valuation and risk assessments.
  • http://openfisma.org: An open source framework designed to reduce the complexity of, and automate, the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

IT managers may need to build their own solutions and integrate off-the-shelf products with other solutions. Luckily for those choosing a path of self-development, several free tools can become part of an integrated solution.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Largest ever violation settlement by NYP and CU

May 10th, 2014

The Department of Health and Human Services (HHS) has reached a $4.8 million HIPAA settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). NYP and CU had violated both the HIPAA Privacy and Security Rules, resulting in the exposure of the electronic Protected Health Information (ePHI) of 6,800 patients. NYP and CU learned of the breach when a deceased patient's partner found the former patient's ePHI on the internet.

The breach occurred when an application developer for the affiliated organizations tried to deactivate a personally owned computer server on the network which held the data. Because the server lacked technical safeguards, the ePHI became accessible to internet search engines soon after the deactivation.

NYP and CU submitted a joint breach report after the ePHI held on their network was exposed. The ePHI included patient status, vital signs, medications and laboratory results. NYP paid OCR $3,300,000 and CU paid $1,500,000, with both agreeing to complete corrective action plans that include risk analyses, developing risk management plans, revising policies and procedures, staff training and providing OCR with progress reports.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

According to the hhs.gov website,

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.


Stolen laptop of Coordinated Health may affect 700 patients

April 22nd, 2014

Coordinated Health reports a breach that may affect around 700 patients after a laptop containing Protected Health Information (PHI) was stolen. The laptop belonged to one of its employees and contained patient names, dates of birth, addresses, insurance information, appointment dates, physician names and Social Security numbers.

The theft is a reportable breach under HIPAA. The laptop was stolen from the employee's car in Bethlehem. According to Coordinated Health's release, the device was password protected but apparently not encrypted. An operating system login password is not a safeguard for the data: the disk can be pulled or booted from other media and read directly, which is why HHS treats only PHI that has been encrypted (or destroyed) as "secured" and exempt from breach notification. The incident was immediately reported to local authorities and a formal police report was filed.

According to release of Coordinated Health –

Coordinated hired a forensic investigator to conduct a full review of the content on the computer. While the laptop was password protected, the investigation revealed that the device may have contained an email with an attached file of 733 CH patient files, their social security numbers and their protected health information including (PHI): name, date of birth, address, insurance, appointment date and physician name.

This is the second breach reported by Coordinated Health within the past month. In the first incident, its Whitehall Township office was robbed and patient information and cash were stolen. Around 70 patients were affected; the information included the last four digits of patients' credit card numbers and Social Security numbers, as well as names, birth dates, phone numbers and some health information.
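"Password protected but unencrypted" is the state an auditor most wants to rule out before a laptop leaves the building. The following is an added example, not Alertsec's or Check Point's code: it takes the JSON that `lsblk --json -o NAME,TYPE,MOUNTPOINT` prints on a Linux laptop and reports every mounted filesystem (swap included) that is not backed by a dm-crypt device. The two device trees are constructed so the check runs offline; the exempt list and the function names are this example's own choices. On Windows the equivalent fleet check is `manage-bde -status`.

```python
"""Check that every mounted filesystem on a Linux laptop sits on top of a
dm-crypt (LUKS) device.

Added example, not Alertsec or Check Point code.  Input is the JSON that
`lsblk --json -o NAME,TYPE,MOUNTPOINT` prints; the two device trees below
are constructed so the check runs offline.  Newer util-linux emits a
"mountpoints" list instead of a single "mountpoint", so both are handled.
"""
import json
import subprocess
from typing import Iterable, List, Tuple

# Constructed: LUKS container with LVM inside it; only the boot partitions are clear.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoints": ["/"]},
                {"name": "vg0-home", "type": "lvm", "mountpoints": ["/home"]},
                {"name": "vg0-swap", "type": "lvm", "mountpoints": ["[SWAP]"]},
            ]},
        ]},
    ]},
]})

# Constructed: a "password protected" laptop whose disks are simply not encrypted.
UNENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "mountpoint": "[SWAP]"},
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/mnt/patients"},
    ]},
]})

# /boot and the EFI system partition must be readable before the disk is
# unlocked, so they are the only clear-text mounts this policy tolerates.
DEFAULT_EXEMPT = ("/boot", "/boot/efi")


def _mountpoints(node: dict) -> List[str]:
    """Return the mountpoint(s) of an lsblk node, old or new output format."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def unencrypted_mounts(lsblk_json: str,
                       exempt: Iterable[str] = DEFAULT_EXEMPT) -> List[Tuple[str, str]]:
    """Return (mountpoint, device) pairs mounted without a dm-crypt ancestor.
    Swap counts too: an unencrypted swap partition can hold pages of PHI
    that were in memory."""
    exempt = set(exempt)
    findings: List[Tuple[str, str]] = []

    def walk(node: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if mp not in exempt and not under_crypt:
                findings.append((mp, node["name"]))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return sorted(findings)


def is_fully_encrypted(lsblk_json: str) -> bool:
    return not unencrypted_mounts(lsblk_json)


def check_this_host() -> List[Tuple[str, str]]:
    """Run the check against the live machine (Linux with util-linux installed)."""
    out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for label, tree in (("encrypted", ENCRYPTED_LAPTOP), ("unencrypted", UNENCRYPTED_LAPTOP)):
        print(label, unencrypted_mounts(tree))
```

The walk tracks whether any ancestor in the block device tree is of type `crypt`, so LVM volumes inside a LUKS container pass while a plain partition or a second data disk does not. Run `check_this_host()` from a configuration management job and treat any non-empty result as a laptop that must not hold PHI.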


Data breach affects 1,144 patients of University Urology of Tennessee

April 18th, 2014

University Urology of Tennessee has released a data breach statement covering 1,144 affected patients. The exposed data was limited to names and addresses; according to the website statement, Social Security numbers, financial account information and clinical information were not exposed.

The breach involved an administrative assistant who gathered patient data in a bid to sell it to a competing provider seeking to win patients' business. It came to light when patients began receiving unsolicited calls from the competing provider and phoned University Urology to report them.

Peggy Kares, HIPAA Security Officer at University Urology, P.C. said, “We understand that any breach of protected health information is a concern for our patients. We sincerely regret this situation occurred.”

After the breach, University Urology terminated the employee, revoked the employee's access to protected health information (PHI), changed internal passwords and obtained an agreement from the competing organization to destroy the patient information it received.

According to website statement,
University Urology, P.C. is notifying by mail the patients impacted by this breach. While it appears that the information subject to the breach was to be used for patient solicitation and there is absolutely no indication that the information may be used for purposes of identity theft, patients may choose to monitor their credit card, bank, or other financial statements for signs of fraud and identity theft.

The information consisting of patient names and addresses is considered protected health information and is protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).


LewisGale Regional Health System reports data breach

April 15th, 2014

LewisGale Regional Health System of Salem, Va. has notified around 400 patients of a multi-state data breach; about 40 of them were under LewisGale's care. Patient names, addresses, insurance information and Social Security numbers were all potentially exposed.

The breach occurred in LewisGale's billing department, where a former employee accessed patient data. Reports state that the former employee is being investigated for identity theft, having allegedly obtained credit, opened accounts and even leased an apartment using other people's information.

Jim Clendenen received a letter about the data breach. “We’re retired now and everything we got is taking care of. I’d hate to have somebody stumble in there and take care of everything that we’ve worked all these years for,” Clendenen said.

He continued, “Wondering how and why they would let an employee have access to something that he had no reason to have,” and “I just hope maybe something can be done to prevent you or someone else going through what I’m going through right now.”

Excerpts from the LewisGale website are as below –

LewisGale Regional Health System was recently informed that a former employee, whose job function required access to Patient Health Information protected by HIPAA, is under investigation for misuse of that information related to approximately 40 of our patients. All of these patients have been notified in writing and provided complimentary credit monitoring through a national credit reporting agency. We have also established a toll-free call center for patients with questions, as well as an email address to which they may submit written communications.

We are fully committed to the security of Patient Health Information and the privacy of our patients. The employee in question has been terminated and we support this person’s prosecution to the fullest extent of the law.


Unique case where concerned entity didn’t violate HIPAA regulations

March 30th, 2014

HIPAA's enforcement arm tracks data breaches and imposes government penalties for compliance failures, but it reaches only entities that handle patient data in certain capacities. The incident in Monroeville, Pa. involved its 911 dispatch center, whose database gave unauthorized users at five fire stations easy access to patient medical records. The accessible information included names, driver's license numbers, birth dates and medical histories.

Monroeville is a community of about 28,000 with a vibrant business corridor, a convention center and two busy hospitals. The Pittsburgh Post-Gazette, which covered the incident for two years, reports that an investigation by the Department of Health and Human Services (HHS) found that Monroeville had not breached HIPAA regulations.

HHS found that the municipality had failed to maintain the database properly, and that the unauthorized access was terminated soon after the breach was discovered. Nonetheless, according to the Office for Civil Rights, ‘Monroeville, its dispatch center, police department or fire department are all not covered under the provisions of the privacy law, which mainly related to health care providers and insurers.’ HIPAA's Privacy and Security Rules bind covered entities (providers, health plans and clearinghouses) and their business associates; an organization outside that definition can expose patient data without OCR having jurisdiction over it.

Two Monroeville council members said they were pleased by the government’s findings. Tom Wilson said, “I was happy that they didn’t find any violations, and the folks that were falsely accused, that took the brunt of the accusations, were completely exonerated.”

Linda Gaydos said, “I am absolutely overjoyed for the employees of our police department, our dispatch center, our EMS and our fire departments and their families, to have this put behind them.” She added, “We had a group of people in Monroeville that worked against Monroeville, and they smoke-screened and they tried to keep stirring the pot and they tried to scare people and make it worse. They’ve made it a very, very bad, uncomfortable situation for a lot of people, and I’m hoping this will put an end to it.”

Municipal Manager Timothy Little said, “I think it lifts a cloud off of Monroeville, and specifically the public safety aspect of the municipality, that there wasn’t any wrongdoing with respect to [health privacy law] violations.”


HIMSS Privacy and Security director discusses ‘Hidden Pitfalls with Cloud, Mobile Technology and Mobile Data’ at HIMSS14

February 24th, 2014

Lee Kim will review how healthcare organizations examine vendor contracts, such as business associate agreements (BAAs) with cloud vendors, to maintain HIPAA compliance. Kim assists HIMSS with government relations and federal and state affairs, evaluating privacy and security laws and regulations.

She believes that organizations have been doing risk assessments to find holes in their information systems:

They’re definitely going through risk assessments for their systems and I’m predicting that organizations, including providers, will be more focused on risk remediation. It’s one thing to assess risk, determining high-level vulnerabilities, but the real value you get out of a risk assessment is what you do about it and take action. Providers can do this by actually mitigating those risks both inside and outside of their organizations.

Kim believes there must be a strong program with processes in place. She noted that the health industry is unique because it is trusted with patient information, and a breach can affect patients’ lives:

Ensuring the patient information is both private as well as secure is certainly paramount. Not only do organizations need to comply with HIPAA, they need to have a holistic approach to keeping bad actors away from patient data. Unfortunately, these bad actors can be inside or outside an organization. Or it may even be an individual who doesn’t have bad intent but is exceeding the scope of their authorized access and causes a breach out of negligence.

Kim also stated that many organizations depend on cloud services without being fully aware of it:

In terms of where we’re going with information technology, it just seems as though there’s more of a dependence on cloud-based solutions. For example, a provider may contract with a cloud provider or use a hosted EHR solution. More health IT stakeholders are seeking these outsourced solutions such as cloud.


Hospitals focus on IT security audits

February 20th, 2014

Once a healthcare organization decides on a security audit strategy, it has to consider aspects such as the impact on daily workflow and the amount of time that elapses between catching an anomaly and resolving the issue. Mark Combs, Chief Information Security Officer (CISO) at West Virginia University Hospitals, described the steps his organization takes to find internal security threats.

Combs said that audit reports can stop a larger breach. He cited a situation in Florida where a healthcare organization was alerted by federal investigators that one of its employees was filing false tax claims.

“Obviously, we’ve found instances where employees were doing inappropriate things, but we were able to catch them soon enough so that they didn’t grow into one of those larger issues,” Combs said. “Luckily, we haven’t had one yet where federal authorities alert us of an incident.” He added that organizations set their policies as best practices, and they need applications in place to enforce those policies.

Combs and West Virginia University Hospitals chose Iatric Systems’ Security Audit Manager (SAM). Rob Rhodes, Senior Director of Patient Privacy Solutions at Iatric Systems, said the integration works well because SAM reaches out to any of the organization’s systems holding PHI, pulls their audit logs and aggregates them in SAM.

“Once it’s aggregated in SAM, we then run proactive reports and alerts,” he said. “Users can set those up so the algorithms we have go out and look for potential privacy violations. SAM has incident tracking as well.”

West Virginia University Hospitals recently made a policy change when it switched from a legacy system to the Epic EHR.

We did that to comply with the HIPAA Security Rule, as we were concerned that people would use their access to look at and potentially harm the integrity of their own record if they make a mistake. We put “same last name” auditing in place, which is a report that’s native to SAM. Not only were we able to use that in Epic, but for our other half-dozen or so systems as well. As we contacted managers telling them they weren’t complying with the policy, we saw a huge reduction in people looking at their own accounts through work access.
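The "same last name" report above is a detection rule, and it is simple enough to run over any system's access log once the logs are aggregated. The following is an added example written for this page, not Iatric SAM's report or West Virginia University Hospitals' code: it reads a constructed CSV access log, flags accesses where a staff member opened their own record (exact, when HR can map employees to MRNs) or a record of a patient sharing their surname (the heuristic the report relies on), and ranks common surnames lower so the reviewer's queue is not dominated by noise. Column names, the employee-to-MRN map and the common-surname list are all assumptions of the example.

```python
"""Proactive "same last name" / self-access audit over EHR access logs.

Added example: not Iatric SAM's report nor West Virginia University Hospitals'
code.  The CSV columns and the rows below are constructed; real audit logs
carry the same fields under other names.  An employee-to-MRN map, if HR can
supply one, makes self-access detection exact; surname matching is the
fallback heuristic that the SAM-style report relies on.
"""
import csv
import io
import unicodedata
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Mapping, Set

CONSTRUCTED_LOG = """\
timestamp,user_id,user_last_name,patient_mrn,patient_last_name,action
2014-02-10T08:01:00,u1001,Garcia,MRN-5001,Garcia,view
2014-02-10T08:05:00,u1001,Garcia,MRN-5002,Nguyen,view
2014-02-10T09:30:00,u1002,O'Brien,MRN-5003,OBrien,view
2014-02-10T10:12:00,u1003,Smith,MRN-5004,Smith,view
2014-02-10T11:00:00,u1004,Lee,MRN-5005,Lee,view
2014-02-10T11:45:00,u1002,O'Brien,MRN-5006,Patel,update
"""

# Constructed: employees who are also patients, keyed by user id (assumed HR feed).
EMPLOYEE_MRNS: Dict[str, str] = {"u1004": "MRN-5005"}

# Surnames so common that a match is mostly noise; rank them low rather than
# dropping them so a reviewer can still spot a repeat pattern.
COMMON_SURNAMES: Set[str] = {"smith", "johnson", "williams", "brown", "jones"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_mrn: str
    reason: str      # "self_access" or "same_last_name"
    severity: str    # "high", "medium" or "low"


def normalise_surname(name: str) -> str:
    """Casefold and drop accents, apostrophes, hyphens and spaces so that
    O'Brien, OBrien and O’BRIEN compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if c.isalpha()).casefold()


def audit_access_log(log_text: str,
                     employee_mrns: Mapping[str, str] = EMPLOYEE_MRNS,
                     common_surnames: Set[str] = COMMON_SURNAMES) -> List[Finding]:
    """Return one Finding per access that looks like self-access or a
    same-surname lookup.  Self-access (exact MRN match) wins over the
    surname heuristic for the same row."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, mrn = row["user_id"], row["patient_mrn"]
        if employee_mrns.get(user) == mrn:
            findings.append(Finding(row["timestamp"], user, mrn, "self_access", "high"))
            continue
        staff = normalise_surname(row["user_last_name"])
        patient = normalise_surname(row["patient_last_name"])
        if staff and staff == patient:
            severity = "low" if staff in common_surnames else "medium"
            findings.append(Finding(row["timestamp"], user, mrn, "same_last_name", severity))
    return findings


def findings_per_user(findings: List[Finding]) -> Counter:
    """Repeat offenders float to the top of the manager follow-up list."""
    return Counter(f.user_id for f in findings)


if __name__ == "__main__":
    for finding in audit_access_log(CONSTRUCTED_LOG):
        print(finding)
    print(findings_per_user(audit_access_log(CONSTRUCTED_LOG)))
```

The surname normalisation matters more than it looks: without it the O'Brien/OBrien row above slips through, and real registration data is full of apostrophes, hyphens and inconsistent capitalisation. Treat the output as a work queue for managers, as Combs describes, not as proof of wrongdoing; a nurse legitimately treating a relative shows up here too.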

Audit reports only cover access that goes through your systems; they say nothing about a laptop that walks out of the building, so encryption software for laptops is essential alongside auditing. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.
