Posts Tagged ‘data security’


Insider Security Threat in Healthcare

Posted by: admin | June 5th, 2009

by Doug Pollack

Recent events have highlighted the issue of insider access to private information, and the associated security, within healthcare organizations. The access to Octomom’s health records by numerous hospital employees illustrates a serious and broad problem. It is also notable as the first case in which California has assessed penalties for such behavior.

Kirk Nahra, Partner with Wiley Rein, a leading law firm in the privacy arena, notes that:

“…the Bellflower Hospital in California was fined $250,000 after 23 employees of the hospital and affiliated companies accessed these medical records without authorization. The government finding in the case indicated that the breaches extended beyond the specific hospital in question, to other hospitals in the same corporate family, and continued even after initial reports to the state regulators about the breach. The state regulators also found that the security efforts to protect patient privacy were insufficient.”

With the passage of the HITECH Act, such situations are likely to become all the more visible given the requirement to report any such data breach incident to the US Department of Health and Human Services. Healthcare organizations must take a serious look at how, and to whom, they provide access to their patients’ personal health information in order to avoid the penalties of up to $1.5MM that HITECH prescribes for such incidents.

Organizations Aren’t Assessing Data Breach Risk

Posted by: admin | March 13th, 2009

by Doug Pollack

Amit Yoran, former National Cyber Security Czar, concluded during a recent address at a security conference in Boston, as reported by Information Security Magazine, that the “traditional models used by organizations to calculate risk are fundamentally broken.”

Empirical evidence would support his claim. Despite growing investments in security technology, the incidence of data breach events is rising. For every Heartland Payment Systems that is in the news, there are thousands of other data breaches that go undiscovered or unreported.

Privacy professionals note that many of today’s organizations do not have accurate inventories of the personal identity and health information (PII/PHI) that they store, manipulate and access. Nor have many performed data breach risk assessments or put in place cross-functional data breach response plans. Fewer still have budgets for implementing technologies and procedures to reduce their risk of data breach, since it isn’t as prominent an industry “category” as, say, “intrusion detection” or “antivirus protection”.

“Yoran would like organizations to refocus their energy, and determine the impact of loss of data, rather than concentrate on system or infrastructure security. For too long, he said, security has focused on availability of service rather than focusing on the value of data and keeping it confidential.”

Seems like good advice.

Data Breaches in Health Care on the Rise

Posted by: admin | April 29th, 2008

by Doug Pollack

An article published by the Wall Street Journal titled “Are Your Medical Records at Risk; Amid Spate of Security Lapses, Health-Care Industry Weighs Privacy Against Quality Care” discusses the growing incidents of data breaches and contributing factors within the health care world.

The article highlights the extent of this problem as follows:

“In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc.”

The premise here is that the health care industry is inclined to have a greater incidence of data breaches due to the broader access to private patient information by employees and health care workers. This was illustrated in recent weeks by the highly publicized access to the medical records of Britney Spears by workers at the UCLA medical center.

“Health care isn’t the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees — including billing staff, nurses, doctors, researchers and lab technicians — who have quick access to individuals’ private information.”

But there seem to be structural requirements for patient record access, dictated by the need to ensure high quality and emergency medical care, that will make it difficult to reduce the risks of data intrusion and breach.

“Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. “We have to be able to take care of patients, too,” says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff’s access to medical data but doesn’t block it.”

Unfortunately, it would appear that we will be seeing more rather than fewer data breaches within the health care industry for the foreseeable future.
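The posts above describe two sides of the same control: hospitals that audit record access rather than block it (so emergency care is never held up), and cases where a couple of dozen employees opened one patient’s chart with no treatment relationship. An audit trail only reduces that risk if someone reviews it. The following is an added example, not code from the original posts or from any hospital system, showing the review step: each logged chart access is compared against a care-team roster, accesses with no documented relationship are flagged, a documented override (the “break-the-glass” emergency case the article mentions) is set aside for separate review rather than treated as snooping, and patients whose chart drew several unrelated accessors within a short window are reported. The log format, user and patient identifiers, roster and thresholds are all constructed for illustration.

```python
"""Review of an electronic-health-record access log for chart snooping.

Added example; the log lines, identifiers, roster and thresholds below are
constructed, and the six-column log format is an assumption, not any real
product's export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed access log: time, user, role, patient, action, optional override reason.
ACCESS_LOG = """\
2009-06-01T08:02:11 u1001 nurse P-555 view
2009-06-01T08:05:40 u1002 doctor P-555 view
2009-06-01T09:15:03 u2007 billing P-555 view
2009-06-01T09:16:30 u2008 lab_tech P-555 view
2009-06-01T09:20:12 u2009 nurse P-555 view
2009-06-01T10:01:55 u1003 nurse P-123 view
2009-06-01T10:02:10 u2010 doctor P-555 view
2009-06-01T11:00:00 u3001 doctor P-123 view emergency
2009-06-02T14:30:00 u2011 researcher P-555 view
2009-06-02T14:31:00 u1003 nurse P-123 update
"""

# Constructed care-team roster: users with a treatment or billing relationship per patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-555": {"u1001", "u1002"},
    "P-123": {"u1003"},
}


@dataclass
class Access:
    time: datetime
    user: str
    role: str
    patient: str
    action: str
    reason: str  # empty unless the user documented an override such as "emergency"


def parse_log(text: str) -> List[Access]:
    """Parse the constructed whitespace-separated log into Access records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        ts, user, role, patient, action = parts[:5]
        reason = parts[5] if len(parts) > 5 else ""
        events.append(Access(datetime.fromisoformat(ts), user, role, patient, action, reason))
    return events


def classify(events: List[Access], roster: Dict[str, Set[str]]):
    """Split accesses into authorised, documented overrides, and unauthorised."""
    authorised, break_glass, unauthorised = [], [], []
    for ev in events:
        if ev.user in roster.get(ev.patient, set()):
            authorised.append(ev)
        elif ev.reason:
            break_glass.append(ev)  # allowed through, but must be reviewed by a human
        else:
            unauthorised.append(ev)
    return authorised, break_glass, unauthorised


def snooping_clusters(unauthorised: List[Access],
                      window: timedelta = timedelta(hours=24),
                      threshold: int = 3) -> Dict[str, List[str]]:
    """Patients whose chart was opened by >= threshold distinct unrelated users within window."""
    by_patient: Dict[str, List[Access]] = defaultdict(list)
    for ev in unauthorised:
        by_patient[ev.patient].append(ev)
    clusters = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e.time)
        users: Set[str] = set()
        for i, start in enumerate(evs):
            # Distinct unrelated users whose access falls within `window` of this one.
            in_window = {e.user for e in evs[i:] if e.time - start.time <= window}
            if len(in_window) >= threshold:
                users |= in_window
        if users:
            clusters[patient] = sorted(users)
    return clusters


def review(log_text: str = ACCESS_LOG, roster: Dict[str, Set[str]] = CARE_TEAM) -> dict:
    """Run the full review and return what an auditor would look at."""
    events = parse_log(log_text)
    _, break_glass, unauthorised = classify(events, roster)
    return {
        "unauthorised": [(e.time.isoformat(), e.user, e.patient) for e in unauthorised],
        "break_glass": [(e.time.isoformat(), e.user, e.patient, e.reason) for e in break_glass],
        "clusters": snooping_clusters(unauthorised),
    }


if __name__ == "__main__":
    result = review()
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log, the review flags five unrelated accesses to P-555, reports the single documented emergency access to P-123 for separate sign-off, and produces one cluster: four distinct unrelated users opened P-555’s chart within an hour on the first day, while the lone researcher access the next afternoon falls outside the 24-hour window and stays an individual finding. The window and threshold are tuning knobs; the point is that an audit-but-don’t-block policy needs exactly this kind of routine review to catch the pattern the news reports describe.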