Posts Tagged ‘privacy’


More HITECH privacy rules for healthcare

Posted by: Doug Pollack | April 29th, 2010

As required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.

As noted by Healthcare IT News, “this coming May, HHS will also issue new proposed rules that will address additional privacy, security and enforcement requirements for HIPAA covered entities and their business associates that acquire and handle protected health information (PHI).

“The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records and health information exchange expands the number of organizations that may have access to personal data.

The proposed rule focuses on the liability of business associates of healthcare providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS has said.”

These rules will continue to expand what has become a daunting regulatory environment during 2010 for healthcare organizations, which must digest numerous requirements for securing the privacy of patient health records.

Given that healthcare organizations are now obligated to report all data breaches that affect over 500 individuals to the Office for Civil Rights at HHS for posting on its website, for the first time we will be able to get a window into the actual volume and nature of data breach incidents that are occurring in healthcare. At least this should be the case once covered entities and their business associates develop sound processes and technologies for detecting data breach incidents, as required under HITECH.

Given that data breach incidents in healthcare are moving in the wrong direction (they are on the rise), it behooves all organizations entrusted with PHI to have a comprehensive data breach incident response plan in place, and to have business contracts with every organization with which they share this data that ensure compliance with privacy rules and determine who will bear the costs of data breach notification if and when such incidents do occur.

Government Contractor Exposes Personal Data

Posted by: admin | February 6th, 2009

by Doug Pollack

Network World recently published an article titled “Federal Workers Notified after SRA Virus Breach” about SRA, a 6,600-person federal government contractor, which recently reported a data breach. The breach was caused by a virus in the company’s computer systems that exposed personal information including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information, according to a notification the company posted at the Maryland Attorney General’s Web site.

“The breach is embarrassing for SRA, a 6,600-employee technology consulting company that sells cybersecurity and privacy services to the federal government. The company wouldn’t say which federal agencies were affected by the breach, but in U.S. Securities and Exchange Commission filings it lists intelligence agencies and those such as the U.S. Department of Defense, the U.S. Department of Homeland Security and the U.S. National Guard among its clients.”

While unfortunate for SRA and the federal workers whose personal information was compromised, this continues to provide a wake-up call for organizations of all sizes that current security approaches and technologies are not a guarantee against the eventuality of a data breach. Organizations are increasingly turning to an outside privacy risk assessment to get an independent view of their real risks of a data breach.

Who needs enemies when you have MySpace friends?

Posted by: admin | January 8th, 2009

By Rachel James

A new scam technique, described in an IT World article titled “Why you can’t trust ‘friends’ on Facebook”, is another example of the risks that social networking exposes us to:
Step 1: Request to be “friends” with a dozen strangers on MySpace. Let’s say half of them accept. Collect a list of all their friends.

Step 2: Go to Facebook and search for those six people. Let’s say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you’re already an established friend.

Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send “friend” requests to your victims on Facebook.

As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you’ll accept. In fact, Facebook itself will suggest you as a friend to those people.

(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request “friend” status. They sought you out.)

Step 4: Now, you’re in business. You can ask things of these people that only friends dare ask.

“Let’s meet for drinks — bring your new car!”

“I’m in Nigeria on vacation, got robbed and need $500 to get home!”

Information Security Survey

Posted by: admin | October 31st, 2008

by Doug Pollack

PricewaterhouseCoopers recently published a survey on the information security sector titled “Safeguarding the new currency of business”. Given the continued growth in corporate data breach events, the survey is particularly timely and provides valuable insights to corporate security and privacy officers.

One key conclusion surrounds the investment being made in security technologies during 2008. They noted “double digit advances in implementing new security technologies across virtually every security domain, from prevention to detection.”

Given this, it still begs the question of “why enterprise-wide visibility into the crucial details of actual security incidents is so clouded?” Not only is it difficult to clearly assess data breach events, but technology still does not stem data breaches caused by human error, the proverbial “lost laptop”.

They note appropriately that “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.”

This may presage the priorities that corporate America takes on to address the ongoing security breach issues that remain so commonplace.