URMC Faces Third HIPAA Breach

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by a physician losing an unencrypted USB drive, reports Healthcare IT News. The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive. Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive runs counter to URMC’s campus-wide policy. URMC requires physicians and staff to use only encrypted drives — the only kind kept in its on-campus computer center. The latest URMC security policy also requires all mobile devices to be password protected, encrypted, and set to time out when left unattended.

In an effort to make sure further security breaches don’t occur, the health organization is re-educating its faculty and staff on its security policy, and plans an annual education series to reinforce this training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach involving more than 500 patients reported to HHS, the magazine reports. The previous two breaches, which involved PHI for nearly 3,500 patients, both took place in 2010. One of the two involved the loss of an encrypted portable electronic device.

May 7, 2013 | Written by Katherine Rourke

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Health Data Hacking Likely To Increase

Wondering about trends in the protected health information breaches you see in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

February 15, 2013 | Written by Katherine Rourke

Problems EMRs Don’t (Necessarily) Cause

In publications like this one, we spend a lot of time and energy clubbing EMRs and EMR vendors for the problems they cause. That’s all well and good, but it’s also worth remembering that some of the big problems surrounding medical operations may not be due to EMR use:

* HIPAA carelessness: When someone shouts private medical information across a room, or loses a flash drive or tablet with records on it, or leaves patient records in a public place, you’ve probably got a nasty HIPAA violation. But the EMR almost certainly had nothing to do with it.

* Clumsy office workflow: Sure, introducing an EMR into a clinical setting can screw up existing workflow. But was it working well in the first place? For those whose business falls apart post-EMR, I’d argue “no.” Businesses that don’t do well after an install most likely had jury-rigged processes in place already.

* Patient care slowing down:  As with staff workflow, clinical workflow can be discombobulated — badly — by an EMR installation. Learning to fit practice patterns to the system is a big job for most clinicians, and they may slow down significantly for a while. But if the patient care flow stays “broken” it’s likely that there were aspects of the pre-EMR system that didn’t work.

I realize that I might get flamed for saying this, but I’m pretty confident that a goodly number of problems that are laid at the feet of dysfunctional EMRs don’t belong there. And that’s not a good thing.

After all, there are enough poorly designed, trouble-ridden EMRs out there to keep us busy critiquing them for a century or two. Why distract ourselves by adding more to the pile when the real issues may be elsewhere?

January 29, 2013 | Written by Katherine Rourke

EMRs May Be The Next Hacker’s Prize

Black-hat hackers are beginning, slowly but at an increasing pace, to lock down and encrypt medical data, then demand a ransom fee before they’ll turn over the data in usable form again.

While reports of such activity are scattered and few at the moment, my guess is that we’re at the beginning of a wave of such attacks, especially attacks targeting small medical practices with unsophisticated security set-ups.

Consider what happened recently to a clinic in Queensland, Australia. Over one weekend, a server holding seven years of patient records was breached and the data encrypted with “military-grade” tools, according to the Naked Security blog.

The attackers, who seem to be based in Eastern Europe or Russia, are demanding $4,000 AUD for the release of the records, the blog reports. The clinic is attempting to avoid paying by bringing in its own security experts, but the experts retained by the clinic are apparently fairly doubtful that they can break the encryption scheme.

Such attacks have begun to occur in the U.S. as well, all targeting smaller medical practices with minimal security support. It’s little wonder that such practices are being targeted; even if they have decent, industry-standard firewalls, antivirus software and password-protected servers — as the Aussie clinic did — such protections are child’s play to defeat if you’re a professional cybercriminal who’s done this kind of thing many times before.

Even if the practice has tougher security in place than usual, how likely is it to have good security hygiene, such as frequently updated and patched firewalls and strong, regularly switched out passwords? Without security staff on board, not too likely.

Given the devastating consequences that can occur if a medical practice is unable to regain its data, it seems to me that it’s time the entire healthcare industry take an interest in this problem. Smaller practices need help, and we’ve got to figure out how to make sure they get it.

December 14, 2012 | Written by Katherine Rourke

BYOD And HIPAA Compliance: Can You Have Both?

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office of Civil Rights will be doing stepped up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work. But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is, if anything, a riskier proposition. For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information. And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.

December 7, 2012 | Written by Katherine Rourke

Hospital Forced To Provide EMR Data Access By Court

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state’s Division of Public Health Services to release patient records, but had challenged the order, arguing that it would be violating state and federal law if it provided free access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection with a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the dirty syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws. (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think it’d be wide open to suits by patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published, which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care. A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

November 13, 2012 | Written by Katherine Rourke

Doctors Increasingly Texting, But HIPAA Protection Lacking

A new study of physicians working at pediatric hospitals has concluded what we might have assumed anyway — that they prefer the use of SMS texting via mobile phone to pagers. What’s worrisome, however, is that little if any of this communication seems to be going on in a HIPAA-secure manner.

The study, by the University of Kansas School of Medicine at Wichita, asked 106 doctors at pediatric hospitals what avenues they prefer for “brief communication” while at work. Of this group, 27 percent chose texting as their favorite method, 23 percent preferred hospital-issued pagers and 21 percent face to face conversation, according to a report in mHealthWatch.

What’s interesting is that text-friendly or not, 57 percent of doctors said they sent or got work-related text messages. And 12 percent of pediatricians reported sending more than 10 messages per shift.

With all that texting going on, you’d figure hospitals would have a policy in place to ensure HIPAA requirements were met. But in reality, few doctors said that their hospital had such a policy in place.

That’s particularly concerning considering that 41 percent of respondents said they received work-related text messages on a personal phone, and only 18 percent on a hospital-assigned phone. I think it’s fair to say that this arrangement is rife with opportunities for HIPAA no-nos.

It’s not that the health IT vendor world isn’t aware that this is a problem; I know my colleague John has covered technology for secure texting between medical professionals, and he’s also an advisor to secure text messaging company docBeat. However, not much is going to happen until hospitals get worried enough to identify this as a serious issue and realize that secure text messaging can be just as easy as regular texting, with additional benefits besides.

In the meantime, doctors will continue texting away — some getting 50-100 messages a day, according to one researcher — in an uncertain environment. Seems to me this is a recipe for HIPAA disaster.

November 2, 2012 | Written by Katherine Rourke

HIPAA Infographic

Who doesn’t like a good infographic? My favorite part of this HIPAA infographic is the last section where it breaks out the number of healthcare organizations that are being investigated for HIPAA violations and the results of those investigations.

[Infographic: HIPAA Violation Infographic]

Infographic authored by Inspired eLearning, a leading provider of online HIPAA compliance training solutions. To view the original post, check out the original HIPAA violation infographic.

September 27, 2012 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

The Immortal Life of Healthcare IT, Secure Texting Scam, and iPhone Heart Rate — Around Health Care Scene

EMR and EHR

The Immortal Life of Healthcare IT

Patient engagement has evolved in many ways in the past century. While patients used to rely on doctors for any information regarding health care, it’s now common for patients to “diagnose” themselves before even stepping foot into a doctor’s office. “The Immortal Life” by Henrietta Lacks, and the author’s thoughts, are compared and contrasted with life nowadays.

Interview with Verizon Wireless’ Arthur Lane

Arthur Lane, a leader in mobile health solution development for Verizon’s Connected Health, was interviewed over at EMR and EHR this past week. He focuses his work on developing solutions built on Verizon’s wireless, cloud, and security offerings. The interview focuses on Health IT and mHealth, and what is in the works at Verizon. He discussed the benefits of mHealth, and what is to come in the future.

Hospital EMR and EHR

What Won’t Happen in #HIT By September 2013

There’s a lot going on with Health Care IT, and it seems as if we’re always hearing about the latest and greatest innovation. However, despite the leaps and bounds that are being made, we can’t expect everything in the EMR industry to be perfect by next year. Anne Zeigler talks about things that won’t be happening in #HIT over the next year, including no major growth in remote monitoring and no high penetration of HIE.

Meaningful Healthcare IT News With Neil Versel

Sampling of opinions on meaningful use Stage 2

The meaningful use Stage 2 final rules have caused quite a bit of discussion across the web since they were announced. Some good, some bad. Neil Versel compiled some of the opinions and thoughts he has discovered over the past few weeks, and created this post with some of them.

Wired EMR and EHR Doctor

The Secure Texting Scam

Medical practices may be getting offers from companies that offer “secure texting” that won’t violate HIPAA standards. However, how secure can texting be? Dr. Michael Koriwchak talks about the “secure texting scam” and the reasons why secure texting can fail. Don’t get caught in this trap and end up paying a large amount for a product that might not deliver what you think.

Smart Phone Health Care

Detect Heart Rate With iPhone Camera – #HITsm Chat Discovery

Finding out your heart rate is now easier than ever — simply by using the camera on your iPhone. This new way to detect heart rate requires no special equipment, beyond an iPhone 4. The app tracks the information and allows the user to view changes over time, among other features.

September 9, 2012 | Written by Katie Clark

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

A Smart Approach To Medicine And Social Media

It’s always a pleasure to touch base with the thoughtful blog (33 Charts) written by pediatric gastroenterologist Dr. Bryan Vartabedian. This time, I caught a piece on how Dr. Vartabedian handles social media communication with patients, and I thought it was well worth a share.

While your mileage may vary, here are some key ways Dr. Vartabedian handles medical contact online with consumers:

* He never answers patient-specific questions from strangers

As he notes, people generally ask two kinds of questions, patient-specific and non-patient specific. While he’s glad to answer general questions, he never answers patient-specific ones from strangers, as it could be construed that he’s created a professional relationship with the person asking the question.

* He guides patients he’s treating offline

If an existing patient messages Dr. Vartabedian, he messages back that he’d be happy to do a phone call. He then addresses their concern via phone, while explaining to patients how both he and they could face serious privacy issues if too much comes out online. Oh, and most importantly, he documents the phone encounter, noting that the patient reached out in public.

* He flatly turns down requests for info from people he loosely knows

The only exception he makes is for family and very close friends. In those cases he arranges evening phone time and spends 45 minutes getting facts so he can offer high-quality direction.

I really like the way Dr. Vartabedian has outlined his options here — it’s clear, simple, and virtually impossible to misunderstand. It’s hard to imagine anyone being offended by these policies, or more importantly, having their privacy violated. Good to see!

If you’re a doctor, how do you handle your social media interactions with patients?

August 29, 2012 | Written by Katherine Rourke
