
Are You A Sitting Duck for HIPAA Data Breaches? – Infographic

Posted on November 18, 2014 | Written By John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The people at DataMotion, a cloud-based HISP provider, sent me the following infographic covering HIPAA data breaches. It’s a good reminder of the potential for data breaches in healthcare. As Marc Probst recently suggested, we should be focusing as much attention on things like security as we are on meaningful use, since the penalties for a HIPAA violation are more than the meaningful use penalties.

[Infographic: Are You A Sitting Duck for HIPAA Data Breaches?]

Chinese Hackers Reportedly Access 4.5 Million Medical Records

Posted on August 18, 2014 | Written By John Lynn

The headline of a tech startup blog I read pretty regularly caught my attention today: “Another day, another Chinese hack: 4.5M medical records reportedly accessed at national hospital operator.” The title seems to say it all. It’s almost like the journalist sees the breach as a standard affair these days. Just to be clear, I don’t think he thinks breaches are standard in healthcare; I think he thinks breaches are standard in all IT. As he says at the end of the article:

Community Health Systems joins a long list of large companies suffering from major cybersecurity breaches. Among them, Target, Sony, Global Payment Systems, eBay, Visa, Adobe, Yahoo, AOL, Zappos, Marriott/Hilton, 7-Eleven, NASDAQ, and others.

Yes, healthcare is not alone in their attempt to battle the powers of evil (and some not so evil, but possibly dangerous) forces that are hacking into systems large and small. We can certainly expect this trend to continue and likely get worse as more and more data is stored electronically.

For those interested in the specific story, Community Health Systems, a national hospital provider based in Nashville, reported the HIPAA breach in its latest SEC filings. Pando Daily reported that “Chinese Hackers” used “highly sophisticated malware” to breach Community Health Systems between April and June. What doesn’t make sense to me is this part of the Pando Daily article:

The outside investigators described the breach as dealing with “non-medical patient identification data,” adding that no financial data was stolen. The data, which includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, was, however, protected under the Health Insurance Portability and Accountability Act (HIPAA).

I’m not sure what they define as financial data, but Social Security numbers feel like financial data to me. Maybe they meant hospital financial data, but that’s an odd comment, since a stack of Social Security numbers is likely a lot more valuable than some hospital financial data. The patient data they describe could be an issue for HIPAA, though.

As is usually the case in major breaches like this, I can’t imagine a Chinese hacker is that interested in “patient data.” In fact, from the list, I’d define the data listed as financial data. I’ve read lots of stories that pin the value of a medical record on the black market at $50 per record. A credit card is worth much less. However, if I were to dig into the black market for data (which I haven’t, since that’s not my thing), I bet I’d find a lot of buyers for credit card data tied to other personal data like birth dates and addresses. I bet it would be hard to find a buyer for medical data. As in many parts of life, something is only as valuable as what someone else is willing to pay for it. People are willing to pay for financial data. We know that.

We shouldn’t use this idea as a reason why we don’t have to worry about the security and privacy of healthcare data. We should take every precaution available to create a culture of security and privacy in our institutions and in our healthcare IT implementations. However, I’m just as concerned with the local breach of a much smaller handful of patient data as I am with the 4.5 million medical record breach to someone in China. They both need to be prevented, but the former is not 4.5 million times worse. Well, unless you’re talking about potential HIPAA penalties.

HIPAA Fines and Penalties in a HIPAA Omnibus World

Posted on July 25, 2013 | Written By John Lynn

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a Pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is likely going to come from all of the business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like covered entities were previously.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations that aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines: Idaho State University was fined $400k for HIPAA violations, and WellPoint received a $1.7 million penalty for its HIPAA violations. In the first case, a firewall had been disabled for a year; in the second, an online application database containing sensitive data was left unsecured.

Of course, none of the above examples take into account the possible civil cases that can be brought against these organizations or the brand impact of a HIPAA violation on the organization. The penalties for a HIPAA violation range from $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willful Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations had better make sure they have proper business associate agreements with these companies in order to insulate themselves against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate, and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Posted on June 6, 2012 | Written By Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns. I’d wager, however, given the outbreak of partner-related data losses of late, that many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There are many, many ways a business associate can drop the ball, especially if you’re not keeping them informed. For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions. The stolen tapes included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have done wrong, it was the hospital that was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General slapped the hospital with these fines because it hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates? The following list of criteria, supplied by Thu Pham, seems likely to do the trick:

  • The business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof that their employees are trained on how to handle your PHI, with the dates the training was last completed.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose. Now, over to you. Do you think this list is sufficient to protect your institution? Are there items you’d add or clarify?