
Consumers Fear Theft Of Personal Health Information

Posted on February 15, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Probably fueled by constant news about breaches – duh! – consumers continue to worry that their personal health information isn’t safe, according to a new survey.

As the press release for the 2017 Xerox eHealth Survey notes, last year more than one data breach was reported each day. So it’s little wonder that the survey – which was conducted online by Harris Poll in January 2017 among more than 3,000 U.S. adults – found that 44% of Americans are worried about having their PHI stolen.

According to the survey, 76% of respondents believe that it’s more secure to share PHI between providers through a secure electronic channel than to fax paper documents. This belief is certainly a plus for providers. After all, they’re already committed to sharing information as effectively as possible, and it doesn’t hurt to have consumers behind them.

Another positive finding from the study is that Americans also believe better information sharing across providers can help improve patient care. Xerox/Harris found that 87% of respondents believe that wait times to get test results and diagnoses would drop if providers securely shared and accessed patient information from varied providers. Not only that, 87% of consumers also said that they felt that quality of service would improve if information sharing and coordination among different providers was more common.

Looked at one way, these stats offer providers an opportunity. If you’re already spending tens or hundreds of millions of dollars on interoperability, it doesn’t hurt to let consumers know that you’re doing it. For example, hospitals and medical practices can put signs in their lobby spelling out what they’re doing by way of sharing data and coordinating care, have their doctors discuss what information they’re sharing and hand out sheets telling consumers how they can leverage interoperable data. (Some organizations have already taken some of these steps, but I’d argue that virtually any of them could do more.)

On the other hand, if nearly half of consumers are afraid that their PHI is insecure, providers have to do more to reassure them. Though few would understand how your security program works, letting them know how seriously you take the matter is a step forward. Also, it’s good to educate them on what they can do to keep their health information secure, as people tend to be less fearful when they focus on what they can control.

That being said, the truth is that healthcare data security is a mixed bag. According to a study conducted last year by HIMSS, while most organizations conduct IT security risk assessments, many IT execs have only occasional interactions with top-level leaders. Also, many are still planning out their medical device security strategy. Worse, provider security spending is often minimal. HIMSS notes that few organizations spend more than 6% of their IT budgets on data security, and 72% have five or fewer employees allocated to security.

Ultimately, it’s great to see that consumers are getting behind the idea of health data interoperability, and see how it will benefit them. But until health organizations do more to protect PHI, they’re at risk of losing that support overnight.

Are These Types of Breaches Really Necessary?

Posted on December 28, 2015 | Written By


Over the past couple of days, I took the time to look over Verizon’s 2015 Protected Health Information Data Breach Report.  (You can get it here, though you’ll have to register.)

While it contained many interesting data points and observations — including that 90 percent of the industries researchers studied had seen a personal health information breach this year — the stat that stood out for me was the following. Apparently, almost half (45.5%) of PHI breaches were due to the loss or theft of assets. Meanwhile, privilege misuse and miscellaneous errors came in at a distant second and third, at just over 20% of breaches each.

In case you’re the type who likes all the boxes checked, the rest of the PHI breach-causing list, dubbed the “Nefarious Nine,” includes “everything else” at 6.7%, point of sale (3.8%), web applications (1.9%), crimeware (1.4%), cyber-espionage (0.3%), payment card skimmers (0.1%) and denial of service at a big fat zero percent.

According to the report’s authors, lost and stolen assets have been among the most common vectors for PHI exposure for several years. This is particularly troubling given that one of the common categories of breach — theft of a laptop — involves data which was not encrypted.

If stolen or lost assets continue to be a problem year after year, why haven’t companies done more to address this problem?

In the case of firms outside of the healthcare business, it’s less of a surprise, as there are fewer regulations mandating that they protect PHI. While they may have, say, employee worker’s compensation data on a laptop, that isn’t the core of what they do, so their security strategy probably doesn’t focus on safeguarding such data.

But when it comes to healthcare organizations — especially providers — the lack of data encryption is far more puzzling.

As the report’s authors point out, it’s true that encrypting data can be risky in some situations; after all, no one wants to be fumbling with passwords, codes or biometrics if a patient’s health is at risk.

That being said, my best guess is that if a patient is in serious trouble, clinicians will be attending to patients within a hospital. And in that setting, they’re likely to use a connected hospital computer, not a pesky, easily-stealable laptop, tablet or phone. And even if life-saving data is stored on a portable device, why not encrypt at least some of it?

If HIPAA fears and good old common sense aren’t good enough reasons to encrypt that portable PHI, what about the cost of breaches?  According to one estimate, data breaches cost the healthcare industry $6 billion per year, and breaches cost the average healthcare organization $3.5 million per year.

Then there’s the hard-to-measure cost to a healthcare organization’s brand. Patients are becoming increasingly aware that their data might be vulnerable, and a publicly-announced breach might give them a good reason to seek care elsewhere.

Bottom line, it would be nice to see our industry take a disciplined approach to securing easily-stolen portable PHI. After years of being reminded that this is a serious issue, it’s about time to institute a crackdown.

Health Data Hacking Likely To Increase

Posted on February 15, 2013 | Written By


Wondering about trends in the various protected health information breaches you’ve seen in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

Email Archiving in the Healthcare Industry – Guest Post

Posted on July 29, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: email archiving software.

In today’s business environment, litigation is an increasingly common way for disputes to be settled, compliance is included in every business plan, and regulations are reaching into business processes everywhere. Email admins must concern themselves with far more than just whether or not email is flowing. They must ensure that messaging meets the various regulations under which their business falls. They may also have to deal with legal holds, compliance reviews, discovery motions, and internal policy enforcement.

An email archiving solution can assist with all of these tasks, and nowhere is this more important than in the healthcare industry. Email is becoming the preferred method to communicate, and since there are so many ways in which the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can come into play with data sharing between providers and communications with patients, email archiving can be a very important, and potentially far reaching, service you can add to your email system.

PHI data in email communications

HIPAA requirements are unique to the healthcare industry, but the scope of these requirements can extend well beyond the boundaries of the doctor’s office or hospital. Both the burden and the potential penalties for non-compliance have been increased by HITECH. Enterprises that deal with healthcare providers, including professional services companies like accountants, law firms and IT consulting practices, will find themselves subject to provisions of HIPAA and HITECH as soon as they take on a healthcare provider as a client.

One of the trickier aspects for messaging is that HIPAA specifically addresses the need to encrypt Personal Health Information (PHI) in email communications. It is very rare for healthcare providers to send PHI by email as most of them use specialized messaging systems to do this. However, this doesn’t mean healthcare providers are not sending or receiving email that, indirectly, affects the relationship between healthcare provider and the patient or that between the staff and their patients.

There are other items that could be relevant for an investigation. For example, appointment reminders/confirmations (thus validating that the patient was notified); internal email discussions among doctors/nurses (not directly referencing a patient, but talking about treatments or scheduling); and even general HR emails that a doctor was absent due to illness (if the doctor was away when a claim is made that a patient was misdiagnosed, then they would be cleared of wrongdoing) and so on.

Many organizations, not only in healthcare, underestimate the importance of email in terms of content and intellectual property and being able to refer to emails sent six months earlier or last year can be of great benefit. Email archiving is not specifically called for within the text of HIPAA, but by maintaining a copy of every internal email message or any that was sent to or received from partners, vendors, and clients, you can prove conclusively that messages sent contained no PHI, and that any messages that did contain PHI were sent through the proper and encrypted channels.

Some people argue that email archiving is a double-edged sword – damned if you do, damned if you don’t. This is a rather naïve way of looking at email archiving. If you do archive your email, you have assurance that you comply with any regulations in place and if you are subject to legal requests for information that may be traced through an email, you have the ability to find it.

Now the counter argument would be, ‘well, if I don’t have an email archived, I can’t be condemned because the evidence is not there’. Wrong. If you don’t have the email, someone else certainly does and suddenly you’ve found yourself in a worse situation once the evidence is presented.

Proving that you made the effort at attaining compliance is preferable to doing nothing at all.

Document retention

With email archiving, you can also meet the document retention requirements specified within HIPAA. There is a six year retention period for information related to PHI which is mandated by HIPAA. That can be six years from the creation of a message, or from the last date on which the message can be considered relevant. As more communications move from in-person, telephone, and facsimile to email, patient requests and healthcare professionals’ responses will follow suit. An email archiving solution makes it easy to retain these communications for the six year timeframe, as well as to automatically purge those communications which are older than six years or tagged as no longer relevant.
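As an added illustration (not GFI’s software and not part of the original post), the following Python check applies the retention rule just described to a constructed set of archive entries: six years counted from creation or from the later last-relevance date, purge for messages past that deadline or tagged as no longer relevant, and a legal hold that overrides the schedule. The field names, the legal-hold flag and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

RETENTION_YEARS = 6  # the six-year window described above


@dataclass
class ArchivedMessage:
    msg_id: str
    created: date
    last_relevant: Optional[date] = None  # last date the message was still relevant, if known
    no_longer_relevant: bool = False      # tagged by a reviewer as no longer relevant
    legal_hold: bool = False              # assumed flag: subject to a litigation or compliance hold


def retention_deadline(msg: ArchivedMessage) -> date:
    """Six years after creation, or after the last-relevance date if that is later."""
    anchor = msg.created
    if msg.last_relevant is not None and msg.last_relevant > anchor:
        anchor = msg.last_relevant
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # anchor was 29 February and the target year is not a leap year
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)


def purge_decision(msg: ArchivedMessage, today: date) -> str:
    """Return 'hold', 'purge' or 'retain'. A legal hold always overrides the schedule."""
    if msg.legal_hold:
        return "hold"
    if msg.no_longer_relevant or today >= retention_deadline(msg):
        return "purge"
    return "retain"


def sweep(messages: Iterable[ArchivedMessage], today: date) -> Dict[str, str]:
    """Decide every message in the archive; the result can feed an automated purge job."""
    return {m.msg_id: purge_decision(m, today) for m in messages}


# Constructed sample archive entries (not real mail) for a sweep run on 1 March 2017.
SAMPLE = [
    ArchivedMessage("appt-reminder-1", date(2010, 6, 15)),
    ArchivedMessage("appt-reminder-2", date(2010, 6, 15), last_relevant=date(2012, 1, 10)),
    ArchivedMessage("claim-thread", date(2005, 1, 1), legal_hold=True),
    ArchivedMessage("lunch-order", date(2016, 1, 1), no_longer_relevant=True),
    ArchivedMessage("leap-day-note", date(2008, 2, 29)),
]

if __name__ == "__main__":
    for msg_id, decision in sweep(SAMPLE, date(2017, 3, 1)).items():
        print(f"{msg_id}: {decision}")
```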

Search and discovery

An email archiving solution is also an excellent way to access the repository of information contained within the combined emails of a company. Consider how much of your own email is saved because it contains data or instructions that simply don’t exist anywhere else. An email archiving solution can empower a user to search their own archived messages for all content related to a search string, such as a patient’s name; it can also enable an authorized user to search across all users’ email for information related to a patient, a condition, a particular medicine, or any other topic. There may well come a day when you must do this in response to a legal order, but there will also be plenty of times when you need to find a key piece of information, or simply want to spot check to ensure that all users are following the policies in place to protect patients’ PHI.

With an email archiving solution in place, healthcare providers not only position themselves to show compliance, review users’ actions, and meet current document retention requirements, they are able to build up a historical repository to meet future needs. The health care provider is also able to take advantage of the many benefits of an email archiving solution that are common across all enterprises, including storage, search, and business continuity.

All product and company names herein may be trademarks of their respective owners.

Full Disclosure: GFI Software Ltd. is an advertiser on EMR and HIPAA.