Friday, December 18, 2015

Impact and Implications of Health Care Data Breaches



Data breaches in health care delivery systems cost more to remediate than in other sectors, possibly because such incidents affect thousands of people. Experts advocate a fast response to cybersecurity breaches.

On March 19, 2015, Health IT Security reported that the “Associated Dentists in Minnesota are notifying patients that their information may have been compromised” due to a recent “incident in which two laptops were stolen.” In this incident, “one of the devices was encrypted, while the other was password-protected but not encrypted.” The report said the information on the devices included: “Names, Addresses, Birthdays, and Social Security numbers.” It was also believed that the information that may have been compromised “included: Email addresses, Diagnosis, Insurer names and policy numbers, Physician names and information, and Procedure and billing information.” Health IT Security reported that about “500 individuals’ information may have been affected.” “Under HHS rules, such notification is required if the breach affects at least 500 individuals” (Snell, Health IT Security, 5/19).

Another health care data breach was reported by Health Data Management in November 2013. Beacon Health System in Indiana reported that “220,000 patients were affected due to unauthorized multiple access at the delivery system via phishing attack.” The attack affected two hospitals and affiliated physicians. According to iHealthBeat.com, the following information was compromised: “Names, Birthdays, Diagnosis, Driver’s license numbers, Patient Identification numbers, Physician names, Service dates, Treatments, Patient statuses, and other medical information.”

Also, on February 19, 2014, Health IT Security reported that Buffalo Heart Group in New York gave notice of a breach of information as a result of unauthorized third-party access to health information. The compromised information included: addresses, appointment schedules, billing information, dates of birth, names, and telephone numbers.

Unity Recovery Group notified the state’s attorney general in April 2014 of a data breach resulting from unauthorized disclosure of patients’ personal information. The breached information related to: names, addresses, dates of birth, e-mail addresses, insurance information, health-related information, telephone numbers, and Social Security numbers (iHealthBeat.org, 2015, June 1).

Further breaches were reported at Consolidated Tribal Health Project in California; Jersey City Medical Center in New Jersey, where 1,400 patients’ information was accidentally sent in a spreadsheet to an unauthorized recipient; and New York City Health and Hospitals, where 90,000 patients’ health information was compromised when a former staff member transferred files containing protected health information to her personal email account (Becker’s Health IT & CIO Review, beckershospitalsreview.com, 2015, May 21).

The impact of these health data breaches is a rising cost of health care delivery. For example, according to iHealthBeat.org (2015, May 29), in a study released by the Ponemon Institute (Modern Healthcare), “the cost of a health care data breach is $363 per exposed personally identifiable record, as compared to $154 per exposed record across all industries.” The implication is that health care is pushed beyond the reach of the common man.

The remedy is better risk and threat management. Information security personnel in the health care delivery system have to ensure that the InfoSec policy, regulations, and procedures are constantly followed. In addition, with the increasing innovation in IT network devices, applications, and resources, and the migration to mobile platforms in the medical sector, health care providers need to involve IT security professionals and managers to help plan, manage, and secure their systems and operations against attacks.



References

iHealthBeat. Newly Reported Health Care Data Breaches Could Affect Thousands. June 1, 2015. Retrieved December 18, 2015, from http://www.ihealthbeat.org/articles/2015/6/1/newly-reported-health-care-data-breaches-could-affect-thousands

Snell, Elizabeth. Possible Health Data Breaches from Theft, Unauthorized Access. Health IT Security, May 19, 2015. Retrieved December 18, 2015, from http://healthitsecurity.com/news/possible-health-data-breaches-from-theft-unauthorized-access

Sunday, December 13, 2015

Virtual Medical Consultation: IT Security Implication

Week 2 Blog:



The benefits of virtual health, or health videoconferencing, make it attractive to health practitioners and patients. The migration of IT networks and services from PCs to mobile devices is driving medical consultation toward videoconferencing. Affordability, no contracts, wide equipment support, and 24/7 service from some providers make it irresistible to consumers and providers (HIPAA-compliant Secure Videoconferencing, 2015).

But given the volume and sensitivity of the patient health information involved, how secure is it to transmit such important data through public webmail, for example Yahoo Mail, Gmail, Rediffmail, and the like? According to David Winder (February 21, 2011), “survey data suggests that as many as half of GPs who have already provided medical advice by email did so via just such personal email addresses on the patient side. Worse, only 12% used any form of encryption. Yet at the same time, some 90% of patients sending email to their GPs include confidential medical information within those messages.”

While Winder is more concerned with the security of medical data transmitted through webmail, and with medical diagnosis or consultation by mail, the use of videoconferencing for diagnosis seems to address issues such as identity management, face-to-face consultation, and personal touch. Winder identified security measures for general email consultation that include back-end security, data encryption, passwords, digital signatures, identity management, and ensuring that the PCs and mobile devices holding one’s medical records are not stolen. With the NHS’s drive to follow the mobile IT migration trend for medical consultation, appointment scheduling, prescription ordering or reordering, patients’ medical records, and test results, the question arises: how prepared are IT security professionals and managers to handle the security implications?

With cloud computing, health system providers with large volumes of patient data may choose either to use a public cloud for health information storage and management or to obtain their own cloud computing equipment. “From an enterprise point of view, there are some security benefits to a private cloud. Your information lives behind your firewall (unless you've co-located your servers somewhere else, and even then, you can add some firewall protection). Here are some other benefits:

  • Your data also can live behind your own locked doors
  • You don't have to connect to the internet and can completely isolate your data infrastructure
  • You know exactly where your data lives
  • You design the architecture for your exact needs
  • You know exactly who is granted physical access
  • There is absolute clarity of ownership
  • There is no risk if your cloud provider shuts down

On the other hand, there are some disadvantages as well:

  • Your employees have physical access
  • You are on your own when defending attacks
  • You are subject to the whims of nature
  • You are subject to the whims of your ISP
  • You are subject to the whims of your local power grid
  • Your security is entirely your responsibility.

Now let's contrast that with the security benefits of keeping your data in a public cloud:

  • Your data lives behind an enterprise-class firewall
  • Your data lives in a very secure facility, often with multiple degrees of physical security
  • Thieves intent on stealing your data may not know where your data lives
  • Your gear is not at risk from disgruntled employees
  • You gain security expertise from your vendor
  • You are not alone when defending against DDoS
  • You are protected from hardware failures
  • You are protected from sudden surges in demand.

But as we've discussed, there are also some security disadvantages of using a public cloud. These include:

  • Access can be granted from anywhere
  • Your data must travel "in the wild" over the open internet to your cloud provider
  • Your vendor might grant physical site access to other tenants
  • You may be subject to jurisdictional issues, especially when you're dealing with international issues
  • There is very little established case law
  • You are dependent on the responsiveness of vendor
  • You are dependent on the whims or quality of vendor.” (ZDNet, 2015)

References

HIPAA-compliant Secure Videoconferencing. Retrieved December 13, 2015, from http://www.securevideo.com/

Microsoft Health. Sidewinder: David Winder targets security. Retrieved December 13, 2015, from http://www.microsoft.com/health/en-gb/articles/Pages/How-secure-is-your-virtual-GP.aspx

ZDNet. Security implications of public vs. private clouds. Retrieved December 11, 2015, from http://www.zdnet.com/article/security-implications-of-public-vs-private-clouds/

Saturday, December 5, 2015

Protecting Patient Privacy in Healthcare Delivery Information Systems



Understanding the Issues of Information Security in healthcare delivery systems

Blog #1:

Introduction: In the upcoming blogs, I will be examining scenarios in healthcare InfoSec management that help map variations in business practices and policies, more specifically in the domain of privacy and security. This will include the following policy measures and security controls, as outlined by Robert Kolodner (M.D., Office of the National Coordinator for Health IT [ONC], U.S. Department of Health and Human resources) in his address to the Oversight and Government Reform Committee, Subcommittee on Information Policy, Census and National Archives, U.S. House of Representatives, 2007:

  • user and entity authentication;
  • authorization and access control;
  • patient and provider identification;
  • transmission security;
  • information protection;
  • information audits;
  • administrative and physical safeguards;
  • use and disclosure policy

Dr. Kolodner’s concluding statement to the House Subcommittee on Information Policy, Census and National Archives informs my interest in these topics. Here is the full text:

“Health IT privacy and security policies and their associated technological solutions cannot be developed in a vacuum.  A key component for assuring that appropriate privacy and security protections are in place is to assure that these efforts develop in tandem and that coordination is consistent throughout these efforts.  This is the role of ONC.  We have a conscientious, experienced, and passionate staff that works together closely on these activities and other privacy and security related activities throughout HHS and the other Departments and Agencies to ensure that health IT policy decisions and technology solutions are appropriately coordinated and addressed.

Protecting health information is of the utmost importance and essential to the success of interoperable electronic health information exchange.  Proper policies that instill confidence and trust must evolve with technology advancements and vice versa.  Not letting one get too far ahead of the other is a concern we share and are working hard to continue to manage.  As a leader in this area HHS has invested in multiple coordinated initiatives to ensure health information will be protected as we enter this new era of health and care.

Mr. Chairman, thank you for the opportunity to submit testimony today.”

The healthcare provider I work for, in complying with federal and state healthcare privacy and confidentiality regulations, has as a countermeasure a policy that requires us to keep properly labelled Discarded Customer Information (DCI) boxes in a secure location to hold disused customer information. When these boxes fill up, they are retained for a period of three years before being securely sent to the corporate office for final.

References:

Robert Kolodner, 2007: Protecting Patient Privacy in Healthcare Information Systems. Testimony. Department of Health & Human Services. Retrieved from www.hhs.gov