HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk Management Articles, Tips and Updates for Medical Practices and Physicians
Privacy Workgroup Prepares ‘Big Data’ Recommendations

The Privacy and Security Workgroup of the Health IT Policy Committee is preparing a set of recommendations on how the Office of the National Coordinator for Health IT (ONC) should approach "big data" issues, both for HIPAA-covered entities and for the marketplace outside the HIPAA sphere.
 
At a June 8 meeting, Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP and the workgroup’s chair, led a discussion of draft recommendations to identify gaps in law and regulation around issues including data de-identification and security as well as areas for further inquiry.
 
McGraw noted that outside the HIPAA-covered space, there is not a clearly defined right for patients to access data collected about them. She said there has been a debate with respect to medical devices, such as one patient who made a public argument that he had the right to access data from his pacemaker. The workgroup proposes to remind ONC that outside the HIPAA space, voluntarily adopted codes of conduct can be enforced by the Federal Trade Commission, and many of those codes are under development. 
 
During the meeting there was discussion of, but no agreement about, what it would mean to ask for greater transparency about the algorithms healthcare organizations use to make decisions about individuals and populations, and whether provisions of the Fair Credit Reporting Act could be applied to give consumers more access and help promote trust. Several committee members noted that an algorithm can be accurate and valid yet still be used to discriminate against specific populations or individuals. They also expected resistance to opening up proprietary analytics systems for inspection.
 
“All of this rests on a presumption of data quality,” said Gil Kuperman, director of interoperability informatics at New York-Presbyterian Hospital. “If you have poor quality data, your model could be wrong. Or the model could be good, but if the input data is wrong, you get a poor prediction. To me the quality of the data is still a challenge around ‘big data’ approaches.”
 
McGraw admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers. She said there is a need for more inquiry to understand the scope of the issue and where there are gaps in legal protections. There was a general reluctance among workgroup members to suggest that Congress act, given its questionable track record legislating about complex health IT issues. 
 
The workgroup is drafting language calling on the HHS Office for Civil Rights to be a better "steward" of the HIPAA de-identification standards: to conduct ongoing review of the de-identification methodologies and policies, and to seek assistance from third-party experts such as NIST. It is still not clear, however, how big a problem data re-identification is. Noting that the workgroup had not been made aware of any HIPAA de-identified data set that has been re-identified, McGraw said, "It is never good to regulate a problem that doesn't exist yet."

Biggest Health Data Breaches in 2014

The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.


The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health Systems, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain's systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state "believes there was a low risk that client information was compromised and that the information will be protected" by Xerox as the court case continues.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit - stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services - L.A. County's vendor - affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet." The breach affected more than 307,000 patients.


The fifth largest breach of the year occurred at the Indian Health Service, an HHS agency. That incident, which affected 214,000 individuals, involved an unauthorized access or disclosure involving a laptop computer, according to the tally.

Shifting Trends

The largest health data breaches in 2014 highlight some shifting trends compared with previous years.

"In our opinion, hacker attacks are likely to increase in frequency over the next few years," says Dan Berger, CEO of security services firm Redspin. "Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes." That trend puts a spotlight on the need for comprehensive penetration testing, as well as other steps to bolster security, he says. "If I was a hospital executive ... I'd want to know the most likely means by which a hacker can break in."

Nonetheless, while incidents involving hackers in the healthcare sector appear to be on an uptick, insiders still pose the biggest threat to most entities, says Michael Bruemmer, vice president of Experian Data Breach Resolutions.

"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on phishing e-mails. "Employees are still the weakest link," he says in a recent interview with Information Security Media Group, calling for the ramping up of job-specific privacy and security training.

Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight the need for organizations to bring more scrutiny to their business associate relationships. Business associates, as well as their subcontractors, are directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect in 2013.

The breach tally also illustrates the need for HIPAA covered entities and business associates alike to strengthen their security risk management programs.

"The data tells us that a HIPAA security risk analysis, while mandatory, is necessary but not sufficient. The remediation plan is even more important," Berger says.

"Too often healthcare organizations do not allocate enough resources to fix the problems identified in the risk analysis. We also see a need for more frequent vulnerability analysis, Web application assessments and social engineering testing. Stated another way, the healthcare information security programs need to mature."
