Healthcare security stuck in Stone Age

April 22, 2014 Erin McCann | Healthcare IT News

Healthcare has a few things to do differently in the privacy and security arena — one of them being: Start taking it seriously. This according to Verizon’s annual breach report released today.

The new 2014 Verizon Data Breach Investigations Report highlights a concerning carelessness regarding privacy and security, specific to the healthcare industry.

“They seem to be somewhat behind the curve as far as implementing the kinds of controls we see other industries already implemented,” said Suzanne Widup, senior analyst on the Verizon RISK team, in an interview with Healthcare IT News discussing report findings.

The industry’s biggest misstep? Encryption, encryption, encryption.

To view the full story, please visit Healthcare security stuck in Stone Age

Biggest Data Security Threats Come From Inside

PCWorld shared details about a new report showing that “insiders” are the top source of breaches over the last 12 months: 36% of breaches result from “inadvertent misuse of data by employees.” The article goes on to say that, “Obviously, the issue here is ignorance” due to lack of proper training on how to remain secure at work. Additionally, businesses must be able to see what’s happening with their networks; they must pay attention to what’s happening within the company and going out, as well as what’s happening outside the company and coming in.

Bottom line: People need guidance, prevention is key, and patients must have a way to see who has accessed their information and when it has been disclosed. (Read more about PPR’s comments on Accounting of Disclosures here.)


Cloud Computing: HIPAA’s Role

The below excerpts are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role written by Marianne Kolbasuk McGee after the January 7, 2013 Panel in Washington D.C.: Health Care, the Cloud, & Privacy.

“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…

…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The below excerpt is from the Bloomberg BNA article OCR Could Include Provision in Forthcoming Omnibus HIPAA Rule written by Alex Ruoff. The article is available by subscription only.

“The final omnibus rule to update Health Insurance Portability and Accountability Act regulations, expected to come out sometime early this year, could provide guidance for health care providers utilizing cloud computing technology to manage their electronic health record systems, the chief privacy officer for the Office of the National Coordinator for Health Information Technology said Jan. 7 during a panel discussion on cloud computing.

The omnibus rule is expected to address the health information security and privacy requirements for business associates of covered entities, provisions that could affect how the HIPAA Privacy Rule affects service providers that contract with health care entities, Joy Pritts, chief privacy officer for ONC, said during the panel, hosted by the consumer advocacy group, Patient Privacy Rights (PPR).

PPR Dec. 19 sent a letter to Health and Human Services’ Office for Civil Rights Director Leon Rodriguez, asking the agency to issue guidance on cloud computing security. PPR leaders say they have not received a response…

…Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information.”