Don’t Let EHR Vendors Own Your Data

“In a recent blog posting, John Moore and Rob Tholemeier of Chilmark Research ask the question: ‘Who’s Data is it Anyway?’ Your electronic health records data is not the property of your vendor and there are things you can do about it, they contend.”

To view the full article, please visit: Don’t Let EHR Vendors Own Your Data

Biggest Data Security Threats Come From Inside

PCWorld shared details about a new report showing that “insiders” are the top source of breaches over the last 12 months: 36% of breaches result from “inadvertent misuse of data by employees.” The article goes on to say that, “Obviously, the issue here is ignorance” due to lack of proper training on how to remain secure at work. Additionally, businesses must be able to see what’s happening with their networks; they must pay attention to what’s happening within the company and going out, as well as what’s happening outside the company and coming in.

Bottom line: People need guidance, prevention is key, and patients must have a way to see who all has accessed their information and when it’s been disclosed.  (Read more about PPR’s comments on Accounting of Disclosures here.)

Read the full article here.

FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy

The public would be surprised how little thought or money healthcare businesses put into data security.  LabMD is probably just one of thousands of healthcare businesses that don’t encrypt patient data and whose employees who use file-sharing apps to download music, etc, exposing patient records online.

We need new laws that require businesses that hold health data to be audited to prove they protect it.

Shouldn’t businesses have to prove they use tough data security protections before they are allowed to handle sensitive health information?

To view the full article, please visit: http://www.ftc.gov/opa/2013/08/labmd.shtm

Re: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

In response to the Security Week article: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

The US is facing an unprecedented privacy crisis. The healthcare industry is extremely negligent about protecting data security and privacy (patient consent). At the same time 3/4 of the healthcare industry further risks patient privacy by selling or intending to sell data for secondary uses. Data theft and sales are driven in large part because, “Digitized health data is becoming one of the most highly valued assets in the health industry.”

  • Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers, and 38 percent or providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
  • Most corporations using patient data lack an effective consent process, “Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients’ consent for how their information can be used.”

It’s a double whammy—not only is sensitive health information at high risk of misuse, sale, and breach INSIDE healthcare organizations, it’s also sold to OUTSIDE organizations that lack effective security and privacy measures.

  • “Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.”

PriceWaterhouseCoopers surveyed 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies. Data security and privacy practices were abysmal despite new enforcement efforts by the Administration, and despite hundreds of major data breaches compromising the privacy of millions of Americans.

Why aren’t Congress and the public outraged that the privacy and security of health information is so bad? If the banking industry operated like this there would be MAJOR oversight hearings and new laws.

The idea that today’s electronic healthcare systems and data exchanges safeguard health data is simply wrong. Clearly federal and state oversight and penalties for failure to protect the most sensitive personal data on earth need to be increased.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?