Privacy experts: Health data security efforts too reactive

Privacy experts spoke about their data breach experiences Thursday at the Healthcare Privacy Summit in Washington, D.C., agreeing that what they’ve experienced is likely just the beginning of what’s possible for security fissures at healthcare organizations.

Omar Khawaja, a global project manager for Verizon, noted that 61 percent of breaches his group finds are for payment card information, and pointed out that the reactive system presently in place for combating such breaches is problematic.

“What does 911 look like in cyberspace? Who do you call when you have a breach?” Khawaja asked. “It takes months just to contain the breach.”

Bill Turner, Chief Privacy and Security Officer of Brookfield, Wis.-based Allium Healthcare, a technology consulting and staffing firm, said that most of the privacy errors he sees stem from human error. Turner recalled a hospital whose records showed that he had passed away, when the deceased was really a man listed above him in the hospital’s logs.

Panel: Big data’s role in healthcare remains unclear

Big data is an enigma when it comes to healthcare, as described by a panel on Wednesday at the third annual Health Privacy Summit in Washington, D.C., hosted by Patient Privacy Rights. On one hand, according to Deloitte principal Deborah Golden, there are infinite positive possibilities for big data use, such as improving patient safety via openly available medication information.

On the other hand, according to Harvard professor Latanya Sweeney, big data also represents big privacy issues.

“A lot of our problems come from giving data away,” Sweeney said.

Much of the conversation focused on those problems, particularly as they related to data being used without patient consent–or knowledge that they gave consent.

“In the U.S., we tend to take a sector-specific approach to privacy regulation,” David Jacobs, an attorney with the Electronic Privacy Information Center, said. “We’re nowhere near where we should be as far as consumer access to their own medical information to find out where it does and to exercise control over it.”

States’ Hospital Data for Sale Puts Privacy in Jeopardy

Before speaking at the 3rd Annual Summit on the Future of Health Privacy, Jordan Robertson did extensive research with Latanya Sweeney, PhD, and the theDataMap.org team to expose a nationwide privacy problem. Many states are selling de-identified hospital records, which can be easily re-identified by using your local newspaper. Using other publicly available information makes re-identification even easier.

From Jordan Robertson’s article in Bloomberg News: States’ Hospital Data for Sale Puts Privacy in Jeopardy

Hospitals in the U.S. pledge to keep a patient’s health background confidential. Yet states from Washington to New York are putting privacy at risk by selling records that can be used to link a person’s identity to medical conditions using public information.

Consider Ray Boylston, who went into diabetic shock while riding his motorcycle in rural Washington in 2011. He careened off the road and was thrown into the woods, an accident that was covered only briefly in the local newspaper. Boylston disclosed his medical condition and history to a handful of loved ones and the hospital that treated him.

After Boylston’s discharge, Washington collected the paperwork of his week-long stay from Providence Sacred Heart Medical Center in Spokane and added it to a database of 650,000 hospitalizations for 2011 available for sale to researchers, companies and other members of the public. The data was supposed to remain anonymous. Yet because of state exemption from federal regulations governing discharge information, Boylston could be identified and his medical background exposed using only publicly available information.

UofL professor wins health information privacy award

Patient Privacy Rights, a leading health privacy advocacy organization, will award one of its two annual Louis D. Brandeis Privacy Awards to University of Louisville professor Mark A. Rothstein on June 5 in conjunction with the Third International Summit on the Future of Health Privacy at the Georgetown University Law Center in Washington.

Established in 2012, the award is given with the approval of the Brandeis family and recognizes significant intellectual, cultural, legal, scholarly, and technical contributions to the field of health information privacy.

Rothstein holds the Herbert F. Boehl Chair of Law and Medicine at the UofL School of Medicine, and he also teaches at UofL’s Brandeis School of Law. The award’s ties to Brandeis make it especially meaningful to him, he said.

Health privacy issues can be resolved without obstructing care

See the full article at FierceHealthIT.com

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices…

…Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.

A study recently published in Health Affairs documents the extent to which five California healthcare organizations follow principles for protection of patient information that were developed by consumer groups and other stakeholders. Although the healthcare providers took privacy and security seriously, the report said, “none of the organizations did much to educate consumers about the data available about them or to enable them to control their data.””

Report from first health care privacy conference

Andy Oram, editor at O’Reilly Media, was also a Rapporteur and part of the Planning Committee for the First International Summit on the Future of Health Privacy.

You can view his recap and thoughts from the Summit here: Report from first health care privacy conference

Strange that a conference on health privacy has never been held before, so I’m told. Privacy in health care is the first topic raised whenever someone talks about electronic health records–and dominates the discussion from then on–or, on the other hand, is dismissed as an overblown concern not worthy of criticism. But today a conference was held on the subject, prepared by Patient Privacy Rights and the University of Texas’s Lyndon B. Johnson School of Public Affairs, and held just a few blocks from the Capitol building at the Georgetown Law Center as a pre-conference to the August Computers, Freedom & Privacy conference.

Privacy Risk Calculator

Is your sensitive health information at risk of being exposed and sold?

Take the following quick quiz to see if your health privacy is at risk.

Please note: Keep track of the total points earned by each answer to calculate your health information’s privacy risk.
