Targeted attacks cost companies an average of $200k

See the full article at SC Magazine: Targeted attacks cost companies an average of $200k

It always costs more to repair than to prevent. The curious thing is that federal law mandated basic security protections in HIPAA, but industry never bothered because the law was never enforced.

Here we are 12 years after the HIPAA Privacy Rule was implemented:

· the Coalition for Patient Privacy got MUCH tougher security rules and enforcement into HITECH

· breaches are rampant

· 80% of hospitals still don’t encrypt data

What’s wrong with this picture? Register for the 2nd International Summit on the Future of Health Privacy, June 6-7 in Washington, DC. Attending, or watching via live streaming video, is free: http://tiny.cc/p4fqew Security technologies are critical for privacy: see top US computer scientists discuss “ideal” technologies for health data privacy and security.

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.

Health privacy issues can be resolved without obstructing care

See the full article at FierceHealthIT.com

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices…

…Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.

A study recently published in Health Affairs documents the extent to which five California healthcare organizations follow principles for protection of patient information that were developed by consumer groups and other stakeholders. Although the healthcare providers took privacy and security seriously, the report said, “none of the organizations did much to educate consumers about the data available about them or to enable them to control their data.””

Press Release: Registration is Open for the 2012 Health Privacy Summit

February 28th, 2012

FOR IMMEDIATE RELEASE

Contact:
Deborah C. Peel, MD
dpeelmd@localhost:8888/pprold

(512)732-0033 or (512)820-6415

Announcing the 2nd International
Summit on the Future of Health Privacy
Is There an American Health Privacy Crisis?

Austin, TX – Patient Privacy Rights announces registration is open for the 2nd International Summit on the Future of Health Privacy: Is There an American Health Privacy Crisis?

We invite you to register for the Summit now.

The Summit will be held on June 6th-7th, 2012 at the Georgetown University Law Center. The O’Neill Institute at Georgetown Law is an academic partner, along with the Harvard Data Privacy Lab, RTI International, The University of Cambridge Computer Laboratory, and the University of Texas School of Information.

We are pleased to announce Ross Anderson PhD, FRS, will be a keynote speaker at the Summit. Anderson is a Professor in Security Engineering at the University of Cambridge Computer Laboratory as well as a researcher, writer, and industry consultant and expert in security engineering.

The 2nd International Summit on the Future of Health Privacy is the first and only international venue for serious discussions by experts and thought leaders on the urgent privacy issues raised by health technologies and architectures (including mHealth and ‘clouds’), by law and regulations, data exchange, secondary uses of health data, and social media platforms. The summit will also explore health privacy through the lens of US and international policies about health information privacy, such as the recent Consumer Bill of Privacy Rights and the EU Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

The 1st International Summit on the Future of Health Privacy successfully created the first global public forum on the future of health privacy. The panels on urgent issues included health privacy experts from academia, industry, technology, consumer advocacy, top government officials, and international experts. Learn more about the 2011 Summit here. Videos are available.

Please register early, seating is limited. Registrants will be updated regularly on the agenda and new speakers and sessions in the coming weeks.

###

Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit http://patientprivacyrights.org.

Re: Sizing Up the Family Gene Pool

In response to the New York Times article: Sizing Up the Family Gene Pool

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

On Feb 22, he introduced historic new privacy principles to guide the use of personal data in the global digital economy. He recognized that the lack of privacy in current networked technologies and systems has severe economic consequences. See the story on the White House Initiative: http://patientprivacyrights.org/2012/02/wh-initiative-consumer-privacy-bill-of-rights/

President Obama’s new principles address the causes of the privacy violation in the story:

  • Current federal law does not protect the right to health information privacy or the right of consent to the use of health data
  • Neither HIPAA nor the Genetic Information Nondiscrimination Act (GINA) prevents the systemic corporate business practice of selling Americans’ highly sensitive personal health information (like genetic test results)

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

  • “Strong consumer data privacy protections are essential to maintaining consumers’ trust in the tech­nologies and companies that drive the digital economy.”
  • The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

911 Broadcasts: A Privacy Invasion?

See the full article on GovInfoSecurity.com: 911 Broadcasts: A Privacy Invasion?

The extensive news media coverage of a 911 emergency call about actress Demi Moore is calling attention to an important issue: The need to protect privacy…

…Daniel Solove, professor at the George Washington University Law School, wrote in a blog that the release of 911 calls violates the constitutional right to privacy. He also argues that although 911 call centers are not HIPAA-regulated, like a hospital or a physician, they often provide healthcare advice.

Solove writes: “If the call from Demi Moore’s home had been to a hospital or a doctor or any other type of healthcare provider, public disclosure of the call would be forbidden. Why isn’t a 911 call seen in the same light?” And that, indeed, is a good question.

Deborah Peel M.D. of Patient Privacy Rights argues that release of a 911 tape or transcript should be considered a HIPAA violation because the 911 operators “are in effect working on behalf of hospitals and emergency centers as part of the patient’s treatment team.”

Peel highlights another risk involved in publicizing 911 calls: “If the public realizes that 911 calls can be made public, then anyone with a medical emergency they don’t want the information to be seen by the local media or read by everyone in the city or state will stop calling and risk their lives.”

A HIPAA Violation?

So why are audio tapes of 911 calls broadcast so commonly on TV? Well, technically, 911 services aren’t covered entities under HIPAA because they don’t directly deliver or bill for healthcare, says attorney Robert Belfort of Manatt, Phelps & Phillips LLP.

Stanford Hospital investigating how patient data ended up on homework help website

A key conclusion from the audience of experts at the first summit on the future of health privacy was that HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org

“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.

The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.

A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.

“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

Many of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.

“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”

“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.

Re: Top 100 – Under Their Influence

This is in response to the article in Modern Healthcare By Andis Robeznieks: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.”

“The Politics of Privacy” is one of four key areas in Modern Healthcare’s story about the “100 Most Influential People in Healthcare” in 2011. Privacy was highlighted because the expectation to control personal health data is a truly bipartisan, trans-partisan issue.

The historic first-ever summit on the future of health privacy co-sponsored by Patient Privacy Rights (PPR) and the UT LBJ School in June was highlighted (see www.healthprivacysummit.org to watch videos of the sessions).

The story recognizes the crucial importance of PPR’s leadership on building patients’ rights to control use of the most sensitive personal information into the healthcare system up front, so patients will use and trust health IT systems and data exchanges.

Unfortunately, many of the new consumer privacy protections the Obama Administration supported in the stimulus bill (HITECH) are being implemented by federal agencies in ways that do not comply with HITECH and other existing federal regulations.

If industry and key government rule makers continue to ignore the American people’s expectations for control over the use of sensitive personal health data, the stimulus billions will be wasted on systems that can’t be trusted and the tremendous potential benefits health IT can bring to treatment and research may never be realized.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnosis codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you coverage. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.