Hospitals underrate malicious intent in data breaches

Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.

However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they’re being targeted by perpetrators wishing to commit identity theft or medical fraud.

Nearly half of data breaches not disclosed: report

Only 10% of healthcare leaders in a recent survey indicated their organizations would notify patients in the event of a data breach affecting them, but 56% of those respondents whose organizations actually had experienced a data breach indicated their patients were notified of the security lapse.

The findings come from a report issued Tuesday by HIMSS Analytics, a data-analysis unit of the Chicago-based Healthcare Information and Management Systems Society, and Kroll Fraud Solutions, a unit of Kroll Inc., which is a wholly owned subsidiary of Marsh & McLennan Cos., New York.

The report was based in part on a survey of 263 healthcare industry sources—including information technology professionals (50%), health information management professionals (21%) and chief security officers (12%)—that was conducted by phone in January. Only one respondent per organization was allowed to participate.

Of them, 13% indicated there had been an actual security breach at their organization in the prior 12 months. Most commonly compromised were the patient’s name (65%) and “high level patient information, such as diagnosis,” (62%) the report said.

The authors note that “loopholes” in current federal privacy and security rules, including the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002 and others “have enabled breach cases to go unreported, preventing an accurate report on frequency.”

But that period of grace is ending.

State legislatures are expected to once again follow the lead of California in the privacy and security area by mandating that data security breaches involving healthcare information become reportable events, the report said.

Since July 2003, California law has required that any government agency, person or business that maintains computerized data “shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is, reasonably believed to have been, acquired by an unauthorized person.”

Under the 2003 law, personal information was defined as a person’s Social Security number, driver’s license number or California identification card, as well as an account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Since then, about 40 states have passed similar data-breach notification laws.

Effective this January, however, California upped the ante, expanding the definition of personal information covered by its mandatory reporting law to include both medical information, such as a person’s medical history, treatment or diagnosis, mental or physical health condition; and what the law differentiates as “health information,” such as a person’s health insurance policy or subscriber number, application and claims history, as well as appeals records.

According to the HIMSS/Kroll report, recognizing that California regulations have inspired other states to introduce similar notification laws in the past, the enactment of a law extending reporting requirements to medical and insurance information “may reasonably be viewed as a harbinger of changes to come across the country.”

Under the new California law, “Virtually any loss or compromise of patient data will require patient notification,” the report said.

Medical information, it said, “is the most valuable and content-rich for fraudulent use and profitability.”

“In addition to name, Social Security number and date of birth (the golden combination), records in these facilities also contain mailing address, insurance policy information, medical history, and, in some cases, credit card and financial information to expedite billing and payment—more data in one record than those of any other source such as banks, schools or HR departments,” the report said.

Study Finds Gaps Between Doctors’ Standards and Actions

Physicians Think They Should Report Errors and Incompetence — but Say They Often Do Not

Physicians are among the most trusted professionals in America, but a new survey shows that when it comes to dealing with colleagues’ mistakes or incompetence, many doctors abandon the high standards they espouse.

The first-of-its-kind survey of more than 1,600 physicians, published today in the Annals of Internal Medicine, found that 45 percent said they did not always report an incompetent or impaired colleague to the appropriate authorities — even though 96 percent agreed that doctors should turn in such people.

Survey: 1 in 3 IT staffers snoop

When it comes to prying into personal information of fellow company employees, many information-technology professionals could qualify for a black belt in snooping, a new survey found.

The survey, which claims to reveal “the hidden scandal of IT staff snooping,” is from Cyber-Ark Software Inc., a Newton firm specializing in password protection; its Enterprise Password Vault solution is designed for securing and managing privileged passwords.

The firm said its survey was conducted at a recent security conference in London, where more than 200 IT professionals submitted written response cards or were interviewed.

According to Cyber-Ark, one in three IT employees admitted to snooping through company systems and peeking at confidential information such as private files, wage data, personal e-mails, and human resources data; they were able to conduct such activities because they knew administrative passwords that gave them anonymous access to company systems.

{Snooping in personnel records has always been a “no-no”; now that we have electronic records, it is inexcusable that there are not safeguards in place that audit or prevent IT professionals from spying. Companies, such as Cyber-Ark, have developed software that secures and manages administrator passwords, but many companies are not electing to use them. It must not be very reassuring to medical patients or consumers when today there are innumerable secret databases containing private health records created and used by the over 4 million health-related businesses that have open access to electronic health data. Not only has a gutted HIPAA allowed commercial interests unfettered access to this data, but snooping co-workers now have access too. Unfortunately, unless Congress acts immediately and gives medical patients and consumers true privacy protection, this trend will only worsen with time. ~ Dr. Deborah Peel, Patient Privacy Rights}

California HealthCare Foundation: National Consumer Health Privacy Survey 2005

In 1999, the California HealthCare Foundation (CHCF) released a groundbreaking study of Americans’ attitudes and behaviors concerning health privacy. The study found that nearly three out of four Americans had significant concerns about the privacy and confidentiality of their medical records. Six years later, following implementation of national privacy protections under the Health Insurance Portability and Accountability Act (HIPAA) and the President’s push to adopt electronic medical records, a CHCF survey plumbs consumers’ attitudes about the privacy of their health information.

Conducted by Forrester Research, the survey reveals that — despite federal protections under HIPAA — two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.

In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52%) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.

Yet despite these concerns, consumers report a favorable view of new health technology, with a majority (59%) willing to share personal health information when it could result in better medical treatment.

As efforts to develop a nationwide health information network proceed, unaddressed concerns about personal privacy could have major implications.