Oh, by the way, lest I forget: we will talk about what some simple technologies could have done to prevent this crisis.
There are basically 7 relevant HIPAA rules surrounding technology. The third one is where a lot of companies fail.
The largest percentage of “hacks” are done by disgruntled employees, or by untrained employees making mistakes.
Ok – let me take a poll of the people we have here. How many of you are from large organizations with 50 – 100 people or more? How many from small organizations with less than 50? A lot of what I’m talking about
This does require that you have a user account and password established on
But even still – you cannot simply throw this stuff over the wall. You have to be responsible for the data even after it leaves your shop. Run audits on your business partners to ensure compliance and reporting as well.
Audit account management – This will audit each event that is related to a user managing an account: creating a user account, adding a user to a group, renaming a user account, changing a password for a user account. It is really important to “watch the watchers”.
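As an added illustration of the “watch the watchers” point (this is example code written for this page, not anything from the talk or from any of the tools it names), the script below reads a constructed CSV export of account-management audit events and flags the ones an auditor should look at first: privileged group grants, administrators changing their own accounts, and changes outside business hours. The export layout, the account and group names, and the business-hours window are assumptions; the four-digit event IDs are the Windows Security log IDs for these account-management events on Windows Vista/Server 2008 and later (earlier Windows versions numbered them differently).

```python
"""Review account-management audit events and rank them for follow-up (added example)."""
import csv
import io
from datetime import datetime

# Windows Security log event IDs for the account-management events the talk lists.
ACCOUNT_MGMT_EVENTS = {
    4720: "user account created",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4781: "account name changed",
}
# Assumed site policy: these groups and this window are made up for the example.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time

# Constructed export; the column layout is an assumption, not DumpEvt's format.
SAMPLE_EXPORT = """\
time,event_id,actor,target,detail
2007-10-23 08:00:00,4624,jsmith,jsmith,
2007-10-23 08:02:11,4720,jsmith,tempnurse1,
2007-10-23 08:02:45,4728,jsmith,tempnurse1,Domain Admins
2007-10-23 09:15:00,4724,helpdesk2,drjones,
2007-10-23 17:40:03,4781,adminbob,adminbob,svc_backup
2007-10-23 23:58:19,4728,adminbob,adminbob,Administrators
"""


def parse_export(text):
    """Turn the CSV export into a list of typed records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(rec["event_id"]),
            "actor": rec["actor"],      # account that performed the change
            "target": rec["target"],    # account that was changed
            "detail": rec["detail"],    # group name, new name, or empty
        })
    return rows


def review(rows):
    """Keep only account-management events and mark the ones needing a second look."""
    findings = []
    for r in rows:
        desc = ACCOUNT_MGMT_EVENTS.get(r["event_id"])
        if desc is None:
            continue  # logons and other noise are not account management
        reasons = []
        if r["event_id"] == 4728 and r["detail"] in PRIVILEGED_GROUPS:
            reasons.append("privileged group membership granted")
        if r["actor"] == r["target"]:
            reasons.append("administrator modified own account")
        if r["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        findings.append({
            "time": r["time"].strftime("%Y-%m-%d %H:%M:%S"),
            "event": desc,
            "actor": r["actor"],
            "target": r["target"],
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


def high_severity(findings):
    """The subset a reviewer should read first."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in review(parse_export(SAMPLE_EXPORT)):
        print(f["severity"].upper(), f["time"], f["actor"], "->", f["target"],
              f["event"], "; ".join(f["reasons"]))
```

The "actor equals target" rule is the watch-the-watchers check: an administrator renaming or re-grouping their own account is exactly the change no one else is likely to notice unless the audit trail is reviewed by someone other than that administrator.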
These are the free tools. They work, but they are a little cumbersome to use if you’re not a “techie”, especially DumpEvt. Can give an example, if time.
Now these are for the hardcore geeks and do-it-yourselfers.
For everyone else there are professional tools.
Technologies and Procedures for HIPAA Compliance – Jack L. Shaffer, Jr., CIO, Community Health Network of West Virginia
Sample products and techniques for auditing/monitoring
Hopefully a sense of urgency
In the News - a.k.a. “data loss du jour”

March 11, 2005 – Kaiser Permanente (Oakland, CA). A disgruntled employee posted information on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information.

Jan. 25, 2006 – Providence Home Services (Portland, OR). Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. UPDATE (9/26/06): Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

Feb. 17, 2006 – Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen) (Lewiston, NY). Two laptops containing date of birth, address and Social Security numbers of patients were stolen in an armed robbery in New Jersey.

Aug. 4, 2006 – PSA HealthCare (Norcross, GA). A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.

Aug. 7, 2006 – U.S. Dept. of Veterans Affairs through its contractor Unisys Corp. (Reston, VA). A computer at the contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.

Aug. 11, 2006 – Madrona Medical Group (Bellingham, WA). On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested.

Feb. 2, 2007 – U.S. Dept. of Veterans Affairs, VA Medical Center (Birmingham, AL). An employee reported a portable hard drive stolen or missing that might contain personal information about veterans, including Social Security numbers. UPDATE (2/10/07): VA increases number of affected veterans to 535,000, included in the total below. UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below. UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations. UPDATE (6/18/07): More than $20 million to respond to its latest data breach; the breach potentially puts the identities of nearly a million physicians and VA patients at risk.
Most of the data losses occurred because of a lack of policies and procedures, OR a lack of auditing and monitoring of the existing policies and procedures.
“Data loss du jour” – October 23, 2007 – State info on 200,000 missing

A computer tape containing personal information on about 200,000 current and past participants in state insurance programs was lost during shipment, the Public Employees Insurance Agency said Monday. The data file contained full names (including birth names), addresses, phone numbers, Social Security numbers and marital status for 200,000 people insured by the Public Employees Insurance Agency, the Children’s Health Insurance Program and Access West Virginia.

The data was reported missing last week while being shipped via United Parcel Service to a data processing center in Pennsylvania, Department of Administration spokeswoman Diane Holley said Monday. She said UPS officials reported on Oct. 16 that the package containing the tape had broken open, and that the tape was missing. However, she said UPS officials believe the tape is somewhere in the distribution center in Louisville, Ky., and asked for time to conduct a search.

With the tape still missing as of Monday, PEIA executives decided to send letters to all 200,000 people to notify them of the disappearance of the tape containing their personal data. She said the letters will provide information about identity theft, and will explain to recipients how they can place fraud alerts and security freezes on their credit reporting agency files, in the event their personal data is compromised. A security freeze blocks the credit reporting agencies from releasing information in an individual’s file, which could be used to obtain credit cards or other lines of credit, without that person’s authorization.

The tape does not contain any information about individuals’ medical histories, or medical or prescription claims, Holley said. She said that, even if the tape were stolen, it cannot be “read” without access to specialized computer equipment. “It is a specialized computer tape,” she said. “It looks like an eight-track tape.” She said PEIA will operate a call center that people affected can call for updates on the status of the missing tape, or more information about protecting against credit fraud.
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
164.308(a)(4)(i) – Information Access Management
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
164.308(a)(5)(i) – Security Awareness and Training
Implement a security awareness and training program for all members of its workforce (including management).
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
164.310(c) – Workstation Security
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
164.312(e)(1) – Transmission Security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
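One of the “simple technologies” that addresses the transmission-security standard is simply insisting that every connection carrying electronic protected health information is encrypted and that the far end is actually verified. The block below, an added example written for this page and not part of the talk, puts a weak TLS client configuration beside a hardened one and runs a small policy check over each, plus a check of a constructed endpoint list for anything still using a cleartext protocol. The endpoint names are made up; the checks use only Python's standard `ssl` module.

```python
"""Compare weak and hardened TLS client settings for ePHI in transit (added example)."""
import ssl
from urllib.parse import urlsplit

# Constructed list of places an application might send claims or results.
ENDPOINTS = [
    "https://claims.example.test/submit",
    "http://legacy-lab.example.test/results",
    "ftp://billing.example.test/upload",
]


def hardened_context():
    """Client context that verifies the server certificate and hostname and refuses old TLS."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nothing older than TLS 1.2
    return ctx


def weak_context():
    """The kind of 'just make the error go away' configuration that should fail an audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or an attacker's, is accepted
    # minimum_version is left at the library default, which permits pre-1.2 protocols
    return ctx


def audit_context(ctx):
    """Return a list of policy violations; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def cleartext_endpoints(urls):
    """Endpoints whose scheme offers no transport encryption at all."""
    return [u for u in urls if urlsplit(u).scheme not in ("https", "sftp")]


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()) or "passes")
    print("weak:", audit_context(weak_context()))
    print("cleartext endpoints:", cleartext_endpoints(ENDPOINTS))
```

The two context checks are the ones that matter most in practice: without certificate and hostname verification the data is encrypted, but to whoever answers the connection, which is not the protection the standard is asking for.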