Thursday, October 13, 2011

There Are Some Ways That We Can Assist in Reducing Data Breaches In the Health System.

It does seem the US is an endless source of revelations regarding loss of private electronic health information.
A couple of recently reported examples include:

Florida Hospital privacy breach: Workers accessed ER patient information

3 employees terminated; more than 2,000 patients notified by mail of breach

By Kate Santich and David Breen, Orlando Sentinel
7:51 PM EDT, September 30, 2011
Florida Hospital tried to reassure patients Friday that a breach of its electronic medical records spanning 20 months was limited to certain patients and not used for identity theft.
Instead, the intent of the breach — which targeted emergency-room patients who were involved in motor-vehicle accidents — appears to have been to pass the information on to an attorney-referral service. However, neither the hospital nor the Osceola County Sheriff's Office, which continues to investigate the incident, could confirm the motive.
The problem came to the hospital's attention, according to hospital spokeswoman Samantha O'Lenick, when a woman who had been in a car accident complained that she had been contacted by a lawyer referral service — and there apparently was no other way for the service to have obtained her personal information.
The breach occurred between January 2010 and Aug. 15, 2011, O'Lenick said. All 2,252 patients whose records were subject to "inappropriate access" are being contacted by mail.
The hospital has fired the three employees involved, all of whom were nonmedical personnel whose records indicated no previous disciplinary actions. On Sept. 6 the matter was referred to both the Osceola County Sheriff's Office and the FBI. The hospital did not further publicize the situation until Friday, when it took out a public notice to alert patients who might overlook the news in their mailbox.
Lots more here:
and another recent summary comment report here

Stolen patient records call for better communication

October 5, 2011 — 10:08pm ET | By Marla Durben Hirsch - Contributing Editor
It's very disconcerting that TRICARE contractor Science Applications International Corporation (SAIC) lost unencrypted backup tapes from an electronic health care record containing the personally identifiable and protected health information impacting almost 5 million military clinic and hospital patients. The tapes, which included 19 years worth of patient data, were stolen from the car of an SAIC employee.
Even more disconcerting: Not only was this kind of security breach--theft of patient information from a contractor's car--not an isolated incident, but with a little communication, it likely was easily avoidable.
In August, Saint Barnabas Health Care System in New Jersey and Cook County Health and Hospitals System in Chicago both reported that they were affected by a breach involving the theft of an external hard drive from the car of an employee of MedAssets, a business associate of the two hospital systems that provided revenue management and supply chain services. The breach involved the records of 82,000 patients. The hard drive was neither password protected nor encrypted. 
The SAIC employee in the TRICARE breach valued his stolen car stereo system at $300; meanwhile, the stolen Tricare backup tapes were valued only at $100.
According to a recent Ponemon Institute report, however, it now costs the victim of a security breach $214 per compromised record and an average of $7.2 million per data breach event. A large part of the problem is that some business associates, although relatively familiar with HIPAA's privacy rule, still are not as well versed in HIPAA's security rule and the security breach notification requirements.
More here:
The risk is indeed very real. (see the first paragraph below).

The 6 tips for avoiding data breaches

September 30, 2011 | Michelle McNickle, Web content producer
According to a Department of Health & Human Services (HHS) tally of data breaches since 2009, about 260 incidents occurred that went on to affect more than 10 million patients. And, it gets worse -- the second largest breach occurred not because of a hacked password but when computer back-up tapes were stolen from the back of a truck.
Security within the industry is changing, and health data breaches are a significant issue. According to Rick Kam, president and co-founder of ID Experts, now is a critical time in determining the future of health security. 
"We're at the convergence of technology becoming more pervasive in healthcare," he said. "Patients want to share information and have multiple providers. This includes more sophisticated criminals as well as healthcare reform. Coming on the horizon in the area of healthcare, you could say we're at the crux of a potential data breach disaster -- if not within the next few months, within the next year you’ll see a data breach oil spill, so to speak."
"We operate with three core values," added Christine Arevalo, director of healthcare identity management at ID Experts. "One is the importance of taking preventative action. The second is doing the right thing for patients and the data you're entrusted with; the system as a whole is based on the trust patients have in physicians and safeguarding their sensitive information. And the third is being compliant -- it's a regulatory matter that can’t be ignored. We’re seeing a lot more of those rules being enforced, specifically data breach notifications. Companies can't hide from those issues anymore."
With that said, Kam and Arevalo shared six ways to plan for, mitigate and protect against health data breaches. 
1. Perform a risk assessment.
2. Inventory your PHI.
3. Develop PHI security strategy.
4. Train employees.
5. Implement processes, technologies and polices.
6. Have an incident response plan ready.
The full article is here - explaining each of the points (note PHI stands for Protected Health Information):
The reason I raise all this is in the context of the planned legislation for the PCEHR.
(The following is an expansion of my Draft Submission BTW)
On page 29 of the Companion to the Exposure Draft we read:
“Certain participants in the PCEHR system must notify certain matters such as data breaches or risk of being in contravention of the Draft Bill with potential civil penalties to apply to those contraventions.
Entities such as the System Operator, a registered repository or registered portal provider have obligations to report matters to the System Operator, or in certain circumstances both the System Operator and the Information Commissioner.
In addition to the notification, the entity must do the followings things:
  • contain the contravention and undertake a preliminary analysis;
  • evaluate the associated risks;
  • if the entity is the System Operator – consider notifying the affected consumers;
  • if the entity is not the System Operator – ask the System Operator to consider notifying the affected consumers.
In addition, the entity must take steps to prevent or mitigate the effects of further contraventions, events or circumstances in relation to the unauthorised collection, use or disclosure of health information included in a person’s PCEHR.
A further civil penalty provision in the Draft Bill provides that a registered repository operator or a registered portal operator must not contravene the PCEHR Rules that apply to that operator or portal.”
Can I suggest this is just not good enough. The legislation should make it clear that the release or breach of any personally identifiable information should be notified to the individual concerned and additionally any breach that involves more than 100 individuals should be notified to the public with an analysis of what caused the breach.
Of course notification is bolting the door after the horse has gone and clearly the legislation should also make it clear, as it does to some extent, that to prevent breaches in the first place is required and to not take reasonable preventative steps is also an offence.
The US compulsion to notify is, of course, the reason we know how it bad it is over there and we need the same here!
Pretty simple really.

No comments: