May 11 2010

OCR draft guidelines for security risk analysis

Category: hipaa, Security Risk Assessment | DISC @ 12:42 am


The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

Risk analysis is a technique used to identify and assess the threats and vulnerabilities that may hamper the achievement of business goals. Risk analysis determines whether the security controls in place are appropriate compared to the risk presented by the impact of those threats and vulnerabilities.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said.

The OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. In practice, an auditor will be looking for all the elements required by the guidelines during an audit.

OCR draft guidelines details

Information Security Risk Analysis, Tom Peltier

Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security

Apr 12 2010

Healthcare ID theft may rise with digital records

Category: hipaa, Information Security | DISC @ 12:25 pm

By Margaret Collins BLOOMBERG NEWS

Sierra Morgan was billed $12,000 on her health care credit card in November for liposuction, a procedure she never requested or received.

“It’s depressing to know that someone used my name and knows so much about me,” said Morgan, 31, a respiratory therapist from Modesto, Calif.

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008, according to Javelin Strategy & Research, a market research firm. The average fraud cost $12,100, Javelin said.

“A trend we’ve seen over the past few years is using stolen information to file false claims,” said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Association, a nonprofit research group.

Criminals set up fake clinics to bill for phony treatments, said Pam Dixon, founder of the World Privacy Forum, a nonprofit consumer-research group based in San Diego, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The digital files will improve care and help lower costs, the government said, without projecting savings.

“Once files are in electronic form, the crime scales up quickly,” said Dixon, whose group analyzed a decade of consumer data from the Federal Trade Commission and medical identity theft cases from the Department of Justice.

“There are cases where someone has walked out with thousands and thousands of files on a thumb drive,” she said. “You can’t do that with paper files.”

Patients’ medical records are altered to reflect diseases or treatments they never had, which can be life-threatening if they receive the wrong treatment or find their health insurance exhausted, Dixon said. A thief may change the billing address for a victim’s insurance so they’re unaware of charges, she said.

“Once you aggregate and put data in one place, it’s easier for you to see it, but it’s also easier for a criminal to see and use it,” said Scott Mitic, chief executive of TrustedID, a consumer data-protection firm. “The digitization of medical records over the next years is certainly going to make this more of an issue.”

Fraud at a high cost

Brandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for a Houston-based oil company.

“I’m as healthy as they come,” he said.

Sharp said he spent six to nine months correcting his medical files, outstanding charges and credit report.

Medical identity theft is about 2½ times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught.

The average fraud involving health information was $12,100, compared with $4,841 for all identity crimes last year, and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.

“It’s becoming the credit card with a $1 million limit,” said Jennifer Leuer, general manager of, an identity-protection service provided by Experian PLC, a credit reporting firm. “If the health insurance is valid, they’ll treat you and not always check your ID.”

Insurers are improving technology to spot false claims, said Tom McGraw, a senior vice president at Ingenix, a subsidiary of UnitedHealth Group Inc. McGraw leads a group focusing on fraud involving Medicaid and Medicare, the two government-sponsored health programs for the poor and the elderly, he said. The company can now track distances between providers and beneficiaries to identify whether physicians are treating patients who don’t live nearby, he said.

Legislation passed last year requires doctors and hospitals to notify patients when their information has been exposed from a security breach, said Randy Sabett, co-chairman of the Internet and data protection practice at Sonnenschein Nath & Rosenthal, based in the law firm’s Washington office.

To read the remaining article

Tags: Credit card, Health care, health insurance, identitytheft, medicaid, medicare, National Health Care Anti-Fraud Association, Scott Mitic, Sierra Morgan, Sonnenschein Nath & Rosenthal, UnitedHealth Group

Nov 19 2009

Health Net healthcare data breach affects 1.5 million

Category: hipaa, Security Breach | DISC @ 2:10 pm


Here we have another unnecessary major security breach at a large healthcare organization, one that resulted in the loss of patient data and demonstrates poor baseline security. They are clearly not ready for the new HIPAA provisions under ARRA and HITECH. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Contact DISC for any questions or for a high-level risk assessment.

The Practical Guide to HIPAA Privacy and Security Compliance

By Robert Westervelt, News Editor, 19 Nov 2009

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to the state attorneys general’s offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data.

“Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman an analyst with Security Incite.

“You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.”

In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place and the right training and awareness so that employees understand what those policies are and ways to audit those processes, he said.

Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.

“A lot of these portable hard drives are older without built-in encryption and to the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said.

Some USB makers market the devices with built-in encryption software. In 2008, Seagate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

Nagraj Seshadri, head of product marketing at Utimaco the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data.

Perhaps healthcare management still doesn’t realize that it might be liable for a lack of reasonable safeguards to protect organizational assets. Do you think it’s time for healthcare management to take information security seriously as a potential business risk?


Tags: arra and hitech, data loss prevention, data security, disk encryption and file encryption, Health care, Health Insurance Portability and Accountability Act, Identity Theft, identity theft and data security breaches, Personally identifiable information, Security, security awareness training

Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaa | DISC @ 6:22 pm

The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place

In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

“Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to address these concerns.”

Other key survey results include:

Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent with the level of spending identified in the 2008 study.

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

Future Use of Security Technologies: E-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

“Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

The 2009 HIMSS Security Survey, targeting Chief Information Officers, Chief Security Officers and other Information Technology (IT) executives, assessed 196 IT and security professionals in the healthcare field on their own readiness for today’s risks and security challenges.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

About HIMSS
The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit for more information.

For more information, contact:
Joyce Lofstrom/HIMSS
312-915-9237 –

Pamela Reese/Symantec
424-750-7858 –


Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec

Mar 04 2009

HIPAA accountability and security program

Category: hipaa, Security Risk Assessment | DISC @ 7:34 pm

Last year the Department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and for the lack of a security program. The healthcare stimulus bill says that HHS will post breaches at healthcare organizations on its website. In both cases the intent is clear: HHS wants to hold healthcare organizations accountable for security lapses.

The World Privacy Forum (WPF) states in a recent report that medical identity theft is on the rise and that it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft is mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to a different address.

HHS has given healthcare organizations ample warning and time to get their house in order. The healthcare stimulus bill, which requires digitizing healthcare records, will demand an even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planning now and implement their security program before HHS comes knocking at their door.

Risk Management Process:

Like other compliance initiatives, HIPAA requires organizations to build a security risk management program to manage their daily risks. The risk management process consists of risk assessment (analyzing the risks), designing/selecting controls, implementing controls, testing controls, and maintaining/monitoring controls. At a high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.


A risk assessment states the security posture of an organization at a given point in time, so organizations should conduct a risk assessment of their assets on a regular basis. A risk assessment looks at the impact and likelihood of each threat/vulnerability pair to assess the risk: what is the likelihood that a threat will exploit a given vulnerability, and what will the impact be if that vulnerability is exploited? If either the likelihood or the impact is low, the overall risk is low.
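The threat/vulnerability scoring above, and the risk-analysis elements the OCR guidance post earlier on this page says an auditor will look for, as an added worked example that is not code from the post, from HHS or from OCR; the three-level scale, the scoring matrix, the register entries and the control list are all assumptions constructed for illustration:

```python
"""Qualitative risk register for the risk assessment step described above.
Scoring model, register entries and controls are assumptions for this example."""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}


def risk_level(likelihood: str, impact: str) -> str:
    """Overall risk of one threat/vulnerability pair. Rule from the post: if
    either factor is Low, overall risk is Low. Above that (assumed matrix),
    Medium x Medium is Medium and any pair containing High is High."""
    lk, im = LEVELS[likelihood], LEVELS[impact]
    if min(lk, im) == 1:
        return "Low"
    return "High" if max(lk, im) == 3 else "Medium"


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class Control:
    name: str
    reduces: str  # factor the control lowers: "likelihood" or "impact"
    by: int = 1   # number of levels it lowers that factor


def residual_risk(entry: RiskEntry, control: Control) -> str:
    """Re-score the pair as if the control were in place (the test/monitor step)."""
    lk, im = LEVELS[entry.likelihood], LEVELS[entry.impact]
    if control.reduces == "likelihood":
        lk = max(1, lk - control.by)
    else:
        im = max(1, im - control.by)
    return risk_level(NAMES[lk], NAMES[im])


def treatment_plan(register, controls, tolerance="Medium"):
    """Pick a control for every pair scored above tolerance, highest risk first,
    and report the residual risk expected once the control is implemented."""
    plan = []
    for e in sorted(register, key=lambda e: LEVELS[e.risk], reverse=True):
        if LEVELS[e.risk] > LEVELS[tolerance]:
            c = controls[e.vulnerability]
            plan.append((e.asset, e.risk, c.name, residual_risk(e, c)))
    return plan


# Constructed register drawn from the incidents discussed on this page.
REGISTER = [
    RiskEntry("External hard drive", "Loss or theft of portable media",
              "no encryption at rest", "Medium", "High"),
    RiskEntry("Billing system", "Insider downloads records to sell",
              "audit logs not analyzed electronically", "Medium", "High"),
    RiskEntry("Field laptop", "Theft of device", "weak login password",
              "Medium", "Low"),  # disk already encrypted, so impact is Low
    RiskEntry("Patient portal", "Address changed to hide phony claims",
              "no change notification to patient", "Medium", "Medium"),
]
CONTROLS = {
    "no encryption at rest": Control("Enforce media encryption", "impact"),
    "audit logs not analyzed electronically": Control("Automated log review", "likelihood"),
    "no change notification to patient": Control("Notify patient of address change", "likelihood"),
}


def sample_plan():
    return treatment_plan(REGISTER, CONTROLS)
```

Running `sample_plan()` lists only the two High pairs; the laptop drops out because its impact is already Low, which is the rule the paragraph states.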

Performing a vulnerability assessment of critical assets on a monthly basis is highly recommended, both to find new vulnerabilities and to make sure that hardened system configurations have not changed. Any change introduced to a system also requires checking that the required configuration settings are still intact.
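The check that hardened configurations are still intact, as an added example that is not part of the post; the configuration file patterns, the JSON baseline format and the sample config tree are assumptions constructed for illustration:

```python
"""Configuration drift check for the monthly verification described above.
File patterns, baseline format and the sample config tree are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path

CONFIG_PATTERNS = ("*.conf", "*.cfg")


def fingerprint(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every configuration file under root (relative POSIX path) to its hash."""
    files = {}
    for pattern in CONFIG_PATTERNS:
        for p in root.rglob(pattern):
            if p.is_file():
                files[p.relative_to(root).as_posix()] = fingerprint(p)
    return files


def save_baseline(snap: dict, baseline_file: Path) -> None:
    """Persist the approved (hardened) state; keep this file off the host it covers."""
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report drift: changed hashes, files that vanished, files that appeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small hardened config tree, then
    simulate unapproved changes made before the next monthly check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "media.conf").write_text("removable_media_encryption=required\n")
        (root / "usb.conf").write_text("usb_mass_storage=disabled\n")
        (root / "notes.txt").write_text("not a config file, so ignored\n")
        baseline_file = Path(tmp) / "baseline.json"  # outside the tree it covers
        save_baseline(snapshot(root), baseline_file)

        # Drift: encryption requirement relaxed, USB policy file deleted,
        # and an unreviewed file appears.
        (root / "media.conf").write_text("removable_media_encryption=optional\n")
        (root / "usb.conf").unlink()
        (root / "share.cfg").write_text("guest_share=enabled\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```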

A Five-step Roadmap to HIPAA Security Compliance



Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services