Monthly Archives: May 2014

Vendor Sacked for HIPAA Breach Blunder


Data Misuse Concerns

The site in question, used by physicians for patient notes, didn’t show signs of access by any unauthorized personnel, and the patient records did not include financial information or social security numbers. However, the potential for accessing personal information such as prescriptions and medical history was still very much a possibility.

All of the impacted individuals were notified, and Boston Medical Center immediately discontinued their decade-long business association with the medical transcription company. The website was taken down the same day the incident was reported, although it’s not clear how long the patients’ unprotected data was live on the site prior to that date.

It’s clear that MDF Transcription was not following the HIPAA protocol as they should have. Although it doesn’t appear that any of the information was used or accessed inappropriately, HIPAA is not just about fully realized cyber-attacks. Instead, the guidelines set in place by HIPAA are intended to be proactive and preventative, protecting not only against the misuse of data but also against unauthorized access of any kind.

The Future of PHI

Ongoing discussions over protected health information (PHI) have led to a recent Blue Ribbon Panel for further discussion on how to best respond to the increasing complexities involved with privacy and security enforcement within the healthcare industry. From the Office for Civil Rights (OCR) to the Federal Trade Commission and even the Securities and Exchange Commission, a number of organizations are getting more involved with the education and enforcement of the HIPAA compliance process.

Perhaps more relevant for companies like MDF, the OCR is taking a more aggressive stance when it comes to imposing financial penalties on those organizations that have neglected to meet even baseline expectations for PHI standards and HIPAA compliance. Overall, the mood is one of very little patience toward companies that continue ignoring mandatory standards, and a heavy emphasis on the right of the individual to expect (and receive) a certain level of privacy assurance when it comes to his or her own health and medical records.

How to Minimize Data Exposure Risks

Recently, HIPAA reported one of the largest ever security breaches in the healthcare industry: namely, the theft of over 400,000 individuals’ protected health information (PHI) from a Texas healthcare system. The breach, which occurred in December 2013, spanned three days and resulted in the loss of social security numbers, addresses and birth dates for employees as well as patients, along with more detailed medical information. How can such an attack impact the affected parties, and what can be done to prevent future vulnerabilities of a similar nature?

Information and Identity Theft

Access to personal records such as dates of birth and social security numbers, gathered in the initial data theft, is only the first stage for hackers. This sensitive information can then be leveraged into accessing accounts that have additional levels of protection in place. For example, many online bank accounts and credit card accounts require a two-step verification process that begins with a user name and password, and then adds another qualifying factor such as a PIN or the answer to a secret question.

After hackers are armed with medical records and employee information, it’s much easier to decipher passwords, PINs and other verification methods. For example, many people may use their birth year or anniversary date as their PIN, or as part of their password. Additionally, information like full legal name plus social security number can allow the hacker to open lines of credit in the victim’s name, file fraudulent tax returns in order to gain access to refund money and other forms of identity theft. The original hackers may perform these operations themselves, or may opt to sell the stolen information to the highest bidder for use by other cybercriminals.

Adding Protection

While user education—on issues like how to generate more secure passwords and practice other sensible precautions online—is an important step in limiting personal loss even if a breach of this type occurs, the impacted organizations themselves can provide a better first line of defense as well. For example, data encryption would help to prevent data exposure, as would the implementation of a monitoring plan that would identify and analyze potential breach points. Regular scans and analysis would help IT security personnel recognize a potential breach on the network much sooner, allowing more time for preventative measures to be taken.

There’s never just one finger with which to point blame on the occasion of this or any other successful hack. Instead of looking around for who may or may not be guilty, energies are far better spent on ensuring that a more secure infrastructure is put into place that will better protect organizations and individuals against cyber-attacks in the future.

20 Myths About eDiscovery

Despite the prevalence of digital information in our daily lives, the legal community continues struggling under a number of myths surrounding electronic discovery (eDiscovery). Instead of allowing long-standing misconceptions to inform legal action, here’s a closer look at the facts behind them.

1. You don’t need to think about eDiscovery unless you’re involved in litigation.

A well-planned, well-executed information governance (IG) plan is essential for any enterprise, and the sooner this occurs before potential litigation, the better.

2. eDiscovery is overly complicated.

In knowledgeable hands, eDiscovery efforts aren’t necessarily any more complex than traditional discovery.

3. Only big cases benefit from eDiscovery.

Since very few cases are conducted that don’t involve at least some type of electronically stored information (ESI), cases of any size may require eDiscovery.

4. eDiscovery costs a fortune.

By keeping data in digital format, all parties will see significant savings in the long term as a result of eliminating hard-copy expenses such as printing, scanning, shipping, storing, coding and Bates numbering.

5. Traditional discovery provides more than enough evidence to win a case.

With the majority of business communication occurring digitally (for example, via email), traditional discovery alone is becoming insufficient for modern litigation.

6. All law firms know the most successful eDiscovery strategies.

Like any learned skill, there are all different levels of expertise when it comes to eDiscovery. For the best results, choose an experienced litigation support team that specializes in eDiscovery.

7. No one really uses eDiscovery yet.

Even as recently as a few years ago, this myth might have been true. However, as with any new technological advancement, adoption has been rapid and widespread.

8. The more data, the better.

Courts only want to hear about relevant data. Broad collections of ESI are frowned upon as unnecessary expenditures of time and billable hours.

9. Deleted ESI is gone for good.

Unless ESI is deleted by someone who’s extremely tech-savvy, a computer forensics specialist can retrieve nearly any type of deleted or corrupted data.

10. Existing IT staff already know how to collect and document ESI.

eDiscovery involves both technical skill and legal knowledge, so expertise in both areas is essential for the best eDiscovery strategy.

11. eDiscovery is cost-prohibitive for smaller law firms.

Today’s pricing models are making eDiscovery more affordable than ever, making tools accessible to firms of all sizes.

12. To stay on the safe side, companies should keep all data whenever possible.

Every gigabyte of irrelevant data counts toward total eDiscovery expenditures. Instead of saving everything, organizations should develop a more streamlined IG policy.

13. Predictive coding is too faulty to work properly.

Predictive coding in its current form is extremely helpful for early case assessment. Although it’s not a perfect system, it’s far more efficient than manual assessment.

14. The other side isn’t going to want to deal with eDiscovery.

More and more often, both parties in any given case will need to produce some level of eDiscovery during litigation.

15. eDiscovery only applies to ESI like computer files.

eDiscovery applies to all ESI, including social media profiles, personal email, text messages and any other ESI that may have relevant case info.

16. Metadata isn’t that important.

Metadata tags are useful for sorting and organizing large volumes of electronic data.

17. Keyword searches are more cost-effective than concept searches.

As technology becomes more intuitive, concept searches may soon be far more efficient than looking for a single keyword or phrase.

18. All ESI is important.

Not all data is created equal, and most has a definitive shelf life since information is often only relevant to the specific task at hand.

19. eDiscovery will end up replacing humans.

Although eDiscovery can tremendously improve the discovery process as a whole, humans are still essential for interpretation and clarification.

20. Lawyers don’t really need to understand eDiscovery. That’s what IT is for.

Understanding the possibilities of eDiscovery efforts can be a huge contributing factor in determining the winning strategy for your next big case.

$2M Laptops? Unencrypted Stolen Computers Cost Organizations

The federal government isn’t exactly known as an entity that commonly takes quick and decisive action. We like to bemoan our do-nothing Congress and the stifling layers of bureaucracy that stand between leadership and actual legislation. Yet in some cases, the feds like to keep us on our toes; such is the story with recent hefty fines levied against a couple of healthcare entities found guilty of playing fast and loose with patient information.

For those healthcare providers still resistant to upgrading their IT security practices, consider yourselves warned: the grand total in fines for these two entities and their violations of HIPAA Privacy and Security Rules came to nearly two million dollars. If you still think no one is paying attention to what healthcare institutions are doing to guarantee patient privacy and healthcare information security, think again.

Crimes and Punishments

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied the fines. Speaking on behalf of OCR, Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

The incidents that led to these hefty fines involved stolen unencrypted laptops. The first incident was discovered by OCR during a HIPAA compliance review of a physical therapy program administered by Concentra Health Services in Springfield, Missouri. Here are the facts:

  • Concentra conducted a number of risk analysis studies and discovered that unencrypted laptops, desktops and other mobile devices all contained sensitive patient information.
  • Concentra failed to take any significant action to guard patient information against these admitted points of vulnerability.
  • As a result of their failure to take action to resolve the security risks and a finding of generally insufficient patient information security, Concentra will have to write a $1,725,220 check. That’s enough to make anyone need physical therapy.

In the other incident, Arkansas-based QualChoice QCA Health Plan, Inc. reported theft of an unencrypted laptop containing the sensitive patient information of nearly 150 people. The laptop in question was stolen from a QCA employee’s car. Hindsight being 20/20, QCA took immediate action to encrypt the remainder of their devices, but OCR determined that in this case it was just too little, too late. QCA settled with OCR for $250,000 and must also submit a healthcare technology security risk analysis and corresponding plan to guard itself against any discovered points of IT security weakness.

Taking Action

So, if your organization is behind the times with regard to healthcare information security, you may also be behind the 8-ball of federal HIPAA enforcement efforts. If your institution is still working on unencrypted devices, here are a few immediate steps to take:

  • Perform a thorough risk analysis of your healthcare IT security
  • Address any discovered chinks in your infosec armor
  • Retrain staff on meeting current standards
  • Keep thorough records of steps taken to improve healthcare IT security in the event that you find yourself under investigation following a breach

Health and Human Services’ OCR offers a number of training programs for healthcare providers. Designed to help personnel understand HIPAA Privacy and Security Rules and ensure compliance, these programs are free with Continuing Medical Education credits available. For more information, visit OCR’s training site.

Crazy Claims Kicked Out of Court

Do you remember any of these?

This infographic from DRB Capital depicts eight irrational (and ridiculous) compensation claims that got kicked out of court. Many more have gone through the court system, but these eight are unforgettable. Did they miss any? Share your favorites in the comment section below!

10 Quick Tips About Data Security

The recent security breach at Target served as yet another reminder that companies aren’t necessarily safe from hackers just because they’re large and established. Data security impacts users at all levels, whether as individuals or owners of small- and mid-sized businesses. Here are 10 quick tips that can help you better protect sensitive information.

1. Check Your Password

Know what the most commonly used password is? “Password.” Followed closely by “123456” (or “12345678”). Even an entry-level hacker could break that code. There are a number of unsafe password practices that, if corrected, can greatly improve data security at the most basic point of entry. Remember to use strong passwords and change them often.

2. Invest in Anti-Virus

Any type of anti-malware protection is a must-have for private computers as well as computer networks. If viruses, spyware and other bugs sneak into your system, performance can degrade rapidly, along with an increased risk of data breach.

3. Keep Systems Updated

No one should ignore all those warnings that updates need to be installed. Software updates provide critical patches to repair known vulnerabilities against newly uncovered threats. Take time daily to download and install updates for your operating system, anti-virus software and other programs and apps on your network.

4. Install a Firewall

A firewall adds another layer of protection against potentially dangerous intrusions from hackers, viruses and malicious programs. A firewall can be software- or hardware-based (like those built into network routers), but the hardware-based firewalls offer a higher level of security.

5. Know What Needs Protecting

It’s important to know what type of information (like personal account numbers or customer credit card data) falls under “sensitive” in order to customize your security efforts accordingly. Take the time to identify this data, and document where it’s currently stored.

6. Segregate Sensitive Data

After identifying the data that needs the most protection, it’s a good idea to separate the storage of that information from daily operations and prevent needless duplication of such items whenever possible. The less data there is, the easier protecting that data becomes.

7. Practice Encryption

Encrypting data translates it into an unreadable code, so even if hackers were to access the network at large, the stolen information would still be in an unusable format. Encryption is particularly key for mobile data.

8. Secure Your Connections

Sensitive data should only be transmitted over secure connections, so that it’s protected during transit from possible access. While firewalls and anti-virus can keep data secure while in storage, secure connections help extend that security as data moves from computer to computer.

9. Limit Access

The more accessible sensitive data is, the greater the risk that a breach could occur. By limiting access to information to only those parties for whom access is essential, vulnerabilities are reduced. Setting up an access log ensures that all interactions are documented for future reference.

10. Use Common Sense

Honestly, if this list had to be trimmed down to just one tip, it would be this: practice common sense. Be smart about passwords, network security and online habits. Don’t share info with others, and take all the necessary steps to ensure that any sensitive data is protected from inception all the way through archiving.

The impact of corruption on women, strategies for change (Part 3)

Public Services Labour Independent Confederation (PSLINK)


In order to fight everyday corruption, transparency and accountability within the government are key. However, sometimes this is easier said than done. Even if funding may be in place, corrupt politicians may divert resources elsewhere.

In the final portion of this series, examples are given on how women and public service groups have fought corruption on the grassroots level. Many of these organizations or groups of women exposed the violations taking place through the media – the public then took notice at a national, and sometimes worldwide, level.

It is no doubt a dangerous feat to expose the government’s wrongdoings, but these women have shown fearlessness in the face of corruption. We encourage you to read more about these issues on the FCPA blog and to learn more about what you can do to help.

7 Ways to Use ICD-10 as an Opportunity


Though Congress recently passed a merciful one-year delay to the impending deadline for ICD-10 compliance, we’re here to tell you that the deferment doesn’t make it any less inevitable. The massive paradigm shift that will be required along with the doubtlessly complex technological upgrades and new training for billing and coding personnel may instill fear in the hearts of healthcare professionals everywhere.

However, it helps to look on the bright side; there are as many or more benefits that will arise from the switchover to ICD-10 as there are headaches. If you’re suffering from an as-yet-unidentified (or coded!) anxiety disorder because you dread the impending implementation of ICD-10, here are seven ways to use the upcoming upgrade as an opportunity, not an obstacle.

1. Improved Insights

Better data means better asset allocation, more informed clinical decisions, and increased financial savings.

2. Proactive Policy Setting

ICD-10 provides richer, more dynamic data resources so that healthcare policymakers can make smarter decisions. Better healthcare regulations mean both patients and providers benefit.

3. Coding Clarity

When coding errors or discrepancies delay payment or lead to rejected claims, providers are left high and dry. An upgraded coding system will help increase coding accuracy and speed up the claims approval and payment processes.

4. Improved EMR Compatibility

As paper medical records go the way of the 8-track, the healthcare industry needs to upgrade across the board. ICD-10 provides more detailed and precise coding as well as opportunities for better compatibility with new EMR software platforms; these factors may reduce costly and time-consuming requests from payers for copies of medical records.

5. Improved Asset Allocation

Clearer, more detailed codes mean better asset allocation – both from a human resources and physical assets perspective.

6. International Exchange

Once the US healthcare system makes the switch to ICD-10, it can better participate in the global exchange of healthcare ideas and research information. International collaboration leads to innovation and improved outcomes for research trials.

7. Public Health Profits

ICD-10 will allow for more clarity in public health research and reporting. Better information leads to more effective management of infectious disease outbreaks and clearer healthcare communication during crises.

From Obstacle to Opportunity

It’s clear that the new economy requires healthcare organizations and professionals to stay on the crest of the technological and regulatory waves. Smart organizations see innovations like ICD-10 as another opportunity to reconsider old approaches and upgrade to more efficient, electronic business models.

When quality care is a priority, the most accurate information delivered in the timeliest manner is absolutely vital. For this reason, developments like ICD-10 should be thought of as exciting opportunities rather than exasperating obstacles. This simple paradigm shift will help make the necessary technological shift to a new system a more manageable movement.

The impact of corruption on women, strategies for change (Part 2)


What can be, or is being, done to prevent corruption against women specifically?

While the United Nations Convention against Corruption (UNAC) has 144 state signatories and is legally binding, it does not directly address the relationship between gender and corruption. However, two other mandates (the Convention on the Elimination of All Forms of Discrimination against Women and the Beijing Platform for Action) support it and address the advantages of a gender-sensitive government.

In this second part of the series, strategies that can be used to help women avoid corruption are discussed, such as access to information and the media and gender-responsive budgeting. Both require transparency and cooperation from the government. When women are given opportunities to participate, it has been proven that communities (not just individuals) are better off as a whole.

We encourage you to read more on the FCPA blog and look for Part 3 of the series.

Click here to read Part 2

The impact of corruption on women, strategies for change


Corruption knows no limitations. It can be found in developing countries, as well as in places like the United States. Women and children are especially at risk to face corrupt practices such as bribery and fraud. The size and scope may be different depending on the situation, but the lasting impact is the same.

In a recent blog series posted on the FCPA (Foreign Corrupt Practices Act) blog, statistics from an October 2012 United Nations Development Programme (UNDP) survey are reviewed and discussed. This blog series specifically focuses on women’s perspectives on corruption and how it impacts them.

For example, bribery was the most common term women associated with “corruption.” This is also what they experienced most often. In the survey 63% of women reported they have been asked to pay a bribe, typically to gain access to public goods and services.

At iBridge, we believe in the impact and importance of social responsibility as a company and have helped women and children at risk by setting up two data processing centers in an economically disadvantaged zone in India. We encourage you to read more on the FCPA blog and look for Part 2 of the series.

Click here to read Part 1