Monthly Archives: June 2014

Text Message Preservation Issues Causing You a Headache? Take Another Aspirin and Start Thinking About Instant Message Preservation Issues.

The use of instant messaging for business purposes continues to increase. Does your company allow employees to engage in business communications via instant messaging? If so, have the implications been fully considered?

One such implication is the company’s duty to preserve ESI (Electronically Stored Information) when litigation is threatened or commenced. Courts have held that this duty applies to instant messages just as it does to email and text messages. See, e.g., UPMC v. City of Pittsburgh, Civil Action No. 13-563 (WD PA October 25, 2013).

Bottom line, and with apologies to Gertrude Stein, ESI is ESI is ESI.

And courts can certainly sanction parties failing to preserve instant messages. See, e.g., Southeastern Mechanical Services, Inc. v. Brody, 657 F Supp 1293 (MD FLA 2009).

Image via freedigitalphotos.net/sippakorn

Another implication is the tendency of some employees to say things by instant message they wouldn’t say otherwise. They often do not understand that a less-than-well-thought-out instant message might end up as Exhibit A in some break-the-company lawsuit.

Instant messaging is only getting more prevalent. Rather than reacting after the harm has been done, a wise company will think ahead and mitigate risk by taking measures such as adoption of policies covering the issue, careful management, and employee education.

Next: Send any sensitive information via email? Have email encryption? No? Uh-oh.

3 Tips for Healthcare Data Security

While IT security is challenging in any business, the healthcare industry carries its own unique set of obstacles and high standards. This is due to a number of different factors, ranging from the obvious (HIPAA and other regulatory guidelines) to the subtle (the best way to handle long-term data storage of medical records). Here are three tips that can help you improve your healthcare data security overall.

1. Risk Analysis Done Right

Image via freedigitalphotos.net/Stuart Miles

Arguably the most important item of documentation required as part of an Office of Civil Rights audit, a risk analysis shows the steps your organization has taken in terms of both technical and physical data security, as well as looking at employee education efforts and other administrative factors. From uptraining and promoting awareness among staff to ensuring that satellite devices like company-issued laptops are just as secure off-site as on, every detail of your data security can be revealed with a risk analysis. With the OCR going as far back as five years for their audits, showing just the most current version is no longer enough; they’re looking now at how your security strategy has evolved over the years, and if you’re making ample efforts in the right directions.

2. Encrypt, Encrypt, Encrypt

Speaking of company-issued laptops, are yours encrypted? Because physical theft and loss of unprotected data remains the biggest problem currently facing healthcare data security. In fact, OCR data shows that the majority of HIPAA privacy and security breaches—60 percent—are due to the theft or loss of unencrypted laptops and other devices. If this equipment were encrypted, unauthorized access to the data they contained would be severely limited or even prevented entirely. While the per-user costs seem significant to enable encryption initially (sources estimate somewhere between $200-$400), the financial impact of a data breach that occurs from a failure to encrypt is exponentially higher.

3. Educate Your Employees

Of course, all the rules and policies in the world aren’t going to make a bit of difference if your employees remain unaware of them… or worse, decline to follow them. Employees have to be educated about the risks—not just of how a data breach could impact employees and patients, but also the importance of encryption, why safe browsing and computing habits matter, the difference between a strong and weak password and so on. IT security doesn’t happen in a vacuum; privacy and protection are dependent on every individual who interacts with sensitive data, and at every step of the workflow.

Call in the Experts

If you’re feeling generally overwhelmed by the big picture of healthcare IT security—or the multitude of just as important yet easily overlooked tiny safety details—you may want to look into working with a third party vendor who specializes in the field of ensuring IT security for healthcare organizations. From data analysis to implementing encryption and working to develop a comprehensive employee education program, an outside voice of expertise can provide a much-needed level of guidance to ensure that your organization and your patients are well-protected.

Are Small Hospitals More Vulnerable to Data Breaches?

Small hospitals and healthcare practices often think they’re not as vulnerable to hackers as their larger peers, and for seemingly logical reasons. In theory, they present less of a motivation for hackers (since the payoff wouldn’t be nearly as impressive), and their size probably makes them less well-known compared to a larger facility, too. Yet, the reality is that what these healthcare providers read in the news is just the tip of the iceberg. There are a few reasons why smaller healthcare organizations may actually be a more enticing target than healthcare executives realize.

Size Relative to Security

Image via freedigitalphotos.net/Stuart Miles

When it comes to security, size should never be relative. That is, smaller facilities shouldn’t skimp on protection just because they have less extensive databanks or fewer patients. Unfortunately, this is exactly the misassumption some healthcare executives make: that protection really isn’t all that critical. Just as unfortunately, a lot of hackers know that this attitude is prevalent in small practices, which makes those less extensive databases ripe for the plucking.

Another place where size is deceptive lies on the development side of the healthcare industry. Healthcare-related apps are convenient little things, thought of as generally hobby-based and innocuous. This combination of qualities means that security is often overlooked here, too, leading to many health and fitness apps that sorely lack in adequate protection of patient privacy.

Steps to Take

No matter how insignificant your healthcare practice may seem in comparison to larger, fancier or sleeker facilities, one man’s trash is another man’s treasure, as the saying goes. Just because you imagine that your limited information couldn’t possibly be valuable to hackers doesn’t mean that the jackpot isn’t just as satisfying if cybercriminals gain unauthorized access to your system…and that means your patients—and their privacy—remain very much at risk.

There are a few steps that can help limit these vulnerabilities:

  • Beef up security: Don’t let anything go unprotected, even (perhaps especially) medical records. Hackers aren’t just after payment information; don’t assume that just because you don’t maintain records of credit card authorizations that there’s nothing in your circuits that could interest a seasoned cybercriminal. Health data is its own gold mine.
  • Regular check-ups: Even if a breach does occur, an early diagnosis is key to limiting potential damages. Something as simple as keeping an eye on your access logs so you recognize any anomalies can make a huge impact in rendering hackers powerless.
  • Don’t forget the small stuff: There really is no “too small” when it comes to hackers. From health-related apps to insulin pumps to the most remote rural practice, anything that houses, transmits or records medical information requires the utmost protection.

If there’s only one takeaway here, let it be that developing awareness of the very real danger of medical identity theft—regardless of practice size—is of the utmost importance to protecting patient information. Take the right steps to protect your practice and your patients, and you’ll become a much less tempting target.

How Can Less Tech-Savvy Hospitals Move Forward with EHR?

In urban areas, it’s typical and even expected that larger healthcare organizations and hospitals are already using the latest medical breakthroughs and technological advances, including making (or having already made) the transition to electronic health records (EHR). Yet, rural practices are often stuck years behind their big city counterparts in a number of ways, and EHR adoption is no exception. How can smaller medical practices and hospitals catch up, let alone move forward?

Pipeline Problems

There are a lot of things people living in larger metropolitan areas take for granted, like 24-hour grocery stores or extensive public transportation. Smaller communities are faced with a number of unique challenges related to their relatively remote, isolated locations.

This dynamic is reflected in the healthcare industry as well. When it comes to making tech upgrades, the problems an urban hospital faces are most often related to issues like figuring out the best way to transform a large volume of paper records into digital format, or how to rearrange the budget to pay for the transition. In rural areas, though, complications occur at a much more fundamental level.

The question that smaller practices face isn’t necessarily how to schedule the time or the best way to reprioritize the budget, but may instead be as basic as how they can find a technician or vendor to perform the service at all. Facilities that only have a couple dozen beds to begin with may have trouble even getting the latest medical equipment, and definitely don’t have access to the expert guidance they need to install and implement the hardware and software that’s necessary to build and maintain effective electronic records management.

Lack of funding in general is another serious issue facing rural practices. On average, the nation’s 2000 or so rural hospitals already run at an eight percent loss, so the question of finding the necessary investment to adopt EHR—often in the range of about a million dollars—can feel impossible. Yet, these changes need to be on track in order to comply with the mandatory 2015 deadline, so an answer has to be found.

Joining Forces

The solution adopted by an increasing number of smaller practices involves a trade-off: giving up their independence in exchange for being absorbed into a larger nearby healthcare organization. Rural hospitals can align or merge with the nearest large metropolitan area hospital system and receive the benefits of more generous financial backing, along with superior access to the necessary technical support. Often, the urban facilities are already using EHR, so making the upgrade is a fairly streamlined—and less financially strapped—process. While some small hospitals remain stubbornly independent and are determined to find funding somehow on their own, others are benefiting in a big way from creatively joining forces with other healthcare providers.

Image via freedigitalphotos.net/2nix

Is Your Healthcare IT Security Stuck in The Stone Age?

It has been more than a decade since HIPAA’s security rule was introduced. In the intervening years, the field of healthcare IT security has evolved dramatically. However, not all practices and providers have gone along for the ride.
Are you part of an organization running a Flintstones-era healthcare infosec operation? If so, you may be playing fast and loose not only with patient welfare but also with federal regulations. With the impending implementation of ICD-10 and the ongoing shift to fully electronic medical records, chinks in your healthcare IT security armor may leave both your patients and your organization vulnerable to costly and compromising breaches.

Head in the Cloud?

Image via freedigitalphotos.net/ddpavumba

Cloud computing has lifted physicians’ abilities to communicate, collaborate, and compare patient information into the stratosphere. Developments in cloud computing technology put staggering amounts of useful information in the hands of healthcare providers in both megacities and small municipalities.

But for all the benefits that come from this open access platform, there is also great risk involved. Managing data across multiple platforms and great distances exposes sensitive patient information to huge numbers of eyes. If you haven’t made security a priority, you may inadvertently – and unknowingly – be exposing patient reports, EMRs, and images to nefarious individuals or entities. Be sure any outsourced firms with which your organization or practice contracts have a top-of-the-line IT security system and federal approval for capturing and storing confidential patient information.

Security Alphabet Soup

When swimming in a sea of EHR/EMR, HIPAA, HITECH and many other acronyms, it’s easy to let information security fall to the bottom of your list of compliance priorities. However, the federal government is ramping up efforts to monitor and intervene in even the smallest of HIPAA breaches. In a world of rogue “hacktivists” and ever-changing security threats and standards, how can you be sure you’re doing everything possible to keep patient information secure? Here’s a hint: if you don’t know what “hacktivists” are, you may be in the middle of a Stone Age healthcare IT security situation.

In the new cyber economy, even small- to medium-sized businesses and practices face security threats more commonly associated with institutions on an enterprise-level scale. Putting healthcare IT security higher on your list of priorities shouldn’t even be up for debate.

Top Healthcare IT Security Threats

A few of the most vulnerable points for IT security include:

  • Providers and contractors with multiple, untraceable, unencrypted mobile devices – Constantly upgraded operating systems make these ubiquitous devices especially vulnerable to cyber hacking and viruses.
  • The shift from desktop systems to cloud-based servers – The ability to use multiple applications from one virtualized “desktop” saves hardware dollars but exposes private health information to a wider array of infosec threats.
  • Social media vulnerability – It’s nearly impossible to restrict employee access to social media, but these networks are also rife with quickly-spreading viruses and security bugs.

Healthcare Security for the Modern Age

If you aren’t sure whether your healthcare security processes and procedures are up-to-date, they’re most likely behind the times. Get smart with your healthcare IT security policies in order to ensure both federal compliance and patient privacy. Protecting your practice and patients from cyber infection is as serious a charge as the cause of improving physical health. To guarantee the security of both patient data and your vital business information, make IT security a top priority. Doing so may require enlisting an outside contractor with the expertise to make your healthcare IT security completely airtight.

Image via freedigitalphotos.net/ddpavumba

The Frightening Truth About Data Brokers

A recent report released by the Federal Trade Commission only confirms what many in the know have suspected for quite a while: information is the latest and most valuable form of currency in the business world. This has led the FTC to call for greater transparency from data brokers and their information harvesting practices, particularly when it comes to consumer health information.

Data Brokers Under Scrutiny

Although the practice of data mining in general is now under the microscope, the FTC particularly looked at the tactics of nine well-known data brokers:

  • Acxiom: Acxiom’s databases house information on around 700 million consumers from around the world, which enables them to deliver consumer data and analytics for use in everything from marketing campaigns to fraud detection.
  • Corelogic: With databases that hold property information, including historical records of property transactions and mortgage applications, Corelogic is able to provide records for more than 99 percent of residential properties in the U.S. for use in analytics by government and businesses.
  • Datalogix: Businesses need marketing data to target the right audiences, and Datalogix excels in providing that data. Datalogix recently partnered with Facebook in an effort to examine the effectiveness of advertising via social media.
  • eBureau: Marketers, online retailers, financial services companies and others turn to eBureau for analytics services and predictive scoring. eBureau’s services help analysts better predict which demographic segment is most likely to transform into profitable consumers.
  • ID Analytics: Identity theft and consumer fraud can be minimized through the services of a company like ID Analytics, which works to verify consumers’ identities through comparison against unique identity elements and data points.
  • Intelius: An accessible online database for private individuals and businesses alike, Intelius enables background checks against public record information… over twenty billion records’ worth.
  • PeekYou: PeekYou uses patented technology to analyze social media content, blog platforms and various other sources in order to provide their clients with comprehensive consumer profiles.
  • Rapleaf: Rapleaf provides information to flesh out existing email lists by contributing additional demographic info on email address owners’ age, gender and many other data points.
  • Recorded Future: Through the capture of past data on the habits of companies and consumers, future behaviors can be better predicted as well. Currently, Recorded Future gathers information from across half a million different websites.

Although the FTC report uncovered many unsettling findings, one of the most troubling is the fact that the vast majority of consumers have no idea that their data is being harvested without their knowledge or permission.

Data Brokers and Health Data

Despite the stringent guidelines laid forth by HIPAA to go the extra mile in protecting patients’ health records, data brokers are not liable under the same rules. This means that data brokers are able to collect information on personal details such as over-the-counter medication purchases, consumer preference on issues like medical care, and even track online searches for health conditions and prescription information, yet aren’t bound by the same strict standards as any other agency that collects or retains this data.

This presents an even greater concern when taking into consideration the fact that most citizens expect a reasonable degree of privacy, particularly when it comes to their physical and mental health. As a result, the FTC is now urging Congress to set forth guidelines that would ensure a higher degree of accountability by data brokers and their clients, including requiring consumer consent beforehand.

Image via freedigitalphotos.net/cooldesign

3 Reasons Why Law Firms Need to Take Extra Steps for Data Protection

Regardless of specialization, lawyers everywhere are familiar with the concept of attorney-client privilege, and the closely related need to protect client confidentiality. Yet, a recent survey conducted by LexisNexis indicates that very few firms are actually taking steps to increase protection of sensitive data. Here are three reasons that needs to change.

1. Email Is Vulnerable

It’s a common misassumption that because email accounts require passwords to log in at both ends of transmission (the sender’s account and the recipient’s), email is a protected means of communication. In reality, however, emails that are sent without encryption are completely vulnerable to hackers. Although the LexisNexis survey mentioned above indicates that only a minority of firms are currently using encryption for their privileged communications, doing so would be a small step for many firms that could make a big difference in data security.

2. File Sharing Is Gaining Popularity

As the volume of data exchanged daily continues to increase, the concept of file sharing grows in popularity too. Unfortunately, the majority of respondents to the LexisNexis survey report that their preferred method of “file sharing” is—again—simply sending everything back and forth by unencrypted email. There are encrypted file sharing services and programs available that could offer an additional layer of security to sensitive data, offering greater peace of mind to attorney and client alike.

3. Confidentiality Isn’t Real Protection

A staggering number of firms—77 percent to be exact—say that they rely on the confidentiality statement at the bottom of every email as their primary defense. While this may offer some level of protection to the firm itself, the clients themselves are rarely protected by any confidentiality disclaimer… not to mention, a few sentences about privileged information doesn’t actually mean that the information contained in the email is protected in any real way from outside threats, which is a concern that needs to take on a higher priority.

Future Protection

Both clients and their attorneys need to recognize the need for heightened security when it comes to data protection. When 89 percent of firms report that their use of unencrypted email is their primary means of client communication as well as internal information exchange, the concern quickly becomes apparent. No matter what your signature line may read, the truth is that promising not to share privileged data isn’t even close to the same thing as protecting that same data against unauthorized access. It’s time for law firms to get serious about data protection in an effort to truly safeguard themselves and their clients.

Image via FreeDigitalPhotos.net/thanunkorn

Are Security Concerns Holding Back eHealth?

Despite the ever-growing integration of technology into the average person’s daily life, there’s still one frontier that many remain resistant to when it comes to going virtual: health care. According to a recent Ponemon Institute study called “Risk & Rewards of Online & Mobile Health Services: Consumer Attitudes Explored,” many consumers still feel uncomfortable about sharing information about their health online. Are these concerns holding back the potential for a more fully developed approach toward electronic health records and other eHealthcare possibilities?

What Holds Consumers Back

The study, sponsored by Experian Data Breach Resolution, looked at the way consumers use online health services and portals as compared to other online services that involve potentially sensitive data as well, such as online banking or making purchases from smartphones.

The study included nearly a thousand participants, many of whom described themselves as regular Internet and mobile app users. Yet, 52% of respondents said that they do not currently use eHealth services, for three main reasons:

  • Mistrust that their online health information would not be fully removed upon request
  • Questions over the respect for privacy—for example, whether users would be tracked online
  • Whether complete online anonymity could be assured

Add to this the common public perception that online healthcare services or portals are not as secure as they should be, and it’s easy to see the challenges facing eHealth industries today.

What Does the Future of eHealth Hold?

With such clear reluctance from the general population, even those who are otherwise fairly tech-savvy, what future developments can be expected in the field of eHealth services? First, it’s important to recognize that there are many benefits to electronically-stored healthcare information as well as many other health-related applications.

  • Microsoft’s HealthVault lets families organize their healthcare records, and share that data with physicians or other agencies (such as children’s schools for their records). HealthVault also integrates with many popular health-related fitness apps.
  • An app called MedTracker gives patients reminders about when to take medications, but this capability is available in electronic pillboxes as well.
  • Other online-based tools, platforms and apps are already in use for nearly every aspect of healthcare, from medical billing to electronic health records and other resources.

Despite hesitance from consumers, healthcare systems are definitely making the shift toward digitally-managed healthcare, both as a solution for improving patient care and safety, and as a cost-saving measure. In fact, the Affordable Care Act was in part written to encourage and promote these technologies in order to lower health care costs overall.

The prime takeaway here is the persistent impression consumers have that their health-related data is less secure to access online than their bank accounts or credit card transactions. In order for this perception to be changed, consumers must feel reassured that the systems and products they’re using are securely encrypted; securing healthcare information is vital for encouraging the widespread adoption of eHealth services in the future.