Why is eDiscovery a Mystery to Attorneys?

One of the legal profession’s most powerful tools, eDiscovery, is also among the most poorly understood by attorneys. Surveys show that many attorneys are not knowledgeable about the proper use of eDiscovery tools and technology-assisted review (TAR). With electronic documents becoming ever more prevalent in business and government, attorneys who do not know how to properly use eDiscovery tools are doing their clients a disservice. At worst, they are being negligent in their duties.

Electronic documents are not going away; we may yet see the day when most businesses and government agencies are truly paperless, with the entire lifecycle of every document stored in electronic form. Traditional discovery tools (printing everything out using regular office software and reviewing each document by hand) will be woefully inadequate for reviewing these documents, especially compared with software tools that can automatically catalog, index and flag documents, separating the irrelevant ones from those that deserve closer human inspection.

The other advantage that eDiscovery and TAR have over traditional review methods is that the software tools prevent spoliation. Reading an email in a standard email client such as Microsoft Outlook changes the metadata, or information about that email, such as the date accessed. Such metadata could be important evidence in a trial. By not using a robust eDiscovery tool, the attorney has compromised the integrity of the document, potentially making it useless in a trial.

Attorneys not up to speed on eDiscovery tools and practices may damage their own clients’ cases, especially if their opponents are knowledgeable and can show a jury that the evidence has been tainted. Such attorneys are exposing their practices to claims of incompetence or worse.

Why are so many attorneys so slow on the uptake? Opinions vary, but they mostly boil down to institutional inertia and a lack of education regarding the tools and techniques. The subject is not frequently taught in law schools, and schools that teach it have done so only recently. Attorneys who do not make the effort to educate themselves, and who expect the techniques they learned in law school to continue to serve them well, will be left behind.

The solution? There are amendments being considered for the Federal Rules of Civil Procedure to address eDiscovery, but continuing education of attorneys is necessary. Every litigation attorney has a duty to his or her clients to provide competent representation. Those who fail to do so by not keeping themselves up to date will find themselves on the losing side of too many cases, and will find clients taking their business elsewhere.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

Social Security Numbers: A Convenient Way to Get In Trouble

Social Security numbers (SSNs) are a great way to identify people; almost every U.S. citizen, even babies, has one, and each is unique. However, collecting, storing and using them outside of approved contexts not only can put you on the wrong side of state and federal laws, it can also make you a target for hackers.

In the beginning of the U.S. Social Security program, the now-familiar XXX-XX-XXXX number was used to track workers’ contributions and benefits, and nothing else. Over the years, governments at all levels, schools, hospitals, lenders and myriad other organizations found it was convenient to use these numbers to uniquely identify people, for many purposes. There was a time when SSNs were used for tax IDs, student IDs, employee IDs, insurance IDs, and much more. Many even had them printed on bank checks without thinking twice.

Then the Internet happened.

Almost overnight, the convenience that made SSNs so broadly used became a liability. Someone with your SSN and not much else could open credit accounts in your name, assume your identity and ruin you financially. Because they were everywhere, SSNs were easy for fraudsters to get. And the Internet, coupled with lax data security practices, made it easy to obtain, distribute, and misuse them.

Governments and businesses got wise and started putting restrictions on the collection and use of SSNs and rules on how they were to be protected. The federal government and over 40 states now have laws that prescribe how, and for what purposes, SSNs may be collected, stored and used by businesses and governments. The laws vary from state to state, but boil down to prohibiting businesses from asking for SSNs except for employment, taxation, background checks and medical treatment. Some states further require businesses that can collect SSNs to meet certain security standards for storing them. Many states also restrict the use of SSNs on printed or electronic documents.

If your business—or a business you deal with—collects SSNs, you should be asking why. If it is to identify people, the liability you are opening yourself up to outweighs the convenience. Find another way to identify people; most computer systems are good at this.

If you have a legitimate need to collect and store SSNs (and check the laws on what constitutes “legitimate,” not only for your state, but for other states you do business in, plus the federal laws), you had better make sure they are protected. The rules published by the Payment Card Industry (PCI) group for protecting credit card numbers provide good guidance for protecting SSNs and other forms of personally identifiable information as well. Some states also require SSN-collecting businesses to have written policies in place to inform customers how and why their SSNs are being collected and used; you may need an attorney to help draft these policies.

The consequences of falling afoul of these laws can be severe, and they come on top of the civil and reputational liabilities incurred if a data breach occurs. Reduce your risk by examining your SSN collection and use practices and getting rid of any that are not legitimately needed.

Written by Desh Urs

Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach

Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. The U.S. Department of Health and Human Services reported in August that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand. That is 30.1 million Americans to date who have had their personal health information (PHI) severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?

HIPAA

It’s dangerous to underestimate the crucial importance of the HIPAA privacy law because it brought a new national awareness to the importance of protecting patient data. The legislation secured sensitive health information such as test results and sought to prevent unauthorized disclosures of pre-existing conditions and diagnoses. Now that patients see HIPAA-related paperwork at every office visit, they at least have an investment in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks powered by the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposed security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

A ‘Big Picture’ Paradigm Shift for Healthcare Data Security

At certain points in history, it becomes apparent that the only way to solve a major question or overcome a monumental challenge is to change our governing perspectives on the matter. These paradigm shifts are sparked by discoveries like the roundness of the earth and the centrality of the sun within the solar system. The concept is astonishingly simple: once we change the way we look at a problem, we may find the key to solving it. Such a paradigm shift might serve the complex and increasingly chaotic realm of healthcare data security.

Beyond the Security Team

In a recent interview posted at Healthcare & IT News to prepare for his upcoming keynote appearance at Boston’s Privacy & Security Forum, Texas Health Resources CIO Ed Marx explains his organization’s macro-focus on healthcare privacy and security as taking the stand that security is “everyone’s responsibility.”

Instead of taking a laissez-faire approach to the issue and trusting that the IT department is running interference for the entire 25-hospital healthcare system, Marx asks his 24,000-strong workforce to look at security as an all-in proposition. Texas Health is fostering an atmosphere of vigilance amongst the entire employee team, not just the security professionals. This “culture of security” requires yearly training sessions and proficiency tests to drive home the company-wide commitment of increasing security and protecting patient records.

Never Break the Chain

This revolutionary approach to protecting personal health information goes beyond just enlisting workers in the common cause. Besides this initiative, Marx also overhauled the chains of command within his organization and formed a security task force with reporting duties to the health system’s board of directors.

Visibility and accountability are primary drivers to security at Texas Health: “We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee.” Marx continues, “When we need support, we get it because we have this governance council for security and straight access to the board.” It’s obvious that Marx and his team mean business, a mindset that patients should appreciate considering the risky state of security affairs at many other healthcare organizations nationwide.

At such a crucial time in the healthcare security realm, when many organizations lack direction while risk to consumer personal health information grows increasingly higher, perhaps this thinking will inspire a much-needed healthcare security paradigm shift.

Written by Dean Van Dyke

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard some types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

New Survey Finds Law Firms Face eDiscovery “Watershed”

In the legal realm, large firms are currently facing a major “watershed” moment with reference to the way they service e-discovery tasks charged by their corporate clients. One need look no further than the imminent collapse of newspaper journalism in the face of emergent digital media to see that just like the Borg warned us: “resistance is futile.”

According to a July 2014 survey conducted by Ari Kaplan Advisors and sponsored by RVM Enterprises Inc., today’s firms are revolutionizing the way that e-discovery functions within their operations. Many firms are absorbing a greater share of the e-discovery workload and making it a more in-house function in response to rising demand for greater transparency from outside counsel coupled with a desire to control counsel costs.

Key Conclusions

The survey found that 100 percent of the attorneys polled, all of whom primarily function as outside e-discovery counsel for corporate legal departments, said they currently recommend both e-discovery software and vendors to their clients from the corporate world. Survey respondents agreed unanimously that they’re seeing major tidal changes in their clients’ expectations with reference to practice support technology.

  • 89 percent of respondents theorized that these changing expectations reflect rising technology costs and a need to control mushrooming legal expenses.
  • Beyond technology costs, they pointed to the incessantly increasing speed of data created by the modern corporate client as wired employees generate uncontrollable volumes of potentially “e-discoverable” information.

Here’s where things get dicey: today’s legal counsel faces resistance from clients when they bill separately for e-discovery because clients think it should be included in existing operating costs. How can firms raise awareness among their clients about the often monumental task of e-discovery at the enterprise level and justify its inclusion as a separate line item on invoices?

Some firms are working to overcome this watershed moment by strengthening their billing propositions with increased clarity, upgraded technology, and greater transparency as demanded by clients. Strategies include:

  • Creating a more uniform e-discovery approach to cut down on client confusion when it comes time for billing
  • Upgrading data processing vendors and replacing them with more efficient models
  • Aligning themselves with adept third-party e-discovery partners whose expertise lends credence to hefty costs

Making the Case for E-Discovery Due Diligence

Until e-discovery becomes recognized as a bona fide operating cost, firms will have to focus on cost reductions to convince clients that they operate efficiently during the cumbersome data gathering and review phase. Kaplan says possible tactics may include “spotlighting strategies for mitigating risk in the most cost-effective manner possible.” This strategy may help corporate clients make more informed decisions, convince them of firms’ expertise and efficiency and lay out the real-world costs of forgoing certain vital steps in the e-discovery chain of action.

The Road Ahead

This watershed moment is defined by shifting responsibilities with reference to corporate e-discovery:

  • In-house legal departments are beginning to create their own e-discovery processes, defining risks and balancing the competing charges of efficiency and accuracy
  • This trend toward a more in-house approach to e-discovery requires the adoption of new technology for corporate legal departments, allowing them to manage tasks they formerly outsourced

Kaplan says the new test that emerges from the ever-changing e-discovery landscape is finding a way to segment billable work in order to “reflect a firm’s traditional counseling role and its evolving position as a service provider.” What remains to be seen is how large firms will rise to this challenge and redefine themselves as efficient, trustworthy partners whose value is unquestionable to corporations.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

Reconciling the Risks of eDiscovery with the Convenience of BYOD

Just about everyone has a smartphone these days, and that’s in addition to the tablet, laptop and possibly desktop computer they likely own as well. Yet, while all of these gadgets are primarily used away from the office, personal mobile devices are frequently used for work-related tasks just the same. This opens up a lot of questions about the intersection of eDiscovery and BYOD. Is there a line that needs to be drawn?

Why Worry about eDiscovery?

Electronic discovery is one of those things that the majority of companies (and their employees) don’t think much about until it happens to them. Yet, waiting until eDiscovery is knocking at the door to address the question of BYOD is much too late.

The scope of eDiscovery is often laid out ahead of time, and typically includes devices or files that are company property. These guidelines don’t include employees’ personal property or any cloud-based storage systems they may be using to access work tasks from home or while on the go, but with most employees answering quick emails while sitting at a restaurant or downloading work files outside of the office these days, it’s clear that parent companies need a more controllable answer.

Company-Issued vs. BYOD

The sticky question of work vs. personal mobile devices and whether work data should be accessed remotely has led many companies to implement company-issued cell phones, tablets or laptops. This solution allows employees the invaluable flexibility of BYOD while still allowing management some level of control over how the devices are being used—and keeping them well within the scope of eDiscovery efforts.

Company-issued devices also ensure that specific security protocols are being followed according to internal employment policies. While many employees agree to such rules as a condition of accessing work data off-site, actually following those rules doesn’t often occur in real life—and doing so really isn’t enforceable. The bottom line here is the same as it has always been: the human instinct is to get the job done in the fastest, most efficient way possible. The question of whether that’s through a personal device or one that’s been issued by the company is secondary at best.

The Future of BYOD

Beyond security concerns, there’s a financial element in thinking about BYOD. Personal devices are purchased by the employee directly, while company-issued devices are purchased by the employer. Yet, when the employee is using an employer-provided iPhone already and then using his or her paycheck (also technically provided by the employer) to buy an iPhone for personal use, the employer is indirectly paying for that equipment… essentially, buying their employees’ phones twice.

As a result, more organizations are requiring employees to use their personal electronics for company purposes. The argument is that smartphones, tablets and such are rapidly becoming essential tools that workers need in order to fulfill their daily tasks—therefore, requiring employees to purchase those tools just makes sense.

Is mandatory BYOD the wave of the future? It’s quite likely, especially when this type of arrangement would allow companies the necessary leeway they need to protect their legal interests, if needed. While company-issued devices used to seem like the ideal answer to the eDiscovery question, mandatory BYOD may offer the best of both worlds: mitigating the risks associated with pursuing eDiscovery efforts relative to personal property, and at the same time saving on the high overhead of purchasing new gadgetry for each employee.

Written by Simeon D. Rapoport

4 Ways Fitbit and Facebook Can Compromise Your Medical Privacy

There’s a surge in the use of social networking and fitness-tracking devices like Fitbit to monitor and improve health and wellness, but some of these same advancements in health and fitness technology are raising alarming privacy issues. Here are four ways your efforts to share your fitness journey with the latest and greatest technology could have unintended consequences and compromise your privacy.

1. HIPAA Has Its Limits

The Health Insurance Portability and Accountability Act (affectionately known as HIPAA) effectively governs the privacy and security of health-related data collected by hospitals, healthcare providers and insurance companies. However, HIPAA’s policies and regulations for data security don’t apply to your private information when you choose to place it on other outlets.

When you fill out questionnaires or surveys at a gym, massage therapist’s office or health food store, you should understand that the data isn’t regulated the same way it is when it’s shared with your doctor or insurer.

2. You May Inadvertently Over-Share

For most people, accountability is a wonderful tool to use when working towards fitness goals. Through apps and social media, we can share our successes (such as a new record for a mile run) and find support in our downfalls (like the empty Ben & Jerry’s container in today’s trash). Fitbit offers its users a leaderboard that refreshes all day to show who’s burning the most calories, making the best food choices and getting the most sleep.

Making your triumphs and failures public may seem like a great way to stay motivated and meet your goals, but, as some Fitbit users learned in 2011, you may accidentally give TMI. Just as Fitbit shared the number of calories worked off on the treadmill or how many flights of stairs were scaled, the popular fitness device also recorded and published late-night physical activity statistics including duration and calories burned.

3. “Checking In” Allows Others to Check-Up on You

Checking in via Facebook or FourSquare is a popular tool on social networking that allows users to publicize where they’re eating lunch or what landmark they’re visiting. Believe it or not, broadcasting your every move and activity could affect your health insurance rates. Insurance companies are in the business of minimizing risk and turning a profit, so constantly checking in at bars or cigar shops could lead to a hike in your premiums if your insurer decided to check out your check-ins.

4. Facebook Is the New Insurance Company Questionnaire

When applying for new health insurance, you’ll likely be asked to fill out a detailed questionnaire regarding your general health, preexisting conditions and medical history. However, insurers are jumping on the social media bandwagon and doing their own research to determine the riskiness of would-be policy holders. The amount of private and personal information people willingly share on their social networking profiles is astounding. These profiles have become a valuable and insightful resource for insurance companies hoping to determine the actual lifestyle of an individual, which may vary from how one represents themselves on a health questionnaire.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Why Electronic Health Records Face Significant Security Risks


The days of massive file stacks full of carefully coded health records are all but over. Today’s healthcare system is undergoing a somewhat rocky transition to more easily accessible electronic health records (EHRs) that put a wealth of patient healthcare history at physicians’ fingertips. There are so many positives to the digitalization of health records that it’s easy to get swept up in the fervor.

Beyond the significant financial investments required of individual practitioners and major healthcare systems alike, upgrading to EHRs may pose significant risks to the privacy and security of patients’ private health information. What can be done to stop the data leaks and breaches that tarnish the reputation of electronic health records?

Source: FreeDigitalPhotos.net/Stuart Miles

Counting the Costs

A recent report from POLITICO found that a full identity profile of a single patient could fetch up to $500 on the black market. With medical data at a premium, individual patients face a significant risk each time practitioners enter private data into an online database. The cost for consumers goes beyond financial disaster:

  • Unlike credit card fraud or banking breaches, there’s no one-stop-shop where affected individuals can report medical identity theft.
  • What happens if your record contains falsified information about previous treatments or even a fictitious diagnosis? Just thinking about the possible real-world repercussions of such breaches is enough to raise your blood pressure.

If you think healthcare identity theft isn’t a significant issue, consider this statistic from the Identity Theft Resource Center: in 2013, the healthcare sector racked up 43.8 percent of total security breaches, outpacing the business sector by nearly 10 percent. It turns out the reason for growth in healthcare breaches is likely economic; these days even a stolen Social Security number garners only about a buck on the black market, while a full medical record fetches hundreds of times that amount.

How Is Healthcare Security Performing?

In the wake of recent data breaches at Target, Neiman Marcus and other retailers, many large companies are beefing up their data security in an effort to escape the wrath of angry consumers tipped off largely by renegade data security blogger Brian Krebs. While that’s a positive development, the same encouraging changes don’t seem to be gaining traction in the healthcare industry, where profits should ideally take a backseat to patient care… and that should include care of private healthcare information security, too.

Misplaced Priorities

Perhaps it all comes down to a few misplaced priorities:

  • Healthcare providers must ramp up their privacy standards, requiring significantly increased spending on security measures.
  • Leaving EHRs vulnerable to data breaches comes at a great cost to patients, many of whom are already dealing with stressful situations such as chronic diseases like cancer.
  • The Healthcare Information and Management Systems Society (HIMSS) reports that half of survey respondents in a recent security study spent less than three percent of their overall IT budgets on healthcare information security.

This statistic points to a serious spending shortfall, leaving patient health information vulnerable to security breaches that come at great personal and security costs. In order to safely modernize U.S. healthcare, providers will need to refocus and redouble their efforts at securing patient information to keep Americans both healthy and safe from identity breaches.

Written by Dean Van Dyke


Why It’s Time for Law Firms to Get Real about Data Security


Source: freedigitalphotos.net/Renjith Krishnan


When it comes to data security, law firms face two distinct disadvantages. First, the legal industry seems to lag somewhat behind other fields in technology in general; not every member of the old guard sees the need to learn new tricks. Second, there’s no industry-wide standard for data security requirements for sensitive information. This combination all too often leaves law practices severely lacking in data protection, leading experts to refer to law firms as the “soft underbelly” of cyber security. Is this a fair designation, or are law firms more self-aware than that?

Technological Savvy

Although new case law is of course created on a regular basis, the truth is that the vast majority of legal expertise lies in examining and reexamining the same information again and again. This can give the impression (sometimes even to those within the legal profession) that not much changes when it comes to litigation, and therefore that there is little need to join the 21st century with regard to technology by investing significantly in a firm’s technological infrastructure. As such, running into severely outdated computer systems in a lawyer’s office isn’t all that unusual, particularly in smaller firms that lack the financial resources of larger, more established practices.

Yet to assume that these “rules” apply to all law firms is equally shortsighted. In reality, the past year alone has shown a dramatic uptick in security efforts from individual firms, in an effort to adopt either ISO 27001 or even stricter security standards. Initiatives like LegalSEC® are helping to develop consistent guidelines within the legal community and create security programs that are both measurable and achievable, as well as promote greater awareness about cyber security.

The Future of Legal Technology

The issue of cyber security becomes paramount when the legal industry intersects with other professions in which data protection is a chief concern. For example, clients in the financial services industry are likely to conduct security audits to ensure outside counsel’s compliance with industry-specific guidelines. These audits can even include details such as security assessments of data centers and physical files.

In short, the legal industry now finds itself in a position that requires it to maintain robust security programs, acknowledge and resolve any existing vulnerabilities and be prepared to address any risks that are uncovered during a security audit. The overwhelming response has been to rapidly restructure existing operating budgets accordingly.

While the sudden IT security ramp-up may seem like an overwhelming shift, this is really only one pixel in the big picture of other changes law firms are facing: new billing practices as clients push for a move from hourly to service-based fees, the non-traditional career path of working as an independently contracted lawyer, and a number of other post-recession adaptations that allow the industry as a whole to evolve and, eventually, thrive in its new incarnation. Rest assured, those in the legal field are not the only seasoned professionals who are facing these types of challenges. Armed with a renewed awareness of how severe a lapse in data security can be, the legal industry is ready to face the future and get serious about data security.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.