Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach

Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. The U.S. Department of Health and Human Services reported in August that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand, and that 30.1 million Americans to date have had their personal health information (PHI) severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?

HIPAA

It’s dangerous to underestimate the crucial importance of the HIPAA privacy law, because it brought a new national awareness to the importance of protecting patient data. The legislation secured sensitive health information such as test results and sought to prevent unauthorized disclosures of pre-existing conditions and diagnoses. Now that patients see HIPAA-related paperwork at every office visit, they at least have a stake in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks that hold the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposed security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

A ‘Big Picture’ Paradigm Shift for Healthcare Data Security

At certain points in history, it becomes apparent that the only way to solve a major question or overcome a monumental challenge is to change our governing perspectives on the matter. These paradigm shifts are sparked by discoveries like the roundness of the earth and the centrality of the sun within the solar system. The concept is astonishingly simple: once we change the way we look at a problem, we may find the key to solving it. Such a paradigm shift might serve the complex and increasingly chaotic realm of healthcare data security.

Beyond the Security Team

In a recent interview posted at Healthcare & IT News to prepare for his upcoming keynote appearance at Boston’s Privacy & Security Forum, Texas Health Resources CIO Ed Marx explains his organization’s macro-focus on healthcare privacy and security as taking the stand that security is “everyone’s responsibility.”

Instead of taking a laissez-faire approach to the issue and trusting that the IT department is running interference for the entire 25-hospital healthcare system, Marx asks his 24,000-strong workforce to look at security as an all-in proposition. Texas Health is fostering an atmosphere of vigilance amongst the entire employee team, not just the security professionals. This “culture of security” requires yearly training sessions and proficiency tests to drive home the company-wide commitment of increasing security and protecting patient records.

Never Break the Chain

This revolutionary approach to protecting personal health information goes beyond just enlisting workers in the common cause. Besides this initiative, Marx also overhauled the chains of command within his organization and formed a security task force with reporting duties to the health system’s board of directors.

Visibility and accountability are primary drivers to security at Texas Health: “We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee.” Marx continues, “When we need support, we get it because we have this governance council for security and straight access to the board.” It’s obvious that Marx and his team mean business, a mindset that patients should appreciate considering the risky state of security affairs at many other healthcare organizations nationwide.

At such a crucial time in the healthcare security realm, when many organizations lack direction while risk to consumer personal health information grows increasingly higher, perhaps this thinking will inspire a much-needed healthcare security paradigm shift.

Written by Dean Van Dyke

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard certain types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

The Top 5 Tips for Big Data Use in Healthcare

As in virtually every other industry, success in the healthcare sector these days relies primarily on becoming more data-driven. Leveraged properly, big data can help deliver better patient care while at the same time reducing the per capita cost of that care. A targeted investment in big data for healthcare analytics, combined with best practices in the big data space, can be a recipe for analytic success. Here are a few tips that can help you get started.

1. Set Clear Goals

The first step in a successful big data analytics project is to define your business objective. Knowing exactly what you want to accomplish with big data at your back is a must before launching into a new idea. For example, are you trying to answer specific business questions, the scope of which exceeds traditional tools? Or do you want to make future predictions that could shape the way you make business decisions next quarter? Without taking the time to set definitive goals ahead of time, you run the risk of creating a very expensive failure.

2. Take a Comprehensive Approach

It’s natural to assume that analysis only applies to previously unstructured data, but don’t forget to take into account the answers that are probably hiding in data that’s already been processed and cleansed. You also need to include data from not-so-obvious sources, like social media and web logs. Any data analysis project has to be all-inclusive in order to establish a meaningful big picture.

3. Embrace Discovery Analytics

Big data doesn’t exactly replace legacy evidence-based research, but effective analytics are essential to separate out the chaff. There’s really no difference between discovery analytics and big data analytics. Big data analytics aren’t just about reporting; they help inform diagnosis and strategy. Through the use of new algorithms and data visualization techniques, big data can speak volumes—and far more clearly.

4. Simplify

Big data doesn’t have to be overwhelming if you take a simplified approach. Choose analytics technologies that help you connect using familiar tools, and that also support short-cycle iterative analysis. This helps open the analysis field to more minds than just a handful of highly paid specialists.

5. Engage Outside Experts

Managing big data is no small task; no matter how skilled your IT staff and existing analytics team, your big data project can surely benefit from some specialized support. Working closely with an experienced vendor can shorten the learning curve tremendously when it comes to figuring out new processes for big data analytics.

Written by Dean Van Dyke

4 Ways Fitbit and Facebook Can Compromise Your Medical Privacy

There’s a surge in the use of social networking and fitness-tracking devices like Fitbit to monitor and improve health and wellness, but some of these same advancements in health and fitness technology are raising alarming privacy issues. Here are four ways your efforts to share your fitness journey with the latest and greatest technology could have unintended consequences and compromise your privacy.

1. HIPAA Has Its Limits

The Health Insurance Portability and Accountability Act (affectionately known as HIPAA) effectively governs the privacy and security of health-related data collected by hospitals, healthcare providers and insurance companies. However, HIPAA’s policies and regulations for data security don’t apply to your private information when you choose to place it on other outlets.

When you fill out questionnaires or surveys at a gym, massage therapist’s office or health food store, you should understand that the data isn’t regulated the same way it is when it’s shared with your doctor or insurer.

2. You May Inadvertently Over-Share

For most people, accountability is a wonderful tool to use when working towards fitness goals. Through apps and social media, we can share our successes (such as a new record for a mile run) and find support in our downfalls (like the empty Ben & Jerry’s container in today’s trash). Fitbit offers its users a leaderboard that refreshes all day to show who’s burning the most calories, making the best food choices and getting the most sleep.

Making your triumphs and failures public may seem like a great way to stay motivated and meet your goals, but, as some Fitbit users learned in 2011, you may accidentally give TMI. Just as Fitbit shared the number of calories worked off on the treadmill or how many flights of stairs were scaled, the popular fitness device also recorded and published late-night physical activity statistics including duration and calories burned.

3. “Checking In” Allows Others to Check-Up on You

Checking in via Facebook or FourSquare is a popular tool on social networking that allows users to publicize where they’re eating lunch or what landmark they’re visiting. Believe it or not, broadcasting your every move and activity could affect your health insurance rates. Insurance companies are in the business of minimizing risk and turning a profit, so constantly checking in at bars or cigar shops could lead to a hike in your premiums if your insurer decided to check out your check-ins.

4. Facebook Is the New Insurance Company Questionnaire

When applying for new health insurance, you’ll likely be asked to fill out a detailed questionnaire regarding your general health, preexisting conditions and medical history. However, insurers are jumping on the social media bandwagon and doing their own research to determine the riskiness of would-be policy holders. The amount of private and personal information people willingly share on their social networking profiles is astounding. These profiles have become a valuable and insightful resource for insurance companies hoping to determine the actual lifestyle of an individual, which may differ from how that person is represented on a health questionnaire.

Written by Dean Van Dyke

Why Electronic Health Records Face Significant Security Risks

The days of massive file stacks full of carefully coded health records are all but over. Today’s healthcare system is undergoing a somewhat rocky transition to more easily accessible electronic health records (EHRs) that put a wealth of patient healthcare history at physicians’ fingertips. There are so many positives to the digitalization of health records that it’s easy to get swept up in the fervor.

Beyond the significant financial investments required of individual practitioners and major healthcare systems alike, upgrading to EHRs may pose significant risks to the privacy and security of patients’ private health information. What can be done to stop the data leaks and breaches that tarnish the reputation of electronic health records?

Counting the Costs

A recent report from POLITICO found a full identity profile of a single patient could fetch up to $500 on the black market. With medical data at a premium, individual patients face a significant risk each time practitioners enter private data into an online database. The cost for consumers goes beyond financial disaster:

  • Unlike credit card fraud or banking breaches, there’s no one-stop-shop where affected individuals can report medical identity theft.
  • What happens if your record contains falsified information about previous treatments or even a fictitious diagnosis? Just thinking about the possible real-world repercussions of such breaches is enough to raise your blood pressure.

If you think healthcare identity theft isn’t a significant issue, consider this statistic from the Identity Theft Resource Center: in 2013, the healthcare sector racked up 43.8 percent of total security breaches, outpacing the business sector by nearly 10 percent. It turns out the reason for growth in healthcare breaches is likely economic; these days even a stolen Social Security number garners only about a buck on the black market, while a full medical record fetches hundreds of times that amount.

How Is Healthcare Security Performing?

In the wake of recent data breaches at Target, Neiman Marcus and other retailers, many large companies are beefing up their data security in efforts to escape the wrath of angry consumers tipped off largely by renegade data security blogger Brian Krebs. While that’s a positive development, the same encouraging changes don’t seem to be catching traction in the healthcare industry, where profits should ideally take a backseat to patient care… and that should include care of private healthcare information security, too.

Misplaced Priorities

Perhaps it all comes down to a few misplaced priorities:

  • Healthcare providers must ramp up their privacy standards, requiring significantly increased spending on security measures.
  • Leaving EHRs vulnerable to data breaches comes at a great cost to patients, many of whom are already dealing with stressful situations such as chronic diseases like cancer.
  • The Healthcare Information and Management Systems Society (HIMSS) reports that half of survey respondents in a recent security study spent less than three percent of their overall IT budgets on healthcare information security.

This statistic points to a serious spending shortfall, leaving patient health information vulnerable to security breaches that come at great personal and security costs. In order to safely modernize U.S. healthcare, providers will need to refocus and redouble their efforts at securing patient information to keep Americans both healthy and safe from identity breaches.

Written by Dean Van Dyke

The Frightening Truth About Data Brokers

A recent report released by the Federal Trade Commission only confirms what many in the know have suspected for quite a while: information is the latest and most valuable form of currency in the business world. This has led the FTC to call for greater transparency from data brokers and their information harvesting practices, particularly when it comes to consumer health information.

Data Brokers Under Scrutiny

Although the practice of data mining in general is now under the microscope, the FTC particularly looked at the tactics of nine well-known data brokers:

  • Acxiom: Acxiom’s databases house information on around 700 million consumers from around the world, which enables them to deliver consumer data and analytics for use in everything from marketing campaigns to fraud detection.
  • Corelogic: With databases that hold property information, including historical records of property transactions and mortgage applications, Corelogic is able to provide records for more than 99 percent of residential properties in the U.S. for use in analytics by government and businesses.
  • Datalogix: Businesses need marketing data to target the right audiences, and Datalogix excels in providing that data. Datalogix recently partnered with Facebook in an effort to examine the effectiveness of advertising via social media.
  • eBureau: Marketers, online retailers, financial services companies and others turn to eBureau for analytics services and predictive scoring. eBureau’s services help analysts better predict which demographic segment is most likely to transform into profitable consumers.
  • ID Analytics: Identity theft and consumer fraud can be minimized through the services of a company like ID Analytics, which works to verify consumers’ identities through comparison against unique identity elements and data points.
  • Intelius: An accessible online database for private individuals and businesses alike, Intelius enables background checks against public record information… over twenty billion records’ worth.
  • PeekYou: PeekYou uses patented technology to analyze social media content, blog platforms and various other sources in order to provide their clients with comprehensive consumer profiles.
  • Rapleaf: Rapleaf provides information to flesh out existing email lists by contributing additional demographic info on email address owners’ age, gender and many other data points.
  • Recorded Future: Through the capture of past data on the habits of companies and consumers, future behaviors can be better predicted as well. Currently, Recorded Future gathers information from across half a million different websites.

Although the FTC report uncovered many unsettling findings, one of the most troubling is the fact that the vast majority of consumers have no idea that their data is being harvested without their knowledge or permission.

Data Brokers and Health Data

Despite the stringent guidelines laid forth by HIPAA to go the extra mile in protecting patients’ health records, data brokers are not liable under the same rules. This means that data brokers are able to collect personal details such as over-the-counter medication purchases, consumer preferences on issues like medical care, and even online searches for health conditions and prescription information, yet aren’t bound by the same strict standards as any other agency that collects or retains this data.

This presents an even greater concern when taking into consideration the fact that most citizens expect a reasonable degree of privacy, particularly when it comes to their physical and mental health. As a result, the FTC is now urging Congress to set forth guidelines that would ensure a higher degree of accountability by data brokers and their clients, including requiring consumer consent beforehand.

Are Security Concerns Holding Back eHealth?

Despite the ever-growing integration of technology into the average person’s daily life, there’s still one frontier that many remain resistant to when it comes to going virtual: health care. According to a recent Ponemon Institute study called “Risk & Rewards of Online & Mobile Health Services: Consumer Attitudes Explored,” many consumers still feel uncomfortable about sharing information about their health online. Are these concerns holding back the potential for a more fully developed approach toward electronic health records and other eHealthcare possibilities?

What Holds Consumers Back

The study, sponsored by Experian Data Breach Resolution, looked at the way consumers use online health services and portals as compared to other online services that involve potentially sensitive data as well, such as online banking or making purchases from smartphones.

The study included nearly a thousand participants, many of whom described themselves as regular Internet and mobile app users. Yet, 52% of respondents said that they do not currently use eHealth services, for three main reasons:

  • Mistrust that their online health information would not be fully removed upon request
  • Questions over the respect for privacy—for example, whether users would be tracked online
  • Whether complete online anonymity could be assured

Add to this the common public perception that online healthcare services or portals are not as secure as they should be, and it’s easy to see the challenges facing eHealth industries today.

What Does the Future of eHealth Hold?

With such clear reluctance from the general population, even those who are otherwise fairly tech-savvy, what future developments can be expected in the field of eHealth services? First, it’s important to recognize that there are many benefits to electronically-stored healthcare information as well as many other health-related applications.

  • Microsoft’s HealthVault lets families organize their healthcare records, and share that data with physicians or other agencies (such as children’s schools for their records). HealthVault also integrates with many popular health-related fitness apps.
  • An app called MedTracker gives patients reminders about when to take medications, but this capability is available in electronic pillboxes as well.
  • Other online-based tools, platforms and apps are already in use for nearly every aspect of healthcare, from medical billing to electronic health records and other resources.

Despite hesitance from consumers, healthcare systems are definitely making the shift toward digitally-managed healthcare, both as a solution for improving patient care and safety, and as a cost-saving measure. In fact, the Affordable Care Act was in part written to encourage and promote these technologies in order to lower health care costs overall.

The prime takeaway here is the persistent impression consumers have that their health-related data is less secure to access online than their bank accounts or credit card transactions. In order for this perception to be changed, consumers must feel reassured that the systems and products they’re using are securely encrypted; securing healthcare information is vital for encouraging the widespread adoption of eHealth services in the future.