New Contracts to Increase Military IT Interoperability

A new military IT contract with Cerner, Leidos and Accenture will be implemented to increase the interoperability of EHRs nation-wide with thousands of civilian healthcare facilities. This contract promises to diversify healthcare outreach for the nearly 10 million active duty and retiree military members that receive care by privatized providers.

Cooperation Is Necessary

EHR vendors have traditionally been slow at making their systems interoperable with other organizations, creating challenges for an industry that relies on communication and transparency for patient data and information sharing. This new contract was designed to overcome these shortcomings and enhance the business practices of hundreds of facilities that currently avoid cooperation.

Image courtesy of Jeroen van Oostrom at FreeDigitalPhotos.net

This connectivity will not be simple to implement; hundreds of EHR platforms will be integrated, including those provided by rival bidders. Over 1,200 military healthcare sites will experience changes, including international facilities in Iraq and Afghanistan.

Dr. Jonathan Woodson, Assistant Secretary of Defense for Health Affairs, spoke to the necessity of cooperation with these private-sector companies, which provide 60 to 70 percent of healthcare for soldiers and their families.

“Part of our requirement is to position ourselves to be interoperable with the private sector, but the fact of the matter is, the private sector has to make itself interoperable as well. What we’re doing today will help advance that public preparedness.”

Looking to the Future

This commitment to interoperability of the public and private sectors comes at a critical time, as the compliance deadline for the ICD-10 transition is less than two months away. Healthcare organizations in the middle of this transition must focus their efforts on communication and cooperation with other facilities to ensure that the quality of patient care does not suffer.

This is particularly true for the military and private-sector companies that must adjust their policies to reflect the needs of civilian and public-sector partnerships.

Federal Health IT Coordinator Dr. Karen DeSalvo commended the contract, calling it “…An important step toward achieving a nationwide, interoperable health IT infrastructure.” She pledged her office’s support of the Defense Department: “To help ensure its interoperability efforts align with nationally recognized data standards and industry best practices.”

While new standards of cooperation are a step in the right direction, military healthcare facilities will need to undergo rigorous testing to confirm the viability of their updates. Interoperability is necessary progress for the health field, but requires constant improvement to maintain its efficacy.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Healthcare IT and the Dangers of Cloud-Based Computing

Employees in the healthcare industry are increasingly using cloud applications to boost their productivity, but cloud-based services can create security vulnerabilities that IT support is ill-equipped to handle.

Security Weaknesses

Image courtesy of SweetCrisis at FreeDigitalPhotos.net

A recent study by cloud security vendor Skyhigh Networks showed that cloud-based computing is on the rise, with the average company now utilizing 923 distinct cloud services. This creates a unique challenge for IT security, as Skyhigh’s team reported that only 9.3 percent of cloud services met security standards for data protection, identity verification and service security. The report also found that while only eight percent of companies were considered high-risk for cyber-security breaches, high-risk partners received 29 percent of all shared data.

The research gathered on cloud security highlights a worrying trend—even when IT knows of employee usage of cloud applications, their presence creates significant loopholes in a healthcare security infrastructure that relies on keeping patient information confidential.

Cloud-Based Threats

According to a report by the Cloud Security Alliance that identified the biggest threats to cloud computing, data breaches and stolen information were the primary concern, followed closely by improper data handling by industry insiders and a fundamental lack of understanding of what cloud security entails.

With nearly a third of shared data being transferred through companies with poor cybersecurity compliance, many healthcare organizations hoping to achieve increased efficiency through the cloud may instead find themselves at risk for data breaches and mishandling of privileged information.

Rajiv Gupta, CEO of Skyhigh Networks, admitted that the value of stolen medical information put health organizations at high risk for breaches: “…Healthcare companies [are] prime targets for criminal attackers, and the stakes will only increase as more medical records move to the cloud.”

A Culture of Security

To fight the growing trend of data vulnerability in the cloud, healthcare organizations must implement more comprehensive risk assessments of employee behavior.

Better security standards rely on data protection rather than on network security, which can be bypassed through the hundreds of cloud-based applications that healthcare organizations use. To that end, Gupta recommends eliminating redundant cloud applications now in use and imposing stricter authentication requirements.
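To make the two recommendations above (and the Skyhigh figures earlier in this post) concrete, here is an added example that is not from the iBridge post or from Skyhigh: the kind of inventory an IT team can build from its own web-proxy logs. It counts the distinct cloud services in use, flags the ones a risk register rates "high", reports what share of uploaded bytes goes to them (the post's "29 percent of all shared data" is this kind of number), lists hosts the register does not know about so they get reviewed, and groups known services by category so that several tools doing the same job stand out as consolidation candidates. The log lines, hostnames, categories and risk ratings are all constructed for the example; the log format and the `RISK_REGISTER` structure are assumptions, not any vendor's real format.

```python
"""Shadow-IT inventory from proxy logs (added example; all data constructed)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, method, URL, bytes uploaded.
# The format is an assumption for the example, not a real proxy's format.
SAMPLE_LOG = """\
2015-08-01T09:12:03Z alice POST https://share.example-files.com/upload 524288
2015-08-01T09:15:44Z bob   POST https://docs.example-notes.net/api/save 20480
2015-08-01T09:20:10Z carol POST https://share.example-files.com/upload 1048576
2015-08-01T09:31:27Z dave  POST https://drop.example-box.io/put 786432
2015-08-01T09:40:55Z alice GET  https://mail.example-webmail.org/inbox 0
2015-08-01T09:42:01Z erin  POST https://drop.example-box.io/put 262144
2015-08-01T09:50:18Z frank POST https://paste.example-snippets.xyz/new 4096
2015-08-01T09:55:02Z grace PUT  https://sync.unlisted-example.org/blob 8192
this line is malformed and should be skipped
"""

# Constructed risk register: hostname -> (category, risk rating). In practice
# this comes from a cloud access security broker or the vendor review process.
RISK_REGISTER = {
    "share.example-files.com": ("file-sharing", "low"),
    "drop.example-box.io": ("file-sharing", "high"),
    "paste.example-snippets.xyz": ("file-sharing", "high"),
    "docs.example-notes.net": ("collaboration", "low"),
    "mail.example-webmail.org": ("webmail", "medium"),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (user, hostname, bytes_uploaded) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed lines are skipped, not allowed to abort the run
        _ts, user, _method, url, nbytes = m.groups()
        yield user, urlsplit(url).hostname, int(nbytes)


def inventory(text, register=RISK_REGISTER):
    """Summarise cloud-service usage: counts, high-risk share, redundancy."""
    bytes_by_host = defaultdict(int)
    users_by_host = defaultdict(set)
    for user, host, nbytes in parse_log(text):
        bytes_by_host[host] += nbytes
        users_by_host[host].add(user)

    def rating(host):
        # Hosts missing from the register are reported, never assumed safe.
        return register.get(host, ("unknown", "unknown"))

    total = sum(bytes_by_host.values())
    high = sorted(h for h in bytes_by_host if rating(h)[1] == "high")
    unknown = sorted(h for h in bytes_by_host if h not in register)
    high_bytes = sum(bytes_by_host[h] for h in high)

    # Group known services by category so that several tools doing the same
    # job (three file-sharing services here) stand out as consolidation targets.
    by_category = defaultdict(list)
    for host in bytes_by_host:
        by_category[rating(host)[0]].append(host)
    redundant = {c: sorted(h) for c, h in by_category.items()
                 if len(h) > 1 and c != "unknown"}

    return {
        "distinct_services": len(bytes_by_host),
        "high_risk_services": high,
        "unknown_services": unknown,
        "high_risk_share_pct": round(100.0 * high_bytes / total, 1) if total else 0.0,
        "redundant_by_category": redundant,
        "users_by_host": {h: sorted(u) for h, u in users_by_host.items()},
    }


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the constructed log. The figures that matter for the decisions the post describes are `high_risk_share_pct` (how much data is actually leaving to poorly rated services) and `redundant_by_category` (which applications can be retired in favour of one sanctioned tool); `unknown_services` is the list to feed back into the vendor review so the register stays complete.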

Because security breaches occur through employee mishandling of information as readily as through data leaks, healthcare organizations must make a concerted effort to coach their employees on cloud application use alongside updating their corporate security policies.

Written by Dean Van Dyke, Vice President, Business Process Optimization

First, Do No Harm: How Traditions in the Healthcare Field Prevent Progress

Practices in the healthcare field have typically been directed by tradition. The medical industry is slow to change due to the inherent risks associated with breaking from the status quo. When patient lives are on the line, arguing for new procedures can be a hard sell.

This can be a positive trait when you compare the stability of traditional infrastructure against the chaos that change can cause. Additionally, it also creates one of the biggest challenges for those hoping to move the healthcare industry into the technological world.

A Technological Afterthought

The rigid routines clinicians cling to create a false sense of security in healthcare organizations. Most clinics have strong structures in place to prevent mishandling of physical copies of information, but are ill-equipped to handle the challenges that digital records present.

Image Courtesy of Digitalart at FreeDigitalPhotos.net

Information technology is notoriously overlooked and undervalued in the healthcare environment. Hospitals are more focused on continuing practices that have worked in the past than adapting to the latest trends. Despite the resistance, IT in the medical world is slowly becoming the new norm.

While this trend has been accepted as a move in the right direction, traditional methodologies of patient care don’t consider the infrastructure and security that reliable IT systems need. Clinics unprepared to adapt to these new requirements face costs greater than a comparatively simple technological overhaul.

The Human Factor

Given the inherent vulnerabilities of electronic systems, employees who manage patient information are unprepared for the unique challenge that electronic record-keeping poses. Phishing scams that prey on untrained staff members are one of the biggest internal threats to confidentiality; two recent events involving significant leaks of patient data at Seton Health and Partners HealthCare resulted from employees inappropriately responding to outside requests for information.

The bloated traditions of the medical industry have created a culture where physical information is highly secure, while digital information is an afterthought. As technology progresses, healthcare organizations must update their practices to reflect the changing needs of the industry. And while security problems create significant distress to any clinic, adversity creates the best opportunities for growth. By addressing the weak points of your healthcare infrastructure, a stronger practice is built.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Hospital IT – Adapt or Perish

As hospitals and other medical facilities become dependent on computers, networks and software, the role of the IT department becomes more critical to the facility’s mission. IT departments and their leaders thus must become more proactive and insist on a seat and a voice in the facility’s leadership team, and the resources to fulfill their role.

Startup Stock Photos

Integrative IT

Medical science continues to proceed at a blinding pace, and procedures, therapies and devices are increasingly reliant on IT systems and software. At one time, a hospital’s IT department was indistinguishable from that of a bank or a manufacturing facility; its marching orders were to keep the computers on and the network running. Now, however, IT is integrated with the hospital’s mission, and its staff must be more knowledgeable in how hospitals are run, the regulatory environment in which they operate and the specific needs of doctors, nurses and other hospital staff.

At many facilities, either hospital management, the IT department or both fail to realize this, causing system inadequacies or failures, low morale among the IT staff and endless finger-pointing. Particularly as electronic health records (EHRs) come into common use and as hospitals and other facilities must meet “meaningful use” standards, the time has come for hospital IT departments and hospital leadership to recognize this shift in IT’s role and to support it with the resources it needs to succeed.

Hospitals, particularly the larger institutions, suffer from a fair amount of bureaucratic inertia, so it is often up to the IT department to get what they need. Here are things hospital IT departments can do:

Become partners in the business. The hospital CIO must become familiar both with the way the hospital is operated today and how it could in the future, and bring this knowledge to the leadership team. By knowing—and communicating—how IT can help the hospital cut costs, operate more efficiently and realize better patient outcomes, IT becomes a respected part of the leadership team and less of a “cost of doing business.”

Serve the needs of the business—but make sure they’re the right ones. The CIO must clarify that the IT department, usually understaffed and underfunded, cannot handle every request that comes along, and that priorities cannot be determined by whoever screams the loudest. Each hospital should have an IT governance board, composed of representatives of the various departments, that can evaluate the requests from a business standpoint and determine where the priorities lie.

Don’t be an afterthought. Too often, in major initiatives and construction projects, consideration for IT is left to the last minute, if at all, and IT departments must scramble to install or move network cabling, order and deploy computers, expand network capacity or perform hardware or software upgrades. There is a lack of transparency regarding what IT departments do and how much work it takes. CIOs should insist on being in the loop on all major hospital initiatives, and should have veto power if the demands on IT resources are unrealistic. This evaluation should be written into the hospital’s standard operating procedures.

The IT organization must take the lead in changing the organizational culture to recognize the critical role IT plays. Without it, IT will continue to suffer from marginalization, staff burnout and turnover and suffer all the blame when things go wrong.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Is New Focus Needed for EMRs?

The 2009 economic stimulus package, designed to help the US recover from a record financial downturn, included several smaller, targeted programs supporting projects in a variety of fields. In healthcare, federal grants for converting from paper medical records to electronic medical records (EMRs) provided clinic and office-based physicians with significant monetary incentives to accelerate their transition to a 21st century healthcare records system. While the shift to digital is a smart and necessary move for a planet struggling to stave off climate change by reducing waste, it doesn’t come without complications.

Source: freedigitalphotos.net/stockimages

EMRs and Incompatibility

One large issue with EMRs is that, like iPhones and Androids, their proprietary software makes them unable to “talk” to EMRs created on a competitor’s system. If a hospital system uses EMR software from Acme Corporation, but your records are from a hospital in a neighboring state that signed a contract with Beta Industries, you may be in trouble when you show up at the Acme Corporation hospital without identifying information.

Part of the goal of the Affordable Care Act (“Obamacare”) was to make healthcare more portable, preventing job changes or unexpected unemployment from costing Americans their healthcare insurance. What the ACA doesn’t make more portable, however, is EMRs.

At this point in the EMR revolution, it’s time for the US to have a serious conversation about data portability. Hospital administrators should be very selective when choosing an EMR vendor and verify that data is formatted in a way that is compatible with other popular systems:

  • EMR data should be easily exportable; ease of data export should be a built-in feature of any software solution.
  • Data must be formatted in a non-proprietary fashion recognized by other popular software.
  • Be sure that data and databases are organized in a logical fashion. A standard import/export language and the ability to transfer data in a standard table or Excel file format will be of great value should a healthcare organization need to update or change EMR systems.
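One way to turn these selection criteria into an acceptance test a hospital can actually run against a vendor, as an added example that is not part of the original post: export records to a plain CSV file with an explicit, documented column list, import them again using nothing but the standard library (standing in for the receiving system), and compare field by field. The check also reports which source fields fall outside the standard schema, since those are the data that would be stranded in the old vendor's system. The records, the `EXPORT_COLUMNS` schema and all field names are constructed for the example and are not any EMR product's real format.

```python
"""EMR data portability round-trip check (added example; records constructed)."""
import csv
import io

# The explicit, documented export schema every extract must carry (assumed).
EXPORT_COLUMNS = ["patient_id", "last_name", "first_name", "dob",
                  "encounter_date", "icd10_code", "note"]

# Constructed records as a vendor's application might hold them. The second
# one carries a vendor-only field that has no place in the standard schema.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "last_name": "Doe", "first_name": "Jane",
     "dob": "1970-01-15", "encounter_date": "2015-08-03",
     "icd10_code": "E11.9", "note": 'Follow-up, A1c "stable"'},
    {"patient_id": "P-0002", "last_name": "Roe", "first_name": "Rick",
     "dob": "1985-06-30", "encounter_date": "2015-08-03",
     "icd10_code": "J45.20", "note": "", "vendor_flag_x": "internal-only"},
]


def export_csv(records, columns=EXPORT_COLUMNS):
    """Write records to CSV text containing exactly the schema columns.
    Fields outside the schema are ignored; missing ones become empty strings."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(rec)
    return buf.getvalue()


def import_csv(text):
    """Read CSV text back into a list of dicts using only the standard
    library, standing in for the receiving system's importer."""
    return list(csv.DictReader(io.StringIO(text)))


def portability_check(records, columns=EXPORT_COLUMNS):
    """Export, re-import and compare. Reports whether every schema field
    survived the round trip (commas and quotes in free text included) and
    which source fields fall outside the schema."""
    reimported = import_csv(export_csv(records, columns))
    intact = len(reimported) == len(records) and all(
        {c: str(src.get(c, "")) for c in columns} == dst
        for src, dst in zip(records, reimported)
    )
    outside = sorted({k for rec in records for k in rec} - set(columns))
    return {"rows": len(reimported), "schema_fields_intact": intact,
            "fields_outside_schema": outside}


if __name__ == "__main__":
    print(export_csv(SAMPLE_RECORDS))
    print(portability_check(SAMPLE_RECORDS))
```

The useful output is `fields_outside_schema`: a non-empty list means the vendor is keeping clinically relevant data in columns the standard export does not carry, which is exactly the lock-in the bullets above warn about, and it should be resolved (by extending the agreed schema or mapping the field) before the contract is signed rather than at migration time.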

EMRs and Security: A Complex Proposition

Data breaches continue to stack up. As security experts come up with more creative ways to secure patients’ healthcare data, hackers and digital miscreants are rising to each new challenge and finding novel ways to access and capture private health data. Harsh penalties have not been enough to slay the security beast, and reactive measures like offering identity theft insurance to affected patients aren’t enough either.

Going digital shouldn’t mean danger. At this critical turning point in U.S. healthcare policy, as much or more attention should be focused on securing patient information and EMRs as is focused on insuring the uninsured and controlling rising costs.

Written by Dean Van Dyke

Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach

Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. In August, the U.S. Department of Health and Human Services reported that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand. That is 30.1 million Americans to date who have had their personal health information (PHI) severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?

Source: freedigitalphotos.net

HIPAA

It’s dangerous to underestimate the crucial importance of the HIPAA privacy law, because it brought a new national awareness to the importance of protecting patient data. The legislation secured sensitive health information such as test results and prevented unauthorized disclosures of pre-existing conditions and diagnoses. Patients now see HIPAA-related paperwork at every office visit, so at least they have a stake in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks powered by the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposed security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke

Guilty Until Proven Innocent: A Paradigm Shift for Healthcare IT Security

With sensitive patient information like diagnoses, test results and financial data on the line, healthcare administrators must take a different approach to protecting patient privacy. While our judiciary system guarantees us all the assumption of innocence until proven guilty beyond a reasonable doubt, the same philosophy may be a dangerous proposition for patients’ personal health information (PHI).

Source: freedigitalphotos.net

We Built It; They Came

To prepare for a presentation titled “The New Security Reality: Assume the Breach and Reduce Your Risk” at September’s Privacy and Security Forum, Seattle Children’s Hospital chief information security officer Cris Ewell spoke with Healthcare IT News about this important shift in the way healthcare organizations approach security and why assumption of guilt may be a necessary evil:

“In today’s world, security controls just are not enough to protect an organization against the cyber threats that are out there, both internal and external, and if you solely rely on the very prescriptive controls, whether you believe in NIST, ISO, HIPAA or any of those things, it’s the wrong philosophy to take from a very strategic point…You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep people out, therefore change your philosophy to ‘they’re already inside.’ Now what would you do to protect that information?”

Wow. That sobering thought goes a long way to scare the pants off us and makes us wonder what might be gained from more organizations – and perhaps the largest organization of all, the federal government – making similar philosophical shifts. If most current efforts are focused on attempting to seal cracks in an already irreparably leaky dam, then why not abandon or reduce those efforts in favor of securing the waters from inside?

The Threat from Inside

We’ve examined how it’s healthcare employees themselves, not necessarily those foreign cybercriminals we might imagine, who may pose many of the largest threats to PHI. Greater efforts should be focused on reducing loss and theft of devices containing sensitive information. Performing regular, thorough audits of networks and systems is a good place to start. An even better jumping-off point is good old-fashioned encryption: not enough institutions are encrypting, and unencrypted devices are like red carpets upon which ill-intended information poachers may glide swiftly and silently into healthcare systems.

Again, the threat of insider breaches is alarming. But Ewell makes a larger point with great clarity: other threats – foreign, domestic, organized, amateur or otherwise – are already inside the proverbial house. What remains to be seen and decided is how smart, responsible organizations will detect and remove those threats with surgical skill while protecting the best interests of both the patients and the hospitals.

Written by Dean Van Dyke

A ‘Big Picture’ Paradigm Shift for Healthcare Data Security

At certain points in history, it becomes apparent that the only way to solve a major question or overcome a monumental challenge is to change our governing perspectives on the matter. These paradigm shifts are sparked by discoveries like the roundness of the earth and the centrality of the sun within the solar system. The concept is astonishingly simple: once we change the way we look at a problem, we may find the key to solving it. Such a paradigm shift might serve the complex and increasingly chaotic realm of healthcare data security.

Source: freedigitalphotos.net/ddpavumba

Beyond the Security Team

In a recent interview posted at Healthcare & IT News to prepare for his upcoming keynote appearance at Boston’s Privacy & Security Forum, Texas Health Resources CIO Ed Marx explains his organization’s macro-focus on healthcare privacy and security as taking the stand that security is “everyone’s responsibility.”

Instead of taking a laissez-faire approach to the issue and trusting that the IT department is running interference for the entire 25-hospital healthcare system, Marx asks his 24,000-strong workforce to look at security as an all-in proposition. Texas Health is fostering an atmosphere of vigilance amongst the entire employee team, not just the security professionals. This “culture of security” requires yearly training sessions and proficiency tests to drive home the company-wide commitment of increasing security and protecting patient records.

Never Break the Chain

This revolutionary approach to protecting personal health information goes beyond just enlisting workers in the common cause. Besides this initiative, Marx also overhauled the chains of command within his organization and formed a security task force with reporting duties to the health system’s board of directors.

Visibility and accountability are primary drivers to security at Texas Health: “We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee.” Marx continues, “When we need support, we get it because we have this governance council for security and straight access to the board.” It’s obvious that Marx and his team mean business, a mindset that patients should appreciate considering the risky state of security affairs at many other healthcare organizations nationwide.

At such a crucial time in the healthcare security realm, when many organizations lack direction while risk to consumer personal health information grows increasingly higher, perhaps this thinking will inspire a much-needed healthcare security paradigm shift.

Written by Dean Van Dyke

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Source: freedigitalphotos.net

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard certain types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

How Much Could a HIPAA Breach Cost You? A Rhode Island Hospital Finds Out the Hard Way

Playing fast and loose with patients’ personal health information is no small offense. For the administration at Rhode Island’s Women & Infants Hospital, a civil penalty of $150,000 is what it took to settle allegations of negligence in safeguarding the private healthcare data of over 14,000 patients.

Though the hospital in question is located in Rhode Island, the suit was brought by Massachusetts Attorney General Martha Coakley because the vast majority of patients whose personal health information (PHI) was leaked – 12,127, to be exact – were Massachusetts residents. Information compromised in the HIPAA breach, which occurred in spring of 2012, included patients’ names and birthdates, ultrasound imagery, Social Security numbers, and physician information.


Perhaps most shocking is that the PHI compromised in this breach was stored on unencrypted backup tapes. In a modern healthcare security environment, there is no excuse for hospitals to forgo encryption on media that contains patient data. The 19 backup tapes were meant to be shipped to a secure off-site data center before being archived, along with legacy radiology files and data, in a new picture archiving and communication system (PACS). Somewhere along the way, however, the unencrypted tapes disappeared. Though they went missing in spring of 2012, the breach was not reported until September of the same year.

Of the epic healthcare security failure by Women & Infants Hospital (WIH) of Rhode Island, Coakley said: “Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities… This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again.”

Besides the first failure – a lack of encryption on the 19 backup tapes – Coakley’s office determined there were also other security missteps that led to the massive leak of PHI. The hospital had inadequate inventory and tracking systems, and its lack of solid employee training in handling and securing private patient data resulted in a delay in its reporting of the breach.

On top of the hefty $150,000 fine, the settlement requires WIH of Rhode Island to undertake a few steps intended to prevent such a security breach from occurring in the future. They include:

  • Regular security auditing
  • Immediate action to correct any weaknesses or failures discovered during the audit process
  • Updating and maintaining chain of custody procedures
  • Inventory of any unencrypted devices containing PHI

It’s likely that the coming years will usher in a new era of no-nonsense enforcement of HIPAA security laws. Massachusetts has a history of being a stalwart defender of patient privacy with actions like this and several others. Healthcare institutions still being too casual with PHI should pay heed to the consequences faced by WIH of Rhode Island and investigate their own practices and procedures to ensure that patient security is a top priority.

Written by Dean Van Dyke