Lose a laptop with 441 patients’ records, pay $50,000 and pray for donations

The latest HIPAA breach story out of northern Idaho breaks my heart. It also chills me to the bone. First off, here’s the news:

I actually worked with a hospice on tech issues in the last couple of years, and I can tell you the attitude about security and IT in general was… less than progressive. They had better things to do. Literally. Hospice folks have a really rough job, emotionally and financially, providing a service that’s simply not properly supported by payers, whether private or public. They live on donations and posthumous gifts. They’re the soup kitchen of modern healthcare, providing a vital service that no one really wants to think about.

But pleading a charity case obviously didn’t work on HHS. The hammer continues to fall with increasing speed and strength in matters of ePHI security.

Yet again, this breach is the story of a lost, unencrypted laptop with patient information on board. It’s not clear whether the records were ever actually accessed or distributed, but that’s irrelevant to the penalty: a missing device holding unencrypted ePHI is treated as a breach regardless. Had the drive been encrypted in line with HHS guidance, the data would have counted as unusable and unreadable, and losing the laptop would have been an inconvenience rather than a reportable breach.

Community Health Centers and other smaller health providers: Pay attention. HHS is now bringing the penalty thunder down on breaches of fewer than 500 records. And the price is high, at $50K for just 441 records (theoretically) stolen in this case. Of course the HHS write-up points to lack of policies, no risk assessment, no controls over mobile devices, no encryption, and so on. It’s kind of a broken record now.

So consider this your last chance to get your HIPAA policies and procedures drafted and start making regular progress on improving security. The key is to show active interest and ongoing improvements. Do your risk assessment. Build your list of critical improvements. Do them. Keep records of what you’re doing.

This stuff takes staff time and cash money to buy some technology, which is always tough in nonprofit healthcare. So get these stories in front of your CEO right away if you’re not getting the resources you need. Alternatively, put them in front of your CFO — because a big enough breach could threaten the financial viability of the company.

Health IT Links and Notes: 2012-12-31

Here are my favorite links from the Health IT and general IT sector today. Follow me on Twitter to get most of these links real-time, albeit with less commentary.

OCHIN awarded federal grant to help community health centers with HIT
OCHIN has scored a three-year grant worth $775,000 per year to provide services to client clinics dealing with PCMH, MU, EHR implementations and so forth. Good for them. But I wonder whether the client clinics might be better off struggling with some or all of these issues directly. After all, they’ll have to change their cultures to really develop a viable PCMH program, and you can’t buy culture. Furthermore, if you think Health IT changes are going to stop after PCMH and MU, you’re dreaming. Plan to hire IT capacity in-house if you can, because you have got to have internal change and technical capacity.

Vampire data and 3 other cyber security threats for 2013
I’m always a little suspicious of a security services vendor trumpeting all the threats that will destroy your business if you don’t hire someone like them. But in truth the threats are real — it’s just a question of how much risk you’re really facing in your situation. Still, the threats and issues to consider here include:

  • Watch out for risks posed by data you aren’t aware of or can’t easily monitor or control (what they’re calling “vampire data”), including cloud-hosted stuff or old data stores you’ve forgotten about
  • If you don’t already have lawyers and others on retainer to help you in a breach situation, you really should because you don’t want to be scrambling to hire them after a breach
  • You really need to be logging stuff and reviewing the logs, folks (easier said than done)
  • Hackers are as much about disrupting your business as stealing your data these days
  • Just start publishing your breaches, even if they don’t involve ePHI

Analysis: Microsoft Is Squandering Its Hyper-V Opportunity
Reviewers like the Hyper-V included with Windows Server 2012. But it’s not taking off, because of several strategic mistakes Microsoft has made and continues to make. Meanwhile, VMware remains king of virtualization for most businesses.

How to Say ‘Yes’ to BYOD
Saying “no way in hell” to smartphones, tablets and other employee-owned gear in the enterprise strikes me as a bigger risk than saying “yes, but with controls,” and this audio panel discusses how you can say yes and feel good about it. About 15 minutes long.

How MiGym plans to quantify the health club workout
Finally. Pretty soon you’ll be able to take your smartphone to the gym, capture workout data from the machines already there, then sling that data into an online PHR (like Microsoft’s almost-forgotten HealthVault). My own thinking is that there’s a future for CHCs in the health club space. I mean, what are we doing, disease management or health promotion? Keep an eye on gyms, health data devices (the “quantified self” movement), PHRs, and developments in payer preferences for preventive care with results.