Posts Tagged ‘hitech’

Car Break-In Leads to Possible HIPAA Violation

October 11th, 2011

Thousands of confidential medical records were loaded on a USB flash drive, which subsequently was stolen during a car break-in.  Sound familiar?  The spread of data breach notification laws throughout the US has brought to light hundreds of incidents that would have been glossed over in the past.  In this case, the protected health information is covered under new regulations in HIPAA and the HITECH Act of 2009.

According to the MetroWest Daily News, it’s unclear whether the incident will result in direct monetary damages, but it certainly hasn’t been a public relations success:

Smith declined to say whether the loss of the records would be considered a violation of the Health Insurance Portability and Accountability Act - known as HIPAA - or whether the company could face penalties.

Under the Health Information Technology for Economic and Clinical Health Act of 2009, companies that experience a breach of health information covered by HIPAA for more than 500 patients are required to inform the patients and the media.

Data Security, Healthcare

Deja vu: NHS loses USB memory stick

October 3rd, 2011

According to TechEye, another NHS Trust has exposed confidential patient information by storing it on an unencrypted USB drive, which promptly disappeared.  This is a continuing issue for the NHS.

The Surrey and Sussex Healthcare NHS Trust patient records were lost in September 2010. Shockingly, the details were on an unencrypted memory stick and worse, the 800 affected patients were never told. Leaked details include full name, date of birth and operation details.

Kanguru strongly recommends that all healthcare organizations protect patient data by using mandatory hardware encryption on all portable devices.  The Kanguru Defender Elite secure flash drive is completing Common Criteria certification and is now available in the UK and throughout Europe.  It’s an ideal solution for healthcare data protection.

Data Security, Healthcare

Is your hospital ready for EMR?

June 23rd, 2011

Electronic medical records are the future, and the government is encouraging their adoption through the HITECH Act.  InfoSecurity.com has an analysis of the first phase of HITECH:

Phase I implementation (2011–2014) provides a graduated series of financial incentives to physicians and hospitals. At the same time, certain information security measures must be implemented along with the expanded use of electronic health records and information exchanges.

For healthcare facilities, these security measures include implementation of access control; data integrity; emergency management; encryption of data at rest, in motion, and removable media; identity proofing; log analysis and management; and system timeout.

Healthcare organizations are advised to use an encryption algorithm that meets FIPS 197 standards or better.  It’s important to ask your vendor about their encryption certifications, as not all password-protected devices are truly secure.
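The “FIPS 197 or better” recommendation above refers to AES. What follows is an added example, not code from this article or from any Kanguru product, showing what encrypting data at rest on removable media actually involves and why it differs from a device that merely checks a password: the key is derived from the password with PBKDF2-HMAC-SHA256 (written out here so only the Go standard library is needed), the record is sealed with AES-256-GCM, the password is never stored, and a wrong password or a modified blob fails authentication instead of unlocking anything. The iteration count, the salt || nonce || ciphertext layout and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per-record salt, stored in the clear
	keyLen     = 32      // AES-256 key (FIPS 197 block cipher, 256-bit key)
	iterations = 100_000 // PBKDF2 work factor; an assumed value for this example
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block.
// The password itself is never written anywhere; it only yields the key.
func deriveKey(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], 1) // block index 1, big-endian
	prf.Write(idx[:])
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out[:keyLen]
}

func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(password, salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord produces salt || nonce || ciphertext || GCM tag. Salt and nonce
// are public but bound as additional data, so altering them is detected too.
func EncryptRecord(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := make([]byte, 0, saltLen+len(nonce))
	header = append(append(header, salt...), nonce...)
	return gcm.Seal(header, nonce, plaintext, header), nil
}

// DecryptRecord reverses EncryptRecord. A wrong password derives a different
// key, and GCM then fails authentication rather than returning garbage.
func DecryptRecord(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	hdrLen := saltLen + gcm.NonceSize()
	if len(blob) < hdrLen+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	header, nonce := blob[:hdrLen], blob[saltLen:hdrLen]
	return gcm.Open(nil, nonce, blob[hdrLen:], header)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123; DOB 1970-01-01; procedure: knee arthroscopy")
	blob, err := EncryptRecord("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (salt+nonce+ciphertext+tag)\n", len(blob))
	if _, err := DecryptRecord("wrong password", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	plain, err := DecryptRecord("correct horse battery staple", blob)
	fmt.Printf("recovered: %q err=%v\n", plain, err)
}
```

The point to take to a vendor conversation is the contrast with a “password-protected” device that stores the data in the clear and only gates access in firmware or software: there the password check can be separated from the data, whereas here nothing on the drive is readable without the key, and the GCM tag makes silent tampering or a wrong key visible as an error.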

Data Security, Healthcare

Kanguru Defender Elite and KRMC Chosen by Maryland Healthcare Provider

April 4th, 2011

Kanguru is pleased to announce that we have been chosen to provide a major healthcare provider in Maryland with secure flash drives and remote management software.  Our encrypted flash drives will help keep their patient data safe and secure, and also help them meet HIPAA regulations relating to data security and privacy. 

This is the latest of several secure flash standardizations Kanguru has recently been involved with across the government, healthcare, and financial industries.  Healthcare providers have been under increasing scrutiny lately as the Dept of Health & Human Services has stepped up enforcement of HIPAA privacy rules.  Kanguru’s remote management platform provides security against data breaches as well as audit logs for proof of compliance.

Data Security, Healthcare, Portable Storage

Keeping tabs on your data

March 7th, 2011

Here at Kanguru we frequently talk about encrypting and securing your mobile data, but sometimes don’t stress enough the importance of tracking and monitoring data usage.  As important as it is to secure your data, it is equally important to know where it is going. 

When an employee leaves the office for the day, taking his work with him on a flash drive, where is that data going?  A quick stop by the local coffee shop and opened up on one of their unsecured wireless networks?  To an unsecured home computer?

These possibilities, along with the risks associated with them, are why Kanguru emphasizes a total security solution.  This can be especially advantageous to organizations that are required to meet security regulations like HIPAA, the HITECH Act or any one of the many state-level data breach laws.

Tracking and monitoring can be done via Kanguru’s Remote Management Console and USB Device Control, a tandem of products designed specifically to allow organizations to keep tabs on and secure their portable data. 

It’s time to look beyond encryption and recognize the importance of end point security as a key element to the overall big picture of securing your data.  Some options to look for in endpoint security and remote management:

1.) Device Control - Control what, when and how USB devices are allowed to access your computers.

2.) IP and Domain Control - Manage which IP addresses and/or domains are allowable for devices to access via whitelist and blacklist methodology.

3.) Auditing and Reporting - Get a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to ensure proper compliance.

4.) Remote Provisioning - Remotely manage security policy changes from a single location. Control password complexity, password expiration, software updates, patches, A/V definitions, online and offline access, and more.
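As an added example, not the page’s or Kanguru’s own code, here is a minimal policy evaluator covering the first three items above: a device allowlist bound to vendor ID, product ID and serial number with a daily time window; domain allow and deny lists where an explicit deny wins and matching is label-aligned so that “notexample.org” does not match “example.org”; and JSON audit lines that can be exported for compliance review. The device identifiers, workstation name, hostnames and timestamps are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Device is what the host sees when a USB storage device enumerates.
type Device struct {
	VendorID  uint16 `json:"vid"`
	ProductID uint16 `json:"pid"`
	Serial    string `json:"serial"`
}

// DeviceRule allows exactly one device (VID, PID and serial must all match)
// within a daily window [FromHour, UntilHour) with the given access mode.
type DeviceRule struct {
	Device    Device
	FromHour  int
	UntilHour int
	Access    string // "rw" or "ro"
}

// Policy is default-deny: unknown devices and unlisted domains are refused.
type Policy struct {
	Devices     []DeviceRule
	DomainAllow []string
	DomainDeny  []string
}

type Decision struct {
	Allowed bool   `json:"allowed"`
	Access  string `json:"access,omitempty"`
	Reason  string `json:"reason"`
}

func (p Policy) EvaluateDevice(d Device, at time.Time) Decision {
	for _, r := range p.Devices {
		if r.Device != d {
			continue
		}
		if h := at.Hour(); h < r.FromHour || h >= r.UntilHour {
			return Decision{Reason: fmt.Sprintf("known device outside %02d:00-%02d:00 window", r.FromHour, r.UntilHour)}
		}
		return Decision{Allowed: true, Access: r.Access, Reason: "matched device rule"}
	}
	return Decision{Reason: "device not on allowlist"}
}

// EvaluateDomain checks the denylist first, then requires an allowlist match.
func (p Policy) EvaluateDomain(host string) Decision {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range p.DomainDeny {
		if domainMatch(host, d) {
			return Decision{Reason: "domain on denylist: " + d}
		}
	}
	for _, d := range p.DomainAllow {
		if domainMatch(host, d) {
			return Decision{Allowed: true, Reason: "domain on allowlist: " + d}
		}
	}
	return Decision{Reason: "domain not on allowlist"}
}

// domainMatch is label-aligned: "example.org" matches itself and "a.example.org",
// but not "notexample.org".
func domainMatch(host, pattern string) bool {
	pattern = strings.ToLower(pattern)
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

// AuditEntry is one line of the audit trail, serialised as JSON for export.
type AuditEntry struct {
	Time     time.Time `json:"time"`
	Host     string    `json:"host"`
	Subject  string    `json:"subject"`
	Decision Decision  `json:"decision"`
}

type Auditor struct{ Entries []AuditEntry }

// Record stores the event and returns the JSON line that would be shipped.
func (a *Auditor) Record(at time.Time, host, subject string, d Decision) string {
	e := AuditEntry{Time: at, Host: host, Subject: subject, Decision: d}
	a.Entries = append(a.Entries, e)
	line, _ := json.Marshal(e)
	return string(line)
}

func (a *Auditor) DeniedCount() int {
	n := 0
	for _, e := range a.Entries {
		if !e.Decision.Allowed {
			n++
		}
	}
	return n
}

// SamplePolicy is a constructed policy: one managed drive (assumed VID/PID and
// serial), business hours only, one allowed domain and one denied subdomain.
func SamplePolicy() (Policy, Device) {
	managed := Device{VendorID: 0x1234, ProductID: 0xabcd, Serial: "KGR-0001"}
	return Policy{
		Devices:     []DeviceRule{{Device: managed, FromHour: 8, UntilHour: 18, Access: "rw"}},
		DomainAllow: []string{"example.org"},
		DomainDeny:  []string{"untrusted.example.org"},
	}, managed
}

func main() {
	pol, managed := SamplePolicy()
	var audit Auditor
	noon := time.Date(2011, 3, 7, 12, 0, 0, 0, time.UTC)
	night := noon.Add(10 * time.Hour)
	fmt.Println(audit.Record(noon, "WS-042", "usb:KGR-0001", pol.EvaluateDevice(managed, noon)))
	fmt.Println(audit.Record(night, "WS-042", "usb:KGR-0001", pol.EvaluateDevice(managed, night)))
	fmt.Println(audit.Record(noon, "WS-042", "usb:unknown", pol.EvaluateDevice(Device{Serial: "X"}, noon)))
	fmt.Println(audit.Record(noon, "WS-042", "dns:portal.example.org", pol.EvaluateDomain("portal.example.org")))
	fmt.Println(audit.Record(noon, "WS-042", "dns:untrusted.example.org", pol.EvaluateDomain("untrusted.example.org")))
	fmt.Printf("%d events, %d denied\n", len(audit.Entries), audit.DeniedCount())
}
```

Binding the rule to the serial number, not just the vendor and product IDs, is what turns “USB devices” into “this organization’s managed drives”; a commodity drive of the same model still hits the default-deny branch and shows up in the audit trail.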

Data Security

Cracking down on HIPAA violations

February 28th, 2011

The Dept of Health and Human Services is stepping up enforcement of HIPAA privacy laws by handing out new fines against two violators.

From Government Computer News:

HIPAA requires health plans, health care clearinghouses and most health care providers to protect the privacy of patient information through administrative, physical and technical safeguards.

After an investigation by OCR, the agency found Mass General in violation when an employee left documents relating to 192 patients on a subway train. The documents, which were never recovered, included information on patient names, dates of birth, medical record numbers, health insurers and policy numbers, diagnoses and name of providers for 66 of those patients. HHS discovered the loss after a patient reported the records lost on March 9, 2009.

Mass General was fined $1 million for this violation.  Imagine how many USB flash drives and other portable devices get lost in subway trains, taxis and other public places every year.  With HHS handing down stiff penalties, it’s time to consider security plans for these devices.

Data Security, Healthcare, Portable Storage

HIPAA Fines Underscore Need for Securing Data

February 11th, 2011

The loss of an unencrypted portable hard drive containing private health information has proven extremely costly and time consuming for Health Net, Inc., and Health Net of the Northeast, Inc.

The health insurance company is now being fined $55,000 by the State of Vermont and must also submit to a data-security audit and file reports with the State regarding the company’s information security programs for the next two years.

“The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

Read more at Infosec Island.

Data Security, Healthcare

HITECH Act not reducing Data Breach costs

November 10th, 2010

Data breaches that expose confidential medical data are costing healthcare providers $6 billion a year.  SC Magazine reports on a new study by the Ponemon Institute, and the results are not good.

The top three causes of breaches were unintentional employee action, lost or stolen computing devices and third-party accidents. The average number of lost or stolen records per breach was 1,769.

The survey found that breaches have cost the U.S. health care system $12 billion over the past two years. The economic impact of a data breach was approximately $2 million per organization over a two-year period.

Expect the number of records per breach to increase as portable devices continue to grow in capacity and shrink in price.  Employees may have good intentions when they take the entire database home with them, but data breaches often result when a car is broken into or a thumb drive slips out of a pocket.  Healthcare organizations need a policy for securing USB devices, and it needs to be enforced automatically.

Data Security, Healthcare, Portable Storage

Incomplete security leads to major medical-data breach

October 26th, 2010

The Philadelphia Inquirer reports on a major data breach at Keystone and AmeriHealth Mercy Health Plans.

A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing - one of the largest recent security breaches of personal health data in the nation.

A spokesperson for the companies responded to questions for a follow-up article:

The insurers, she said, had been working to improve a method for allowing encrypted patient information to be available to company representatives at local health events. The drive was being used at headquarters to test the new system, she said.

The information on the missing portable drive was not encrypted.

Also, the two companies had embarked on an initiative to encrypt all company data, especially data on devices such as laptops or flash drives that would be used outside the building. But that initiative was not completed when the Sept. 20 incident occurred.

Data Security, Healthcare, Portable Storage

HITECH Act explained

October 5th, 2010

CSO Blog has a short explanation of the HITECH Act and its implications for healthcare providers and third-party partners.  The author also outlines some steps you can take to lower the risk of a data breach.  These include taking an inventory of all Protected Health Information (PHI) and using encryption on all storage devices.

Healthcare