Healthcare and Technology news

Hospital employee gets indicted for fraud

A former employee at a major New York health system has been indicted, along with seven others, for stealing personal data of 12,000 patients, enabling more than $50,000 in fraud.


Manhattan's district attorney last week announced the indictment of Monique Walker, 32, a former assistant clerk at the eight-hospital Montefiore Health System, for swiping patient data and supplying it to an identity theft ring. Walker, who had access to patient names, Social Security numbers and dates of birth, among other data, reportedly printed the records of as many as 12,000 patients and supplied them to seven other individuals who used the data to make multiple purchases from department stores and retailers.


Walker, according to the New York County’s District Attorney’s office, sold the patient records for as little as $3 per record. Co-conspirators were able to open credit cards and make several unauthorized big ticket purchases at Barneys New York, Lord & Taylor and Bergdorf Goodman, among others. Defendants have been charged with grand larceny, unlawful possession of personal identification information, identity theft and criminal possession.


"In case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," said New York County District Attorney Cyrus R. Vance Jr. in a June 18 press statement announcing the indictment. "I thank Montefiore Medical Center for taking immediate steps to alert authorities to ensure that those involved are held responsible, and moving swiftly and responsibly to notify and protect patients."

The case of insider misuse with patient data within healthcare organizations is nothing new. In fact, according to Verizon's annual data breach investigations report published this spring, security incidents caused by insider misuse – think organized crime groups and employee snooping – jumped from 15 percent last year to 20 percent in 2015.


"We're seeing organized crime groups actually position people where possible in healthcare organizations so they can steal information for tax fraud," Suzanne Widup, senior analyst on the Verizon RISK team, told Healthcare IT News this spring. "As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping."
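The access-log review the Verizon analyst describes can be turned into a detection rule. The following Python is an added example, not code from Verizon, Montefiore or the article; it runs over a few constructed EHR audit lines (timestamp, user, role, action, patient ID) and flags two patterns an insider like the one in the Montefiore case would leave behind: a user touching far more distinct patients than peers in the same role, and a burst of PRINT actions across many patients in a short window. The field layout, the thresholds and the sample lines are assumptions made for the example.

```python
"""Insider-misuse detection over EHR access-audit lines (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit lines for this example (not a real log).
# Layout assumed: timestamp user role action patient_id
SAMPLE_LOG = """
2015-06-01T08:02:11 u1043 clerk VIEW  P00017
2015-06-01T08:04:40 u1043 clerk PRINT P00017
2015-06-01T08:06:02 u1043 clerk PRINT P00018
2015-06-01T08:07:19 u1043 clerk PRINT P00019
2015-06-01T08:09:33 u1043 clerk PRINT P00020
2015-06-01T08:11:50 u1043 clerk PRINT P00021
2015-06-01T08:14:05 u1043 clerk PRINT P00022
2015-06-01T08:16:27 u1043 clerk PRINT P00023
2015-06-01T08:18:44 u1043 clerk PRINT P00024
2015-06-01T08:03:00 u1050 clerk VIEW  P00031
2015-06-01T09:15:12 u1050 clerk VIEW  P00032
2015-06-01T08:20:00 u1051 clerk VIEW  P00033
2015-06-01T10:40:21 u1051 clerk PRINT P00033
2015-06-01T11:02:09 u1051 clerk VIEW  P00034
2015-06-01T08:45:00 u1052 clerk VIEW  P00035
2015-06-01T09:05:00 u1052 clerk VIEW  P00036
2015-06-01T13:30:00 u1052 clerk VIEW  P00037
2015-06-01T08:06:02 u2210 nurse VIEW  P00017
2015-06-01T08:40:00 u2210 nurse VIEW  P00018
2015-06-01T12:00:00 u2210 nurse VIEW  P00040
2015-06-01T09:00:00 u2211 nurse VIEW  P00041
2015-06-01T15:00:00 u2211 nurse VIEW  P00042
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "patient": patient})
    return events


def distinct_patients(events):
    """Map user -> (role, number of distinct patients that user touched)."""
    seen = defaultdict(set)
    roles = {}
    for e in events:
        seen[e["user"]].add(e["patient"])
        roles[e["user"]] = e["role"]
    return {u: (roles[u], len(p)) for u, p in seen.items()}


def flag_volume_outliers(events, factor=3.0):
    """Flag users whose distinct-patient count exceeds `factor` times the
    median of their own role's peers (a clerk is compared with clerks)."""
    counts = distinct_patients(events)
    by_role = defaultdict(list)
    for role, n in counts.values():
        by_role[role].append(n)
    baseline = {role: median(ns) for role, ns in by_role.items()}
    return sorted(u for u, (role, n) in counts.items() if n > factor * baseline[role])


def flag_bulk_prints(events, min_patients=5, window=timedelta(hours=1)):
    """Flag users who PRINT records of at least `min_patients` distinct
    patients inside any `window`-long span (sliding window over sorted events)."""
    prints = defaultdict(list)
    for e in events:
        if e["action"] == "PRINT":
            prints[e["user"]].append(e)
    flagged = set()
    for user, evs in prints.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = {e["patient"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_patients:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("volume outliers:", flag_volume_outliers(evs))
    print("bulk printers:  ", flag_bulk_prints(evs))
```

Both rules are deliberately role-relative: a ward nurse legitimately opens many charts, so a flat per-user threshold would either drown the clerk in nurse noise or miss the clerk altogether. On the constructed lines, u1043 is the only user flagged by either rule.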


As Cathleen A. Connolly, FBI supervisory special agent, put it at Healthcare IT News' Privacy & Security Forum this past March, speaking about combatting insider threats within healthcare: "your people that work for you are a very large threat."


What's more, according to data from the U.S. Department of Health and Human Services, unauthorized access or disclosure accounts for 5.3 million of the patient records compromised in HIPAA breaches.

Healthcare data security is like a box of chocolates

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute had more surprises than Forrest Gump’s box of chocolates – surprises that were far from palatable. One key finding was that criminal attacks are up 125 percent and are now the leading cause of healthcare data breaches. Other results of the study were just as unsettling:


Surprise 1: Sixty-five percent of healthcare organizations do not offer any protection services for patients whose information has been lost or stolen. With cyber threats on healthcare data mounting, this is unacceptable. Ironically, the Ponemon study also found that 65 percent of healthcare organizations—the same percentage that don’t offer protection services—believe patients whose records have been lost or stolen are more likely to become victims of medical identity theft.


According to the Ponemon Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Many medical identity theft victims report they have spent an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Healthcare organizations and business associates must make available medical identity monitoring and identity restoration services to patients whose healthcare records have been exposed.


On the other hand, the majority of people still don’t understand the serious risk of medical identity theft. They pay more attention to their credit score and financial information than to their insurance explanation-of-benefits (EOB) statements or medical records. They don’t understand that while a credit card can be quickly and easily replaced, their medical identity can take years to be restored. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you, as ID Experts CEO Bob Gregg has said.


Surprise 2: The average cost of a healthcare data breach has stayed fairly consistent over the past five years – $2.1 million. This is in contrast to the average total cost of data breach in general, which has risen 23 percent over the past two years to $3.79 million, according to another recent Ponemon report, 2015 Cost of Data Breach Study: Global Analysis. Cyber liability insurance to cover notification costs, better options for identity monitoring, and more privacy attorneys offering help should reduce the cost of healthcare data breaches over time.


Healthcare organizations can take proactive steps to reduce the likelihood and impact of a data breach. This means addressing the tactical issues of protecting patient data. According to Dr. Larry Ponemon, founder and chairman of Ponemon Institute, healthcare organizations face “the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget.” 


According to the Ponemon report, 96 percent of healthcare organizations had a security incident involving lost or stolen devices, and employee negligence is the greatest concern among these organizations. Dr. Ponemon says healthcare providers should create “a more aggressive training and education awareness program, as well as invest in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information.”

These training and awareness programs should center around protecting PHI, especially education on how to avoid phishing emails and what to do to ensure data is not disclosed. Healthcare organizations must also collaborate with their business associates to also ensure they have similar programs in place. 


For external risks such as the growing number of criminal attacks, Dr. Ponemon says that healthcare providers must “assess what sensitive data needs to be monitored and protected, and the location of this data.” I would add that board and executive management must recognize that professional hackers are targeting health data and records and, as mentioned earlier, that such attacks are now the leading cause of data breaches in healthcare. This awareness should spur enterprise-wide alignment in addressing cyber threats.


Surprise 3: Too many healthcare organizations take an ad-hoc approach to incident risk assessment. Only 50 percent of healthcare organizations in the study performed the four-factor risk assessment following each security incident, as required by the HIPAA Final Rule. Of that 50 percent, 34 percent used an ad hoc risk assessment process, and 27 percent used a manual process or tool that was developed internally.


This practice is not acceptable. Healthcare organizations now have software tools available to help automate and streamline processes such as risk assessment and data breach response. By supporting consistent and objective analysis of security incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free an organization’s privacy and security staff to spend more time on prevention.


So far, 2015 has been a bad year for protecting patients and their data. Increasing cyber attacks mean that even more patients and their data will be put in harm’s way. While nobody can escape the inevitable security incidents, it is my hope that we can all learn lessons from the Ponemon study and each other, and work more collectively so that next year will bring fewer unpleasant surprises and many more happy ones.

Healthcare cybersecurity info sharing still a work in progress

While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on information sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story

Health IT Security: What Can the Association for Computing Machinery Contribute?

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recently peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”

The challenge of defining a strategy has now been picked up by the US branch of the Association for Computing Machinery, the world’s largest organization focused on computing. (Also probably its oldest, having been founded in 1947 when computers used vacuum tubes.) We’re an interesting bunch, having people who have helped health care sites secure data as well as researchers whose role is to consume data–often hard to get.

So over the next few weeks, half a dozen volunteers on the ACM US Public Policy Council will discuss what to suggest to the Senate. Some of us hope the task of producing a position statement will lead the ACM to form a more long-range committee to apply the considerable expertise of the ACM to health IT.

Some of the areas I have asked the USACM to look at include:

Cyber-espionage and identity theft
This issue has all the publicity at the moment–and that’s appropriate given how many people get hurt by all the data breaches, which are going way up. We haven’t even seen instances yet of malicious alteration or destruction of data, but we probably will.

Members of our committee believe there is nothing special about the security needs of the health care field or the technologies available to secure it. Like all fields, it needs fine-grained access controls, logs and audit trails, encryption, multi-factor authentication, and so forth. The field has also got to stop doing stupid stuff like using Social Security numbers as identifiers. But certain aspects of health care make it particularly hard to secure:

  • The data is a platinum mine (far more valuable than your credit card information) for data thieves.
  • The data is also intensely sensitive. You can get a new credit card but you can’t change your MS diagnosis. The data can easily feed into discrimination by employers and insurers, or other attacks on the individual victims.
  • Too many people need the data, from clinicians and patients all the way through to public health and medical researchers. The variety of people who get access to the data also makes security more difficult. (See also anonymization below.)
  • Ease of use and timely access are urgent. When your vital signs drop and your life is at stake, you don’t want the nurse on duty to have to page somebody for access.
  • Institutions are still stuck on outmoded security systems. Internally, passwords are important, as are firewalls externally, but many breaches can bypass both.
  • The stewards/owners of health care data keep it forever, because the data is always relevant to treatment. Unlike other industries, clinicians don’t eventually aggregate and discard facts on individuals.
Anonymization
Numerous breaches of public data, such as in Washington State, raise questions about the security of data that is supposedly anonymized. The HIPAA Safe Harbor, which health care providers and their business associates can use to avoid legal liability, is far too simplistic, being too strict for some situations and too lax for others.

Clearly, many institutions sharing data don’t understand the risks and how to mitigate against them. An enduring split has emerged between the experts, each bringing considerable authority to the debate. Researchers in health care point to well-researched techniques for deidentifying data (see Anonymizing Health Data, a book I edited).

In the other corner stand many computer security experts–some of them within the ACM–who doubt that any kind of useful anonymization will stand up over the years against the increase in computer speeds and in the sophistication of data mining algorithms. That side of the debate leads nowhere, however. If the cynics were correct, even the US Census could not ethically release data.
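To make the disagreement between the two camps concrete, here is an added Python example (mine, not code from the ACM, from the book mentioned above or from HHS). It applies the Safe Harbor rules that matter for these fields to ten constructed patient records, then measures k-anonymity: the size of the smallest group of records that share the same quasi-identifiers (three-digit ZIP, birth year, sex). The ten records and the list of sparsely populated ZIP prefixes are assumptions made for the example.

```python
"""Safe Harbor de-identification vs. k-anonymity (added example; constructed data)."""
from collections import Counter

# Constructed patient records for this example (not real people).
RECORDS = [
    {"name": "A. Alvarez", "ssn": "101-01-0001", "zip": "10467", "dob": "1951-03-02", "sex": "F", "dx": "MS"},
    {"name": "B. Brown",   "ssn": "101-01-0002", "zip": "10468", "dob": "1951-11-19", "sex": "F", "dx": "flu"},
    {"name": "C. Chen",    "ssn": "101-01-0003", "zip": "10461", "dob": "1951-07-07", "sex": "F", "dx": "diabetes"},
    {"name": "D. Diaz",    "ssn": "101-01-0004", "zip": "10462", "dob": "1958-01-30", "sex": "M", "dx": "HIV"},
    {"name": "E. Evans",   "ssn": "101-01-0005", "zip": "10462", "dob": "1958-09-14", "sex": "M", "dx": "fracture"},
    {"name": "F. Fox",     "ssn": "101-01-0006", "zip": "10460", "dob": "1955-04-04", "sex": "M", "dx": "asthma"},
    {"name": "G. Green",   "ssn": "101-01-0007", "zip": "10469", "dob": "1923-05-05", "sex": "F", "dx": "dementia"},
    {"name": "H. Hall",    "ssn": "101-01-0008", "zip": "10470", "dob": "1922-12-01", "sex": "F", "dx": "flu"},
    {"name": "I. Ito",     "ssn": "101-01-0009", "zip": "03601", "dob": "1980-04-04", "sex": "M", "dx": "asthma"},
    {"name": "J. Jones",   "ssn": "101-01-0010", "zip": "03604", "dob": "1983-08-08", "sex": "M", "dx": "flu"},
]

# Three-digit ZIP prefixes whose population is 20,000 or fewer; Safe Harbor says to
# replace these with "000". The set is an assumption for this example.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
               "821", "823", "830", "831", "878", "879", "884", "890", "893"}

QUASI = ("zip3", "birth_year", "sex")   # quasi-identifiers a linker could match on


def safe_harbor(rec, ref_year=2015):
    """Apply the Safe Harbor rules relevant to these fields: drop direct identifiers,
    keep only the year of birth, collapse ages over 89, truncate ZIP to 3 digits."""
    year = int(rec["dob"][:4])
    zip3 = rec["zip"][:3]
    return {
        "zip3": "000" if zip3 in SPARSE_ZIP3 else zip3,
        "birth_year": "90+" if ref_year - year > 89 else str(year),
        "sex": rec["sex"],
        "dx": rec["dx"],          # the payload the researcher actually wants
    }


def equivalence_classes(rows, quasi=QUASI):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def generalize_decade(row):
    """Further generalization beyond Safe Harbor: birth year -> decade ('1951' -> '1950s')."""
    out = dict(row)
    if out["birth_year"].isdigit():
        out["birth_year"] = f"{int(out['birth_year']) // 10 * 10}s"
    return out


def enforce_k(rows, k, quasi=QUASI):
    """Suppress every row whose class is smaller than k. Returns (kept_rows, n_suppressed)."""
    classes = equivalence_classes(rows, quasi)
    kept = [r for r in rows if classes[tuple(r[q] for q in quasi)] >= k]
    return kept, len(rows) - len(kept)


if __name__ == "__main__":
    sh = [safe_harbor(r) for r in RECORDS]
    print("k after Safe Harbor alone:", k_anonymity(sh))
    dec = [generalize_decade(r) for r in sh]
    print("k after birth year -> decade:", k_anonymity(dec))
    kept, dropped = enforce_k(dec, 3)
    print(f"k=3 reached only by suppressing {dropped} of {len(RECORDS)} records")
```

On these ten records Safe Harbor alone leaves k = 1 (three people are unique on ZIP3, birth year and sex, so a linker with a voter roll could re-identify them); generalizing birth year to a decade gets to k = 2; reaching k = 3 means suppressing four of the ten records. That is the "too lax for some situations and too strict for others" point in miniature: the same rule set is not safe on a small extract and, once tightened enough to be safe, throws away a large share of the data a researcher came for.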

Patient consent
Strong rules to protect patients were put in place decades ago after shocking abuses (see The Immortal Life of Henrietta Lacks). Now researchers are complaining that data on patients is too hard to get. In particular, combining data from different sites to get a decent-sized patient population is a nightmare both legally and technically.
Device security
No surprise–like every shiny new fad, the Internet of Things is highly insecure. And this extends to implanted devices, at least in theory. We need to evaluate the risks of medical devices, in the hospital or in the body, and decide what steps are reasonable to secure them.
Trusted identities in cyberspace
This federal initiative would create a system of certificates and verification so that individuals could verify who they are while participating in online activities. Health care is a key sector that could benefit from this.

Expertise exists in all these areas, and it’s time for the health care industry to take better advantage of it. I’ll be reporting progress as we go along. The Patient Privacy Rights summit next June will also cover these issues.


Digital health in 2015: What's hot and what's not?

I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow’s headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What will it take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.


Indiana medical software company hack exposes protected information of unknown number of patients

Medical Informatics Engineering, a Fort Wayne, Ind.-based maker of Web-based health information-technology software, said Wednesday it was the victim of a sophisticated cyber attack that exposed the protected health information of an unknown number of patients. 

MIE emphasized that patients of only some of its clients were affected, including the Fort Wayne (Ind.) Neurological Center, Franciscan St. Francis Health Indianapolis, the Gynecology Center in Fort Wayne, Rochester Medical Group in Rochester Hills, Mich. and Concentra, a national network of primary-care and specialty clinics. The company said in a statement that it is working with a third-party forensics firm to determine an “accurate number of affected patients.”

MIE's clients include about 100 small- to medium-sized physician offices.

The hack includes MIE's NoMoreClipBoard subsidiary, which produces a personal health-record management system. 

The servers that were hacked held protected health information including patient names, mailing and email addresses, birthdates, and for some patients, Social Security numbers, laboratory results, dictated reports and medical conditions. Financial records were not compromised because the company does not collect or store that information, but experts told Modern Healthcare that clinical data can often be even more valuable to identity thieves.

The company said it learned about the hack after it discovered suspicious activity on one of its servers May 26, at which point it immediately launched an investigation to resolve any system vulnerabilities, in addition to reporting the security breach to law enforcement, including the FBI, company officials said. 

Eric Jones, MIE's chief operating officer, said it's clear that, big or small, healthcare companies must deal with the serious threat of cyber attacks.

“I certainly think it's becoming obvious to most of us that this is becoming a more common occurrence," Jones said. "There are sophisticated entities out there that want to do harm and we need to be more vigilant, we need to do a better job to protect the information that we hold."

Jones said he doesn't believe that the Web-based nature of the company's software made it an easier target.

"I think everybody is vulnerable, whether your application is Web-based or if your client server is within four walls, I think there's still high risk that you could be impacted this way," Jones said.

MIE and NoMoreClipBoard began contacting clients and patients on June 2, and are offering free credit monitoring and identity protection services to affected patients for the next 24 months. The company also established a toll-free hotline to answer questions about the hack. 

Data breaches in healthcare are the most expensive to remediate and are growing more so, according to a May report from the Ponemon Institute.

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation

Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.”


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”

Health checks by smartphone raise privacy fears

Authorities and tech developers must stop sensitive health data entered into applications on mobile phones ending up in the wrong hands, experts warn.

As wireless telecom companies gathered in Barcelona this week at the Mobile World Congress, the sector's biggest trade fair, specialists in "e-health" said healthcare is fast shifting into the connected sphere.

"It's an inexorable tide that is causing worries because people are introducing their data into the system themselves, without necessarily reading all the terms and conditions," said Vincent Genet of consultancy Alcimed.

"In a few years, new technology will be able to monitor numerous essential physiological indicators by telephone and to send alerts to patients and the specialists who look after them."

More and more patients are using smartphone apps to monitor signs such as their blood sugar and pressure.

The European Commission estimates the market for mobile health services could exceed 17.5 billion euros ($19 billion) from 2017.

The Chinese health ministry's deputy head of "digital health", Yan Jie Gao, said at the congress on Wednesday that the ministry planned to spend tens of billions of euros (dollars) by 2025 to equip 90,000 hospitals with the means for patients to contact them online securely.

Patients are entering health indicators and even using online health services for long-distance consultations with doctors whom they do not know.

"There is a steady increase in remote consultations with medical practitioners," particularly in the United States, said Kevin Curran, a computer scientist and senior member of the Institute of Electrical and Electronics Engineers.

"Your doctor can be someone who's based in Mumbai. We have to be very careful about our data, because they're the ones who probably will end up storing your data and keeping a record of it."

- Cloud-based healthcare -

Other users are entering personal health data into applications on their smartphones.

This kind of "e-health" could save governments money and improve life expectancy, but authorities and companies are looking to strengthen security measures to protect patients' data before such services become even more widespread.

"I think tech companies are becoming more concerned with privacy and encryption now," said Curran.

"The problem quite often is that a lot of this data is stored not on the phone or the app but in the cloud," in virtual storage space provided by web companies, he added.

"We are at the mercy of who the app providers are and how well they secure the information, and they are at the mercy sometimes of the cloud providers."

Others fear that insurance companies will get hold of customers' health information and could make them pay more for coverage according to their illnesses.

Various sources alleged to AFP that health insurance companies have been buying data from supermarkets about what food customers were buying, drawn from the sales records of their loyalty cards, following media reports to that effect.

The kind of "e-health" indicator most sought after by patients is fitness-related rather than information on illnesses, however, said Vincent Bonneau of the research group Idate.

A study by Citrix Mobile, a specialist in wireless security, showed that more than three quarters of people using e-health applications were doing so for fitness reasons rather than for diagnosing illnesses.


Lessons from the Anthem hack

Anthem experienced a major data breach recently, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but ... it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implement HIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.) Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says "thou shalt not establish a unique patient identifier system."

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves -- and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected -- because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.
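One concrete shape for the patient ID number described above, as an added example (my code, not Anthem's system or any vendor's design; the vault class, the field names and the keyed-index choice are assumptions): an SSN is exchanged once for a random, opaque ID inside a small audited vault, every downstream clinical or billing record carries only that ID, and de-duplication becomes an exact match on it instead of the SSN/DOB/name triangulation the author describes. The same construction answers the ACM piece's call, earlier on this page, to stop using Social Security numbers as identifiers.

```python
"""Opaque patient IDs instead of SSNs (added example; constructed design)."""
import hashlib
import hmac
import json
import re
import secrets
from datetime import datetime, timezone


def normalize_ssn(ssn: str) -> str:
    """Keep digits only so '123-45-6789' and '123456789' map to the same patient."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have 9 digits")
    return digits


class PatientIdVault:
    """The one component that knows SSN <-> patient ID. Records elsewhere carry
    only the random ID, so a dump of the records store contains no SSN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret for the keyed index; lives only here
        self._id_by_index = {}        # HMAC(SSN) -> patient ID
        self._ssn_by_id = {}          # patient ID -> SSN (the only copy)
        self.audit = []               # every lookup and reveal is recorded

    def _index(self, ssn_digits: str) -> str:
        # Keyed hash: without the key the index cannot be brute-forced over the
        # ~1e9 possible SSNs the way a plain SHA-256 table could.
        return hmac.new(self._index_key, ssn_digits.encode(), hashlib.sha256).hexdigest()

    def issue_or_lookup(self, ssn: str, actor: str) -> str:
        """Return the patient ID for an SSN, minting a random one on first sight."""
        digits = normalize_ssn(ssn)
        idx = self._index(digits)
        pid = self._id_by_index.get(idx)
        if pid is None:
            pid = "P-" + secrets.token_hex(8)   # random: nothing about the SSN is derivable from it
            self._id_by_index[idx] = pid
            self._ssn_by_id[pid] = digits
        self._log(actor, "lookup", pid)
        return pid

    def reveal_ssn(self, pid: str, actor: str, purpose: str) -> str:
        """Narrow, logged path back to the SSN for the few processes that need it."""
        self._log(actor, "reveal:" + purpose, pid)
        return self._ssn_by_id[pid]

    def _log(self, actor: str, action: str, pid: str) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "pid": pid})


def make_record(pid: str, **fields) -> dict:
    """A downstream record keyed only by the opaque patient ID."""
    return {"patient_id": pid, **fields}


def dump_records(records) -> str:
    """What a thief would get from the records store: JSON that holds no SSN."""
    return json.dumps(records, sort_keys=True)


def group_by_patient(records) -> dict:
    """Exact-match linkage on the ID replaces fuzzy SSN/DOB/name triangulation."""
    groups = {}
    for r in records:
        groups.setdefault(r["patient_id"], []).append(r)
    return groups


if __name__ == "__main__":
    vault = PatientIdVault(secrets.token_bytes(32))
    pid = vault.issue_or_lookup("123-45-6789", actor="registration")
    recs = [make_record(pid, date="2015-06-01", dx="flu"),
            make_record(vault.issue_or_lookup("123456789", actor="lab"),
                        date="2015-06-03", result="negative")]
    print(dump_records(recs))
    print("records per patient:", {p: len(g) for p, g in group_by_patient(recs).items()})
    print("audit trail:", vault.audit)
```

Two design points carry the data-minimization argument: the ID is random rather than derived from the SSN, so a leaked records table gives an attacker nothing to invert, and the only road back to the SSN is a single method that writes an audit entry, which is exactly the kind of log that let Anthem notice its breach quickly. If the ID itself ever leaks it can be reissued, which an SSN cannot.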
