Thursday, January 06, 2011

Looking to 2011 – not a pretty picture.

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

By Dissent, January 5, 2011

In today’s installment, we gaze into the crystal ball to see what 2011 might have in store for us:

What are the top security and privacy issues facing the healthcare industry in 2011? A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance was asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billion annually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws.

The top predictions for 2011 include:

  1. Health information exchanges, many of which will be launched by inexperienced and understaffed organizations, will force more attention on security and privacy;

  2. Increased fines and regulatory action by State Attorneys General and regulatory agencies;

  3. Data breaches and associated costs will increase, as penalties for information security negligence are acted on;

  4. Hospital governing-boards will exert their power to manage data breach risks in order to increase accountability and fiduciary responsibility;

  5. A significant “data spill” is inevitable and will bring national attention to the issue;

  6. Heightened patient awareness and concern over the security of their private medical data;

  7. The finalization of data breach notification rules by the Department of Health and Human Services could remove the controversial “harm threshold” provision that determines whether notification is required when an incident occurs. If removed, this will create a risk of over-notification and desensitization of patients. [Note from Dissent: it will create a risk of entities being embarrassed and patients leaving. I doubt if any patient would truly ignore a letter that provides sufficient details for them to determine whether they need to take action to protect their medical privacy.]

Industry-Wide Experts Share Their Opinions and Insight

Dr. Larry Ponemon, chairman and founder, Ponemon Institute; research experts in privacy, information security policy and information management

“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance and policy plaguing the healthcare industry. Millions of patients are at risk for medical and financial identity fraud due to inadequate information security. Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges—but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it.”

Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights; the nation’s health privacy watchdog

“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”

Cliff Baker, managing partner for Meditology, a healthcare IT risk management and deployment services firm

“In 2011, we can expect that the Department of Health and Human Services Office for Civil Rights will be gearing up its proactive audits. Where does this leave OCR audits in 2011? They’re probably directed at those organizations that have breaches attributable to known and published high-risk areas. Look for those organizations to be dealing with OCR auditors camped out at their facilities in 2011.”

Ernie Hood, vice president and CIO, Group Health Cooperative; one of the nation’s largest consumer-governed health care systems

“The healthcare industry is on the verge of a major shift. Organizations are venturing into the electronic world for the first time as practices implement electronic health records and states launch health information exchanges. A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives. Mistakes are a certainty. Combine this with sophisticated approaches to identity theft by organized crime, and breaches will happen. When a breach occurs, the way the organization handles it publicly will be critical.”

Rick Kam, president and co-founder, ID Experts; comprehensive data breach solutions

“Health information exchanges will raise the awareness of security and privacy. I am seeing organizations shift their focus from implementation of electronic health records to a focus on the next phase of ‘meaningful use,’ specifically how they are going to share patient records through health information exchanges. There will also be more concern over accountability if PHI is breached. How will a patient know who is responsible when a health information exchange has a data breach? Who will they hold accountable to fix the problem and for the financial, reputational, and other damage they experience? I think a lot of work needs to be done in this area and it will come into focus as a ‘must do’ initiative in 2011.”

Sandeep Tiwari, CEO, Zafesoft, Inc.; provider of information security and control software

“As healthcare information becomes more mobile, issues with security will only become increasingly complex. Healthcare is a mammoth space that changes and moves slowly, but when it does, it moves en masse. In the case of PHI/PII the laws were ahead of the technology. To date, there have been no secure audit trails, which impacts the effectiveness of the laws. If we can’t track how and when private and personal information is accessed, we will never secure it.”

Larry Walker, president of The Walker Company; governance consultant to health care organizations

“Patient health information data breaches are one of the most significant legal and public trust risks facing hospital governing boards, which are legally and ethically accountable for the results of a breach. The board of trustees has a fundamental fiduciary responsibility to ensure that patients’ health information is safe and secure at all times. To do this, boards must establish the prevention of data breaches as a critical organizational priority, ensure that financial resources sufficient to achieve the objective are made available, and require periodic updates from senior management on data breach risks and methods being utilized to close potential breach gaps. This should be one of the critical agenda items for hospital and health system boards in 2011.”

For more information, visit
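Tiwari's point above about the absence of secure audit trails for PHI access is the one technical claim in this piece, so here is an added illustration of what "secure" has to mean in practice. This is example code written for this digest, not code from the press release or from any of the firms quoted. It assumes a hypothetical clinical system that records each access to a patient record as a small JSON event and chains the events with SHA-256, so that editing or inserting an entry after the fact is detectable. The sample events are constructed, not real data.

```python
"""Tamper-evident PHI access log built as a SHA-256 hash chain.

Added example for this digest (hypothetical system; constructed data).
Each entry commits to the previous entry's hash, so rewriting or
inserting an event breaks every hash after it. Silently dropping the
newest entries does NOT break the chain, which is why the head hash has
to be anchored somewhere the log writer cannot alter (WORM storage, a
separate system, a periodic notarised digest).
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # hash value used as the "previous" link of the first entry


def canonical(event: dict) -> bytes:
    # Stable serialisation so identical events always hash identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, user: str, patient_id: str, action: str, ts: str) -> str:
        prev = self.head()
        event = {"ts": ts, "user": user, "patient_id": patient_id, "action": action}
        digest = entry_hash(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def accesses_to(self, patient_id: str) -> List[dict]:
        """Who touched this record, and when: the question an auditor asks."""
        return [e["event"] for e in self.entries if e["event"]["patient_id"] == patient_id]


def demo() -> dict:
    log = AccessLog()
    # Constructed sample events (hypothetical users and patient IDs).
    log.append("dr_smith", "P-1001", "view", "2011-01-05T09:14:00Z")
    log.append("nurse_j", "P-1001", "update", "2011-01-05T09:20:00Z")
    log.append("billing_a", "P-2002", "view", "2011-01-05T10:02:00Z")
    anchor = log.head()  # copy of the head hash kept outside the log writer's reach

    result = {"intact": log.verify(), "p1001_count": len(log.accesses_to("P-1001"))}

    # Case 1: an insider rewrites who performed the update. Entry 1 no longer
    # matches its stored hash, so verify() points at it.
    log.entries[1]["event"]["user"] = "dr_smith"
    result["edited"] = log.verify()
    log.entries[1]["event"]["user"] = "nurse_j"  # restore for the next case

    # Case 2: the insider deletes the newest entry instead. The chain that
    # remains is internally consistent; only the external anchor reveals it.
    log.entries.pop()
    result["truncated_verify"] = log.verify()
    result["truncated_head_matches"] = log.head() == anchor
    return result


if __name__ == "__main__":
    print(demo())
```

The second case is the caveat worth remembering: a hash chain alone answers "was anything altered or inserted?", not "is anything missing from the end?". Without the anchored head hash (or a counter signed by a party other than the log writer), an attacker who controls the log can simply discard the entries that incriminate them.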

Looking back at 2010, hard to see what happened...

Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance

January 5, 2011 by admin

Ellen M. Giblin writes:

With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf)(“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General’s Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement.

Scott Shafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Shafer noted at the outset that the Attorney General’s (AG) current enforcement approach is not audit-based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed.

Read more on Workplace Privacy Counsel.

I wonder who the 3% are who aren't required to secure their data?

January 05, 2011

Majority of Federal Employees Go Beyond Mandatory IT Security Requirements

News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information... The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."

Wikileaks As Security Breach

January 5, 2011 by Dissent

Ryan Calo writes, in part:

The leak represents an appalling security breach—one that makes TJX look like a misplaced diary. As I argue in a previous post, the leak threatens a set of classic privacy harms. One of the central roles of privacy is to help preserve the conditions for intimacy. The leak means that leaders will be less candid with U.S. diplomats going forward, who in turn will report back insights only with great caution. No one will take U.S. promises of confidentiality seriously. At the margins, this shattering of intimacy may take certain diplomatic options off the table. All because the government failed to take minimal steps to keep information within its proper context.

The government can—and in my opinion, should—prosecute Manning. Still, the responsibility for this breach lies squarely with the state. The U.S. hired, trained, and supervised Manning, and it built the system that permitted this young adult to undermine global diplomacy with a Lady Gaga CD.

Read his entire commentary on The Center for Internet and Society

The Cloud Computing wars begin!

January 05, 2011

Google Wins Injunction in Cloud Computing Bid Protest Against Interior

Follow-up to Google Files Bid Protest Against Dept. of Interior Over Hosted Email and Collaboration Services, news that Google wins: Interior forbidden to award noncompetitive contract to Microsoft - "U.S. Federal Claims Court Judge Susan Braden ruled on Jan. 3 that negotiations for a sole source contract with Microsoft “commenced many months prior to July 15, 2010,” when department officials decided Microsoft's software was their standard for e-mail and computer operating systems. Meanwhile, Google had been trying to get considered for the work as well."

Supply & Demand: Maybe they didn't pay enough?

Goldman Closes Facebook Fund After Billions in Orders Pour In

Just days after announcing a private investment placement that values Facebook at $50 billion, Goldman Sachs’ controversial fund is already oversubscribed, The Wall Street Journal reported late Wednesday. The platinum-plated Wall Street titan will not seek any further investments after receiving orders worth several billion dollars, the paper said.

That strong response from Goldman’s wealthy clients appears to have far exceeded the $1.5 billion the bank had planned to raise, and leaves absolutely no doubt that the appetite for a piece of the world’s largest social network — still a private company that outsiders can only speculate brings in a reported $2 billion a year — is voracious.

… An offering document for the fund said Facebook made a profit of $200 million in 2009 on revenue of $777 million, but did not disclose 2010 revenue, though industry experts have pegged it at $2 billion, the paper said.

For my ethics class...

January 05, 2011

2010 Law School Survey of Student Engagement

2010 Law School Survey of Student Engagement: "Findings reveal that students who interacted with faculty more often were significantly more likely to report substantial gains in key areas related to professionalism and ethics compared to students with less faculty contact. Despite the benefit to students, opportunities for student-faculty interaction often are missed. Results also indicate that only half of students (53%) felt prepared to deal with ethical dilemmas that arise in practice."

For my Computer Security students.

The 9 Types of Computer Viruses To Watch Out For & What They Do

Securing the Smart Grid

"In Securing the Smart Grid: Next Generation Power Grid Security, authors Tony Flick and Justin Morehouse provide a comprehensive and first-rate overview of smart grid technology and what is needed to ensure that it is developed and deployed in a secure and safe manner. An issue is that smart grid has a significant amount of hype around it, including the promise that it will make energy more affordable, effective and green. With that, promises around security and privacy are often hard to obtain."

For my Data Mining and Analysis students

January 05, 2011

Google Refine, a power tool for working with messy data

"Google Refine is a power tool for working with messy data, cleaning it up, transforming it from one format into another, extending it with web services, and linking it to databases like Freebase."
