Tag Archives: privacy

Online Comments Lead To Privacy Complaint – WPXI Pittsburgh

The following is a verbatim report by Target 11’s Karen Welles that first aired at 5 p.m. on Dec. 3, 2008, on Channel 11 News.

HIPAA – One case has angered local women so much that they switched doctors. It centers on a myspace page created in the name of Stephanie Sicilia, an employee of local doctor Paul Zubritzky.

Online Comments Lead To Privacy Complaint – Target 11 News Story – WPXI Pittsburgh.

Hospital fires up to 6 for accessing Pressly’s files

St. Vincent Health System fired as many as six employees last month for improperly accessing the records of Little Rock morning television anchor Anne Pressly while she was a patient at the company’s main hospital, the chief executive confirmed Wednesday morning.

System President and Chief Executive Officer Peter Banko said that while Pressly, 26, was still alive and a patient at St. Vincent Infirmary Medical Center in Little Rock, a routine patient-privacy audit showed that as many as eight people gained access to her records improperly.

“Those records were being audited every day,” he said, “and as soon as we learned of a possible breach, we investigated.” All eight were placed on leave pending a swift investigation, which determined that at least two had valid reasons for viewing Pressly’s records, Banko said.

“The others, and I won’t say how many exactly, the rest we terminated immediately on the same day,” Banko said. “I will say it was more than one.” Dismissal was a natural penalty for any breach of a patient’s privacy rights, he said.

“Patient privacy is a matter of law, and it is a matter of policy for us,” Banko said.

NWAnews.com :: Northwest Arkansas’ News Source.

Do Federal Agencies Belong in Cloud Computing Networks?

Given the current state of the economy and the yawning federal deficit, the efficiency and cost-savings associated with cloud computing are prompting U.S. federal IT agencies to flirt with the cloud platform. Slowly, of course, since it is the government, after all.

Cloud computing has become so pervasive in the enterprise that even federal agencies are moving—slowly, of course—in the direction of on-demand computing. Given the current state of the economy and the yawning federal deficit, the efficiency and cost-savings associated with cloud computing may prompt an even quicker shift to the cloud.

“In many cases, agencies are already using the Internet,” said Drew Cohen, a vice president in Booz Allen Hamilton’s Defense IT practice who is working closely with federal agencies. “The words and terms are new, but the core tools have been evolving for some time. It’s really just a maturing of things that are already going on.”

DISA (Defense Information Systems Agency), for instance, awarded contracts in 2006 for on-demand computing services. The idea was for government customers to pay for computing and storage capacity on an as-needed basis instead of having to invest in new hardware and software. Interested customers had to work through the Defense Enterprise Computing Center to develop solutions.

Taking another step toward the cloud, DISA recently introduced RACE (Rapid Access Computing Environment), in which Department of Defense users go to a Web-based portal and provision their own operating environments based on standard Department of Defense architecture. RACE contractors include Hewlett-Packard, Apptis, Sun Microsystems and Vion.

“DISA likes that model in terms of supporting their customers,” Cohen said, though noting that DISA is developing its own cloud for a number of security and privacy reasons. “Building your own cloud is a whole different thing. When you build your own cloud, when does it become a cloud?”

Research in the cloud

Other, more public-facing agencies are embracing the now traditional cloud platforms offered by Amazon.com, Google and Microsoft. In February, Google announced it was working with NSF (National Science Foundation) and IBM to allow the academic research community to conduct experiments and test new theories and ideas using a large-scale, massively distributed computing cluster.

Jeannette Wing, the NSF assistant director for the Computer and Information Science and Engineering Directorate, said in an open letter to the academic computing research community that the relationship would give government-funded researchers access to resources that would be unavailable to them otherwise.

According to Wing, NSF hopes the relationship will provide a blueprint for future collaborations between the academic community and private enterprise. “We welcome any comparable offers from industry that offer the same potential for transformative research outcomes,” she said.

Other agencies are also considering a move to cloud computing. After an October cloud computing seminar for government IT agencies, Cohen said more than 20 agencies approached Booz Allen for further insights on life in the cloud.

“Cloud computing gives the ability to go out and try things,” Cohen said. “The cloud offers the opportunity to unlock new ideas. A lot depends on the IT problems they are trying to solve. The rate of adoption [for cloud computing] depends on how and when they are taking up the problem.”

The U.S. government’s march to cloud computing faces steep barriers to adoption, particularly in the areas of security and privacy, but nothing insurmountable, Cohen said. “There are already vulnerabilities in our existing infrastructure that are not in the cloud,” he said. “In the cloud it is harder to exploit these known vulnerabilities.”

Government regulations are also a problem that must be addressed. FISMA (Federal Information Security Management Act), which dictates what federal IT managers can and cannot do with their data, was written before cloud computing developed. The ITAA (Information Technology Association of America) is already exploring what standards the feds might use in cloud computing.

Overall, Cohen predicted, federal agencies will take up cloud computing sooner or later. Given the slow pace of government agencies, though, “sooner” can often be much later.

Do Federal Agencies Belong in Cloud Computing Networks?.

EAC gets mixed review for FISMA compliance

An independent evaluation of the Election Assistance Commission found that it continues for a second year to fall short of some requirements in the Federal Information Security Management Act. Many of the problems identified are tied to a lack of resources and to the commission’s reliance on the General Services Administration as a provider of IT services.

FISMA establishes broad requirements for IT security in executive branch agencies, including maintaining an inventory of information systems, certification and accreditation of those systems, and comprehensive risk-based security plans. It requires an annual evaluation of compliance, which the EAC inspector general this year turned over to the CPA firm Clifton Gunderson LLP.

“The U.S. Election Assistance Commission has made progress in educating users through security and privacy awareness training, and has initiated discussions to develop EAC specific policies related to information system security and privacy,” the IG said in the transmittal letter with the report. “However, additional improvements are needed. The evaluation found that the EAC has not established an information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program. In addition, the evaluation found that the EAC was not fully compliant with several provisions of the Privacy Act.”

The problems illustrate the challenges faced by small agencies with limited resources, which often rely on other agencies and outside third parties to provide IT services. In the case of EAC, GSA provides network services and applications supporting the commission’s operations. Its Web site is supported by Humanitas Inc. of Silver Spring, Md.

The Election Assistance Commission was established in 2002 by the Help America Vote Act to serve as a national clearinghouse and resource for election administrators. Its mission includes providing technology guidance and voluntary voting system guidelines, managing a voting system testing and certification program, and administering grants and payments to states to help them meet HAVA requirements.

EAC said in its response to the findings that it relies heavily on GSA’s security plans and controls for its IT security and continuity of operations, but is developing its own programs and capabilities.

“Though EAC’s process is informal considering the lack of documentation and procedural guides, a contingency plan exists for GSA systems which include EAC,” the agency wrote. “As a result, EAC would be effectively operational in the event of a minor or major disaster. EAC currently has a draft of recommendations for a COOP plan which will be addressed during the agency’s efforts to be in compliance.”

EAC also has hired a consultant to help it meet FISMA requirements, including, “completion of a certification and accreditation of support systems, system security plans and practices and procedural guides and documentation that will address the following issues:

  • Periodic assessments of risks.
  • Policies and procedures that are based on risk assessments.
  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and security controls.
  • A process for planning, implementing, evaluating and documenting remedial actions to address any deficiencies in the information security policies, procedures and practices of the agency.
  • Procedures for detecting, reporting and responding to security incidents.
  • Plans and procedures to ensure continuity of operations.
  • Subordinate plans for providing adequate information security for support systems.

This year’s FISMA evaluation identified three deficiencies that carried over from last year, as well as six new ones. Carryovers from last year were:

  • Lack of an inventory of systems and applications used by GSA to support EAC.
  • Lack of policies and procedures for information security or privacy management.
  • Inadequate personnel security practices at GSA, which is EAC’s service provider. GSA’s inspector general has reported some non-compliance with background checks for contractors.

New problems for this year are:

  • Lack of an agencywide information security program.
  • Failure to implement a security management structure with written authorities.
  • Failure to complete certification and accreditation, formal risk assessment, security plan or security test and evaluation of LAN and Web site general support systems.
  • Privacy Act non-compliance: No chief privacy officer, has not identified systems with personally identifiable information or done privacy impact assessments, no formal policies addressing info protection needs associated with PII accessed remotely or removed from offices.
  • Failure to establish formal incident response capability.
  • Failure to complete a continuity-of-operations plan, disaster recovery plan or business impact assessment.

EAC is looking to its contractor to help address most of these issues, and in the meantime, “EAC operates within GSA’s security controls,” it said.

EAC’s human resources director currently is acting as privacy officer and the commission still is facing difficulties in identifying a permanent official.

“EAC is currently researching this issue,” it wrote in response to the evaluation. “Due to the fact that the EAC is a small agency with limited human resources and capital, EAC needs to verify that the currently Acting Privacy Officer can formally be appointed Chief Privacy Officer due to the multiple roles and assignments that the person formally has.”

EAC gets mixed review for FISMA compliance.

How to ensure Call Center security

Information security has emerged as a significant concern for businesses that use call centers and Interactive Voice Response or voice portal systems for customer service, which include financial services institutions, insurance agencies and health care companies. Here, Knowledge Center contributor Ron Settele explains how companies can safeguard against a contact center security breach, while meeting new regulatory demands to prevent identity theft.

Identity theft remains a major problem in the United States, with Americans losing $45.3 billion last year. In 2007 alone, 8.4 million adult Americans, or one in 27, were the victims of identity fraud.

While this is a drop of 11 percent from the $51 billion lost in 2006, it’s still a significant issue for consumers. Contact centers and IVR (Interactive Voice Response) / voice portal systems are particularly vulnerable since existing methods of confirming callers’ identities are insecure.

The pressures

Understandably, consumers today are concerned about security. When it comes to access to voice self-service systems, they are not satisfied with PIN numbers and content knowledge alone for identity verification. Compared to current authentication methods, an increasing number of consumers feel that the use of their voiceprint would go a long way in making their transaction more secure and convenient. Most consumers would enroll their voiceprint with their financial institution, for example, if given the opportunity.

The politics

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a “formal interagency body empowered to prescribe uniform principles, standards and report forms for … financial institutions.” In 2001, the FFIEC provided specific guidance on authentication in an Internet banking environment. In 2005, it updated that guidance to include high-risk services performed through telephone banking systems and call centers attached to financial institutions. As financial institutions enhance their Internet banking security, threats will migrate to other access channels, mainly the telephone.

The insurance and health care industries are being similarly impacted by the Privacy Rule under HIPAA (the Health Insurance Portability and Accountability Act of 1996). HIPAA itself protects “individually identifiable health information” held or transmitted, in any form, whether electronic, paper or verbal. HIPAA’s Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI), which is any information about an individual’s health status, including biometric identifiers such as finger and voiceprints.

Both of these policies are forcing organizations to a heightened awareness of how to address critical security issues.

Until very recently, you could always count on being prompted for your account number and the last four digits of your social security number when accessing a self-service system. In many cases, the same would be true when speaking to a live agent. Times have certainly changed! There are now many methods available to enhance caller authentication. However, no single method is adequate. Utilizing multiple “factors” to authenticate the identity of a caller is advised.

What is a factor? The FFIEC places factors into three specific categories:

Category #1: Something the user has (such as an ID card, security token, software token, phone or cell phone)

Category #2: Something the user knows (such as a password, passphrase or PIN)

Category #3: Something the user is (such as a voiceprint, fingerprint or retinal pattern)

In some cases, providing access with single-factor, multi-item authentication would be considered adequate. In this case, the caller is challenged with several pieces of information that only they would be likely to know. These solutions are typically simple to implement and could be deemed adequate for callers accessing information that is not considered sensitive.

But that’s where the rub is! Opinions differ widely as to what types of information should be deemed sensitive. And, with the proliferation of information that can be accessed via the Internet, could single-factor, multi-item authentication ever be viewed as secure enough?

Multifactor and risk-based authentication solutions

These consumer concerns are pushing enterprises to consider multifactor and risk-based authentication solutions. Using something the user “knows” in combination with something they “are” provides a much more secure environment in which callers can access account information and transact business. The ability to compare and verify a voice sample from the caller against the voiceprint found in the customer profile (for the account being accessed) significantly increases the likelihood that the right person is attempting to access the account.

Even more secure authentication methods are available if other parameters are taken into account. What if, on top of the multifactor authentication method described above, the system also took into account the number from which you were calling? Or how about whether or not the transaction you are performing is typical based on past behavior? How about taking into account the “Superman Effect?” What do I mean by that? It’s when someone tries to access your account from Los Angeles and then tries again just an hour later from New York City.

Risk-based authentication can take all of these parameters into account and more. How about taking into account access attempts from the Internet and the contact center? Solutions such as these are available today and can be tailored to meet your business needs. Market and regulatory pressure is building to require enterprises to deliver more secure access to customer account information. How secure is your customers’ information?
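To make the risk-based approach concrete, the following added example (not code from the article or its author) scores a contact-center call using the three FFIEC factor categories plus the behavioural signals discussed above: the calling number, whether the transaction is typical for the customer, and the “Superman Effect” (two accesses too far apart in too little time). The customer profile, the score weights, the thresholds and the voice-match scores are all constructed for illustration; a real deployment would tune them and take the voice score from its biometric engine.

```python
"""Risk-based caller authentication for a contact center / IVR (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Hypothetical policy values; constructed for this example.
VOICE_MATCH_THRESHOLD = 0.80    # minimum voice-biometric match score to accept
MAX_PLAUSIBLE_SPEED_KMH = 900   # faster than this between two accesses is "Superman"
ALLOW_BELOW, STEP_UP_BELOW = 30, 60  # risk-score bands: allow / step up / deny


@dataclass
class CustomerProfile:
    account_id: str
    known_numbers: frozenset          # phone numbers the customer has called from before
    voiceprint_enrolled: bool
    typical_transactions: frozenset   # transaction types seen in past behaviour
    last_access_time: Optional[datetime] = None
    last_access_location: Optional[tuple] = None  # (latitude, longitude)


@dataclass
class CallAttempt:
    account_id: str
    knowledge_asked: int                 # factor 2: "something you know" challenges asked
    knowledge_passed: int                # ... and how many the caller answered correctly
    voice_match_score: Optional[float]   # factor 3: 0..1 from the voice engine, None if no sample
    calling_number: str                  # factor 1: the phone line the caller is using
    transaction: str
    time: datetime
    location: tuple                      # approximate (lat, lon) derived from the calling number


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def superman_effect(profile: CustomerProfile, attempt: CallAttempt) -> bool:
    """True if getting from the last access location to this call's location
    in the elapsed time would require an implausible travel speed."""
    if profile.last_access_time is None or profile.last_access_location is None:
        return False
    hours = (attempt.time - profile.last_access_time).total_seconds() / 3600.0
    if hours <= 0:
        return True  # same instant or clock skew: treat as suspicious
    km = haversine_km(profile.last_access_location, attempt.location)
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


def assess(profile: CustomerProfile, attempt: CallAttempt) -> dict:
    """Combine the factors into a risk score and a decision: allow, step_up or deny."""
    score, reasons = 0, []
    # Factor 2: something the caller knows.
    if attempt.knowledge_passed < attempt.knowledge_asked:
        score += 40
        reasons.append("failed knowledge challenge")
    # Factor 3: something the caller is (voiceprint), when the customer has enrolled one.
    if profile.voiceprint_enrolled:
        if attempt.voice_match_score is None or attempt.voice_match_score < VOICE_MATCH_THRESHOLD:
            score += 50
            reasons.append("voiceprint did not match")
    else:
        score += 15
        reasons.append("no second factor available")
    # Factor 1: something the caller has (the phone line).
    if attempt.calling_number not in profile.known_numbers:
        score += 20
        reasons.append("unrecognised calling number")
    # Behavioural signals: is this transaction typical, and is the travel plausible?
    if attempt.transaction not in profile.typical_transactions:
        score += 15
        reasons.append("atypical transaction")
    if superman_effect(profile, attempt):
        score += 40
        reasons.append("implausible travel since last access")
    if score < ALLOW_BELOW:
        decision = "allow"
    elif score < STEP_UP_BELOW:
        decision = "step_up"   # e.g. route to an agent for extra challenges, or call back
    else:
        decision = "deny"
    return {"risk_score": score, "decision": decision, "reasons": reasons}


# Constructed sample data: a customer last seen in Los Angeles at T0.
LOS_ANGELES, NEW_YORK = (34.05, -118.24), (40.71, -74.01)
T0 = datetime(2008, 12, 3, 17, 0)
PROFILE = CustomerProfile("acct-1001", frozenset({"+13105550100"}), True,
                          frozenset({"balance", "bill_pay"}), T0, LOS_ANGELES)
LEGITIMATE = CallAttempt("acct-1001", 2, 2, 0.92, "+13105550100", "balance",
                         T0 + timedelta(days=3), LOS_ANGELES)
SUPERMAN = CallAttempt("acct-1001", 2, 2, 0.55, "+12125550199", "wire_transfer",
                       T0 + timedelta(hours=1), NEW_YORK)   # LA, then NYC an hour later
UNUSUAL = CallAttempt("acct-1001", 2, 2, 0.92, "+12125550199", "wire_transfer",
                      T0 + timedelta(days=3), NEW_YORK)

if __name__ == "__main__":
    for name, call in (("legitimate", LEGITIMATE), ("superman", SUPERMAN), ("unusual", UNUSUAL)):
        print(name, assess(PROFILE, call))
```

The “step_up” outcome is where a contact center would fall back to the live agent or an out-of-band callback rather than either serving or refusing the caller outright.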

eWeek.

20 Employees Fired for Viewing Collier’s Medical Records

It seems some employees at Shands-Jacksonville Medical Center violated Richard Collier’s right to privacy by viewing his medical records unnecessarily. Under the HIPAA (Health Insurance Portability and Accountability Act) laws, an individual’s medical records have been given a new level of privacy. No one in a hospital is allowed to arbitrarily view medical records unless they are directly involved in the patient’s care, or if the patient gives them written permission.

What these “employees” have done is both disgusting and reprehensible. None of these people can plead ignorance either because HIPAA law is literally drilled into your head if you work in the healthcare field. In my psychology doctorate program I am currently enrolled in an Ethics course and I had to take a 4 hour online exam to become certified in HIPAA. On top of that, we spent two class periods (6 hours) going into detail about all of HIPAA’s regulations, as well as the healthcare provider’s responsibility to protect the patient’s privacy at all cost.

Imagine someone seeing everything you’d ever had wrong with you since birth; talk about humiliating. Even without centralized records, your medical records are still pretty far back reaching in terms of history. In the technological age we live in today, the stakes are even higher, because it would have only taken five minutes for an employee to scan and post it all over the web. Make no mistake, this is a serious offense and these workers should be fired post haste.

However, it seems the employees union has plans to appeal the termination and file a grievance against Shands-Jacksonville Medical Center on the basis of unfair treatment.

20 Employees Fired for Viewing Collier’s Medical Records – Big Cat Country.

Hedge Your Bets: The Importance of IT Risk Management in M&A

Information & technology (IT) is a critical component in achieving an M&A strategy; without effective IT risk management, the value of the deal could be threatened or even eroded. IT risk management is a multi-disciplinary undertaking, and covers a variety of functional domains—ranging from data protection to change management. (See “Common IT Risk Management Areas” below.) It is also a multi-faceted and complex undertaking that entails consideration of a wide array of compliance requirements. As such, in a business environment with increasing emphasis on regulatory compliance, the role of IT risk management becomes more important as an enabler of the M&A strategy.

Often, many organizations need to demonstrate compliance with several overlapping requirements. A large financial company may need to meet Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry data security standard (PCI), Health Insurance Portability and Accountability Act (HIPAA), and other mandates such as those from the Federal Financial Institutions Examination Council, Office of the Comptroller of the Currency, and Federal Trade Commission; a global transportation company may need to meet SOX, HIPAA, PCI, FTC, and European Union and Asia-Pacific Economic Cooperation data protection requirements. The effort to meet these regulations often further complicates the efforts required to identify an approach and develop a strategy to mitigate risks when consolidating or separating companies.

Although many of these regulations address similar requirements, such as data protection, access controls, transaction auditing, data availability and system monitoring, compliance with one set of regulations does not necessarily translate into compliance with another. The specifics of each set of regulations must be carefully evaluated.

Furthermore, international M&A transactions are likely to be much more complex than domestic transactions. In international transactions, companies must not only consider the regulatory compliance concerns noted above; they must also take into account the potential risks to corporate risk governance, employee data rights, customer data expectations, cross-border data flow, as well as the risk and compliance culture of the home countries of all entities involved in the M&A transaction. Failure to adequately address these factors could scuttle the transaction.

In this complex risk environment, it is clear that IT risk management must be effectively implemented to effectively address the myriad legal, regulatory, contract, and compliance requirements; otherwise, IT risk issues left unaddressed could fundamentally affect the overall M&A strategy and desired value creation.

Is the Loss of Business Value Real?
Based on Deloitte’s experience with M&A transactions, when IT risks, especially those risks that are compliance-driven, are not fully addressed, they can completely undermine the expected value creation of an M&A transaction. Generally, IT risk tends to impact M&A deal value in four primary areas: IT cost, EBITDA, technology, and regulatory and governance.

Examples of common IT risk issues that can have a serious negative impact on M&A transactions include:

  • Inevitable technology changes occur with disparate systems in combined entities and often create system consolidation delays and increase the security and compliance risks with the existing systems
  • The combined entity creates a new state, federal, and/or global jurisdiction operating footprint that often faces potential regulatory and financial risk from the possible compromise of personally identifiable information (PII)
  • The listing of IT assets assumed to be acquired during the financial due diligence process does not reconcile with detailed IT-listed assets, which results in lost value transfer
  • Unclear legal rights over existing key applications and information often inhibit integration and/or separation of IT systems
  • Sensitive information cannot be identified and located, which impedes, and can completely halt, application and system integration and/or isolation
  • The merged entities have disparate access management systems, but they have a need for immediate access to information, which often results in poorly consolidated systems that lead to segregation of duty conflicts and improper data access
  • Hidden liabilities in licenses and third-party contracts result in lost value and increased legal costs
  • Dated technology prevents customization and leads to lost business agility, opportunity and value

So, what is needed to minimize these types of risks from compromising an M&A transaction?

The IT Risk Management Framework
To mitigate the risks described above, M&A due diligence teams should incorporate a comprehensive IT risk management framework and readiness diagnostic into their planning and implementation efforts.

A sound IT risk management framework and readiness diagnostic has several key qualities. First, it is structured, risk-focused, and customizable to cover small and large organizations. Next, it helps in the translation of information protection and technology issues into business risk impacts that will affect the overall M&A transaction. Finally, it helps address industry standards and regulatory requirements for each of the IT risk areas highlighted earlier in this paper.

The IT risk management framework and readiness diagnostic can be organized around five core components — integrated requirements, technology assessment, information assessment, business assessment, and risk quantification.

Integrated requirements establish the required IT risk management practices to be assessed during the M&A transaction. Assessment practices and criteria are established by identifying and aligning the applicable IT risk-related business requirements for each of the common IT risk management areas (see above). These should include:

  • Industry common practices (e.g. International Organization for Standardization (ISO) 27002, COBIT 4.1, Information Technology Infrastructure Library (ITIL), American Institute of Certified Public Accountant’s (AICPA) Generally Accepted Privacy Practices, etc.)
  • Laws and regulations (e.g. GLBA, HIPAA, EU Privacy Directive, CA SB1386, FTC Standards for Safeguarding Customer Information, etc.)
  • Industry standards (e.g. PCI Data Security Standard, BITS, etc.)
  • Acquiring and acquired organizations’ internal IT risk-related policies and standards for each of the common IT risk management areas previously mentioned

This particular IT risk management component is especially beneficial to those organizations that worry about compliance questions such as ‘How does the “new” operating structure comply with SOX quickly?’ By establishing and evaluating integrated requirements early in the IT due diligence process, the acquiring organization should have already identified the SOX-related requirements and their impact on the other organization’s operations. Once the M&A transaction has been executed, the acquiring organization should be able to quickly apply their SOX control framework to the acquired organization and assimilate the various reporting entities into the new organization’s compliance testing and reporting process.

A Framework for Value Protection

The technology assessment considers core technology development, licensing and integration issues. Generally, this assessment will consider:

  • Technology software and infrastructure vulnerabilities that may affect service levels
  • Capacity and scalability of key systems to satisfy business requirements
  • System backup and power issues that may cause business disruptions
  • Unsupported systems and code
  • Vendor-owned source code that is not available for changes
  • Vendor service-level adequacy
  • Non-favorable clauses in vendor agreements that would be affected by change in ownership
  • Termination of key employees
  • Loss of quality resources required for integration efforts
  • Legal rights to existing key applications
  • Source code that is not in escrow
  • Hidden liabilities in licenses and support contracts

The information assessment considers sensitive data-handling requirements and how well data is protected. Generally, this assessment will consider:

  • Systems and data accessible by unauthorized users and how unauthorized access to such data can affect the company’s brand and reputation
  • Authorization, development, and approval processes for the records program
  • Privacy, intellectual property, and other sensitive information collection, usage, storage and complaints-handling processes
  • Third party contractual arrangement adequacy for addressing sensitive information handling

The business assessment considers technology strategy alignment with the business, business process control integrity & automation, and governance & compliance matters. Generally, this assessment will consider:

  • IT strategy that is not aligned with the current and future business requirements
  • Current systems that are not suitable for business requirements
  • Inefficient manual work-around procedures that are required to operate the business
  • Level of system automation that does not match the level disclosed by management
  • Recently-integrated business systems that have internal control integrity issues
  • Internal controls and SOX 404 issues that will impact regulatory compliance
  • Insufficient governance of IT system projects that could result in hidden future IT costs or write down of IT assets due to inappropriate system development

The risk quantification translates identified IT risks into financial impact statements and helps prioritize them for consideration in the final M&A transaction decision.

Today’s risk and compliance environment compels organizations that are developing M&A strategies to integrate IT risk management into their M&A planning and implementation processes. Left unaddressed, IT risk issues can fundamentally affect the overall M&A strategy and desired value creation. A properly structured IT risk management framework and readiness diagnostic can provide practical insights into the information and technology risk issues. Including IT risk management from the outset can make the M&A picture complete, rather than an unfinished puzzle.

Bill Kobel (bkobel@deloitte.com) is a Principal and John Gimpert (jgimpert@deloitte.com) is a Partner with Deloitte & Touche LLP.

Hedge Your Bets: The Importance of IT Risk Management in M&A.

Data Breaches at State, Local Agencies Expose Data about Millions


October 21, 2008 • by William Jackson

Data breaches at state and local government agencies exposed the personal information of nearly 3.8 million Americans in the first three quarters of this year, according to the Privacy Rights Clearinghouse.

Most of the exposures came from a single incident in July at the Colorado Division of Motor Vehicles that compromised information on 3.4 million people. But even discounting that incident, the number of records exposed in breaches at state and local agencies outstripped those reported at federal agencies in the same period.

The figures underscore the need for standardized and improved data security at state and local government agencies, said Abe Kleinfeld, president and chief executive officer of nCircle Network Security Inc., of San Francisco.

“I don’t think we are seeing an unusual amount of data breaches” at the state and local levels, Kleinfeld said. “The danger is the kind of data they have. It is becoming increasingly important that states begin developing some kind of program.”

The company compiled the data on state and local breaches from the Privacy Rights Clearinghouse, which documented 20 breaches through September.

In the same period, the clearinghouse reported five incidents of breaches at federal agencies that exposed the records of 23,024 people. The largest was in May at the Marine Corps Reserve Center in San Antonio, where a contractor improperly accessed and stole 17,000 records. Another incident at the International Visa Service in Atlanta involved an employee’s theft of data on 1,000 people.

The lower federal numbers illustrate improvements in the government’s data security, which Kleinfeld said can be attributed largely to the standardized processes and controls required under the Federal Information Security Management Act.

“There are a lot of complaints about FISMA, but I think it is hard to argue that security has not improved in the federal government,” he said. “It has improved.”

States remain vulnerable because there is no similar overarching standard for data or information system security, he said. “We need some kind of program like FISMA that extends across state and local governments,” he added.

Imposing a nationwide standard for government data security would be difficult, and it is unlikely to happen in the short run, Kleinfeld said. But FISMA-like requirements could eventually be extended to state and local agencies that administer federal programs or share data with federal agencies.

In the meantime, Sen. Norm Coleman (R-Minn.) introduced a bill last month that could help. S. 3460, the State Cyber Security Protection Act of 2008, would give the Homeland Security Department $25 million to fund a pilot program to support cybersecurity efforts at the state level. The bill has been referred to the Homeland Security and Governmental Affairs Committee.

A program to share best practices among agencies at all levels of government and create cybersecurity templates, even if they are not mandated, would be a big step forward in data security, Kleinfeld said.

Security breaches with exposure of personal data at the state level, as reported by the Privacy Rights Clearinghouse through September, include:

Florida Department of Children and Families — 1,200 records exposed.

Maryland Department of Assessments and Taxation — 900 records exposed.

Wisconsin Department of Health and Family Services — 260,000 records exposed.

Virginia Department of Social Services — 1,500 records exposed.

Wisconsin Department of Revenue — 5,000 records exposed.

South Carolina Department of Health and Environmental Control — 400 records exposed.

Nevada Department of Public Safety — 109 records exposed.

Utah Division of Finance — 500 records exposed.

Pennsylvania Department of State — 30,000 records exposed.

Rhode Island Department of Administration — 1,400 records exposed.

Oklahoma Department of Corrections — 10,597 records exposed.

Baltimore Highway Administration — 1,800 records exposed.

Oklahoma Corporation Commission — 5,000 records exposed.

Connecticut Department of Labor — 2,100 records exposed.

California Department of Consumer Affairs — 5,000 records exposed.

Texas Department of Public Safety — 826 records exposed.

Florida Agency for Health Care Administration — 55,000 records exposed.

Colorado Division of Motor Vehicles — 3.4 million records exposed.

California Department of Consumer Affairs — 5,000 records exposed.

Pennsylvania Department of Public Welfare — 2,845 records exposed.

William Jackson is the senior writer for Government Computer News (GCN.com). You can contact him about this story at bjackson@1105govinfo.com.

Redmond | News: Data Breaches at State, Local Agencies Expose Data about Millions

New health-care privacy laws heighten need for HIPAA compliance in California

Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline

Jaikumar Vijayan

October 7, 2008 (Computerworld) Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.

Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.

In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.

The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. “The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue,” MacKoul said.

And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.

“The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago,” MacKoul said. As state statutes, SB 541 and AB 211 don’t directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.

The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S. Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent “corrective action plan” in response to what HHS described as potential HIPAA violations.

The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement stemmed from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.

In California, SB 541 (download PDF) was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly’s Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.

The new law amends and adds to sections of the California Health and Safety Code. One of the most significant changes is the addition of a requirement that covered entities take steps to prevent unauthorized access to patient health data — not just “unlawful” access, as was the case previously.

The change in terminology means that health care organizations will need to implement controls not just to protect information from malicious outsiders, but also to guard against misuse of data by employees who have access to systems as part of their job responsibilities, MacKoul said.

For instance, the consultants who wrote the analysis of SB 541 for the Committee on Health pointed to an incident at the University of California, Los Angeles, earlier this year in which a former UCLA Medical Center employee was charged with illegally accessing the confidential medical records of 939 individuals — including Maria Shriver, Schwarzenegger’s wife, and about 30 other celebrities. And that employee was just one of 127 workers at UCLA who allegedly snooped into data files without authorization.

SB 541 specifically requires covered businesses — such as licensed clinics, health facilities, home health agencies and hospices — to implement physical, technical, administrative and procedural safeguards for preventing unauthorized and unlawful access to patient data and for monitoring employee access to the data. The new law gives the CDPH authority to impose fines of up to $25,000 for each patient whose medical information may have been accessed, used or disclosed in an unauthorized manner.
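As an added illustration of the “monitoring employee access” safeguard the bill calls for (example code added here, not from the article, the CDPH or any vendor): a minimal audit pass over constructed EHR access-log lines that flags chart views by staff with no documented relationship to the patient and counts how many unrelated charts each user touched, the insider pattern described in the UCLA incident above. The log format, the care-team roster and every user and patient identifier are constructed for the example.

```python
from collections import defaultdict, namedtuple

# Constructed sample access log (not real data): timestamp|user|patient_id|action
SAMPLE_LOG = """\
2008-10-01T08:02:11|nurse_ak|P-1001|VIEW_CHART
2008-10-01T08:05:40|dr_lee|P-1001|VIEW_CHART
2008-10-01T09:12:03|clerk_jm|P-1001|VIEW_CHART
2008-10-01T09:13:27|clerk_jm|P-1002|VIEW_CHART
2008-10-01T09:14:50|clerk_jm|P-1003|VIEW_DEMOGRAPHICS
2008-10-01T10:30:00|dr_lee|P-1002|UPDATE_NOTE
2008-10-01T11:45:12|billing_rs|P-1003|VIEW_DEMOGRAPHICS
"""

# Constructed roster: users with a documented treatment or payment relationship
# to each patient. In a real system this comes from scheduling/admission data.
CARE_TEAM = {
    "P-1001": {"nurse_ak", "dr_lee"},
    "P-1002": {"dr_lee"},
    "P-1003": {"billing_rs"},
}

Access = namedtuple("Access", "ts user patient action")


def parse_log(text):
    """Parse pipe-delimited access records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        records.append(Access(ts, user, patient, action))
    return records


def find_unauthorized(records, care_team):
    """Return every access by a user with no relationship to that patient."""
    return [r for r in records if r.user not in care_team.get(r.patient, set())]


def snooping_summary(findings):
    """Distinct unrelated patients per user; a high count is the review trigger."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f.user].add(f.patient)
    return {user: len(patients) for user, patients in per_user.items()}


if __name__ == "__main__":
    flagged = find_unauthorized(parse_log(SAMPLE_LOG), CARE_TEAM)
    for f in flagged:
        print(f"FLAG {f.ts} {f.user} -> {f.patient} ({f.action})")
    print(snooping_summary(flagged))
```

The roster lookup is the heart of the check: a user who is not on a patient's care team is flagged on every access, which is exactly the review queue a daily privacy audit works from.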

Health care organizations also face administrative penalties of up to $100,000 — or four times the previous maximum of $25,000 — for data privacy and security violations that potentially put patients at immediate risk of injury or death. And SB 541 includes a new disclosure rule, under which any breaches must be disclosed both to the affected patients and the CDPH within five days of being discovered. Organizations that fail to do so can be fined $100 per violation for each day they are late, up to a maximum of $250,000.

Importantly, SB 541 also allows the CDPH to refer entities that aren’t compliant with HIPAA to the new Office of Health Information Integrity for enforcement under the provisions of AB 211. That bill, which is an amended version of an earlier measure (download PDF), also requires health care organizations to “reasonably safeguard” patient data from unauthorized access.

Like SB 541, AB 211 was sponsored by the CDPH and provides for a range of fines to be assessed against violators, starting from $2,500 to $25,000 per violation for organizations that negligently disclose patient records. People or companies that illegally use medical information for financial gain face fines of up to $250,000 per violation.

In addition, AB 211 allows individuals to take legal action against covered entities and licensed health professionals for failing to adequately protect their medical data. Patients can claim up to $1,000 in damages under the law, even if a data exposure caused them no harm.

New health-care privacy laws heighten need for HIPAA compliance in California.

New FTC Rules Governing Health Providers Go Into Effect Nov. 1 – Security Blog – InformationWeek

New FTC Rules Governing Health Providers Go Into Effect Nov. 1

Posted by George Hulme, Oct 23, 2008 12:27 AM

Are you ready? In about a week, new so-called “Red Flag Rules” from the FTC go into effect, aimed at curbing medical identity theft.

It’s a good thing, too. It seems new headlines surrounding medical identity theft surface all of the time. Just last week, a Californian pleaded guilty to federal charges for defrauding Medicare. The man allegedly used patients’ Medicare identification numbers without their knowledge. His sentencing is scheduled for sometime this January, and he faces 12 years for billing the Medicare system for about $1,640,000.

Sometimes it’s not outright fraud; sometimes it’s just negligence on the part of hospitals themselves for failing to properly protect patient data. Consider this recent story about patients at Mary Washington Hospital, who learned it was possible for anyone to look at the private medical information of about 803 maternity patients on the hospital’s online registration system. A hospital spokesperson called the incident an “anomaly.” Ten years of reporting on these types of breaches tells me there’s a high probability that someone neglected to properly secure or patch the system. While there was no medical identity theft in this specific case (that we know of), such carelessness can and will certainly lead to more incidents.

Now, the U.S. Department of Health & Human Services (HHS) is showing more interest in the role health care providers can play in combating medical identity theft in the face of new Federal Trade Commission rules that go into place Nov. 1.

According to this press release, many hospitals aren’t even aware of the rules:

In October, both the HHS Office for Civil Rights (OCR) and the Office of the National Coordination for Health Information Technology (ONC) signaled that stronger actions to address the issues of identity theft and particularly medical identity theft are coming.

On Oct. 10, OCR said it was examining the FTC’s identity theft regulations, as questions have been raised over whether violations of the so-called “Red Flag” rules could also constitute violations of the HIPAA privacy or security rules. There also have been no decisions on whether OCR or CMS would refer cases to the FTC when they receive complaints in their HIPAA enforcement systems.

Many health care organizations are not aware that they will come under FTC authority as a result of identity theft rules that were once thought to only apply to financial institutions and other lenders.

The Red Flag rules require any organization — including nonprofits and government agencies not traditionally subject to FTC jurisdiction — that does not require payment at the time it provides service to establish and maintain a program to spot and address possible ID theft.

In recent weeks, the FTC said the rules also applied to health care entities.

This is good news, even if these red flag rules from the FTC do overlap with HIPAA. Why? Because too few hospitals have been fined or sanctioned for failing to properly safeguard patient data — like Mary Washington Hospital — by adequately putting into place the precautions necessary to make sure someone’s health privacy isn’t violated by an avoidable “anomaly.”

New FTC Rules Governing Health Providers Go Into Effect Nov. 1 – Security Blog – InformationWeek