Risk
1/9/2012
12:14 PM
Connect Directly
RSS
E-Mail
50%
50%

More Patient Data Risks, Lawsuits Predicted In 2012

The new year promises to bring greater patient data risks as healthcare organizations increase their use of mobile technology and social media sites.

Top 9 Health IT Stories Of 2011
Top 9 Health IT Stories Of 2011
(click image for larger view and for slideshow)
According to experts in healthcare law and information privacy and security, healthcare IT managers can expect to see more patient data breaches in 2012, along with more lawsuits filed by patients as the availability of patient information exchanged over social media sites and mobile devices grows.

These conclusions, published by ID Experts, offer a glimpse into what health CIOs can expect as they seek to protect patient data during a year that promises more of the same challenges they faced last year. In 2011, the healthcare industry had its fair share of patient data breaches, and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) stepped up its oversight activities, handing down fines to healthcare organizations that were lax in meeting their patient privacy obligations.

Rick Kam, president and co-founder of ID Experts and chair of the American National Standard Institute’s (ANSI’s) PHI Project, gave InformationWeek Healthcare his assessment of the forecasts, noting that "the thread that links all of the predictions together is safeguarding. Protected health information (PHI) is truly a patient safety issue, and healthcare data breaches will reach epidemic proportions this year if precautions are not taken."

[Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs.]

On the legal front, Kirk Nahra, partner at the law firm Wiley Rein LLP, predicts that the number of class-action lawsuits will increase in 2012 as patients sue healthcare organizations for failing to protect their health information.

Adam Greene, partner at Davis Wright Tremaine, said the next 12 months will bring greater attention to the 150 HITECH Act audits and publication of the final rules implementing modifications to the Health Insurance Portability and Accountability Act (HIPAA) regulations. Greene also said 2012 will see the OCR more aggressively pursuing enforcement against noncompliance due to "willful neglect." That will result in more financial settlements and fines.

Christine Marciano, president of Cyber Data Risk Managers LLC, said she foresees healthcare organizations increasingly signing up for cyber security and data breach insurance policies to protect themselves and their patients.

However, while insurance can provide some financial protection, other dangers are on the horizon. Larry Walker, president of The Walker Company, a healthcare consulting firm, said this year health providers will continue to outsource many functions, such as billing, to third parties or business associates (BA). But BAs are often considered the weak link in the data privacy and security chain.

Other privacy dangers will come from social media, according to Chris Apgar, CEO and president of Apgar & Associates, LLC. This year will see more physicians and healthcare organizations communicating with patients over social media sites. The misuse of social media will increase, as will the risk of exposure of PHI, Apgar predicts.

Christina Thielst, health administration consultant and blogger, believes the increasing use of tablets, smartphones, and tablet applications in healthcare will force providers to enter agreements that outline written terms of use with employees and contractors using personal devices in a healthcare setting.

With regard to cloud computing, James C. Pyles, principal, Powers Pyles Sutter & Verville PC, said because of security and privacy regulations there will be a demand for more health plans, health care providers, and health care clearinghouses to enter into a carefully worded business associate agreement with a cloud computing vendor before disclosing protected health information. These organizations should ensure that they have adequate cyber security insurance to cover the direct and indirect costs of a breach.

Given these predictions, Kam recommends that health CIOs:

-- Conduct an inventory to find out where protected health information and personally identifiable information exists within their organization and where this information exists at their business associates.

-- Perform a risk assessment to understand where there may be vulnerabilities and risks of unauthorized disclosure, and mitigate the risks you identify.

-- Evaluate relationships with current business associates and contracts to ensure that their organization’s privacy and security requirements are covered. Start with those business associates that present the highest risk.

-- Develop a clear communication plan for reporting unauthorized disclosures caused by the business associates.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CMARCIANO000
50%
50%
CMARCIANO000,
User Rank: Apprentice
1/12/2012 | 8:39:23 PM
re: More Patient Data Risks, Lawsuits Predicted In 2012
To expand on my comment above, its important that when a healthcare organization outsources its critical health information that they insist that their third party vendor has a data breach/cyber insurance policy in the event of a data breach. I am seeing more and more contracts that are requiring that a third party vendor has a data breach/cyber insurance policy. A Commercial General Liability (CGL) insurance policy is no longer enough today, as it does not cover cyber risks or digital information. This is a very important consideration for healthcare organizations.
CThielst
50%
50%
CThielst,
User Rank: Apprentice
1/12/2012 | 1:46:06 AM
re: More Patient Data Risks, Lawsuits Predicted In 2012
Lisa: We can expect to see social media technologies being used to gather information from patients and healthcare consumers and this data being uploaded into the patient's PHR or their EHR. Take microblogging or texting technologies for example. They can be used to communicate reminders to patients (time to take medication) or for mood monitoring or other reporting back to their clinician. The key is that this must be done on technologies that are secure and have the necessary safeguards to avoid breaches.
Christine Arevalo
50%
50%
Christine Arevalo,
User Rank: Apprentice
1/11/2012 | 1:39:38 AM
re: More Patient Data Risks, Lawsuits Predicted In 2012
In reference to social media and risks to patient data, patients can put themselves at risk by revealing too much information through social media outlets. Using this vehicle for communication between Dr. and Patient can also create legal risks for the medical facility or the physician. As this becomes more and more a GǣstandardGǥ communication channel for us, the risks of misuse, abuse, and unauthorized disclosures increases.

One reason for the concern is that the misuse of personal health information can have much greater impact on a patient than other types of data misuse. Also the effects of problems like medial identity theft, for example, can truly be devastating, if not deadly.
DPOLLACK000
50%
50%
DPOLLACK000,
User Rank: Apprentice
1/11/2012 | 1:12:18 AM
re: More Patient Data Risks, Lawsuits Predicted In 2012
To expand on the import of this article, 2012 promises to be a year where outsourcing of health information is likely to be a new and critical factor that contributes to data breach incidents. Healthcare providers are aggressively putting patient records into electronic health record (EHR) systems, and moving towards exchanging this type of information with health exchanges.

They are also increasingly using cloud-based services for hosting information in order to remove the physical threat and hassles that go along with sited computer systems. But as more information moves into the cloud, and out to other outside data processors, the threat of data breach grows dramatically.

Lawsuits and regulatory actions are likely to strike fear into the healthcare providers, but it is unlikely that this fear will translate into enhanced privacy and security until top management of health systems allocate budget and resources, and make this a top priority for their organizations. That surely isn't happening today.
Lisa Henderson
50%
50%
Lisa Henderson,
User Rank: Apprentice
1/10/2012 | 1:10:56 AM
re: More Patient Data Risks, Lawsuits Predicted In 2012
The consultants pretty much pointed out the loose links in the heatlhcare data chain, although I'm not clear on how social media affects personal health information, unless people are sharing their own information on social media? I'd like to see more specifics around that topic, such as which social media and how it can be risk-managed as far as a healthcare data breach.

I do hope that 2012 is not as dire as the prediction that "healthcare data breaches will reach epidemic proportions this year if precautions are not taken."

Lisa Henderson, InformationWeek Healthcare, contributing editor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the security connected approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.