November VA Information Security Report: 693 Veterans’ Data Exposed
The November information security report from the Department of Veterans Affairs to Congress shows a slight increase in the number of breach victims month on month. There were almost 7% more breach victims created in November than October, 2015, with 693 veterans affected compared to 648 last month. There were significant improvements in the number of mishandling incidents, down almost 21% from 81 in October to 64 in November. There were approximately 7% fewer mis-mailed incidents reported for the month, falling from 123 to 114 over the same period. Pharmacy mis-mailings were also down from 8 in October to just one incident out of 6,145,859 mailings sent in November: a major improvement month on month. Figures for the number of lost devices were virtually identical to October, with 47 devices reported lost compared to 49 last month. The November VA information security report indicates 156 PIV cards were lost in November. There were 158 PIV cards reported lost in October. Fewer breach notifications needed to be sent out in November, although substantially more victims were offered...
Only Half of Companies Have a Computer Security Incident Response Team
Defenses can be put in place to prevent cybersecurity incidents, but sooner or later a cyberattack will be suffered. It is therefore essential that healthcare organizations have the infrastructure and policies in place to respond quickly to an attack. A dedicated computer security incident response team can be invaluable in this regard. Under HIPAA Rules, all covered entities must develop a data breach response plan which can be put in place as soon as a data breach is discovered. The breach response plan must be executed immediately, yet many healthcare organizations do not have a dedicated computer security incident response team. A response team consists of a number of IT security experts whose main role is to respond to security incidents and data breaches as soon as they occur.
New Survey Indicates Half of Companies Lack a Dedicated Computer Security Incident Response Team
A recent survey commissioned by (x)matters looked at the security response capabilities of U.S. companies. The survey was completed by 400 IT professionals, 13% of whom were employed in the healthcare...
Healthcare Cybersecurity Addressed in Omnibus Bill
New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by Congress late last week. The aim of their inclusion is to help healthcare organizations tackle the growing risk of cyberattacks, and provide them with the information and guidance necessary to let them shore up their defenses, plug security gaps and make them less vulnerable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday. One of the ways that the new legislation will help healthcare organizations is with the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be...
Texas Healthcare Employee Facing Jail for Disclosure of Patient Health Information
A former employee of State of the Heart Cardiology in Grapevine, TX, has entered into a plea deal in a case filed against her for the improper disclosure of patient health information. Ebony Shonte Echols, 35, agreed to plead guilty to the wrongful disclosure of Protected Health Information of a patient in the hope that she will avoid a jail term. The former healthcare worker was indicted in January, 2015, for disclosing patient data with malicious intent after getting into an argument with a patient. The incident occurred in February, 2014. A pilot visited State of the Heart Cardiology in order to have a physical fitness exam conducted. The Federal Aviation Administration (FAA) requires all pilots to pass a physical examination by an FAA-authorized aviation medical examiner. The commercial airline pilot got into an argument with Echols when he complained about the State of the Heart Cardiology clinic. Echols subsequently told the patient he had been terminated as a patient of the clinic, and that she would be sending his medical records to the FAA. The pilot instructed her not to...
Visual Hacking Risk Needs to be Addressed, Says 3M
Hackers may be using high-tech methods to obtain the Protected Health Information of healthcare patients, but HIPAA-covered entities must take action to protect themselves from low-tech threats such as shoulder surfing and visual hacking. Shoulder surfing and visual hacking are names used to describe the practice of obtaining sensitive information from computer screens and other electronic equipment as data is entered or viewed. That information may be visible on the screen or the user of a computer could be observed entering a password on a keyboard. The direct observation technique is often seen at cash-dispensing machines as users enter their PIN numbers. The same techniques can be used on healthcare providers, and the practice is common in offices according to 3M. Remembering a PIN number or a password as it is entered is not a difficult task, but remembering a name, address, phone number and social security number would be much more difficult. However, according to 3M, the practice is easy, highly effective, and can result in sensitive data being obtained. Information could...



