Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security
Under the HIPAA Rules, access to Protected Health Information must be strictly controlled. HIPAA-covered entities must therefore implement technical safeguards to ensure that only authorized individuals are able to gain access to data. EHRs and other software systems used to store or transmit ePHI must be protected by, at a minimum, a username and password, and every attempt to gain access to ePHI must be logged and the logs periodically audited.

Improving ePHI Security with Two-Factor Authentication
Data security can be greatly enhanced by the use of two-factor authentication. Two-factor authentication requires an additional identification factor (beyond the username/password combination) to be presented before access to ePHI is granted. Under the HIPAA Security Rule (45 CFR Part 164) this control is strongly advisable but not mandatory; however, under the DEA's Electronic Prescriptions for Controlled Substances rules, two-factor authentication is mandatory for all entities that e-prescribe controlled substances. Typically, the additional factor is a security question,...
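One caveat a practitioner would raise here: a security question is something the user knows, the same factor category as the password, so it does not give a true second factor. A time-based one-time code generated on a device the user possesses does. The following is an added example, not code from the article or from any vendor it mentions, of an RFC 6238 TOTP second factor with the two checks an ePHI login needs around it: replay rejection of an already-used code, and a record of every attempt (the Security Rule's logging requirement). The secret is the RFC 6238 reference secret so the output can be checked against the RFC's published test vectors; "ExampleEHR" and the field names in the attempt log are placeholders.

```python
"""TOTP second factor (RFC 6238) with replay protection and an attempt log.

Added example, not code from the original article. RFC6238_SECRET and the
timestamps in the usage section are the RFC's reference values so the codes
can be checked against its published test vectors.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30       # seconds per time step
DIGITS = 6
WINDOW = 1      # accept one step of clock skew either side of "now"

# ASCII "12345678901234567890": the RFC 4226 / RFC 6238 test-vector secret.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def enroll(account: str, issuer: str = "ExampleEHR") -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth URI an authenticator app scans.
    'ExampleEHR' is a placeholder issuer name."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")
    return secret, uri


class SecondFactor:
    """Per-user verifier. Remembers the last accepted counter so a code cannot be
    replayed within the skew window, and records every attempt for audit."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1
        self.attempts: list[dict] = []   # constructed in-memory audit trail

    def verify(self, submitted: str, unix_time: int, user: str = "user") -> bool:
        ok, reason = False, "mismatch"
        if len(submitted) != DIGITS or not submitted.isdigit():
            reason = "malformed"
        else:
            base = unix_time // STEP
            for drift in range(-WINDOW, WINDOW + 1):
                counter = base + drift
                # constant-time comparison; the loop still runs over every candidate
                if hmac.compare_digest(hotp(self.secret, counter), submitted):
                    if counter <= self.last_counter:
                        reason = "replay"
                    else:
                        self.last_counter = counter
                        ok, reason = True, "ok"
                    break
        self.attempts.append({"user": user, "time": unix_time, "result": reason})
        return ok


if __name__ == "__main__":
    # RFC 6238 vectors (last six digits of the 8-digit SHA-1 column): 59 -> 287082
    print(totp(RFC6238_SECRET, 59), totp(RFC6238_SECRET, 1111111109))
    sf = SecondFactor(RFC6238_SECRET)
    print(sf.verify("287082", 59), sf.verify("287082", 59))   # True, then False (replay)
    print(sf.attempts)
```

The replay check matters because a 30-second step plus a one-step skew window gives an attacker who shoulder-surfs or phishes a code up to 90 seconds to reuse it; remembering the highest accepted counter closes that. In production the secret would be stored encrypted at rest and the attempt log written to the same audit store as the ePHI access log.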
Former Northwest Primary Care Employee Stole 5,372 Patient Records
A former employee of Portland-based Northwest Primary Care (NWPC) stole the Protected Health Information (PHI) of 5,372 patients of the Oregon medical clinic, according to an NWPC breach notice issued yesterday. The healthcare provider was alerted to the data theft by law enforcement. An investigation into the alleged data theft revealed that the individual had accessed the medical records of patients while employed at NWPC and had viewed and stolen highly sensitive patient data, including patient names, dates of birth, credit card numbers, and Social Security numbers. The data theft occurred over two years ago, between April and December 2013, although NWPC was only made aware of it on October 13, 2015. According to the NWPC press release, there is no indication that any of the data were actually used for fraudulent purposes. However, the theft of data such as credit card and Social Security numbers indicates the information was taken with criminal intent, and patients are consequently at risk of identity theft and fraud. In order to mitigate...
Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates that two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk.

HIPAA and Data Sharing
Covered entities are not allowed to share Protected Health Information for a purpose not required or permitted by the Privacy Rule unless prior authorization has been obtained from the patient or unless the data have first been de-identified (45 CFR §164.502(d)). When de-identifying data, covered entities must keep the risk of re-identification of patients to an acceptable level using one of the two methods the rule specifies: Expert Determination or the Safe Harbor method (45 CFR §164.514(a)-(b)). When sharing data, many HIPAA-covered entities opt for the Safe Harbor method, which requires the removal of 18 categories of identifiers from the data before they are disclosed to a third party for research studies, policy assessment, etc. Unfortunately,...
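What Safe Harbor actually requires is mechanical enough to be written down, which is why it is the method most covered entities pick. The following is an added example, not code from the article or from Privacy Analytics, that applies the 45 CFR §164.514(b)(2) rules to a single patient record: direct identifiers and sub-state geography are dropped, dates are reduced to the year, ages over 89 collapse to "90+", and ZIP codes keep their first three digits unless that three-digit area holds 20,000 people or fewer, in which case they become 000. The field names and the sample record are constructed for illustration; the restricted ZIP3 list is the one HHS guidance derives from 2000 census data and must be re-derived from current census figures before use. The final function is the check a reviewer wants after the field mapping: free-text fields can still carry phone numbers, SSNs and dates that the mapping never touched.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) for one patient record.

Added example, not code from the article. Field names, the sample record and
the regexes are illustrative; a real EHR export needs its own field mapping.
"""
from __future__ import annotations

import re
from typing import Any

# Identifier categories removed outright: names, geography smaller than a state,
# contact details, SSN, record/plan/account/licence numbers, vehicle and device
# identifiers, URLs, IP addresses, biometrics, photographs, any other unique code.
REMOVE = {
    "name", "address", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo", "other_unique_id",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# ZIP3 areas with 20,000 or fewer residents must collapse to "000".
# HHS guidance lists these from 2000 census data; re-derive before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def year_only(value: str) -> str:
    """Keep the year of an ISO date (YYYY-MM-DD); any other format is dropped."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else ""


def age_bucket(age: int) -> str:
    """Ages over 89 aggregate into a single 90+ category."""
    return "90+" if age > 89 else str(age)


def zip3(zipcode: str) -> str:
    prefix = re.sub(r"\D", "", zipcode)[:3]
    return "000" if (len(prefix) < 3 or prefix in RESTRICTED_ZIP3) else prefix


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Return a new record with the 18 Safe Harbor identifier categories handled."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in REMOVE:
            continue
        if key in DATE_FIELDS:
            year = year_only(str(value))
            if year:
                out[key + "_year"] = year
        elif key == "age":
            out[key] = age_bucket(int(value))
        elif key == "zip":
            out["zip3"] = zip3(str(value))
        else:
            out[key] = value
    return out


# Residual check: identifiers hiding in free text survive a field-level mapping.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[.-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Return 'field:pattern' labels for string values that still look like identifiers."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.append(f"{key}:{label}")
    return hits


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample", "dob": "1922-07-04", "age": 93, "ssn": "123-45-6789",
    "address": "12 Elm St", "city": "Portland", "state": "OR", "zip": "97201",
    "mrn": "MRN0001", "admit_date": "2015-10-13", "diagnosis": "I10",
    "notes": "Call 503-555-0100 before discharge.",
}

if __name__ == "__main__":
    cleaned = safe_harbor(SAMPLE)
    print(cleaned)                          # state, zip3, years, 90+, diagnosis, notes
    print(residual_identifiers(cleaned))    # ['notes:phone'] - the notes field leaks
```

The residual scan is the point of the example: the structured fields come out clean, but the clinical note still carries a phone number, and Safe Harbor's eighteenth category ("any other unique identifying number, characteristic, or code") makes that the covered entity's problem, not the recipient's. Free text either gets scrubbed with a dedicated tool or is not released under Safe Harbor.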
Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016
2014 was widely considered to be "The Year of the Data Breach." Then came 2015, the year of the mega healthcare data breach. Now that the year is coming to an end, it is time to look at the next 12 months and what could be in store. If the upward trend continues, 2016 could really be an annus horribilis. According to a recent white paper issued by Experian, the next twelve months are likely to see more of the same. We can expect large-scale healthcare data breaches to continue as the industry is targeted by cybercriminals seeking the highly valuable data stored by HIPAA-covered entities. The high value of healthcare data, combined with relatively weak defenses and the continued digitization of medical records, will see even more attacks launched on healthcare organizations, according to the Experian Data Breach Resolution White Paper.

Large Healthcare Data Breaches Will Occur, But Small Breaches Are Likely to Cause the Most Damage
This year has seen some mega data breaches suffered by health insurers, and those organizations will continue to be targeted in...
Five New Cases of Healthcare Employee Data Theft Reported
Healthcare employee data theft is a common occurrence, yet it is difficult to prevent determined employees from stealing healthcare data. A number of safeguards can be put in place to reduce the opportunity for data theft, and controls can be implemented to ensure that instances of theft are rapidly identified, but it is impossible to eliminate the risk of healthcare employees stealing patient data. In the past few days, five new HIPAA violation cases of healthcare employee data theft have come to light, discovered in Texas, New York, Washington, and Colorado.

Husband and Wife Team Steal PHI from Manhattan's Lenox Hill Hospital
Over 80 patients who visited the emergency room of Manhattan's Lenox Hill Hospital have had their identities stolen and have potentially been defrauded, after a former employee of the hospital stole their Protected Health Information. Kyle Steed, 30, took up a position at Lenox Hill Hospital in 2011. Between January 2014 and February 2015 he allegedly stole patient data that was then used by his wife to defraud patients. Krystle...