Microsoft Issues Warning over Effectiveness of EHR Data Encryption
Researchers at Microsoft have recently issued a paper questioning the effectiveness of EHR data encryption. A warning has been issued to healthcare providers about security vulnerabilities in some electronic medical record systems, which have been shown to leak information, even when data encryption software is used. The results of the study are due to be presented at the ACM Conference on Computer and Communications Security next month, although the research paper can be viewed now, ahead of the ACM presentation. During the study, Microsoft researchers successfully managed to view patient data that included names, race, age, hospital admission information and other data, by exploiting security vulnerabilities. The paper cites four methods that can be used by hackers to gain access to the Protected Health Information of patients. The researchers were so concerned about the high risk of data exposure, it was deemed necessary to issue a warning to healthcare providers and other HIPAA-covered entities that were using CryptDB based protections. They were told in no uncertain terms to...
Healthcare Workers Risk Data Exposure from Smartphone Gambling Apps
Healthcare providers and other HIPAA-covered entities operating Bring Your Own Device (BYOD) schemes will be aware that the use of mobile devices carries risks; however, a recent study has highlighted just how risky unauthorized apps can be, with employees’ use of Smartphone gambling apps deemed to be especially risky. If healthcare workers are allowed to use their own personal devices for work purposes, policies must be put in place covering the permitted use of apps on the device. Apps must be assessed, and employees informed of the applications which can be used securely on the devices. While an app may never be used for work purposes, if it is installed on a device, security vulnerabilities in that app could potentially be exploited by hackers. An app could therefore be used to gain access to the data stored on the device, or the computer network that the device connects to. New Study Highlights Data Security Risk from Gambling Apps A recent study conducted by the security company Veracode, suggests that the average-sized company has at least one gambling app being used by...
Recent Cases of Portable Device Theft Highlight Need for Healthcare Data Encryption
Healthcare professionals can be given training on the importance of keeping electronic equipment secure; however, even the most security minded healthcare professional can make an error of judgement that results in PHI being exposed, such as leaving a laptop computer in a vehicle while patients are attended to. Theft of medical devices containing Protected Health Information (PHI) had declined in recent months; but the HHS’ Office for Civil Rights breach portal now displays a high number of HIPAA violation cases of portable device theft, highlighting the importance of using data encryption software to safeguard PHI. While portable devices carry the highest risk of data exposure, a number of recent burglaries of physicians’ offices show that even data stored on less portable computer hardware, such as desktop computers and servers, is not secure without robust security measures such as encryption. Stolen Portable Electronic Devices Cited in Numerous Recent Breach Reports In June, a physician from the University of Oklahoma’s Department of Obstetrics and Gynecology had a laptop...
VA: PHI Incidents Fall in July; Breach Notification Letters Increase
The Department of Veteran Affairs has issued its July and Q3 data security report to congress, indicating there were fewer Protected Health Information (PHI) exposures in the month of July than June, with fewer breach victims created. However, the total number of security incidents – and the number of individuals affected by those incidents – have been steadily rising throughout the year. The July report shows fewer individuals were affected by data breaches. In June, the VA reported 2,076 individuals had been affected by data breaches. The July figures are much improved, with only 1,031 individuals affected. There was also a reported fall in PHI incidents, which affected 872 individuals in July compared to 935 individuals in June. Even with that reduction, more breach notification letters were sent out in July than the previous month – 779 letters in July compared to 543 notification letters in June. Lost and Stolen Device Reports Increase Lost and stolen devices are still a leading cause of data exposure. In the month of July, the VA reported 56 security...
UCLA Health Cleared in Data Breach Lawsuit
The University of California Los Angeles Health System was cleared of liability in a lawsuit filed against it for the unauthorized disclosure of a patient’s medical records to a “romantic rival”. The patient in question, Norma Lorenzo, filed a lawsuit against UCLA Health for disclosing her personal information to an unauthorized individual in 2012. Lorenzo filed the suit claiming emotional distress and an invasion of her privacy, and sought $1.25 million in damages. The incident which sparked the lawsuit involved a temporary worker using the login credentials of a physician to access Lorenzo’s files. That individual then texted photos of the medical records to Lorenzo, her father and her former boyfriend. The information texted related to a sexually transmitted disease Lorenzo had received treatment for. The individual who accessed and disclosed the records was the current partner of one of Lorenzo’s former boyfriends. While UCLA Health was not directly responsible for the breach of personal information, Lorenzo claimed in the lawsuit that UCLA Health had not taken sufficient steps...



