Monday, August 28, 2006

Wasting Away Again in Margaritaville

We live in the most interesting modern times--- did you know that there is an organization called The National Association for Information Destruction? I didn't until I read this excellent article in The Naples News:

Then his son introduced him to a magazine called Waste Age.
"I read an article that said Wayne Huizenga (owner of Miami Dolphins) had bought a document shredding business," Stevens said. "And I said, 'Gee if it's good enough for him, it's good enough for me.'"
So he started JM Stevens Services in Naples, which was one of the first on-site document shredding businesses in Collier and Lee counties. He did pretty good business, starting with about a dozen clients the first year and moving up to about 300 within seven years.
But it has been the last three years that Stevens' business has picked up.
"I added at least 200 or better clients in the last three years," Stevens said.
The reason for his client increase is recent federal laws designed to protect patient privacy rights, prevent identity thefts and preserve confidentiality of credit transactions. The laws increased the document handling requirements put on financial institutions that handle confidential information.

There is everything to like about this story--- small-town boy makes good, a new industry born of the need for privacy, and even a plug for keeping old data secure through destruction.

Friday, August 25, 2006

When You're a Jet

A little self-promotion here--- Comply With Me has been invited to join HITSphere.

The HITSphere is a network of premium weblogs that write content about the healthcare, medical, and clinical informatics and information technology (IT) industry. Combined, these sites reach a large readership of influential healthcare technology professionals.

Check them out here.

And I will be administering the new HIPAA forum at one of the top security websites around.

Welcome new visitors from both places!

Moment by Moment

Here is a nice little piece on web portals for patient information from --- you'll have to register, but it is fairly painless.

"Hospital staff says it helps avoid that `awkward HIPAA moment' when they have to stop and think about how much information they can share," says Tom Hills, vice president of market development for Chicago-based TLContact, which operates CarePages, a company offering patient-developed Web sites. Provisions of the federal Health Insurance Portability and Accountability Act of 1996 have made provider disclosure of patients' health status much more complicated.

Ann Converso, vice president of the United American Nurses union, acknowledged that these "HIPAA moments" do occur and said she welcomes anything that can help relieve this awkwardness. "I haven't heard it termed that way, but I like it," she says. "People call all the time and say `This is Joe Schmoe's first cousin. How's he doing?' But unless the person speaking is authorized to get (clinical) information, that's a HIPAA problem."

A couple of healthcare organizations in my area have implemented web portals with very good results. The usual caveats apply--- if you are going to do this, great care must be taken to make it both secure and user-friendly.

Drive my Car

From the Detroit News comes yet another example of the risks of treating PHI like the photos of your vacation, and allowing users to carry it around on portable devices:

It's ironic that while parents can't gain access to the medical records of college-age children still living under their roof, a laptop computer containing the medical histories of more than 28,000 Michigan residents was missing for days in Metro Detroit.

The laptop was assigned to a Beaumont Hospital home care nurse, and was stolen from her unlocked and running car when she stopped in Detroit for a restroom break. Fortunately, it has been recovered with the data apparently untapped.

The stupidity of the nurse is beyond belief. But even more unbelievable is that Beaumont or any other hospital would be so careless with the private medical records of its customers.

In the end, stupid stuff like this comes back to us. We must have systems in place that make it easy for the users to do their jobs, while at the same time making it difficult for them to drive around with thousands of records in the back seat of their car. The administrators failed in three places on this one. They failed to train the user correctly, they failed to put systems in place to limit the availability of PHI, and they failed to secure the data itself.

And from the Detroit Free Press come these additional details:

The security lapse, disclosed Tuesday by Beaumont officials in Troy, is not an isolated occurrence in these days of portable technology and information sharing, but it underscores the need for greater enforcement of laws intended to protect patients' privacy, advocates said.

Beaumont Hospital officials said the laptop, which contained Social Security numbers and medical information, was stolen earlier this month from the car of a home care nurse. They said the nurse broke hospital policy by leaving her access code and password with the computer.

There are a number of reasons why a user leaves a password written down--- poor training, too-complex passwords, simple idiocy. While the human capacity for the last seems infinite, it can often be circumvented by proper application of the first and avoidance of the second.

Friday, August 18, 2006

Over and Over

Some great clarification of the confusion some folks have about two-factor authentication, from Michael Farnum:

In regards to the HIPAA security rule, it has been stated that §164.312(2)(i) only requires that each individual be given a unique username and password. This is not entirely true. §164.312(c)(2) states that the covered entity should "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed". Single-factor authentication, even a username and password combination, is considered to be inadequate by many security professionals to verify identity of an individual. In case of legality, the Federal Financial Institutions Examination Council ("FFIEC") has recently concluded "single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions". Though this does not apply specifically to HIPAA, it does give a strong indication as to where all federal regulations are headed.

Simply said, requiring an easily remembered PIN number in addition to the RFID card adds virtually no complication or time to the login process, yet the security benefits are very high. It protects your patient data (your most valuable asset) and secures your network, and it would be a favorable layer of security in case of a HIPAA audit.

Thanks Michael!
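To make the card-plus-PIN idea concrete, here is an added example of what the login check looks like when both factors are actually required. This is illustration code written for this post, not Michael's and not any vendor's badge-reader software; the user name, card serial, PIN, PBKDF2 round count and lockout threshold are all assumptions. The point it shows is that the card alone, or the PIN alone, gets you nowhere, and that a handful of bad guesses locks the account so a short PIN stays viable.

```python
"""Two-factor login check: something you have (a badge/card serial read by
the reader) plus something you know (a short PIN).

Added example, not code from the original post or from Michael Farnum.
The names, the sample store, the round count and MAX_FAILURES are
assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # assumed stretching factor for the stored PIN
MAX_FAILURES = 5          # assumed lockout threshold for bad attempts


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Stretch a short PIN so a leaked table is not a trivial 10^4 search.

    A 4-6 digit PIN is only acceptable because the card must also be
    present and guesses are rate-limited by the lockout below.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Enrollment:
    card_serial: str   # possession factor, as read from the badge
    pin_salt: bytes
    pin_hash: bytes    # knowledge factor, stored stretched and salted
    failures: int = 0
    locked: bool = False


def enroll(card_serial: str, pin: str) -> Enrollment:
    """Register a user's card and PIN; never keeps the PIN in clear."""
    salt = os.urandom(16)
    return Enrollment(card_serial, salt, hash_pin(pin, salt))


def verify(store: dict, username: str, card_serial: str, pin: str) -> bool:
    """Return True only when BOTH factors match the claimed user.

    Both comparisons are constant-time, both factors are evaluated before
    deciding (so response time does not reveal which one failed), and
    repeated failures lock the record.
    """
    rec = store.get(username)
    if rec is None:
        # Burn the same PBKDF2 cost for unknown users so enumeration by
        # timing is not trivial, then refuse.
        hash_pin(pin, b"\x00" * 16)
        return False
    if rec.locked:
        return False
    card_ok = hmac.compare_digest(rec.card_serial.encode(), card_serial.encode())
    pin_ok = hmac.compare_digest(rec.pin_hash, hash_pin(pin, rec.pin_salt))
    if card_ok and pin_ok:
        rec.failures = 0
        return True
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.locked = True
    return False


if __name__ == "__main__":
    # Constructed sample enrollment for a home-care nurse account.
    users = {"nurse01": enroll("CARD-7F3A", "4821")}
    print("card + PIN :", verify(users, "nurse01", "CARD-7F3A", "4821"))
    print("card only  :", verify(users, "nurse01", "CARD-7F3A", "0000"))
    print("PIN only   :", verify(users, "nurse01", "CARD-0000", "4821"))
```

Swap the card serial for whatever your reader hands back (an RFID UID, a smart-card certificate thumbprint) and the shape stays the same: the thing that matters is that `verify` never short-circuits on one good factor.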

All by Myself

My bold, below. More on that further down the page.
I am a big freedom of the press advocate. I think that the final bastion of liberty is the people's right to know what is going on with both their government and the world around them. However, this has to be balanced with the right of privacy of the individual. I am often amused by reporters' framing of the awful HIPAA regs and how they prevent them from doing their job. I was a reporter, once, too. I sympathize. But there is no built-in coda to the First Amendment that says that reporters should have automatic access to private information. Being a reporter is a tough job, and HIPAA makes it a little tougher. It is a trade.
Here is another episode of that ongoing saga:

Sen. Kirk Schuring, R-Jackson Township, said the public should have a right to know about criminal activity, even with the HIPAA laws.

“The HIPAA laws should apply to the mentally ill,” he said. “I think everyone understands that. But for those who are guilty of crimes against society, those records should be open to the public.”

It’s not the first time the Ohio Department of Mental Health has used the HIPAA laws to withhold information.

After the two “client” patients, Nathan Young and Damien Corley escaped in May, The Indepedent requested information on other felony “clients” being housed at Heartland to find out how dangerous they might be.

Corley was charged with aggravated murder, and Young was charged with felonious assault in two different cases.

Neither the personnel at Heartland nor Wentz were forthcoming with that information.

When The Independent asked for a list of clients, Heartland CEO Helen Stevens said HIPAA laws didn’t allow her to do that.

Back to the bold. I would have a little more trust in a reporter who spelled the name of his own paper correctly, an editorial staff who might catch that, and a typesetter who used the built-in spell checking that most software has. Just a thought.

In the Air Tonight

Okay, this is quite an amusing little tale from ComputerWorld:

The new HIPAA regulations have hit this small hospital with a vengeance, and it falls to the IT manager pilot fish to develop the necessary policies and protocols to stay compliant on the IT end.

"Among the many policies I had to develop in order to satisfy onerous government regulations was a computer access authorization policy," says fish. "It requires a department head to fill out an access modification form for any additions or changes in an employee's security access.

But I have a question. Why would it take "onerous government regulations" for you to realize that you needed an access authorization policy? Would you otherwise just let anybody see anything, or put the burden of authorization policies on managers with other duties to invent as they go along?

Monday, August 14, 2006

Your Money or Your Life

This is completely unacceptable:

Intracare is the publisher of a popular practice management system called Dr. Notes. When some doctors balked at a drastic increase in their annual software lease, they were cut off from accessing their own patients’ information.

This situation is completely unconscionable. There can be no truly open doctor-patient relationship when an unrelated third party is the de facto owner of and gatekeeper to all related data.

We do all we can to make users, providers and everyone in between more comfortable with technology, and then some idiot company throws it out the window by risking the lives of patients over a few bucks.

With or Without You

Great piece on basic security from Roger Grimes, at ComputerWorld:

The same thing happens in computer security. Some companies, like a law office I visited last week, don't have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.

But to be frank, that company and others like it aren't ready to listen to my spiel about all the current security risks and how I'm going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.

And that's where Grimes' Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I've classified them into five stages, much like Maslow's Hierarchy of Needs, based on their approach to security.

Grimes' Hierarchy of Security Needs. Wonder if someday college sophomores will snooze to its recitation?

Thursday, August 10, 2006

There's a Kind of Hush

I just received, from a major training company, an offer for their latest product--- a computer-based training on security for end users. It seems reasonably priced, at a little less than 50 bucks per user--- which is much more than most companies are willing to spend on something like this, reasonable or not, at least until they have a major expensive data breach and then the perspective changes. But the money phrase was hidden in the little clip below:

Business owners and IT departments beware: your users are the weakest link of your computer and information security plan. Show all your users this training, plus make it a part of new user orientation, and you'll see benefits and cost savings across the board...

...Every company with a computer needs this series. These 6 hours of training videos can be invaluable in strengthening your security's weakest link.

Six hours? I can hardly get users to sit still for 15 minutes, once a quarter, and I am a pretty dynamic speaker. The whole point of training is to cause the trainee to, you know... learn something. Six butt-numbing hours of computer-based training for users who resent anything concerning that blinking box that interferes with their actual job is somehow a good idea?
Wow. Just wow.

Thursday, August 03, 2006

Karma Police

I came to HIPAA as an IT guy, specifically in the security field. As any InfoSec guru will cheerfully tell you, all the high-tech gizmos and black-ops ultra-whiz code can do is protect you from the outside. There is no protection against yourself.
Dumpster-diving is a long-honored and traditional form of gathering information. Any well-ordered penetration test will include a turn around the back and a quick peek under the plastic lid. One of the big frustrations for us all is the fact that no matter how many times we repeat it, very few people seem to take this back-door approach very seriously.
Now, thanks to a clever news team, even the Office of Civil Rights, which has up to this point shown remarkable reluctance to actually, you know... protect anyone's rights, has had its nose rubbed in the odiferous mess of idly tossed away PHI:

In Washington, D.C., officials at the Department of Health and Human Services have been "closely monitoring" the investigation, as well.
"I can tell you there are people in the highest levels of OCR who are watching these reports and are very interested in what they are seeing," said DHHS spokesman Patrick Hadley. OCR is the department's Office of Civil Rights, which investigates violations of the federal health privacy law known as HIPAA.
Last week, several local families filed HIPAA complaints with the OCR's regional office in Chicago after they learned their personal information was found in dumpsters during WTHR's pharmacy investigation. That clears the way for OCR to begin its own investigation, although the agency will not confirm whether that has happened.
"We take complaints very seriously," said Susan McAndrew, senior advisor for HIPAA privacy policy at the Department of Health and Human Services. "Just tossing out patient's personal information where anyone can access it is not taking reasonable precautions."

Though not much has been done to enforce HIPAA's requirements, if the situation is sufficiently blatant even our public servants have to take action.
Don't let this be you! Pharmacists have the toughest row to hoe here, with daily exposure and the need to use best professional judgement as to who gets information. Do the easy stuff. Walk over to aisle 7, office supplies, and pick up that shredder. Shred everything. Get a locking can for used pill bottles, and empty it just before garbage pick-up into your locked dumpster.
See how easy it is to avoid your neighbors talking about seeing you on the six o'clock news?

Crash into Me

An update on the Ohio University data breach and what is being done--- after the horse has left the barn, of course:

The network still remains offline, pending the result of an audit to determine if the rebuilt network is compliant with the Health Insurance Portability and Accountability Act.
It is not known if the network prior to the breach adhered to HIPAA guidelines, because the U.S. Department of Health and Human Services, which enforces HIPAA compliance, has a policy against commenting on possible investigations.
When the system does come back online, Hudson will no longer store social security numbers with the student information, said Jackie Legg, Hudson business manager.
The Hudson breach, which was discovered May 4, compromised the Social Security numbers of all students enrolled since Fall Quarter 2001 and certain faculty and university employees.

A big part of the sloppiness seems to have resulted from higher-ups ignoring repeated requests from IT personnel for help with an inadequate system. Now, instead of an ounce of prevention, the university will have to spend up to 5.5 million dollars on a cure.

Every Breath You Take

Here is some interesting commentary from a former insider in the insurance business who now has a private psychiatric practice:

"In practice, HIPAA has allowed the dissemination of our records of every illness, disorder, and condition for which an insurance claim has been filed," he said. Mr Schofield added that HIPAA has given managed care companies and underwriters, who receive no practical medical training, even more involvement in patients' lives.
Compounding the already complicated privacy standards are information services that can access sensitive medical and treatment records from secondary sources, which are actually disclosed and endorsed in the HIPAA statement providers are required to sign if they are participating in managed care compensation.
"If a company [human resources representative] can afford to subscribe to certain information services, they can find out almost everything that is on your insurance company's health care records," Mr Schofield said. "That's part of the reason why my wife and I both opted out of taking insurance from our patients.
"I don't want some young person to be refused a job five years down the road, because I recommended he seek psychiatric and possible medical treatment for depression or anxiety as a teenager," he said.

Along with supplying the world with a ready-made pool of excuses, HIPAA has had the added unintended consequence under the current, privacy-averse political atmosphere of actually allowing easier access to some of the sort of things it was supposed to restrict. This will no doubt change with the regulatory climate, but for many people's PHI the cat is already out of the bag.