Monday, September 25, 2006


From GCN:

“You could look at all the state laws in all jurisdictions that are involved and come up with so many potential conflicts that it would take you forever to resolve them,” Christensen said. “Are they actually getting in the way, or is it the way people interpret those laws, or are there other things that they are doing in the name of privacy and security that aren’t even based on law or regulations?”

HHS and AHIC's CCPSG (American Health Information Community’s Confidentiality, Privacy and Security Work Group) are working on a project to smooth out some of the inconsistencies in privacy and security. It will be interesting to see how this shakes out.

Saturday, September 16, 2006

Save the Land

In the course of writing this blog, I read a lot of stuff from a lot of sources. Most of it is pretty dull stuff, but occasionally something pops out at me, like this from an otherwise routine piece on secondary health information markets from
Sales of medical data could also figure into new "consumer-driven health care" products such as Health Savings Accounts (HSA's), as at least one company has developed "medical credit scores" designed to parse the risk of borrowers looking for price comparisons on potential accounts.

The whole HSA thing has never seemed very practical to me, as it would only help those who were in a position to need an additional tax break. As a replacement for insurance it would simply not work for most of us. But if someone opts in to a program like that, intended so far as I can tell to reward individual responsibility, how is it right that companies are already looking for ways to "redline" customers? That they would be using a loophole to use your own PHI against you is doubly wrong.

Killing Me Softly

If you are struggling with compliance and you have users who use mobile devices, you need to read this from Computer World:
In general, however, Palma said there are three types of tangible security procedures that can bring mobile devices, and the data they carry, into compliance:

Authentication of devices and users.
Encryption of data.
The "remote kill." This enables IT personnel to remotely delete data on wireless devices such as smartphones once they are known to be missing. Such capabilities typically are provided by mobile device management software.
These broad elements are closely related to central management of mobile devices, another key aspect of mobile compliance efforts, Palma added.

"You need to centrally manage and push [changes] out to all types of devices and have a consistent approach because when it comes back to compliance, that's what you need," he said.

One of the solutions is to encrypt the entire device, not just individual files on it. "We encrypt the entire [device] one level below the operating system so if the machine is lost or the disk is stolen, it can't be read..." USB drives, PDAs, convergent devices, laptops. If you truly must have PHI on mobile devices, make it useless to unauthorized users.

If I Had a Hammer

From comes this quite good piece by Liz Freeman on a very interesting case going on right now in Florida:

The 1,100 Naples patients who were victims in the state's first federal privacy prosecution have little legal recourse, and Cleveland Clinic not likely to face fines

The indictment of a former Cleveland Clinic Florida employee for conspiracy to commit health care fraud with personal information of more than 1,100 Naples patients isn’t likely to bring a hammer of civil fines against the hospital by the federal government, which has yet to sanction a hospital or other health care entity for patient privacy breaches.

But the former hospital employee at Cleveland Clinic in Weston and her Naples cousin, who was her alleged co-conspirator, will be the first in South Florida to be prosecuted for violating the federal law protecting patients’ privacy rights and the third such case nationally, according to the U.S. Attorney’s Office in Miami.

Note the general cynicism when it comes to enforcement--- even the folks from HHS can't put enough lipstick on this pig. What started as a reasonable policy to allow providers to ease into compliance has become an excuse to not enforce. It won't last forever, and when the climate changes there will be some very unhappy folks in the docket.

As a side note, it looks to me as though Cleveland Clinic Florida, the provider in this case, did everything they should have, and seem both blameless and cooperative.

Here is a little more detail on this case from the Sun-Sentinel.

And here is the press release from the FBI.

Tuesday, September 05, 2006

Crank it Up

In the middle of a quite excellent and wonderfully acerbic piece on storage solutions, Jon William Toigo, writing in Application Development Trends, drops this tasty little description:

Acknowledging the risk that deleted data might be recovered using “under-data,” the U.S. Department of Defense has a project running with Georgia Tech Research Center to perfect a technique for absolutely ensuring data erasure from a hard disk in less than 5 seconds. Apparently, software based “data shredders” such as Norton WipeInfo don’t do an adequate job. Bad sectors of a hard disk that have been marked for exclusion from new data writes by disk electronics are ignored by the erasure process too. Since some valuable information might persist in these sectors, another approach, dubbed “Guard Dog” by developers, is being tried that leverages a 125-pound magnet and a hand crank to completely obliterate disk data in all sectors.

A 125-pound magnet and a hand crank? Man, I gotta get me one of those!

The rest of the article is well worth reading, too, by the way.
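An added illustration, not from the Toigo article, of the mechanism the excerpt describes: a toy drive model in which firmware retires a failing sector (copying its contents to a spare) before a host-side "shredder" runs, so the overwrite only ever reaches the replacement sector and the retired one still holds the record. The drive model, the sample PHI record and the function names are constructed for this example.

```python
"""Toy model of why a host-level overwrite can miss firmware-remapped sectors.
Assumed/simplified: a logical-to-physical map plus a spare pool; not real firmware."""


class RemappingDisk:
    """Host addresses logical blocks (LBAs); firmware maps them to physical
    sectors and silently reallocates a failing sector to a spare."""

    def __init__(self, logical_blocks: int, spares: int, block_size: int = 16):
        self.block_size = block_size
        self.logical_blocks = logical_blocks
        # physical media: the logical area followed by the spare pool
        self.media = [bytes(block_size) for _ in range(logical_blocks + spares)]
        self.lba_to_physical = {lba: lba for lba in range(logical_blocks)}
        self.spare_pool = list(range(logical_blocks, logical_blocks + spares))

    def write(self, lba: int, data: bytes) -> None:
        padded = data.ljust(self.block_size, b"\0")[: self.block_size]
        self.media[self.lba_to_physical[lba]] = padded

    def read(self, lba: int) -> bytes:
        return self.media[self.lba_to_physical[lba]]

    def mark_bad(self, lba: int) -> int:
        """Firmware reallocation: retire the old physical sector, copy its
        contents to a spare; the host can no longer address the old sector."""
        old, new = self.lba_to_physical[lba], self.spare_pool.pop(0)
        self.media[new] = self.media[old]
        self.lba_to_physical[lba] = new
        return old


def software_shred(disk: RemappingDisk, passes: int = 3) -> None:
    """All a host-side shredder can do: overwrite every *logical* block."""
    for _ in range(passes):
        for lba in range(disk.logical_blocks):
            disk.write(lba, b"\0" * disk.block_size)


def residual_physical_sectors(disk: RemappingDisk, marker: bytes) -> list:
    """Media-side check (what a lab would see): physical sectors still holding marker."""
    return [i for i, blk in enumerate(disk.media) if marker in blk]


def demo() -> dict:
    disk = RemappingDisk(logical_blocks=8, spares=2)
    disk.write(3, b"PHI:record42")          # constructed sample record
    retired = disk.mark_bad(3)              # drive retires the sector, data still on it
    software_shred(disk)                    # shredder sees only the remapped LBA
    return {
        "host_view_clean": all(disk.read(l) == bytes(disk.block_size) for l in range(8)),
        "residual_sectors": residual_physical_sectors(disk, b"PHI:"),
        "retired_sector": retired,
    }
```

The host's view reads back as fully zeroed while physical sector 3 still holds the record, which is why sanitization policy for drives that held PHI relies on media destruction (or a drive-level erase the firmware applies to retired sectors) rather than on host-side overwriting alone.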

Poppa Don't Preach

I told you so.
With the publication of the final enforcement rule, many observers are saying that the era of lax enforcement is at an end. Among those who think so are the folks at and Jennifer Wilcox has written a fine and scary piece called "HIPAA Gets 'Teeth'"--- among her suggestions for avoiding trouble in the future are these quite excellent queries:
Training: Are new benefits employees trained on the requirements of HIPAA Privacy and Security? Do you keep records documenting the training programs run for such employees, such as having employees sign statements certifying they attended the training?
Use of PHI for Employment Purposes: Do you have an appropriate "firewall" between your health plan and other human resources functions? Particularly for companies with relatively small human resources/benefits staff, do your employees know about the prohibition on using information obtained or created by the health plan for other employment-related purposes?
E-mails: Are you careful about disclosing PHI in e-mails that travel over open networks, unencrypted? Do employees use common-sense precautions to limit the amount of PHI used in e-mails?
Information Security: Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?

There are several other questions in the full article that you should be asking yourself. It really does make sense to be ready for full enforcement, because it was inevitable that the day would come. It is so much better to be prepared and compliant than to go through a scrambling panic remediation under the threat of federal attention. You are most of the way there now, and there is no reason for terror. Just spend a little effort and make sure that it is someone else held up as a cautionary tale on the six o'clock news.

Mr. Roboto

Interesting discussion in about identity management:

Frost & Sullivan added that apart from aiding regulatory compliance and security issues, identity management would enhance operational efficiency of enterprises, reduce costs and also enable risk management. A high level service centric identity management solution will have features including automated audits, attestations, consistent access and provisioning, an ability to manage change automatically and full delegation.

As organizations open their networks for increasing numbers of employees, customers and partners, companies will face the challenge of providing accounts to multiple users with an appropriate level of access to applications and resources. Large enterprises then begin to demand comprehensive identity and access management solutions which can provide self-service to end users in a secure environment while addressing all aspects of user administration, authentication and access control, claimed the study.

As a commenter points out, identity management is just one step in protecting your information, but it is a very important one.