Tuesday, October 30, 2007

Call The Ambulance

That HIPAA thingy cuts both ways...

Jaramillo said he plans to sue the city as an entity, and the mayor and councilors individually, on grounds of violating the Health Insurance Portability and Accountability Act by divulging unpaid ambulance bills, infringing upon his freedom of speech and retaliation for whistleblowing...

Documentation shows Jaramillo divulged his ambulance bills himself at a council meeting, Bhasker said.

Self-immolation is one thing, but flaming out like this is amazing. I think he had better get a new lawyer, because from the looks of things, his current one is not serving him very well.

Stupid Cupid

Now here is a classic hunka hunka burnin' stupid:

NORTH BERGEN -- More than two dozen Palisades Medical Center employees have been suspended for violating Oscar winner George Clooney's patient privacy rights after a motorcycle accident in Weehawken last month, hospital officials said.

A hospital spokesman would not detail the alleged infractions that led to the monthlong suspensions of 27 workers. But a spokeswoman for the union that represents some of the suspended employees said the violations ranged from workers who accessed Clooney's health records to others who went into his room to shake his hand.

The suspended workers acted "inappropriately" in accordance with federal patient confidentiality regulations, spokesman Eurice Rojas said.

"They were suspended for a range of things," Rojas said on Tuesday. "Only direct caregivers should be accessing a patient's file or chart."

I have no sympathy for front line workers who, at this late date, think that it is okay to ogle someone's health info just because they are famous. I would also fire the person responsible for their training.
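The detection side of the Clooney story is worth spelling out: "only direct caregivers should be accessing a patient's file or chart" is a rule a hospital can actually check against its chart-access audit log. Below is an added example (mine, not code from the original post or from Palisades Medical Center) that runs two such checks over a constructed audit log: accesses by users who are not on the patient's assigned care team, and a sudden crowd of distinct users around a single chart within an hour, which is the classic celebrity-snooping signal. The log columns, the care-team table and the user names are all made up for illustration.

```python
"""Chart-access audit review for an EHR access log.

Added example, not from the original post or the hospital it describes.
The log format, the care-team table and the user names are constructed
for illustration; a real EHR exports different fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io

# Constructed sample: users assigned to each admitted patient (patient_id -> set of user ids)
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz", "rn.chen"},
    "P1002": {"dr.kaur", "rn.chen"},
}

# Constructed sample audit log: timestamp, user, role, patient_id, action
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2007-09-24T08:02:11,dr.lee,physician,P1001,view_chart
2007-09-24T08:05:40,rn.ortiz,nurse,P1001,update_vitals
2007-09-24T08:31:02,clerk.diaz,billing,P1001,view_chart
2007-09-24T09:12:55,rn.patel,nurse,P1001,view_chart
2007-09-24T09:13:30,tech.ng,radiology,P1001,view_chart
2007-09-24T09:14:02,rn.ortiz,nurse,P1001,view_chart
2007-09-24T09:15:48,dr.kaur,physician,P1002,view_chart
2007-09-24T09:20:10,rn.chen,nurse,P1002,update_vitals
2007-09-24T09:21:17,admin.ross,admin,P1001,view_chart
"""


def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_unassigned_access(rows, care_team=CARE_TEAM):
    """Return events where the acting user is not on the patient's care team.

    Every hit is a candidate for a 'why did you open this chart?' question;
    an unknown patient id has no care team, so every access to it is flagged.
    """
    return [r for r in rows if r["user"] not in care_team.get(r["patient_id"], set())]


def find_access_spikes(rows, window=timedelta(hours=1), threshold=4):
    """Return {patient_id: max distinct users} for charts touched by at least
    `threshold` distinct users inside any `window`-long interval."""
    by_patient = defaultdict(list)
    for r in rows:
        by_patient[r["patient_id"]].append((r["timestamp"], r["user"]))
    spikes = {}
    for pid, events in by_patient.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= threshold:
            spikes[pid] = best
    return spikes


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for r in find_unassigned_access(log):
        print(f"UNASSIGNED {r['timestamp']} {r['user']} ({r['role']}) -> {r['patient_id']} {r['action']}")
    for pid, n in find_access_spikes(log).items():
        print(f"SPIKE {pid}: {n} distinct users within one hour")
```

Run against the sample, the first check lists the billing clerk, the off-team nurse, the radiology tech and the administrator; the second reports P1001 as opened by five distinct users inside an hour. A real deployment would read the EHR's own audit export and pull the care-team table from the admission system, but the two rules are the same.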

Open Season On My Heart

It is the HIPAA excuse season, and boy howdy are they thick on the ground:

ATLANTIC CITY - Federal health law experts said health privacy laws are confusing, but should not keep city officials from revealing where the resort's mayor is.

Mayor Bob Levy's last official duty came last Wednesday, when he signed seven ordinances into law. Since then he, and his black city-issued Dodge Durango, have apparently vanished.

His attorney and city officials have said since Thursday he was in an undisclosed hospital receiving unspecified treatment. In the meantime, Business Administrator Domenic Cappella has served as acting mayor.

With Levy's absence, the city has been beset by rumors of imminent resignations tied to an ongoing federal investigation into his military record. City Council members have said they believe Levy has abandoned his post and have sought state help replacing him.

Adding to the problem is that top city officials say they know where he is, but providing more information would run afoul of the 1996 federal Health Insurance Portability and Accountability Act, commonly called HIPAA.

Under federal investigation? Hide, say you are sick, and claim HIPAA rules prevent anyone from finding out where you are! This one has Golden Hippo written all over it!

How We Operate

Here is an excellent run-down on setting up secure passwords from fellow CISSP and IT security blogger Joel Dubin:

At the heart of compliance is access management and authentication. And at the heart of authentication are user IDs and passwords. Despite their many weaknesses and the availability of multifactor authentication technologies, the venerable user ID and password combo remains the centerpiece of access to many corporate systems.

Rather than tearing up network plumbing for new-fangled devices, like one-time password (OTP) tokens and smart cards, many companies have opted to strengthen their existing password systems to keep compliant with audit and compliance regulations and standards, including Sarbanes-Oxley, HIPAA, FFIEC and PCI DSS.

It doesn't have to be a big deal, and you don't have to spend a ton of money. Just spend a little time in training and reminding users of how it is done.

Take That & Party

Damn skippy!

"Attorney General Van Hollen's well-researched legal opinion provides a valuable public service by clearing up confusion and explaining that federal HIPAA law does not enable local and state government officials to keep records secret if they should otherwise be open," Stanley said.

"In this case, a local fire department had refused to provide information about a public employee who crashed his truck into a sign and was arrested for drunk driving. The taxpayers who pay for his salary, for the truck he was driving and for the auto and liability insurance - as well as the people who live in the neighborhoods he was driving drunk through - deserve to know that information."

Like every other abused law, HIPAA has a special place in the heart of public officials who are less than fond of the public spotlight. HIPAA is not a shield law for cronies and incompetence; it exists to protect individuals' rights of privacy. Take that, public servant!

They're Red Hot

Some days the stupid burns so hotly you can warm your attic with it:

"You can't look at your own records or any family member records unless there is a clinical need to do so," Braccino said. "If you are doing so just because they are there and you have a private interest, you are violating HIPAA regulations and patient confidentiality."

Trustee Shelbie Bershinsky said many of the employees probably looked at their own medical records with harmless intent.

"I've been in health care 19 years and I, until today, I didn't think there was anything wrong with me looking at my records," she said. "I now know that I shouldn't do that."

Hospital compliance officer Dean Jessup said HIPAA regulations, including the prohibition against viewing one's own medical records, are posted at each of the hospital's time clocks.

Your medical records are yours. There is no provision in HIPAA preventing you in any way from viewing your own PHI. None. There may very well be a regulation in that facility's HIPAA compliance policy against it, but it is nowhere to be found in the Act itself.

Sunday, October 07, 2007

Insecurity Alert

Headlines like this scare me:

These Notebook PCs Aren't A Security Risk

Nope. Even though they carry no data, there is no such thing. This particular item is a wireless thin client, and though they don't carry any data, they connect through wireless networks! What part of wireless network goes with "Aren't a Security Risk?"

Whisper in Blindness

More and more I am starting to believe that email is the biggest blind spot in most systems:

One slip-up can become a whopper. For example, a Palm Beach County, Fla., health department statistician and epidemiologist mistakenly attached a list containing more than 6,000 names of HIV/AIDS patients to an e-mail in 2005. The message was sent to 800 of the department's 900 employees.

It is so easy to hit send without giving it any thought, and that is only the most likely of the innocent breaches. Most people have web-based email accounts like Hotmail, Gmail, or Yahoo Mail. Because these are web-based, it is nearly impossible to control what goes out via them. One alternative, of course, is to block access to these webmail providers, but there are so many, and users are so clever at circumventing blocks and safeguards, that it is almost impossible to make this bulletproof. Training is a solution, of course, but not a cure, because if your users are careless or malicious they will ignore you.
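The Palm Beach slip-up is exactly the kind of thing an outbound-mail check on the corporate mail path can catch before the message leaves, at least for mail that does go through your own servers. Here is an added example (mine, not code from the original post or from the Palm Beach County health department) that builds a message resembling that mistake, a roster of patient rows attached to a routine email, then parses it back the way a mail filter would and decides whether to deliver it or hold it for review. The organization domain, the roster contents and the "MRN plus date of birth" row pattern are all constructed stand-ins; a real filter would key on whatever marks a record as PHI in its own systems.

```python
"""Outbound-mail check for bulk patient data attached by mistake.

Added example, not code from the original post. The message, the roster
and the organization domain are constructed for illustration; the row
pattern (an MRN followed by a date of birth) is a stand-in for whatever
marks a record as PHI in a real system.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import getaddresses

ORG_DOMAIN = "example-health.test"  # constructed
PATIENT_ROW = re.compile(r"\bMRN\d{6}\b.*\b\d{4}-\d{2}-\d{2}\b")
MAX_PATIENT_ROWS = 10          # more rows than this go to a reviewer, not to the recipients
MAX_INTERNAL_RECIPIENTS = 50   # a PHI attachment to more staff than this is suspect on its own


def build_sample_message(n_rows=12, n_recipients=3):
    """Constructed message: a routine report with a patient roster attached by mistake."""
    msg = EmailMessage()
    msg["From"] = f"stats@{ORG_DOMAIN}"
    msg["To"] = ", ".join(f"staff{i}@{ORG_DOMAIN}" for i in range(n_recipients))
    msg["Subject"] = "Quarterly report"
    msg.set_content("Attached is the quarterly summary.")
    rows = ["last,first,mrn,dob,status"]
    for i in range(n_rows):  # constructed roster rows, no real people
        rows.append(f"Doe{i},Pat,MRN{100000 + i:06d},1970-01-{(i % 28) + 1:02d},positive")
    msg.add_attachment("\n".join(rows), subtype="csv", filename="roster.csv")
    return msg.as_bytes()


def count_patient_rows(raw):
    """Parse an RFC 5322 message and count PHI-looking rows per text attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = {}
    for part in msg.iter_attachments():
        if part.get_content_maintype() != "text":
            continue  # binary formats (xls, pdf) need their own extractor; out of scope here
        body = part.get_content()
        n = sum(1 for line in body.splitlines() if PATIENT_ROW.search(line))
        if n:
            hits[part.get_filename() or "<unnamed>"] = n
    return hits


def recipients(raw):
    """All To/Cc addresses of the message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


def decide(raw):
    """Return ('deliver' | 'hold', reason) for one outbound message."""
    hits = count_patient_rows(raw)
    if not hits:
        return "deliver", "no patient rows in attachments"
    total = sum(hits.values())
    addrs = recipients(raw)
    external = [a for a in addrs if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        return "hold", f"{total} patient rows addressed to external recipient(s): {external}"
    if total > MAX_PATIENT_ROWS:
        return "hold", f"{total} patient rows in {list(hits)} exceeds {MAX_PATIENT_ROWS}"
    if len(addrs) > MAX_INTERNAL_RECIPIENTS:
        return "hold", f"patient data addressed to {len(addrs)} recipients"
    return "deliver", f"{total} patient rows, within policy"


if __name__ == "__main__":
    verdict, why = decide(build_sample_message())
    print(verdict, "-", why)
```

The sample message holds, because twelve roster rows exceed the ten-row limit; the same message with five rows delivers. Note what this does not cover, which is the author's point: mail sent from Hotmail or Gmail in a browser never touches this filter, so the check is one layer, not the cure.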

Anatomy of Your Enemy

See? It's not just me:

Apgar noted that while there are technological solutions that claim to harden records against vulnerabilities, it might be a mistake to focus too much on outside threats. "Eighty percent of all security breaches come from your people," he said. "It's not the hackers."

Don't ignore the barbarians at the gates, but pay closer attention to the enemy within!

Get That Clear

Quote of the day:

On the opposite end of the spectrum are those less-enlightened companies that chose to go with "CNN is our IDS" and that only learn that their networks were compromised when the news shows up in the media. Don't be those guys.

Just say no to CNN!