HealthBlawg

David Harlow's Health Care Law Blog


The Iceberg Waiting for Your Health Care Data

April 29, 2014

The Heartbleed web security exploit was first publicized several weeks ago. Since then, numerous web-based services have let their users know (some more clearly than others) whether and how their data security was compromised by this OpenSSL flaw, which had been present for about two years before it was disclosed. This is one flaw, one exploit, but on a scale of 1 to 10, it has registered as an 11 on our collective consciousness. Fred Trotter notes in the MIT Technology Review that other, similarly worrisome exploits do not get our attention in the same way, and that more health data leaks are likely in our future. He also cites others’ observations that many health IT vendors are not currently equipped to respond effectively to such exploits in a timely manner.

Everyone loves to hate HIPAA (including those who can’t spell it correctly). The core of the privacy and security protections in HIPAA (including the HITECH Act updates) is directed at improving the baseline of patient control (over who has the right to see which pieces of personal health information) so that we can all have greater confidence in EHR systems and the related electronic systems handling our health care data. Rather than continuing to heap abuse on HIPAA, I think that critics should turn to addressing the underlying problems of our worldwide cloud infrastructure which, for all the benefits it enables, has its warts. Financial and health care data are regularly stolen online, and health care records fetch a premium on the black market thanks to the richness of their data. The FBI shares Fred’s perspective regarding the likelihood of additional exploits targeting the health care sector (particularly given the January 1, 2015 target date for Meaningful Use compliance), so this is not the last we’ll be hearing about large-scale security exploits.

The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit. According to open source reporting from SANS, Ponemon, and EMC²/RSA, the health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.

FBI Cyber Division Private Industry Notification 140408-010. (Update 5/1/2014: Original PIN 140408-009 was updated to reflect new FBI contact information. A reader provided a copy.)

So what is to be done?

First, come to terms with the fact that privacy and security are not absolutes. The sooner you do, the happier you’ll be. As a family member of mine used to say, “It is what it is.”

Second, keep an eye on The Wall of Shame starting in early June. Health care data breaches experienced by covered entities under HIPAA involving 500 or more individuals must be reported to OCR within 60 days of discovery, and are posted there. (Breaches involving fewer than 500 individuals are to be reported within 60 days of year-end.) So far, the only Heartbleed breaches we’ve heard about involve Canadian social security numbers and a newspaper. Information about breaches tied to Heartbleed may turn out to paint an interesting picture of the health IT vendors serving covered entities. (I don’t think that the fact that the Heartbleed exploit was available for two years is, in and of itself, a breach worthy of notification. If it were, OCR could be deluged with breach notifications.)

Third, don’t just give up. Do your part to ensure that health data are kept as private and secure as possible. Policies and procedures should be in place — and should be followed (yeah, that) — to minimize the likelihood of a damaging breach, and the effect of a breach when it occurs. Take warnings to heart, and act on them in a timely fashion.

In the face of all these questions about inappropriate access to information in health records, concerns about the accuracy of data input into EHRs were recently identified as the leading concern consumers have about EHRs. So there are concerns about data coming into the system as well as concerns about data coming out of the system.

The industry has a lot of work to do to assure stakeholders that data privacy and security, as well as data integrity, are well in hand.

What are you going to do?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

photo: flickr cc liamq

Filed Under: EHR, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Privacy, Security



Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.