Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

phi

healthcare-apps

The State of Cybersecurity in Healthcare Organizations in 2016

ESET and the Ponemon Institute have announced results of The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations average about one cyber attack per month with 48% of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security,” said Stephen Cobb, senior security researcher at ESET. “The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management

Key findings of the survey:

78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

63% said the primary consequences of APTs and zero-day attacks were IT downtime

46% of respondents experienced an inability to provide services which create serious risks for patient treatment.

Hackers are most interested in stealing patient information

  • The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81% of respondents.

Healthcare organizations worry most about system failures

  • 79% of respondents said that system failures are one of the top three threats facing their organizations
  • 77% cyber attackers
  • 77% unsecure medical devices

Technology poses a greater risk to patient information than employee negligence

  • 52% of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information
  • 46% of respondents also expressed concern about the impact of employee negligence
  • 45% cited the ineffectiveness of HIPAA mandated business associate agreements designed to ensure patient information security

DDoS attacks have cost organizations on average $1.32 million in the past 12 months

  • 37% of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

Healthcare organizations need a healthy dose of investment in technologies

  • On average, healthcare organizations represented in this research spend $23 million annually on IT
  • 12% on average is allocated to information security
  • Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks

Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies

DataMotion_IG4_BriefHistoryofHCDataBreaches_092915

Most Healthcare Organisations Have Experienced A Data Breach

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals that the majority of healthcare organizations represented in this study have experienced multiple security incidents and nearly all have faced a data breach. Despite the universal risk for data breach, the study found that many organizations lack the funds and resources to protect patient data and are unprepared to meet the changing cyber threat environment.

The 2015 study was expanded beyond healthcare organizations to include Business Associates.

Represented in this study are 90 covered entities (hereafter referred to as healthcare organizations) and 88 business associates (hereafter may be referred to as either business associates or BAs). A BA is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S.

Department of Health & Human Services. The inclusion of BAs provides a broader perspective of the healthcare industry as a whole and demonstrates the impact third parties have on the privacy and security of patient data. Respondents were surveyed about their privacy and security practices and experiences with data breaches, as well as their experiences with both electronic and paper security incidents.

Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, they estimate that data breaches could be costing the industry $6 billion.

  • 90% of healthcare organizations represented in this study had a data breach
  • 40% had more than five data breaches over the past two years

According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125% compared to five years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack and 12 % say it was due to a malicious insider. In the case of BAs, 39% say a criminal attacker caused the breach and 10% say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78% of healthcare organizations and 82% for BAs. Despite the changing threat environment, however, organizations are not changing their behaviour, only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers.

Security incidents are part of everyday business. 65% of healthcare organizations and 87% of BAs report their organizations experienced electronic information-based security incidents over the past two years.

  • 54% of healthcare organizations suffered paper-based security incidents
  • 41% of BAs had such an incident

However, many organizations do not have the budget and resources to protect both electronic and paper-based patient information. For instance, 56 % of healthcare organizations and 59% of BAs don’t believe their incident response process has adequate funding and resources. In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.

Even though medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014, the harms to individuals affected by a breach are not being addressed. Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.

Nearly two-thirds of both healthcare organizations and BAs do not offer any protection services for patients whose information has been breached.

Since 2010, this study has tracked privacy and security trends of patient data at healthcare organizations. Although the annual economic impact of a data breach has remained consistent over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks. At the same time, employee negligence remains a top concern when it comes to exposing patient data. Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Key Findings

In this section, they provide a deeper analysis of the findings. They have organized this report according to the two following topics:

  • Privacy and security of patient data in healthcare organizations and business associates
  • Five-year trends in privacy and security practices in healthcare organizations

To respond quickly to data breaches, organizations need to invest more in technologies.

  • 58 % of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft.
  • 49% agree they have sufficient technologies
  • 33% agree they have sufficient resources to prevent or quickly detect a data breach.
  • 53% of organizations have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

Background

  • Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
  • This is based on multiplying $1,067,400 (50% of the average two year cost of a data breach experienced by the 90 healthcare organizations in this research) x 5,686 (the total number of registered US hospitals per the AHA).

Cloud usage is extending the perimeter of most organisations

CloudLock have produced an interesting report on how the use of the cloud and apps has extending the perimeter of most organisations.

CloudLock Executive Summary

The adoption of public cloud applications continues to accelerate for both organizations and individuals at an exponential rate, evidenced across the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications.

The rapid surge of accounts, files, and applications presents increased risk in the form of an extended data perimeter. The adoption of cloud applications has significantly increased the threat surface for cyber attacks. Faced with this massive growth and the elevated risk, security professionals are looking to enable their organizations to embrace and leverage the benefits of cloud technologies while remaining secure and compliant.

Sensitive data is moving to the cloud, beyond the protection of your perimeter controls. As this occurs ,the amount of data, and, most importantly, the amount of sensitive or ‘toxic’ data the enterprise stores in these Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (laaS) platforms is increasing by the day – and regardless of its locations, S&R pros still need to protect it effectively.” Forrester Research (2015, March) Market Overview: Cloud Data Protection Solutions

Cloudlock key findingsOther findings

  • 100,000 files per organization that represent risk. Number of files per organization stored in public cloud applications that violate corporate data security policy, amplifying the danger of exposing sensitive information.
  • 4,000 files per organization contain passwords. Number of files per organization stored in public cloud applications containing credentials to corporate systems, inviting cybercriminals to hijack corporate SaaS environments.
  • 1 in 4 employees violating security policies. Number of employees that violate corporate data security policy in public cloud applications, opening organizations to risk of data breach and compliance concerns.
  • 45,000 third-party apps installs conducted by privileged users. Third-party cloud applications with access to privileged users accounts significantly elevates organizational risk.
  • 12% of an organizations files are sensitive/Violate a policy
  • 65% of Security Teams Care about what type of sensitive data is exposes
  • 35% care about how/where it is exposed
  • 70% of corporate cloud based external collaboration occurs with non-corporate entities
  • 77,000 Third Party cloud Apps that touch corporate systems
  • 4x increase in the number of third-party applications enabled per organization, from 130 to 475. The total number of unique third-party cloud apps ballooned to 77,000, amounting to 2.5 million installs
  • 2% growth in third-party SaaS application installations performed by privileged users (administrators and super admins)

Information that organizations worry about most includes:

  • 59% Intellectual Property and Confidential Information
  • 19% PCI DSS data
  • 13% PII data e.g. social security numbers
  • 5% Objectionable content for CIPA compliance- e.g. curse words, harassment
  • 4% PHI/healthcare related data such as medical conditions, prescription drug terminology, patient identification numbers or Compliance

CloudLock Methodology

Cloudlock bases findings on anonymized usage data over 2014 and 2015

  • 77,500+ Apps
  • 750Million Files
  • 6 Million Users

The full report can be found here.

Cyber Data Breach – Is Your Business Ready?

NewAgencyPartners 2NewAgencyPartners

The Top 7 HIPAA Risk Analysis Myths

HIPAA-Risk-Assessment-Infographic-e1406067274883

I thought I had published this months ago but found it still in my drafts.

2013 was a very busy year for the UK’s Information Commissioners Office (ICO) as he issued record numbers of fines and enforcements.

There are normally three types of punishments administered by the ICO:-

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act and like 2012 there were not many in 2013.

The complete list of those who fell foul of the Data Protection Act in 2013 is below:-

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury. The size of the fines might change with the pending revision to the Data Protection Act.

The list has the most recent first.

  • 16 December 2013. A monetary penalty notice has been served on First Financial (UK) Limited after the pay day Loans Company sent millions of spam text messages.
  • 29 October 2013. A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
  • 22 October 2013. A monetary penalty notice has been served on the Ministry of Justice for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.
  • 26 September 2013. A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.
  • 29 August 2013. A monetary penalty notice has been served on Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 23 August 2013. A monetary penalty notice has been served to Islington Borough Council after personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.
  • 5 August 2013. A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.
  • 12 July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Appeal withdrawn.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

The list has the most recent first.

  • 20 December 2013. A follow up has been completed to provide an assurance that Luton Borough Council has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 26 November 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Borough of Windsor & Maidenhead, following an incident in which restricted information about employees was disclosed on its intranet in error.
  • 22 November 2013. An undertaking to comply with the Privacy and Electronic Communications Regulations has been signed by Better Together. The organisation must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent.  A follow up has been completed to provide an assurance that Foyle Women’s Aid has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 21 November 2013. An undertaking to comply with the seventh data protection principle has been signed by Great Ormond Street Hospital for Children NHS Foundation Trust. This follows four incidents involving the accidental disclosure of sensitive personal data.
  • 1 November 2013. A follow up has been completed to provide an assurance that The Health and Care Professions Council has appropriately addressed the actions agreed in its undertaking signed July 2013.
  • 1 November 2013. A follow up has been completed to provide an assurance that Mansfield District Borough Council has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 25 October 2013. A follow up has been completed to provide an assurance that The Burnett Practice has appropriately addressed the actions agreed in its undertaking signed in April 2013. An undertaking to comply with the seventh data protection principle has been signed by Panasonic UK. This follows the theft of an unencrypted laptop containing personal data relating to people who had attended a hospitality event run by a third party company on Panasonic’s behalf.
  • 15 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Royal Veterinary College. This follows the loss of a memory card containing personal data. In addition, data protection training is not considered to be adequate and the RVC does not appear to be taking steps to address this proactively. This highlights a potentially serious failing in respect of staff awareness of Information Governance policies. Their investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace.
  • 7 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by The Hillingdon Hospitals NHS Foundation Trust.
  • 4 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Cardiff & Vale University Health Board, following the loss of documents containing sensitive personal data by a consultant.
  • 29 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 11 September 2013. An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council following several incidents involving inappropriate handling of sensitive personal data. Investigation of these incidents revealed that previous recommendations made by the ICO had not been implemented.
  • 28 August 2013. An undertaking to comply with the sixth data protection principle has been signed by Cardiff City Council. The Council agreed to put measures in place to ensure greater compliance with subject access requests.
  • 22 August 2013. An undertaking to comply with the seventh data protection principle has been signed by the Local Government Ombudsman. This follows the theft of a bag containing hard copy papers relating to complaints made to the Local Government Ombudsman (the LGO) including some SPD. It is felt that the provision of data protection training was insufficient to ensure staff awareness of policies and procedures relating to the use of personal data.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Northern Health & Social Care Trust. This follows a number of security incidents which led to a formal investigation into the Trust’s compliance with the Act. One incident in May 2011, involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Foyle Women’s Aid. This follows the temporary loss of a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid that was left in a café. The folder contained confidential client information. An apparent lack of effective controls and procedures for taking information out of the office was a contributor to the loss of highly sensitive personal data.
  • 16 July 2013. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website http://www.janetpage.com.
  • 9 July 2013. An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013. (issued 10 September 2012) An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 12 June 2013 (issued 18 September 2012). An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011). An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

The list has the most recent first.

  • 3 December 2013. A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery. Steven Tennison was prosecuted under section 55 of the Data Protection Act at Maidstone Magistrates Court.
  • 8 October 2013. A pay day loans company based in London and its director have been prosecuted after failing to register that the business was processing personal information. Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court.
  • 25 September 2013. A former Barclays Bank employee has been fined after illegally accessing the details of a customer’s account. In one case the employee, Jennifer Addo, found out the number of children the customer had and passed the details to the customer’s then partner, who was a friend of Ms Addo.
  • 15 August 2013. A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been fined £150 following a prosecution bought by the ICO.

Find the 2012 list here.

Health sector needs to improve its data protection

The Information Commissioner’s Office report on how organisations providing secondary health care are complying with the Data Protection Act and highlights areas that need improvement.

The report summarises the results of 19 audits, mostly against NHS Trusts.

The audits looked at how personal data is handled by the organisation, and fit alongside NHS information governance guidelines. The organisations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data.

The Audits found:

  • All the organisations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
  • All the organisations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trollies used for moving files.
  • There was also a lack of simple password controls, notably forcing regular password changes.
  • Some organisations had little in the way of fire or flood protection in place for paper records.
  • All organisations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
  • Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.

Before three of the audits, staff were surveyed about their awareness of data protection policies

  • 88% of staff had read and understood the policy in place within their organisation
  • 94% had completed data protection training within the previous year

Claire Chadwick, ICO Team Manager in the Good Practice team, said:

Information about a person’s health tends to be one of the most sensitive types of personal data, and it is clear it must be properly handled.

“Our experiences in these audits suggested that tended to be the case. Only one of the audits suggested a substantial risk of non-compliance with the law, while more than half gave reasonable assurance the law was being complied with.

“By paying attention to this report, more organisations in this sector can ensure they are handling personal information properly. This report is an opportunity to review and improve practices and procedures based on our experiences

The audits followed a letter from the Information Commissioner and the Chief Executive of the NHS Sir David Nicholson to chief executives and finance directors within the NHS.

The full report can be found here.

Securing Patient data has improved massively but still has work to do

In it’s recent Winter 2013 Newsletter Experian released the details of the fifth annual Healthcare Information and Management Systems Society (HIMSS) which they sponsored.

The survey found many areas of improvement and highlighted them in the infographic below:

Infographic_-The-security-of-patient-data-in-a-virtual-universe3

Key highlights from the HIMSS study include:

  • Only 38% of the respondents encrypt mobile devices, such as smartphones and tablets, which is worrisome considering their rising use. In fact, there are currently 1.1 billion global smartphone subscribers, representing a 42% year over year growth rate. In addition, there’s been a 29% increase in tablet or e-reader users since 2009.
  • Only 43% of respondents test their data response plans, meaning they don’t know whether their plans work. Organisations should review their response plans regularly and conduct practice runs at least once per year. It’s also a good idea to update the contact list of your response team quarterly and redistribute it.
  • 64% of this year’s respondents encrypt emails, compared to 55% in 2008.
  • Two-thirds conduct a risk analysis at least once per year, compared to 54% in 2008
  • Nearly 25% of the respondents sustained a data breach in the past year alone
  • the high number of breaches has caused 21 million American patients to have their healthcare records exposed to date
  • 90% of the respondents (Hospitals) in a recent study indicating that they conduct formal risk analyses.

.

Latest NHS Fine for breaching the Data Protection Act is close to the “current” limit at £325,000

After a series of breaches where the NHS organisation involved received nothing more than a slap on the wrist the Information Commissioner is finally ratcheting up the pressure on public sector organisations, especially the NHS for breaching the Data Protection Act.

In the latest breach Brighton and Sussex University Hospitals NHS Trust has been fines £320,000 after a serious breach and is the highest ever issued.

The maximum fine was raised to £500,000 in April 2010

It is worth noting that fines under the proposed European Data Protection Act will be considerably higher with numbers in the order of €1 million or 2% of turnover been discussed, see Proposed European wide Data Protection Act – a review.

The Brighton and Sussex University Hospitals NHS Trust involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of:

  • Patients’ medical conditions
  • Treatments
  • Disability living allowance forms
  • Children’s reports

It also included documents containing staff details including:

  • National Insurance numbers
  • Home addresses
  • Ward
  • Hospital IDs
  • Information referring to criminal convictions and suspected offences

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

See previous ICO monetary fines for the NHS

.

Lose memory stick: go straight to court, do not pass go and do collect damage to reputation…

Praxis Care Limited breached the UK Data Protection Act and the Isle of Man Data Protection Acts by failing to secure Personally Identifiable Information (PII).

An unencrypted memory stick was lost on the Isle of Man in August 2011 and contained personal information relating to

  • 107 Isle of Man residents
  • 53 Northern Ireland residents

Some of the information was sensitive and related to individuals’ care and mental health

Praxis Care Limited has informed all affected individuals about the loss and no complaints have yet been received by the regulators.

Christopher Graham, UK Information Commissioner, said:

 “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”

.

Illicit access of medical records leads to a breach of the Data Protection Act

A medical record folder being pulled from the ...
Image via Wikipedia

A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court after unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Mrs Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

Christopher Graham the Information Commissioner said:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: