DATA BREACHES IN HEALTHCARE BY CHUCK EASTTOM


ABOUT THE SPEAKER
- 18 books (#19 in progress)
- 29 industry certifications
- 2 Masters degrees (#3 in progress)
- 5 Computer patents
- Over 20 years experience, over 15 years teaching/training
- Worked on EMR/EHR and medical billing software
- Frequent consultant/expert witness

GENERAL FACTS
- As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
- Since federal reporting requirements U.S. Department of Health and Human Services' database of major breach reports 944 incidents affecting personal information from about 30.1 million people.
- Smaller breaches are also at issue. In 2012, there were 21,194 reports of smaller breaches affecting 165,135 patients.
- Health care data has seemingly become increasingly targeted. According to some sources, it accounts for 43 percent of major data breaches reported in
- In April 2014, the FBI warned healthcare providers that their cybersecurity systems are lagging behind systems used in other industries, making the healthcare industry more vulnerable to cyber attacks.

LARGE BREACHES
- Breaches involving 500,000 records or more are uncommon, but not unheard of.
- In 2014 Chinese hackers stole information regarding 4.5 million patient records. The attack was on Community Health Systems and reportedly included patient Social Security numbers.

STATISTICS AS OF NOVEMBER 2014
- More than 146 of the 1,135 major HITECH breaches reported as of Oct. 17 were ongoing and not attributed to one-time events, ranging from one day to 2,891 days.

SMALLER DATA BREACHES
- Laptops Stolen from New York Podiatrist's Office Contained 6,475 Patients' Information: Poughkeepsie, N.Y.-based Sims and Associates Podiatry notified patients of a data breach that occurred when its office was burglarized and three laptops containing patients' personal and health information were stolen.
- Laptop Containing Patient Information Stolen From Coordinated Health: Bethlehem, Pa.-based Coordinated Health notified patients of a data breach that occurred when a laptop containing patient information was stolen from an employee's vehicle.
- The Kaiser Permanente Northern California Division of Research in Oakland, Calif., notified patients their personal and health information was compromised when its research server was infiltrated by malware.
- Decatur, Ala.-based PracMan, a billing company utilized by many Alabama physicians, announced a subcontractor caused a data breach that exposed the personal and health information of 3,100 patients.

TOP THREATS
- Physical theft
- Insider misuse
- Accidental disclosure/unintentional actions

SPECIFIC ISSUES/THREATS
The following have been reported as part of known breaches:
- Employees and contractors leaving media containing ePHI in vehicles which were broken into.
- Physical burglary of servers with data.
- USB devices with PHI left unsecured.

MAJOR SECURITY ISSUES
This list is compiled from several sources:
- EHRs are still new to many health care providers, so they lack experience securing electronic patient data.
- Lack of detection controls: health care providers may have adequate perimeter security but not intrusion detection and forensics.
- Other financial priorities/budgetary issues.
- Insufficient information sharing.
- Lack of a ‘security attitude’.

SOME GOOD NEWS
- More attention to this issue, as evidenced by this symposium
- The IEEE is giving more attention to medical devices and their security
- More training available for staff
- Better technology is available