North American Medical Records At Risk

While you are sitting patiently during your typical 5-6 hour emergency room visit, ever wonder just how safe your records are at the doctor’s office?  Are ya ready to puke?

91% of small healthcare practices (less than 250 employees) in North America say they have suffered a data breach in the past 12 months.

The Ponemon Institute recently conducted a survey, commissioned by MegaPath, asking more than 700 healthcare organizations’ IT and administrative staff about breaches.  Among the findings:

  • 70% say their organizations either don’t have, or are unsure if they have, sufficient budget to meet governance, risk, and compliance requirements.
  • 55% of respondents had to notify patients of a data breach in the previous 12 months.
  • 52% of respondents rated their security technology plans as “ineffective”.
  • 43% of respondents had experienced medical identity theft in their organizations.
  • 31% say management considers data security and privacy a top priority.  (69% not so much?)
  • 29% say breaches have resulted in medical identity theft.
  • More than a third have not assigned responsibility for patient data protection to anyone in particular.
  • Approximately half say less than 10% of IT’s budget goes to data security tools.

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected.  Protecting patient data appears to remain a low priority for hospitals and doctors’ offices, and these organizations have little confidence in their ability to secure patient records.  They are putting individuals at increased risk for medical identity theft, financial theft, and exposure of private information.

Are ya feeling warm and fuzzy yet?  Read the whole report.

Canadians’ Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the right and the means to spy on your internet usage freely and on a mere hunch.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers”.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post: this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, and that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediency and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks!

Six Major Identity & Privacy Trends To Watch

According to Gartner, six major trends will drive identity and access management (IAM) and privacy in 2012.  Businesses will need to increase their focus on projects in that space that can achieve quick value and deliver real benefits to the business.

Organizational boundaries continue to erode due to M&As, converging environments, and outsourcing complexities, and IT’s control continues to weaken as mobile devices and cloud services proliferate.  Identity management is becoming more important than ever.

Six IAM Trends:

  • Tactical identity: The scope and budgets for identity management projects will remain constrained.  A major cause of failure for these projects has been an overly broad scope combined with a lack of focus on business value.
  • Identity assurance: Demands for stronger authentication and more mature practices will intensify.  Organizations need to know who they are trusting, why, and for what.
  • Authorization: Authorization requirements will grow more complex and urgent in response to regulatory pressure and more complex IT and business environments.  The real magic of IAM lies in authorizing access and in creating the logs used to hold people accountable for their actions.  In many organizations, authorization and enforcement of access control policies are less mature than other IAM processes.
  • The identity bridge: Identity management must span the chasm between organizations.  A new architectural component will be needed to manage identity information flows between cooperating companies.
  • The sea of ID tokens: Identity information frequently has to be adapted by each domain that receives it and then passed on to downstream domains.  Identity information is transmitted via tokens, which may be carried in protocol headers or in protocol payloads.
  • Policy battles: Concerns over identity theft and privacy are alarming the public and having a serious impact on operations.  The business community, privacy lobby, law enforcement and national security communities will continue to wrangle over laws and regulations, and that wrangling will continue to drive changes in the identity infrastructure.

As usual, Gartner is right on the money.  Read the entire article to get the details.

Advice On Healthcare Breach Avoidance

Interesting and fairly good recorded interview on the HealthcareInfoSecurity blog, from the perspective of a lawyer who has been involved in many a breach investigation.  Listen to hear attorney David Szabo’s top three tips for breach prevention and detection.  Be aware of and learn from other organizations’ mistakes.

“There’s a huge risk area around laptops and other portable devices that carry a lot of data.  Organizations, even when it’s not legally required, need to be looking at, say, encryption of all laptops that leave a facility with protected health information or personal information.  Organizations also should re-assess exactly what kind of information should and should not leave the premises on mobile devices”, Szabo says. “That’s another factor of risk.”

In this exclusive interview, Szabo discusses:

  • The three most important steps to take now to prevent and detect breaches;
  • What healthcare organizations can do now to prepare for the final version of the HIPAA breach notification rule;
  • The most important steps healthcare organizations can take to prepare for this year’s HIPAA compliance audits.

I enjoyed the interview, thought you might too.

Carrier-IQ SmartPhone Monitoring Analysis

I am sure that everyone who reads this has already heard that there is a big kerfuffle raging over the potential monitoring and eavesdropping of smartphone-based phone calls and text messages, and even claims of keystroke logging.

According to Dan Rosenberg’s blog, he has done some detailed analysis on the software, and has found the following to be true on his Samsung handset:

  • CarrierIQ (on his particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call.
  • CarrierIQ cannot record any other keystrokes besides those that occur using the dialer.
  • CarrierIQ cannot record SMS text bodies, the contents of web pages, or email contents, even if carriers and handset manufacturers wished to.  There is simply no “metric” designed to carry this information.
  • CarrierIQ (on this particular phone) can report GPS location data in some situations.
  • CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

Privacy Information Aids

I promised a little more Canadian Privacy content this year, and I’ve been doing some more homework in the field, so here is an update on the topic of Privacy.  Below are some summaries and resources that I have found useful in staying abreast of this complicated area of law and regulation.  I like to gather this sort of information into one place for reference.  If you have something to add, feel free to send me your useful links and descriptions.

In Canada, the federal Personal Information Protection and Electronic Documents Act sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.  The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them. 

Provincially, Ontario and several other provinces have specific privacy legislation for organizations operating in the public sector, and Ontario has adopted specific provincial privacy legislation for health service providers.

The Information and Privacy Commissioner of Ontario enforces PHIPA, FIPPA, and MFIPPA.

Bill 122 – Canadian Privacy Changes

On October 20, the Ontario government introduced amendments to Bill 122, the Broader Public Sector Accountability Act.  The basic purpose of the act itself is to promote a higher level of accountability within the public sector.  The changes introduce new standards for accountability and reporting for hospitals, local health networks, school boards, colleges and universities, and other public sector organizations receiving greater than $10 million in annual public funding.  The bill is expected to pass by November 30, 2011.

Bill 122 materially extends the Freedom of Information and Protection of Privacy Act (FIPPA) for both public and private health care facilities.  The Personal Health Information Protection Act (PHIPA) regulates access to personal information.  Under the extended FIPPA legislation, the general public will gain a right of access to their institutional records, unless they are specifically excluded, or subject to an exemption of access.

Hospitals and other organizations will have until January 1, 2012 to implement new procedures to meet these expanded requirements, including the training of staff.  Management and staff need to be aware of the requirements of the Act.  The new legislation applies to all records in the custody or under the control of the affected organizations after January 1, 2007.  Ensuring compliance with FIPPA is mandatory, and is the responsibility of the chair of the organization’s Board of Directors.

It is worth noting that email messages are considered information records under the Act, and are subject to the same provisions, exemptions and exclusions as any other record, unless they fall into one of the exclusions outlined in the Act.  Emails containing personal information must be protected and dealt with in accordance with FIPPA.

There is no doubt that the application of FIPPA represents a significant change for Health Care Professionals in Ontario.  The proposed legislation is very likely to be enacted, and many health records will become accessible to the public.  It is critically important for Ontario hospitals to make changes to their record keeping and retention policies, procedures, and practices to be able to respond to access to information requests appropriately.