For support call: 703-528-8300 x1 | Client Portal Login

BEI HIT Blog RSS

US Health Information Breaches Up 137%

Advance Health Network, 3/15/15

BEI Commentary: Just how bad is HIT security? 7 million. That is how many patient records were breached in 2013, an increase of 137% over 2012. As BEI says, and is also emphasized in the article: encrypt your data.

More than seven million health records in the United States were affected by data breaches in 2013, an increase of 137% over the previous year, according to the annual breach report by Redspin, an information security company based in Carpinteria, California.

Since 2009, there has been a rapid rise in the adoption of electronic health records in the US. There have also been 804 breaches of health information affecting nearly 30 million patient health records reported to the Secretary of Health and Human Services, as required by law. Read More

 

 

Health-care sector vulnerable to hackers, researchers say

Washington Post, December 25, 2013

BEI Commentary: This article confirms that healthcare practices need to be vigilent about security.

As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. Read More

Exclusive: SEC left computers vulnerable to cyber attacks – sources

Reuters, November 8, 2012

BEI Commentary:  This is a non-HIT/HIT article.  You can see from this that the medical industry is not the only one that has regulatory oversight that requires encryption and other protections.  Good computer security is just a fact of life in an increasingly networked world.

Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.

While the computers were unprotected, there was no evidence that hacking or spying on the SEC’s computers took place, these people said.

The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC’s Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said. Read More

Workstation Security – Easy steps you should be taking

Security becomes a bigger IT issue everyday. Security is not just about protecting websites or servers; appropriate security is required for workstations as well. In fact, HIPAA requires it. Here are a few simple things to think about:

  • Make sure each individual on your staff has a unique ID/Password for logging into the EHR. This may seem like a simple thing, but we have seen practices where a common ID/PW is used by people with similar roles. Unique ID/PWs are required to determine who has logged into the EHR and what changes they made.
  • Passwords should be strong. Require at least 6 characters with at least one character being alphabetic and one being numeric.
  • Place an inactivity timer on each workstation of five minutes. It is quite easy for someone to walk away from a workstation while forgetting that they are logged in. This gives a patient or other staff the opportunity to access the EHR using someone else’s ID/PW. This would result in unauthorized access to ePHI, which is a HIPAA violation.
  • Encrypt your hard drives. Some workstations may have ePHI and some may not. Why bother figuring out which is which. If you encrypt the hard drive of each workstation, you will guarantee that you are HIPAA compliant. Encrypting the hard drive should not cost anything. If the workstation is lost, and you are not sure if there is ePHI on the machine, and the machine does not have encryption, that is a HIPAA violation that most likely needs to be reported to the Office of Civil Rights.
  • Consider a privacy filter for workstations, especially those in public areas. Privacy filters allow only the user to view what is on the screen. Off angle viewing is blocked. They are very inexpensive and can be purchased for both laptops and desktops.

All of the items above are straight-forward and easy to implement. They can go a long way to protecting the ePHI in your practice!




Home|Success Stories|Events|BEI Blog|Partners|Who we are|Contact Us|RSS

© 2014 Business Engineering, Inc.

11130 Sunrise Valley Drive, Suite 202 Reston, VA 20191
P: 703.528.8300 F: 703.276.7938