OCR Boosting Security Enforcement

The health care industry can soon expect a greater emphasis on enforcing the HIPAA security rule than in years past.

That’s the message that Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights, delivered May 11 at the Safeguarding Health Information conference in Washington. OCR sponsored the conference with the National Institute of Standards and Technology.

Federal enforcement of the security rule transitioned in 2009 from the Centers for Medicare and Medicaid Services to the OCR. The office continues to build expertise on the security rule, but much of the transition work is done, McAndrew says. “Transitions are always longer than you expect.”

To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes. “We’re hoping that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.”

The HITECH Act links privacy and security–and enforcement of both HIPAA rules–enabling regulators to look at these issues from a more holistic viewpoint, McAndrew says. As the electronic world moves into the clinical side, the health care industry increasingly will find that privacy and security issues collide, she contends. “Without a sound security policy, privacy will just be a principle.”

Consequently, 2010 is when the industry will really start to see a realization of HITECH’s privacy and security initiatives enacted in 2009, McAndrew says. “We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement.”

View original source here

Corporations must protect data, says CMY Cylab report

Corporate boards of directors and senior management aren’t adequately involved in the privacy and security of their computer systems and data, according to a report issued Tuesday by Carnegie Mellon University’s CyLab.

The report found that while company boards are taking risk management seriously, there remains a gap in understanding the relationship between information technology, or IT, and risk management. The report is based on the results from 66 respondents to its survey at the board or senior executive level from Fortune 1000 companies. It builds on CyLab’s first survey, conducted in 2008.

“The survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data, but this year’s study shows some important areas of improvement,” said Jody Westby, a distinguished fellow in CMU’s CyLab, and CEO of Global Cyber Risk LLC, in a statement.

The report found that a majority of companies don’t have full-time privacy, security and risk executives responsible for those issues. Respondents indicated that corporate boards reviewing privacy and security issues weren’t focusing on activities that would help protect the organization from high-risk situations, such as reputational or financial losses due to breaches of personal identity information or theft of confidential or proprietary information.

Medical files found in trash

PORT ST. LUCIE, FL — Police on turned up medical files in a trash bin near University Medical Clinics that contained information that could be used to commit identity theft, a police spokesman said Wednesday.

Police determined the files, which contained information including patient names, Social Security numbers, phone numbers and addresses, had been discarded from University Medical Clinics in the 1800 block of Southeast Port St. Lucie Boulevard, said Officer Tom Nichols, police spokesman.

A man identified by Nichols as a high ranking official with the company indicated an employee had thrown the files way.

“A garbage bag full of medical records is not an oversight,” Nichols said.

Dr. Samuel Sadow, CEO of University Medical Clinics, said Wednesday he didn’t think any patient information had been compromised.

“We’re very concerned about it and we’re doing our own internal investigation,” Sadow said.

Nichols said the records were returned to the office.

Nichols said the files initially were found by a woman acting on an anonymous tip that they’d been discarded. That woman then notified police of her discovery.

(Read original article here)

Shredding Service Fort Lauderdale

MicroShred

Secure Mobile On-Site / Off-Site Document Shredding Company – Fort Lauderdale, Florida

MARYLAND BANK DUMPS IDENTITIES INTO TRASH

ABC2 News – Rodgers Forge, Maryland

ABC2 News investigators recently discovered that an M&T Bank branch in Rodgers Forge, Maryland improperly disposed of documents that should have been shredded. These documents included social security numbers, driver’s license numbers, bank accounts, and other sensitive information that should not have wound up in the dumpster. When contacted by the media M&T stated that the discovery was a clear violation of corporate policy, and pledged to conduct an extensive internal investigation…

Full Story

HITECH RELATED REFERENCE TO NIST SPECIFICATION CAUSING CONFUSION/CONCERN

The Department of Health and Human Services issued guidance related to safe harbors for healthcare providers to avoid mandatory data breach notification.  The guidance states that if computer hard drives are disposed after sanitization meeting National Institute for Standards and Testing (NIST) specification SP 800-88, data breach notification will not be required.  It also states that that destroying paper media in a manner that it “cannot be read or otherwise cannot be reconstructed” provides that same safe harbor. The NIST SP 800-88 specification reference in the HHS Guidance DOES NOT APPLY to paper media within the HHS Safe Harbor Guidance, HIPAA, HITECH or Data Breach Notification.

Unfortunately, because NIST SP 800-88 also contains specifications for paper destruction, which is very small, some HIPAA/HITECH Covered Entities are misinterpreting the HHS Guidance to mandate that destruction specification extends to paper as well. Again, NIST SP 800-88 does not extend to paper media, only to sanitization.

Here is the language as it reads in the Federal Register:

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

It is important to note that none of this is actually a requirement of HIPAA or HITECH—it is simply advice regarding safe harbors for avoiding possible data breach notification events.

Read the Federal Register Reference

(source:http://naidonline.org/)

FLORIDA SHREDDING

MicroShred

Secure Mobile On-Site / Off-Site Document Shredding

SOUTH FLORIDA SHREDDING DIRECTIONS

MicroShred, South Florida, provides both mobile and plant-based destruction of confidential documents. Our mobile shredding units can come to you and shred all sensitive material at your location, under your supervision. Click here to read about our South Florida Shredding Services.

If you are interested in plant-based destruction, you can get directions to Florida’s Document Shredder MicroShred Inc. from the following places :

All directions are from South Florida going to:
MicroShred Inc.
19593 NE 10th Ave.
Miami, FL 33179-3577, US

We also provide Shredding Services to the following areas:

• Atlantis
• Boca Raton
• Boynton Beach
• Briny Breezes
• Broward County
• Cloud Lake
• Deerfield Beach
• Delray Beach
• Fort Lauderdale
• Glen Ridge
• Golf
• Greenacres
• Gulf Stream
• Haverhill
• Highland Beach
• Hypoluxo
• Juno Beach
• Jupiter
• Jupiter Inlet Colony
• Lake Clarke Shores
• Lake Park
• Lake Worth
• Lantana
• Loxahatchee
• Manalapan
• Miami-Dade County
• Miami
• Palm Beach
• Palm Beach Gardens
• Pompano Beach
• West Palm Beach

NAID TO KEEP CLOSER TABS ON BREACH NOTIFICATION CASES

With HIPAA Covered Entities and Business Associates now subject to data breach notification requirements of HITECH, NAID Members will see the association more closely following and reporting on related issues.

Recently, Aetna Casualty was forced to notify 65,000 current and former employees, sending each a letter wherein the company admitted its role and described the nature of the data breach.  The company’s online job application site was breached, which only became apparent earlier this month when affected individuals began receiving suspicious emails soliciting personal details.  The site reportedly contained the Social Security Numbers of the 65,000 people who were notified.

A class action suit has already been filed against Aetna related to this incident, which is just one of the consequences of what is coming to be known as Breach Notification Fallout.

The upcoming edition of NAIDnews (June 2009) contains a thorough examination of the impact of breach notification and why it is among the most feared of all the new HIPAA/HITECH provisions.

Full Article

Corporations Still Unfamiliar with Laws Governing Information Privacy

A recent survey reveals that while corporations are spending more money in an effort to safeguard personal information, many corporate leaders say they are unfamiliar with key federal and state laws governing information privacy.

The survey, conducted on behalf of Boston-based Iron Mountain, targeted companies with annual revenue of at least $750 million. The survey polled 115 business professionals involved in or responsible for information privacy at publicly held companies.

According to the survey’s findings, companies believe they’re more familiar with federal requirements for information destruction than they actually are. While nearly three in four respondents (74 percent) express familiarity with federal requirements, fewer than one in three (30 percent) are aware of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule. The FACTA Disposal Rule mandates that organizations properly dispose of documents containing consumer information through methods such as burning, pulverizing or shredding so that the “information cannot practically be read or reconstructed.”

The survey also reveals that nine in 10 companies outsource their shredding, while more than half (57 percent) also rely on on-site commercial-grade shredding or incineration equipment. But fewer than one in four report compliant destruction of consumer information (24 percent) or audit-compliant policies and procedures (23 percent) based on best industry practices.

Two in three companies (66 percent) say it has become more important to formalize policies and procedures for destroying sensitive information. Those companies cited new laws (63 percent), negative press of data losses (43 percent), customer demand for information security (29 percent) and pressure from industry groups (28 percent) as the top reasons why.

(Source: sdbmagazine.com)

11 People Charged In TJX Identity Theft Case of 45+ Million Personal Identities

11 people, including even a confidential informant working for the Secret Service, were charged in connection with a case involving illegally tapping into the wireless payment processing systems of the following retail outlets:

• TJX (TJ Max)
• OfficeMax
• Boston Market
• Barnes & Noble
• Sport’s Authority
• DSW
• Forever 21
• BJ’s Wholesale Club

Besides tapping into the wireless networks of these major retailers, the thieves were successful in setting up programs that captured card numbers, passwords and account information from a massive amount of unsuspecting consumers.

While TJX admitted to 45 million consumers were negatively impacted from the two year period the identity thieves had unauthorized access to their payment processing data, court documents revealed the real estimate was closer to 100 million consumers confidential data was compromised based on depositions by Visa and Mastercard.

The ring leader, a Miami man who was also the confidential informant for the Secret Service, turned out to be a double agent who had been providing criminal’s information about ongoing investigations and tipping off associates.

With the massive amount of credit account access information stolen and provided to worldwide identity thieves, this case involving TJX has a big impact in our personal identity and financial safety.