EDITION 2, 2012
4. The First Wave of OCR Audits for HIPAA and HITECH Compliance: Key Results Summary, by Mike Humason, Director of Healthcare Systems, Micro Solutions (page 8)
If you have not already subscribed, please sign up to receive the monthly
Risky Business newsletter: http://www.privacyanalytics.ca/registernl.asp
CONTACT US
www.privacyanalytics.ca | 613.369.4313
info@privacyanalytics.ca
INTRODUCTION
If you just read these questions and are asking yourself "What is an
Incident Response Plan?" or "What is a Written Information Security
Program?", you are not alone. Let's discuss why we even need to be
talking about data privacy in the first place.
STARTLING STATISTICS
Over 544,664,595 data breaches have been reported since 2005
(Privacy Rights Clearinghouse). Of course, many have gone
unreported, so this figure is more than likely 3 times higher, or
1,633,993,785. A Ponemon study recently found that the average
cost of a data breach is $214 per compromised record, broken down
as follows:
Activity                          Percent   Dollar
                                    11%      $23
                                    10%      $21
Outbound Contact                     5%      $10
Inbound Contact                      6%      $13
Public Relations/Communications      1%       $2
                                    14%      $30
                                     2%       $4
                                     1%       $2
                                     2%       $4
                                    39%      $83
                                     9%      $19
Total                              100%     $214
Source: http://www.ponemon.org/index.php
Of these attacks, 85% are not even considered difficult, and 96% are
avoidable through simple or intermediate controls (Verizon Data
Breach Investigations Report).
So what is the incentive for a criminal to gain access to your PI,
through either a low-tech breach or by hacking into a computer
network? The value of your stolen data on the black market is quite
surprising:
Item                      Overall Rank 2010   Overall Rank 2009   Percentage 2010   Percentage 2009   2010 Price Ranges
Credit Card Information                                                22%               19%          $0.07-$100
Bank Account Credentials                                               16%               19%          $10-$900
Email Accounts                                                         10%                7%          $1-$18
Attack Tools                                          13                7%                2%          $5-$650
Email Addresses                                                         5%                7%          $1/MB-$20/MB
Credit Card Dumps                                                       5%                5%          $0.50-$120
Full Identities                                                         5%                5%          $0.50-$20
Scam Hosting                                          14                4%                2%          $10-$150
Shell Scripts                                                           4%                6%          $2-$7
Cash-out Services                                     10                3%                4%          $200-$500 or 50%-70% of Total Value
COST OF NON-COMPLIANCE
As if the requirements in the statutes themselves were not
burdensome enough, many of the regulations include significant
penalties for failing to comply with the data privacy statutes. A few of
the legal penalties include:
- Up to $750,000 in penalties to the company for failure to notify
  affected individuals
- $10,000 per violation for officers/directors personally (Gramm-Leach-Bliley Act)
- Up to $50,000 per violation for consumer health information
  retained on a hard drive (Health Insurance Portability and
  Accountability Act [HIPAA])
- Officers/directors can serve up to five years in prison
- Banks can lose FDIC insurance
- Bank officers can be barred from the industry under the Gramm-Leach-Bliley Act
- State privacy statutes provide for private civil actions for
  instances of non-compliance, including punitive damages and
  attorneys' fees
- Under HIPAA, failure to properly erase consumer health
  information can carry a minimum prison term of one year
(Source: http://www.symantec.com/threatreport/)
CONCLUSION
James J. Giszczak, a Member with McDonald Hopkins, litigates matters involving data
security and data privacy and advises clients regarding data security measures and
responding to security breaches. Jim also works with clients in a myriad of industries
to assess and implement appropriate data security safeguards and continues to work
with federal, state and local authorities, as well as third-party vendors.
Jim can be reached at: jgiszczak@mcdonaldhopkins.com
An Associate with McDonald Hopkins in Detroit, Michigan, Dominic A. Paluzzi, advises
clients regarding data privacy and network security measures, drafts information
security programs and incident response plans, and responds to data security breaches.
Dominic coaches clients who have experienced a data breach, ensuring compliance
and minimizing exposure.
Dominic can be reached at dpaluzzi@mcdonaldhopkins.com
iTunes Announcement
AVAILABLE NOW!
Subscribe to the free iTunes podcasts, co-sponsored by Privacy Analytics, providing a comprehensive
webinar series addressing the topics of de-identification, data breaches, data protection, consent,
ethics, privacy regulations, and data sharing.
"In every market the patient still has this trust with the care provider,
but they react very emotionally when things go wrong, all the way
to the sacking of the executives," says Kurt Long, FairWarning CEO,
admitting his surprise at the 90 per cent response rate demanding
fines or dismissal for executives who fail to act following a breach.
(Source: http://www.fairwarning.com/subpages/resources.asp#patientsurveys)
"We conclude that there's a lot of trust and a belief that care providers
are doing the right things, but when it goes wrong, boy are they mad,"
adds Long.
With time to absorb the survey results and a commitment to use the
current surveys to benchmark follow-up studies in the four countries,
Long predicts a blend of openness and privacy in the future.
Useful Link:
HIPAA Security Spot Audits Begin: Chicken Littles and Annual Traditions,
Webinar by Ken Rashbaum for Privacy Analytics, February 2012
(https://www.ehealthinformation.ca/survey/webinarfeb132012.aspx)
[Chart: average number of breaches by location, covering Paper, Network Server, Other and Desktop Computer]
(Analysis of OCR data, Jan 17 to Feb 17, 2012, by Health Information Privacy/Security
Alerts, HIPAA & Breach Enforcement Statistics,
http://www.melamedia.com/HIPAA.Stats.home.html)
Spurred on, Pam Dixon and World Privacy Forum released Medical
Identity Theft: The Information Crime that Can Kill You, on May 3, 2006,
the most comprehensive report to date on medical identity theft and
medical identity fraud. The report helped to define the term medical
identity theft and provided real-life crime stories and accompanying
statistics. The media gravitated to the report and helped to raise
public awareness.
"It can be done, but it's just a matter of shifting a very old culture into
a very new age where security is essential."
Looking ahead, Dixon predicts that the healthcare world will
continue to attract the attention of organized crime, and in the
coming months the World Privacy Forum will complete a two-year
project on criminal operations in the healthcare field that will plot the
geographical locations of the criminal activity in the U.S.
"The purpose of the report was to prove that medical identity theft
existed, and we expected some push back," says Dixon.
Useful Link:
Medical Identity Theft: The Information Crime that Can Kill You,
World Privacy Forum, 2006 (http://www.worldprivacyforum.org/medicalidentitytheft.html)
In the years that have passed since the report was released, Dixon
seems frustrated that the public continues to hear stories about data
breaches caused by the loss or theft of unencrypted USB sticks and
unencrypted laptops. As a privacy expert serving many industries,
she says that these simple mistakes would just not happen in the
financial sector or to a bank employee because there is a culture of
security.
The First Wave of OCR Audits for HIPAA and HITECH Compliance: Key Results Summary
BY MIKE HUMASON, DIRECTOR OF HEALTHCARE SYSTEMS, MICRO SOLUTIONS
Thousand Oaks, California, U.S.A. Since the passage of the
Health Information Technology for Economic and Clinical Health
Act (HITECH), part of the 2009 ARRA, observers have been watching
the news to see what government regulators are doing to enforce the
many provisions of HIPAA and HITECH, as well as various state
regulations. Changes to enforcement structure and doctrine have
indicated that sweeping changes are underway, leading to a far more
proactive effort to audit, investigate and, where indicated, mandate
corrective actions on the part of healthcare providers in the areas of
patient records privacy and security. Subject matter experts and legal
experts have speculated at length over if, and when, a major wave of
audit activities might commence. A pilot project was initiated late last
year, and initial information on it is just becoming available.