
Healthcare Providers Gaining Trust by Marketing Security

You’ve surely heard of “B2B” or business-to-business marketing. The new game plan is “B2C” – business to consumer marketing, particularly in the healthcare industry. The Affordable Care Act allows healthcare organizations to directly deal with consumers on a massive scale for the first time. However, this comes with some challenges, namely, how to effectively reach potential consumers and differentiate their organization from the competition.

Organizations must take notice that potential enrollees aren’t just concerned about cost and coverage, but about two less apparent concerns: privacy and security.

Consumers want reassurance that their data is protected. They can’t get all the data breach fiascos out of their mind. According to the TRUSTe 2014 U.S. Consumer Privacy Report, 92 percent of U.S. Internet users are worried about their online privacy. Of these, 47 percent are frequently worried.

So even though a potential enrollee may have complete faith in your service and reputation, they may be unnerved by the pathways of information exchange: the Internet, mobiles, wireless networks, computers. They know that their personal health data is out there in “space,” up for grabs.

If you want strong enrollment numbers and loyal customers, you must put the consumer’s concern for the protection of their personal health information at the top of the priority list. No way around this. If consumers don’t get assurance from you, they won’t stick around for it; they’ll take their business elsewhere.

So what will you do to put consumers’ apprehension at ease? One way is to put a security and privacy program in place and communicate it to them.

AllClear ID provides the following guidelines for healthcare insurers and providers:

  • Continue to use state-of-the-art IT techniques to secure cloud services, access points, databases and mobile devices; and to better monitor systems for breaches.
  • Improve security of corporate devices and employees’ personal mobile devices used for work.
  • Enhance employee training at all levels to decrease errors, improve device security and ensure HIPAA compliance. Also train employees around how to comfortably talk to customers about how their data will be protected.
  • Institute an identity protection program for enrollees to make them feel safe signing up with you and reduce the pain if there is a breach.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Healthcare Firm pays Big Bucks for Breach

A data breach can slug below the belt and knock a healthcare business flat on its back, as was the case with Columbia University and the New York and Presbyterian Hospital.

They paid a $4.8 million settlement (the biggest HIPAA settlement to date) after the electronic records of 6,800 patients (including vital stats, medications and even lab results) were accidentally leaked into cyberspace.

The leak was caused when a Columbia University doctor (who developed applications for CU as well as NYP) attempted to deactivate a computer server that was personally owned; the server was on the network that contained patient data.

The server lacked technical safeguards, and there’s evidence that neither organization had made any efforts, prior to the data breach, to ensure that the server was properly protected.

In fact, no risk analyses had been conducted, there was no risk management plan of substance, and both parties had failed to put in place policies and procedures governing access to databases, among other failures.

The leak was unveiled when someone discovered and then complained of details of a deceased partner (a former NYP patient) online.

Neither NYP nor CU had taken measures to ensure server integrity.

“When entities participate in joint compliance arrangements,” says Christina Heide, “they share the burden of addressing the risks to protected health information.” Heide is Acting Deputy Director of Health Information Privacy for OCR. She goes on to point out that this disaster should be a wakeup call to healthcare organizations that protection of patient data should be paramount.

Part of the judgment is that both organizations will have to overhaul security measures, a major corrective action undertaking that includes developing a risk management plan and providing progress reports.

Find more information about this breach here:

http://insurancenewsnet.com/oarticle/2014/05/08/data-breach-results-in-$48-million-hipaa-settlements-a-500992.html


Healthcare Data under Attack

Crooks want your health information. Why?

It’s called medical identity theft, and it’s not going away anytime soon. In fact, the ACA (Affordable Care Act) has only fueled the situation, says the Ponemon Institute, a security research firm.

This latest of Ponemon’s four annual Patient Privacy and Data Security studies reveals that sloppy behavior, like losing a laptop that has unencrypted data, is a primary cause of data breaches.

A crook would love this information because, “in the world of black market information, a medical record is considered more valuable than everything else,” says Larry Ponemon, the Institute’s founder.

The study was sponsored by ID Experts, and its founder, Rick Kam, says that the “black market is being flooded with payment card data.” Health care data, by contrast, includes a Social Security number and a personal health record—data that sticks around for a long time, unlike a credit card number.

Breaches can also result from unsecured mobile devices, employee negligence and third-party contractors who can get their hands on the data.

But by and large, says Ponemon, health care employees are good people who sometimes just “do stupid things.” And the rushed nature of their jobs can compromise attention to security.

One hospital visit can net six to 10 companies having access to your data, says Kam. This includes the ambulance company, hospital, extraneous labs and the health insurance company.

If someone snatches your medical records, you’ll be in a major jam. For instance, the thief who claims to be you can get medical treatment for an STD—and that will go on your record. Worse, the thief may have a different blood type. What if you’re in an accident and need blood transfusions, and you end up getting the wrong blood type?

The proliferation of mobile devices makes it even easier for criminals to steal data.

The study showed that 88 percent of medical facilities permit employees to access patient data via their own mobiles (and what percentage of these employees do you really believe have encryption and other security measures in place?).


Health Care Information Breaches rise

Medical errors can also mean medical identity theft—accounting for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks other forms of ID theft to the curb: banking, finance, government, military and education.

Fraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation worse is the Affordable Care Act, as the implementation of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—the Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines and up to 10 years’ prison time.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities,” in which confidential information is shared. People who know that HIPAA isn’t airtight may be reluctant to reveal to their doctor that they have an STD or a psychiatric disorder unless absolutely necessary.

Under the HITECH Act, patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached. The Department of Human Health must also be notified, and the Department will publicly disclose breaches that involve at least 500 patients.

The discovery, though, doesn’t solve the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but another story to get the fraudulent information taken out, due to fear of medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.
