
Healthcare Providers Gaining Trust by Marketing Security

You’ve surely heard of “B2B” or business-to-business marketing. The new game plan is “B2C” – business-to-consumer marketing, particularly in the healthcare industry. The Affordable Care Act has healthcare organizations dealing directly with consumers on a massive scale for the first time. That brings challenges, namely how to reach potential consumers effectively and how to differentiate the organization from its competition.

Organizations must take notice that potential enrollees aren’t concerned only about cost and coverage, but also about two less obvious things: privacy and security.

Consumers want reassurance that their data is protected; they can’t get the steady stream of data breach fiascos out of their minds. According to the TRUSTe 2014 U.S. Consumer Privacy Report, 92 percent of U.S. Internet users are worried about their online privacy, and 47 percent of those are frequently worried.

So even though a potential enrollee may have complete faith in your service and reputation, they may be unnerved by the pathways their information travels: the Internet, mobile devices, wireless networks, computers. They know their personal health data is out there, up for grabs.

If you want strong enrollment numbers and loyal customers, you must put the consumer’s concern for the protection of their personal health information at the top of the priority list. No way around this. If consumers don’t get assurance from you, they won’t stick around for it; they’ll take their business elsewhere.

So what will you do to put consumers’ apprehension at ease? One way is to build a visible security and privacy program and tell enrollees about it.

AllClear ID provides the following guidelines for healthcare insurers and providers:

  • Continue to use state-of-the-art IT techniques to secure cloud services, access points, databases and mobile devices; and to better monitor systems for breaches.
  • Improve security of corporate devices and employees’ personal mobile devices used for work.
  • Enhance employee training at all levels to decrease errors, improve device security and ensure HIPAA compliance. Also train employees in how to talk comfortably with customers about how their data will be protected.
  • Institute an identity protection program for enrollees to make them feel safe signing up with you and reduce the pain if there is a breach.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

Healthcare Establishing Customer Security Programs

Consumers really get stiffed when there’s a data breach, having to change their passwords, replace credit cards, and other bothersome tasks, not to mention the grief over stolen personal information.

Healthcare organizations (a prime target of cyber criminals for several reasons) need to think beyond the approach of “Here’s how we’re protecting your data” and shift to “We are dead serious about our customers’ security.”

This is how healthcare organizations can be truly proactive. While organizations shouldn’t reveal too much about their security controls (detailed disclosure can make an attacker’s job easier), they DO need to be generous with candid messages about how vital it is to protect consumer data.

Throwing around the same generic, recycled language about “Here’s what we’re doing to protect you” no longer cuts it and doesn’t build a lot of trust in the consumer. Instead, organizations should impress upon consumers their devotion to security in meaningful and understandable ways.

Consumer security should be free to the customer. This will delight consumers and help ease their anxieties over data safety, while setting the organization apart from its competitors. That’s how to put the brand’s reputation at the top and build customer loyalty.

Key Features of a solid customer security program

  • Information must be protected at the time of sign-up and data collection, and must remain protected if the data is lost or stolen.
  • The organization is accountable for recovery and restoration in the event of a breach; owning the cleanup builds customer loyalty.
  • Financial losses the customer suffers must be recovered.
  • Credit reports damaged by the breach must be restored.

According to AllClear ID, here is how healthcare organizations can make an impression on their customers:

  • Implement current IT security practices to secure mobile devices, access points, databases and cloud services, and to monitor systems for breaches.
  • Strengthen the security of both the organization’s devices and employees’ personal mobile devices used for work.
  • Improve employee training at every level to reduce mistakes.
  • Reinforce HIPAA compliance.
  • Create an identity protection plan so that potential customers have confidence enrolling and feel less anxious about the fallout of a breach.


Healthcare Firm pays Big Bucks for Breach

A data breach can slug below the belt and knock a healthcare business flat on its back, as was the case with Columbia University (CU) and New York and Presbyterian Hospital (NYP).

Together they paid a $4.8 million settlement (the biggest HIPAA settlement up to that time) after the electronic records of 6,800 patients (including vital signs, medications and even lab results) became accessible on the Internet through search engines.

The leak happened when a Columbia University physician, who developed applications for both CU and NYP, attempted to deactivate a personally owned computer server; the server sat on the network segment that held NYP patient data.

The server lacked technical safeguards, and there is evidence that neither organization had made any effort, prior to the breach, to ensure the server was properly protected.

In fact, neither had conducted a risk analysis, neither had a risk management plan of substance, and both had failed to put in place policies and procedures governing access to the patient databases, among other shortcomings.

The leak came to light when an individual found the details of a deceased partner, a former NYP patient, online and complained.

“When entities participate in joint compliance arrangements,” says Christina Heide, “they share the burden of addressing the risks to protected health information.” Heide is Acting Deputy Director of Health Information Privacy for the HHS Office for Civil Rights (OCR). She goes on to point out that this disaster should be a wakeup call to healthcare organizations that protection of patient data should be paramount.

Part of the settlement is that both organizations must overhaul their security measures under a substantial corrective action plan that includes developing a risk management plan and providing progress reports to OCR.

Find more information about this breach here:

http://insurancenewsnet.com/oarticle/2014/05/08/data-breach-results-in-$48-million-hipaa-settlements-a-500992.html


HHS provides Healthcare Providers Risk Assessment Tools

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct a risk assessment of their healthcare organization.

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. It also reveals where your organization’s protected health information (PHI) could be at risk. The Office for Civil Rights’ official guidance on risk analysis explains the assessment process and how it benefits your organization.

The Department of Health and Human Services (HHS) is now providing health care providers in small to medium-sized offices a new security risk assessment tool to guide them in conducting risk assessments of their organizations.

The security risk assessment (SRA) tool comes from a combined effort between the Office for Civil Rights and the HHS Office of the National Coordinator for Health Information Technology.

With the tool’s guidance, practices can carry out and document a risk assessment effectively and evaluate their information security risks under the HIPAA Security Rule. The application can be downloaded from www.HealthIT.gov/security-risk-assessment.

HIPAA requires such organizations to routinely evaluate their physical, technical and administrative safeguards to preserve information security.

Conducting the risk assessment lets health care providers uncover gaps in their systems and security policies and address the weaknesses found, all of which helps stave off health data breaches and other security mishaps.

A security risk assessment is also required of health care providers that seek incentive payments through the Medicare and Medicaid EHR Incentive Programs.

A user guide and tutorial video are available on the SRA tool’s website.

Additionally, the site provides videos on risk analysis.


Healthcare Data under Attack

Crooks want your health information. Why?

It’s called medical identity theft, and it’s not going away anytime soon. In fact, the ACA (Affordable Care Act) has only fueled the problem, says the Ponemon Institute, a security research firm.

The fourth annual Ponemon Patient Privacy and Data Security Study reveals that careless behavior, like losing a laptop that holds unencrypted data, is a primary cause of data breaches.

A crook would love this information because, “in the world of black market information, a medical record is considered more valuable than everything else,” says Larry Ponemon, the Institute’s founder.

The study was sponsored by ID Experts, whose founder, Rick Kam, says that the “black market is being flooded with payment card data.” Health care data, by contrast, includes a Social Security number and a personal health record. A stolen card number is cancelled and reissued; an SSN and a medical history stay valid, and valuable, for years.

Breaches can also result from unsecured mobile devices, employee negligence and third-party contractors who can get their hands on the data.

But by and large, says Ponemon, health care employees are good people who sometimes just “do stupid things.” And the rushed nature of their jobs can compromise attention to security.

One hospital visit can give six to 10 companies access to your data, says Kam. This includes the ambulance company, the hospital, outside labs and the health insurance company.

If someone snatches your medical records, you’ll be in a major jam. For instance, the thief who claims to be you can get medical treatment for an STD—and that will go on your record. Worse, the thief may have a different blood type. What if you’re in an accident and need blood transfusions, and you end up getting the wrong blood type?

The proliferation of mobile devices makes it even easier for criminals to steal data.

The study showed that 88 percent of medical facilities permit employees to access patient data from their own mobile devices (and what percentage of those employees do you really believe have encryption and other security measures in place?).


Insurance Company fined BIG for Breach

Why would an insurance company be fined for a data breach?

There was a security breach at Triple-S Salud, Inc. (TSS), a subsidiary of Triple-S Management Corporation (NYSE: GTS). The Puerto Rico Health Insurance Administration (PRHIA) plans to impose a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare (DEM) beneficiaries. The sanctions also include suspending all new DEM enrollments and notifying current enrollees of their right to disenroll.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

Last September TSS sent out a pamphlet that unintentionally displayed the Medicare Health Insurance Claim Number (HICN) of some recipients. The HICN is a unique identifier assigned by the Social Security Administration, and it is considered protected health information.
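A mailing like the one described above normally goes through a mail-merge step that renders each recipient’s pages before print. The control a practitioner would want at that step is a pre-release scan of the rendered text for identifiers that must never appear on paper. The following is an added example, not code from the original post or from Triple-S; it assumes the legacy HICN layout (a 9-digit SSN followed by a one- or two-character Beneficiary Identification Code such as A, B1 or D), and the sample pages, HICNs and SSNs in it are constructed, not real beneficiary data.

```python
"""Pre-print scan of rendered mail-merge pages for Medicare HICNs and SSNs.

Added example. Assumption: legacy HICN = 9-digit SSN (with or without dashes)
plus a Beneficiary Identification Code (BIC) of one letter and an optional
letter/digit, e.g. 123-45-6789A or 123456789B1. Real BIC values are not
enumerated; any letter [+ letter/digit] suffix is treated as a candidate.
"""
import re
from dataclasses import dataclass

_SSN_CORE = r"(\d{3})-?(\d{2})-?(\d{4})"
# Lookarounds keep the match from landing inside a longer digit/word run
# (e.g. a 10-digit account number) and from matching half of an identifier.
HICN_RE = re.compile(r"(?<![\w-])" + _SSN_CORE + r"([A-Z][A-Z0-9]?)(?![\w-])")
SSN_RE = re.compile(r"(?<![\w-])" + _SSN_CORE + r"(?![\w-])")


@dataclass(frozen=True)
class Finding:
    page: int      # 1-based page of the rendered mailing
    kind: str      # "HICN" or "SSN"
    masked: str    # only the last four digits (and any BIC) are kept for the report


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups that cannot be an issued SSN: area 000, 666 or 9xx,
    group 00, serial 0000. This removes most false positives on claim numbers,
    dates and phone fragments that happen to form nine digits."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask_identifier(serial: str, bic: str = "") -> str:
    return f"***-**-{serial}{bic}"


def scan_page(page_no: int, text: str) -> list[Finding]:
    """Return every HICN- or SSN-shaped value on one rendered page.

    HICNs are matched first; because SSN_RE refuses a trailing word character,
    the SSN embedded in an HICN is not reported a second time."""
    findings = []
    for m in HICN_RE.finditer(text):
        area, group, serial, bic = m.groups()
        if plausible_ssn(area, group, serial):
            findings.append(Finding(page_no, "HICN", mask_identifier(serial, bic)))
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            findings.append(Finding(page_no, "SSN", mask_identifier(serial)))
    return findings


def scan_document(pages: list[str]) -> list[Finding]:
    """Scan all pages of one rendered mailing; an empty list means it is clean."""
    out = []
    for i, text in enumerate(pages, start=1):
        out.extend(scan_page(i, text))
    return out


def release_ok(pages: list[str]) -> bool:
    """Print-job gate: nothing resembling an HICN or SSN may be present."""
    return not scan_document(pages)


# Constructed sample pamphlet pages (not real data). Pages 1 and 2 carry an
# HICN, page 3 carries only look-alikes that must not fire, page 4 an SSN.
SAMPLE_PAGES = [
    "Dear Member, your plan ID: 123-45-6789A is shown for your records.",
    "Member 456789012B1\nPO Box 1234, San Juan PR 00936",
    "Call (787) 555-0123 between 2013-09-01 and 2013-09-30. Claim 000-12-3456.",
    "SSN on file: 321-54-9876. Group 55512, Plan H1234-001.",
]

if __name__ == "__main__":
    for f in scan_document(SAMPLE_PAGES):
        print(f"page {f.page}: {f.kind} {f.masked}")
    print("release ok:", release_ok(SAMPLE_PAGES))
```

The gate is deliberately strict: a member mailing has no legitimate reason to carry an HICN or SSN anywhere in its rendered text, so any finding blocks release rather than being scored. Run it against the rendered output, not the template, since the leak in this incident came from the merged data, not the layout.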

TSS investigated the incident and reported it to federal agencies and to the Puerto Rico government. TSS complied with the PRHIA’s requests for information about the DEM beneficiaries and took additional measures, including a breach alert through local media; all affected beneficiaries were notified of the breach by mail.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.


Health Care Information Breaches rise

Medical records are now the leading breach target: the medical and healthcare sector accounted for 43 percent of all data breaches reported in the U.S. in 2013, says the Identity Theft Resource Center, ahead of banking and finance, government and military, business, and education.

Fraudsters use stolen health data to illegally obtain prescription drugs, services or devices and to collect insurance reimbursements.

Making the situation worse is the Affordable Care Act: the rollout of the federal and state health insurance exchanges involved malfunctioning online marketplaces, and the Act promotes digitizing medical records, which means far more records online and exposed.

What about an honor system?

HIPAA—the Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations can bring stiff fines and, for criminal offenses, up to 10 years in prison.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities,” under which confidential information may be shared. People who know that HIPAA isn’t airtight can be put off from revealing an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Under the HITECH breach notification rules, patients must be notified by their health plan, medical institution or medical provider once it has been determined that their health information was breached. The Department of Health and Human Services must also be notified, and it publicly posts breaches that affect 500 or more individuals.

Notification, though, doesn’t undo the damage already done. It’s fairly straightforward to have the right information put back into a patient’s file, but another story to get the fraudulent information taken out, because providers fear the liability of deleting records.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.
