Mocana, a company that focuses on smart device security, will host a summit of technology leaders to address dangerous security breaches, hacks and vulnerabilities recently reported in a range of electronic medical devices. Hosted jointly with Symantec and Codenomicon, the “Amphion Forum: Medical” will be held in Minneapolis, Minnesota on November 3, 2011 during the MD&M Conference. The invitation-only executive breakfast and roundtable seeks to foster frank discussions between the big medical device manufacturers, hackers and security experts about the opportunities — and threats – presented by the unprecedented proliferation of networked electronic medical devices within the healthcare industry.

The summit is free, but seating is limited. Request an invitation at http://amphionforum.com/medical11/

Mocana founded the Amphion Forum to provide a venue for stakeholders in the smart device economy to share solutions and forge a clear direction for the future of the “Internet of Things”. Event organizers hope to foster a “World Economic Forum-type” environment where big thinkers can share ideas for solving some of the most pressing problems facing the global device infrastructure, especially as it pertains to the tens of millions of networked medical devices.

“Security has always been a digital health issue, but traditionally security requirements have been driven by the regulatory requirement to protect electronic health records (EHR). The issue has taken on new urgency, however, since recent demonstrations of wireless hacks on devices like implanted insulin pumps and defibrillators,” said Adrian Turner, CEO, Mocana. “These devices are proliferating nearly five times faster than PC’s in healthcare environments, but we’re not seeing the same ‘due diligence’ PC’s receive when it comes to making sure these devices are digitally ‘safe’..Our industry needs to work together to solve this problem.”

Event attendees will engage in interactive sessions that explore the most compelling ideas for realizing the potential of the “Internet of Things” in healthcare. Some of the luminaries and iconoclasts that will participate in the Amphion Forum: Medical include Dr. Dale Nordenberg, MD, Executive Director of the Medical Device Innovation, Safety and Security Consortium (MDISS); Joe Pasqua, VP of Research at Symantec; Tom Zemites, Strategic Marketing Manager of the Microsemi Implantable Medical Devices Division; Andras Nadas, Senior Research Engineer for the Institute for Software Integrated Systems at Vanderbilt University; and David Chartier, CEO of Codenomicon, among others.

The Amphion Forum is free of charge, but seating is limited. To request an invitation visit: http://www.amphionforum.com .

Event Details:

Date: Thursday, November 3, 2011

Time: 8 a.m. — 1 p.m.

Location: Marquette Hilton: 710 Marquette Avenue South Minneapolis, MN 55402

Image By lydiashiningbrightly

A majority of health organizations are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands, according to a new report released today by the Health Research Institute at PwC US. Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, says PwC.  Health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn’t fall into the wrong hands.

In its report entitled Old data learns new tricks:  Managing patient privacy and security on a new data-sharing playground, PwC says that existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associations;  the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to better and more efficiently manage patient health.

A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:

–  Theft accounted for 66 percent of total reported health data breaches
over the past two years.  Also, medical identity theft appears to be on
the rise.  Over one third (36 percent) of provider organizations
(hospitals and physician groups) confirmed that they have experienced
patients seeking services using somebody else’s name and identification.
–  More than half (55 percent) of health organizations surveyed have not
addressed privacy and security issues associated with the use of mobile
devices, and less than one-quarter have addressed privacy and security
implications of social media.
–  More than half (54 percent) of health organizations surveyed reported at
least one issue with information privacy and security over the past two
years.
–  The most frequently reported issue among providers was the improper use
of protected health information by an internal party.  Over the past two
years, 40 percent of providers reported an incident of improper internal
use of protected health information.
–  The most frequently reported issue among health insurers and
pharmaceutical and life science companies was the improper transfer of
files containing personal health information to unauthorized parties.
Over the past two years, one in five (21 percent) pharmaceutical and
life sciences companies and one in four (25 percent) of health insurers
improperly transferred files containing protected health information.

“Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur,” said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC.  ”Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure.”

Over the last several years, financial institutions, retailers and healthcare organizations around the world have become frequent victims of data breaches. As more and more breaches are reported that impact large numbers of consumers, customers are losing confidence in the organizations they once trusted. In the second part of a recent SailPoint Market Pulse Survey, conducted online by Harris Interactive, consumers expressed cynicism about how these organizations are protecting their data and a willingness to leave a business that experienced a breach. The recent online survey was conducted among 2,241 adults in Great Britain, 1,023 adults in Australia and 2,309 U.S. adults.

According to SailPoint’s Market Pulse Survey, the majority of adults in the United States, Great Britain and Australia are worried about possible exposure of their personal information, and a large percentage of adults have lost confidence in how companies protect their personal information. As an example, 80% of Americans, 81% of Britons and 83% of Australians who have personal medical information are concerned about moving that information to an electronic form because of the risks of identity theft or invasion of privacy resulting from their personal information being exposed on the Internet, to other staff members or even their employers.

When asked specifically about a healthcare organization managing their personal information electronically, respondents are most “concerned” about:

• Their identities being stolen – 35% of Americans, 33% of Britons and 37% Australians
• Personal info being exposed on the Internet – 29% of Americans, 26% of Britons and 30% of Australians
• Personal information being viewed by persons not directly related to the patient’s care – 10% of Americans, 15% of Britons and 11% of Australians
• The possibility of an employer learning about a private health condition – 5% of Americans, 5% of Britons and 3% Australians

“Consumers are right to be concerned about the possible exposure of their very private medical information. As the healthcare industry around the world moves toward digitizing personal healthcare records, keeping patient information private and secure must be the highest priority. Healthcare organizations need to make sure that they have the proper controls in place to protect patient data; those that don’t clearly risk lawsuits, fines, and most importantly, loss of patient trust,” said Jackie Gilbert, vice president of marketing and co-founder at SailPoint.

SailPoint has produced a nice info-graphic on the survey results as well.

meridianEMR(®), the Livingston, New Jersey-based provider of Electronic Health Records (EHR) for Urology, announces that its Advanced Monitoring System (AMS) recently detected a security breach and other unusual activities on a practice’s meridianEMR server. This instant detection allowed meridianEMR and the Urology practice to respond immediately in protecting patient records. The successful operation of AMS highlights the company’s commitment to protecting patient data.

As part of its strong client relationships, meridianEMR shares the responsibility of protecting private information in accordance with HIPAA regulations. AMS is one part of the security measures meridianEMR provides to help protect patient data. “AMS is an integrated part of the meridianEMR system and comes at no additional cost to customers. This is a distinguishing feature of our EHR,” commented Larry G. Drappi, EVP of Sales and Marketing, meridianEMR.

“We are dedicated to adhering to privacy laws and to following best practices with regard to patient data security. If we detect any unusual activity on our customers’ meridianEMR servers, we alert them immediately,” said Michael J. Custode, CEO, meridianEMR. “As this situation revealed, Urology practices must be aware of threats to patient data security, including requests by other EHR vendors for server access – for any reason.” meridianEMR is committed to absolute transparency in all of its endeavors, including the safe and legal transfer of data, whenever necessary, according to Custode.

AMS is part of meridianEMR’s Proactive Support Monitor, which allows clients to focus on their practices and patient care rather than their EHR technology. Every meridianEMR customer receives the integrated Proactive Support Monitor to protect the safety and security of their system and data. With this monitor, meridianEMR automatically conducts more than 30 diagnostic tests on its customers’ systems each day and provides them with an early alert if something requires their attention, as was the case in the recent security breach.

The diagnostic tests monitor:

• Security – meridianEMR’s AMS is an integral part of its Proactive Support Monitor. It ensures the safety of client data and monitors for unauthorized access attempts.
• Connectivity – meridianEMR tests for connectivity every 10 minutes. Should meridianEMR lose contact with a client’s server, an alert is immediately sent to the client that the network is down.
• Hardware – meridianEMR monitors clients’ hard drives, controller cards, memory, power supplies and other components to ensure that their system is up and running at all times.
• Disk Space – meridianEMR monitors disk space and alerts clients if it is low.
• Database – meridianEMR ensures that its clients’ databases are running  24/7.
• Interfaces – meridianEMR constantly checks its clients’ interface engines for errors. If a client’s practice management system, laboratory module, or any other interface goes down, meridianEMR notifies them  immediately.

The New York Times is reporting that a medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since they discovered the breach the Stanford Hospitals and Clinics has investigated how a detailed spreadsheet from one of it’s vendors (a billing contractor) was posted to a web site that allows students to solicit paid assistance with their homework.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

You can read the entire article on the New York Times website here.

Mobile devices have become as common as the stethoscope in patient’s rooms. Physicians routinely review patients’ electronic health records, read test results, access diagnostic tools and take patient notes, all with a few touches on their iPad or tablet, smartphone or using a flash drive. These mobile devices are ideal for information sharing and time savings, but they pose huge security risks to patient information.

In less than two years, from September 22, 2009 through May 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights indicates that 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device, exposing more than 1.9 million patients’ PHI. A panel of five experts in the fields of healthcare IT, security and privacy, data breach and identity theft—Jill Arena, Chad Boeckmann, Rebecca Herold, Rick Kam, and Robert Siciliano—share their insights on how healthcare organizations and providers can optimize mobile health (mHealth) while protecting patients’ data.

Electronic Health Records Increase Mobile Device Usage

Sixty-four percent of physicians own smartphones and 30 percent of physicians have an iPad, with another 28 percent planning to buy one within six months, according to a recent Manhattan Research study. 10,000 mobile healthcare applications are available today on the iPad, with a larger number of them created to provide access to electronic health records. Additionally, one-third of physicians use their mobile devices to input to EHR while seeing patients, while the information is fresh.

Experts Offer Their Insights on mHealth

Jill Arena, managing partner, Health e Practice Solutions, LLC, consulting and technology solutions, www.healthepracticesolutions.com/: “In many ways, digitizing patient information can make it more secure, but only if the proper security measures are in place. As we move to introduce iPad applications that integrate with physicians’ Electronic Medical Records (EMR) products, we can edit, route and capture signatures on patient forms without ever dropping them to paper. This allows physicians and their office staff to recapture valuable staff time, and it keeps paper forms with PHI, Social Security numbers and other sensitive information from floating around the clinic and potentially falling into the wrong hands.”

Chad Boeckmann, president, Secure Digital Solutions, LLC, comprehensive privacy strategy, www.securedigitalsolutions.com/: “Anytime an organization extends information beyond its walls, a risk assessment should be conducted to determine the level of security controls, including monitoring of those controls. Mobile devices are a great example of extending the enterprise. Organizations need to understand the complexities of securing mobile devices, applications and the people who use them as part of a well-rounded data security and risk management program.”

Rebecca Herold, Rebecca Herold & Associates, LLC, information security, privacy and compliance tools, education and consulting, www.privacyguidance.com/: “In healthcare, doctors and nurses are increasingly using mobile computing devices and storage devices as part of their care giving activities, storing goldmines of patient information on them. Because of the combination of increased business and patient data storage and entrusting mobile workers with mobile computing devices, it is vital that an effective mobile computing device and storage media security and privacy management program is in place. Not only to meet HIPAA compliance requirements, but also to protect your patients and your hospitals and clinics. A key component is providing training and awareness to those staff using such devices. After all, doctors and nurses cannot protect information on mobile devices if they are not taught effective ways to do so. If you don’t provide security knowledge to those using mobile devices, privacy breaches will occur.”

Rick Kam, president and co-founder, ID Experts, comprehensive data breach solutions, www.idexpertscorp.com: “Many Wi-Fi networks in hospitals and doctor’s offices are not secure and coupled with the increased mobile device usage, patient data is at risk. Here are eight things you can do to protect sensitive patient data:

1. Whenever possible, don’t store sensitive data on wireless devices. If required, ensure the data is encrypted.
2. Enable password protection on wireless devices, and configure the lock screen to come on after a short period of inactivity.
3. Turn on the Remote Wipe feature of wireless devices.
4. Enable Wi-Fi network security. Do not use WEP, and only use WPA-1 with strong passphrases. Use WPA-2 if possible.
5. Change the default SSID and administrative passwords.
6. Don’t transmit your wireless router’s SSID.
7. Only allow your devices to connect by specifying their hardware MAC address.
8. Implement a Wireless Intrusion Prevention System.”

Robert Siciliano, CEO, IDTheftSecurity.com, personal security and identity theft expert, www.IDTheftSecurity.com: “Mobile isn’t just a convenient new gadget or toy, it’s a huge target for criminal hackers and needs to be treated accordingly.”

About the Panel of Industry Experts

Jill Arena, managing partner with Health e Practice Solutions, LLC, holds a Fellowship from the American College of Medical Practice Executives and has extensive experience in practice start-up and workflow improvement, including the implementation and management of the newest health information technologies. Her professional focus and passion is the intersection of physician-patient-computer. Over the past 15 years, Jill has started more than 37 new clinics, where she has introduced EMRs and implemented complete clinical IT systems.

Chad Boeckmann, president of Secure Digital Solutions, LLC, assists organizations in government, financial, healthcare and retail industries to achieve information security and compliance goals. Since 2005 Secure Digital Solutions (SDS) continually enables companies to gain confidence and trust from their clients and auditors through IT security and regulatory compliance services. Clients continually rely upon SDS to deliver customized solutions, thought leadership, a strong work ethic and exceptional client service. SDS provides value by delivering business services and solutions effectively and tailor solutions to achieve client requirements.

Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, The Privacy Professor®, has more than two decades of information security, privacy and compliance experience. Rebecca is a partner and subject matter expert for the first cloud-based HIPAA/HITECH compliance service, Compliance Helper (www.compliancehelper.com). As owner and principal of Rebecca Herold & Associates, LLC, Rebecca is a widely recognized and respected information security, privacy and compliance expert and has been named multiple times as a “Best Privacy Adviser in the World” by Computerworld. She is currently working on her 15th published book.

Rick Kam, CIPP, is president and co-founder of ID Experts, and chairman of the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents and identity theft. Previously, Kam spent 20 years at IBM Corporation in sales, management, and customer relationship management consulting.

Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating, and empowering Americans to protect themselves from violence and crime in the physical and virtual worlds. For more than 20 years, Robert has been working in all aspects of security. A blogger, consultant, and speaker on a wide variety of topics including computer security, identity theft, and social networking security, Robert is often interviewed on national television, to give advice to consumers and to weigh in on security issues.

SOURCE ID Experts

Photo Credit By Yutaka Tsutano

To achieve growth in meaningful use of electronic health records (EHRs), care providers are deploying privacy breach detection in larger numbers than ever. FairWarning customers now represent over 500 leading hospitals representing a 67% increase in the last nine months. Health information exchanges are also adopting privacy breach monitoring in the United States and abroad.

“Leading care providers have caught-on to the importance of privacy breach detection to mitigate risks which could impede the growth and meaningful use of EHRs,” said Kurt Long, Founder and CEO of FairWarning. “Care providers committed to the highest level of patient care are leading the way in protecting patient privacy and view patient care and privacy as interrelated. There is distinct chasm developing between the treatment of patient privacy at leading care providers and the rest of the market.”

More than 50% of FairWarning customers have received major industry awards for providing a high level of quality of patient care. The chasm is evident when evaluating the patient privacy initiatives of these care providers against other care providers. A recent survey reveals that leading care providers have successfully created privacy-based cultures which deter privacy breaches through the application of industry best practices, including:

• Use of a commercial automated privacy breach detection tool
• Ongoing privacy training
• Specific training on inappropriate access to EHRs
• Consistent application of sanctions for misuse of access
• Effective and timely investigation and remediation of a suspected breach

Additionally, the research reveals that best practices organizations are more than twice as likely as other care providers to report they are effective at detecting and deterring privacy breaches.

In the United States, achievement of Meaningful Use of electronic health records continues to top the list of priorities. Care providers are investing in privacy breach detection to close privacy and security risk gaps that jeopardize continued EHR adoption. The healthcare industry continues to be plagued by major identity theft and privacy incidents that bring unwanted attention from the media, Federal government, and state governments. Federal and state governments have had no choice but to increase privacy and security enforcement activities.

About FairWarning, Inc.

FairWarning^® is a global leader in appliance-based software solutions which monitor and protect patient privacy in electronic health records enabling healthcare providers and health information exchanges to confidentially connect physicians, clinics, patients and affiliates. FairWarning^®’s turn-key privacy auditing solutions are compatible with healthcare applications from every major vendor including Allscripts, Cerner, Epic, GE, McKesson, MEDITECH, Siemens, and many others. Customers consider FairWarning^® privacy auditing solutions essential for compliance with healthcare privacy regulations such as ARRA HITECH privacy and meaningful use criteria, HIPAA, EU Data Protection, UK Freedom of Information Act, California SB 541 and AB 211, and Canadian provincial healthcare privacy law. For more information on FairWarning^® visit www.FairWarningAudit.com

According to a survey from SafeNet, Inc., a global leader in information security, only half of U.S. adults (52 percent) are concerned with the safety of their personal data within their medical records. Medical records security ranked fourth when compared to personal identification such as social security numbers (83 percent), banking data (83 percent) and general contact information (56 percent).

Americans polled were more concerned with security of personal contact information, such as phone numbers or addresses being exposed. Most medical records include this basic contact information, Social Security numbers, and intensely personal medical data. Therefore, whenever medical records are breached, this data could be accessed and misused.

“Criminals are devising new and effective ways to steal personal information regardless of where it is stored,” said Tsion Gonen, corporate vice president of product management, SafeNet. “Increasingly, the move from paper to digital records, internal vulnerabilities, and other cyber threats, medical records are more susceptible to malicious attacks. Consumers need to have a better understanding of who can access their personal data and medical records and how it is protected.”

The survey, conducted by Harris Interactive for SafeNet in November 2010, also found Americans are more concerned about the unauthorized release of their medical records due to internal negligence (49 percent) than someone hacking into the systems where their records are stored (41 percent). Fourteen percent of Americans surveyed have no concerns at all about the security of their medical records.

Other key findings include:

• 42 percent of Americans are unsure how their medical records are stored;
• 11 percent do not know who has access to their medical records;
• More than a third of Americans (38 percent) feel they are not at all familiar with medical data privacy regulations currently in place in the U.S. 

SafeNet offers a comprehensive portfolio of security solutions that protects identities, transactions, data and communications for the healthcare industry.

About the Survey

This survey was conducted online within the United States by Harris Interactive on behalf of SafeNet between November 12 and 16, 2010, among 2,405 U.S. adults aged 18 years and older. Figures for age, sex, race/ethnicity, education, region and household income were weighted where necessary to bring them into line with their actual proportions in the U.S. population.

About SafeNet, Inc.

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Source SafeNet, Inc.

Redspin, a leading provider of HIPAA risk analysis and IT security assessment services, today released an analysis of all protected health information breaches publicly recorded between August 2009 and the end of 2010, as per the interim final breach notification of the HITECH Act. The findings were based on 225 security breaches affecting 6,067,751 individuals

Redspin’s analysis focuses on single breaches affecting more than 500 people. Such large scale breaches must be reported on a timely basis to individuals, the media and the HHS Secretary according to the HHS Office of Civil Rights’ regulations. The regulations also require business associates of covered entities to notify the covered entity of such breaches at or by the business associate.

Selected findings from the report include:

• 43 states, D.C. and Puerto Rico have suffered at least one breach affecting over 500 individuals.
• 27,000 individuals, on average, are affected by a breach.
• 78% of all records breached are the result of 10 incidents, five of which are the result of theft of common storage media e.g. desktop
• computers, network servers, and portable devices. 61% of breaches are a result of malicious intent.
• 66,000 individuals, on average, are affected by a single breach of portable media.
• 40% of records breached involved business associates.

“Redspin is committed to helping covered entities and business associates properly safeguard private health information,” said John Abraham, President and CEO of Redspin. “We hope that by highlighting these findings we can help healthcare organizations proactively address areas of highest risk.”

A full copy of the report is available at http://www.redspin.com