$2.5 Million Settlement Against BA As Result of Not Understanding HIPAA Requirements

April 25th, 2017

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.

This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

Overview:

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed

  1. CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
  2. CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
  3. The Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf

 

How to Avoid Common Privacy Notices Mistakes

March 23rd, 2016

Most organizations have posted privacy notices on their websites. Great, right? Well consider that a 2012 study showed that the average reader would need 25 days simply to read the privacy policies for all websites accessed in a year. Website privacy notices are often very poorly written. And that’s not the only problem, as I’ve discovered over the past couple of decades reviewing privacy notices. In the past year in the privacy impact assessments (PIAs) I’ve done, I’ve found two consistent problems with them all. Read the rest of this entry »

Are Smart Homes Security Dumb?

March 8th, 2016

There are fascinating and potentially very helpful smart gadgets being introduced every day into the consumer market. Particularly to create “smart homes” that will make refrigerators, lights, doors, and anything else that can be connected online (so basically anything) Wi-Fi enabled so that you can control, check on, record, and lock them, just to name just a few of the possibilities, from anywhere with a handy dandy app or mobile device. Read the rest of this entry »

The Internet of Medical Things: Health Data Privacy

March 3rd, 2016

Note: This was written in early January for part of International Data Privacy Day and Iowa Data Privacy Day activities. It is just now being published due to some unforeseen delays.

Do you have any type of wearable health device, like a fitness tracker? Or maybe an implanted or attached medical device, like an insulin pump or pacemaker? If they connect with apps or other computers through wireless connections, they are most likely collecting and sending huge amounts of data. Have you considered all that data, and how it is secured and who is getting it? Read the rest of this entry »

Data Predictions: Looking Ahead to 2016

January 13th, 2016

In November, some of my friends contacted me, saying they thought I did a pretty good job with my 2015 predictions, and wanted to know what I am predicting for 2016. So here are some good possibilities for the year to come, along with a rewind to see how close I hit the 2015 predictions. Read the rest of this entry »

Tech Support Call Scams Becoming More Aggressive

January 13th, 2016

Have you ever gotten an unsolicited call from someone claiming to be a tech support pro who wants to help you with an urgent problem with your computer? Chances are you have. It is estimated that just one type of these many scams have cost U.S. victims $1.5 billion so far in 2015. It is not known how many of these scams are currently active, but with new ones popping up almost every day, I would estimate there are at least hundreds, if not over one thousand, different groups of these crooks launching their own tech support phone scam. Read the rest of this entry »

People care about the security of their patient data

December 12th, 2015

How well do you think your patient data, wherever it is located, is being secured? How well do you think your healthcare providers (doctors, nurses, hospitals, clinics, etc.) and health insurance companies are securing your patient information?

The fact is, with the increasing occurrences of patient data breaches, and more use of patient data for purposes beyond the provision of healthcare, most people are worried about patient data security. Read the rest of this entry »

Women in STEM: Take the lead to secure a path for the future

November 20th, 2015

How do we get more women involved in STEM careers, information security and tech?

I took on this topic when I attended the ISACA EuroCACS conference in Copenhagen, Denmark earlier this month and gave two sessions. One was, “Women in IT, Information Security & Privacy.” When researching for this session I found some interesting history, along with some of the current state of inclusion of women within various IT, information security and privacy events. Let’s dive in: Read the rest of this entry »

No Those Messages Will Not Completely Self-Delete

October 30th, 2015

A childhood friend of mine, who does not have a technology or information security background, recently asked me whether or not apps that promise messages, photos, videos, and anything else sent through them will completely disappear were to be trusted. She referenced several different proclaimed “disappearing messages” apps that are currently available and asked, “So what do you think of these disappearing apps?  The messages are not really gone?” She is responsible for the care of an adult relative, and wanted to be able to communicate with his healthcare providers securely, and to not have any of the communications to linger and had been using one of these apps. Read the rest of this entry »

Four Things to Do for National Cyber Security Awareness Month

October 16th, 2015

Since this is National Cyber Security Awareness Month (NCSAM) it seems appropriate to give some examples and tips for how everyone can improve upon security, and better protect their privacy, this month. Read the rest of this entry »