2010 – Massive Security Breaches…Lessons Learned
Posted In Education, Financial, Government, Health Care, Research on May 3rd, 2011 Tags: Awareness Training, data breaches, Security Awareness, Social Engineering
Check out this recent overview of 10 of the largest data breaches from 2010 resulting in the loss of millions of data records.
Lessons Learned: Is your organization providing ongoing situational awareness training? People are the weak link for the majority of data breaches which are caused by human error, lost devices, social engineering attacks and numerous other poor decisions. It is critical for organizations to educate their employees (and third-parties) ongoing as risks, threats, requirements, and ’next’ practices are constantly changing. Lessons learned clearly reveal that once-a-year general training is not enough.
No Comments
HIPAA is Most Troublesome Compliance Regulation
Posted In Health Care, Regulatory Compliance, Research on April 19th, 2011 Tags: HIPAA
A recent survey revealed that HIPAA is the most challenging regulation to businesses today.
Lessons Learned: Regulatory requirements are updated regularly…Hackers, risks, threats, etc. are constantly changing. Staying up-to-date and within compliance is challenging, but critical. Organizations must ensure all employees (and third-parties) understand their responsibilities to protect sensitive information.
No Comments
State Attorneys Generals Trained to File Federal Civil Lawsuits
Posted In Health Care, Information Privacy, Information Security, Regulatory Compliance on April 19th, 2011 Tags: HIPAA, HIPAA compliance, HIPAA Violations, HITECH
OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations.
Lessons Learned: HHS and OCR are serious about Privacy and Security in Health Care. Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change. Health care organizations will need to conduct internal audits and assessments rather than waiting for the OCR or AGs to arrive. All employees and business associates must understand how to safely handle patient information and maintain a culture of privacy and security.
No Comments
Study shows: Hospital Errors Occur 10 Times More Than Reported
Posted In Health Care on April 18th, 2011
A new study revealed an enormous patient safety gap – up to 90 percent of patient injuries, infections and other safety issues are not being recorded. What does this mean for hospitals? What does this mean for patients? What does this mean for regulators?
Lessons Learned: Hospitals face serious patient safety and patient quality challenges and the key to improving patient safety will be their People – management, nurses, doctors, staff, partners, business associates, etc. Hospitals must ensure every individual has situational awareness and accountability for better decision making and a comprehensive incident reporting and incident management platform will be critical to get the right information to the right people at the right time.
No Comments
Breaches Cost Health Care Industry $6B Annually
Posted In Health Care, Information Privacy on April 18th, 2011
Despite stricter privacy and security regulations, hospitals are struggling to protect patient information. According to a recent Ponemon Study, breaches are costing the health care industry $6 billion annually.
The top three causes of breaches:
- Unintentional employee action
- Lost or stolen computing devices
- Third-party accidents
Lessons Learned: Failure to protect sensitive and personally identifiable information is expensive and damaging to a health care organization’s reputation. Organizations need to complement their general awareness with ongoing situational awareness programs to ensure all employees (and third-parties) understand their individual roles and responsibilities for protecting sensitive patient information. With mounting regulatory changes and the move to electronic records, it will be critical that all individuals understand risks, roles, responsibilities, policies, processes, protocols and regulatory obligations to prevent expensive and embarrassing breaches.
No Comments
First HIPAA Civil Fine $4.3M
Posted In Health Care, Regulatory Compliance, Research on April 18th, 2011 Tags: Cignet Health, HIPAA, HIPAA Violation, HITECH Compliance
Cignet Health is facing a $4.3 M civil penalty after violating the HIPAA Privacy Rule and failing to cooperative with HHS’s subsequent probe. This is the first civil money penalty for a violation of HIPAA.
Lessons Learned: The Feds mean business and there will be more fines and lawsuits and more embarrassing headlines for health care organizations that do not take compliance, risk assessments and incident management seriously. Is your organization meeting all HIPAA/HITECH compliance requirements? Do you have the necessary documentation in place to provide HHS with information in the event of an audit? Does your documentation help your organization demonstrate all appropriate employees and business associates were aware and accountable for making the right decisions in different situations?
No Comments
286 Million New Threats in 2010
Posted In Financial, Financial, Health Care, Health Care, Information Privacy, Information Security on April 18th, 2011 Tags: internet security, Security Awareness, Symantec
According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010 which equals an average of about 783,561 new threats per day. The report also points to dramatic increases in both frequency and sophistication of targeted attacks and continued growth of social networking sites to distribute attacks.
Lessons learned: Your people are under attack…how is your organization keeping your people up to date on new attacks and new threats?
No Comments
Whistleblowers, Incident Reporting and Incident Management…Is your Health Care Organization Ready?
Posted In Health Care, Incident Reporting, Legal on August 31st, 2010 Tags: dodd-frank wall street reform, Health Care, Incident Reporting, whistleblower
A previous Lessons Learned Blog mentioned the Dodd-Frank Wall Street Reform and Consumer Protection Act and a special bounty program within the Act for whistleblowers. Did you see it?
An attorney at the Healthcare Financial Management Association’s Annual National Institute legal update says healthcare providers may be heading into a storm of whistleblower suits that could cause serious problems for the unprepared.
The attorney predicts the new Patient Protection and Affordable Care Act could lead to an explosion of whistleblower lawsuits because the new law does not require the plaintiff to have direct knowledge of alleged fraud to file a suit.
So if you are involved with healthcare industry…are you ready?
Healthcare organizations to make sure they are ready for whistleblower related challenges:
- Do employees have access to trusted tools to report suspicious actions?
- Do third-parties/business associates have access to trusted tools to report suspicious actions?
- Do patients have access to trusted tools to report suspicious actions?
- Are assessment teams defined and trained on how to respond to incident reports?
- Do assessment teams have tools to access, track and document their actions and decisions?
- Do organizations have a customized compliance program implemented and documented?
The short list above represents some but not all of the challenges healthcare leadership should be targeting as soon as possible to ensure legal defensibility for your leadership and your organization…are you ready?
No Comments
