Time for an update

Health data breaches cited in GAO’s call for fix

Modern Healthcare - THE WEEK IN HEALTHCARE - Joe Conn

One of two key federal data-privacy laws protecting individuals from loss or misuse of their personal information in government databases is now 38 years old and has been rendered partially obsolete by changes in information collection and storage, a Government Accountability Office security expert said.

Meanwhile, the number of data-security “incidents” across all government agencies, as reported to a federal cybersecurity office, has jumped 680% from federal fiscal 2006 to fiscal 2011, which ended Sept. 30, 2011.

That sober assessment came from written testimony by Gregory Wilshusen, the GAO’s information security issues director, before a Senate Homeland Security and Governmental Affairs subcommittee hearing.

Wilshusen’s report, Federal Law Should Be Updated to Address Changing Technology Landscape, focused on data handling across all federal agencies, but several high-profile healthcare data breaches were mentioned.

One was the October 2009 theft of 57 unencrypted computer drives from an office of Blue Cross and Blue Shield of Tennessee, exposing more than 1 million records. In March, the Blues plan agreed to pay a $1.5 million penalty for privacy violations. The Tennessee incident is one of the five largest breaches—all involving more than 1 million records—among more than 50,000 breaches that have been reported to the Office for Civil Rights at HHS since September 2009 under the American Recovery and Reinvestment Act’s breach notification mandate.

So far, details of 477 of them—those affecting the records of 500 or more individuals—have been posted online by the Civil Rights Office. More than half, or 55%, have involved theft of records or of equipment on which those records are stored, while only 8% were attributed to hacking (See chart).

In July, Beth Israel Deaconess Medical Center, Boston, reported it would notify about 3,900 patients that their medical data was on a laptop stolen from a physician, while NYU Langone Medical Center reported 8,400 patients’ records were on a physician’s stolen laptop.

According to the GAO, the number of data-security incidents involving federal agencies reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team has risen significantly in recent years, from 5,503 in fiscal 2006 to 42,887 in fiscal 2011, the 680% increase cited above. Among the 2011 incidents, 15,560 involved the unauthorized disclosure of personally identifiable information, Wilshusen said.

As a potential remedy, Wilshusen proposed that Congress consider amending the Privacy Act of 1974 and the E-Government Act of 2002, which limit the use of personally identifiable information to a stated purpose, and revising the scope of federal data privacy laws “to cover all personally identifiable information collected, used and maintained by the federal government.”

The Privacy Act defines a record as an item maintained by a government agency and a “system of records” as a group of records under the control of an agency that can be retrieved by a person’s name or identifier. But while these protections apply to government-run databases, the government also uses many newer Web-based technologies, such as wikis, blogs, video-sharing sites and social media, which are not directly under government control.
