Identity 360 - An Imprivata Blog
HIT Policy Committee Consumer Choice Technology Hearing Recap
July 8, 2010 at 10:11 AM by Michael Bilancieri
Last week, I attended the Privacy and Security Tiger Team Health Information Technology Policy (HIT) Committee Consumer Choice Technology Hearing in Washington, D.C. The gathering brought together an impressive group of healthcare industry leaders, patient data privacy advocates and HIT vendors to discuss technologies that enable consumers to choose whether or not to share their information in Health Information Exchanges (HIEs).
The day included sessions from HIT vendors on technology solutions that address the use and sharing of electronic medical records (EMRs), and lively discussion around ownership of EMRs (hospitals vs. consumers). This public hearing included testimony and interactive sessions where presenters fielded questions from the Security Tiger Team and a panel comprised of doctors, CEOs, universities and other advocates spearheading efforts for consumer controls of patient information.
A few things worth highlighting from the conference:
- Ownership of EMR Data in Heated Debate: as EMRs are more widely used, and various organizations seek to touch them for each patient, where does the ownership responsibility of such data reside – with the patient, or with the healthcare organization? This was a hot topic and conversations on this matter spilled into the hallways after the hearing was over.
- Technology Research and Development Timeline Still a Ways Out: many of the solutions for effective sharing of EMRs that were presented are in beta stage and/or in early development with aims for full functionality by the end of 2011. There’s still a long way to go.
- Standards Still Need to be Developed, Embraced: There is a clear need for standards in HIT as it relates to EMRs. While some vendors feel that the standards are in place to achieve the necessary solutions for patient privacy, there sure seems to be enough discussion around and challenges in granting patients control over their own medical records to indicate that more work needs to be done in this area. This is critical for widespread adoption and efficiencies as hospitals and health networks seek to integrate EMRs and consolidate between and among systems. Without well-defined, vendor-agnostic standards, the vision for HIEs and the true value of EMRs will remain out of reach for the masses of health organizations, thus limiting the privacy protection that can be afforded patients.
- Patient Consent for EMR Use Poses Complex Challenges, Requires Well-Thought Safeguards: If patients have ownership of EMR consent, it’s critical that safeguards are in place. One such safeguard discussed was the concept of a “break-the-glass” trigger in case a patient is unable to provide consent to the caring physician. In this situation, doctors could override consent requirements to access EMRs with notifications sent to various stakeholders in the system – this may provide the crucial information doctors need to provide care, while ensuring access without consent only occurs when absolutely needed and instances are recorded for auditing and compliance purposes.
- Workflow Matters: As standards are developed and EMRs are more fully embraced by both healthcare facilities and patients, both clinician and patient workflow must be front and center! The need for interoperability between clinical systems and the education of patients on how they can control and use their own patient information is crucial to effective long-term benefit. Studies on user interfaces and usability testing in daily work environments are still needed, but it’s great to see this as a central consideration as vendors and the industry as a whole work toward standards.
Peeling back the onion of EMR use and the patient consent process, it’s clear that there is still much work to be done. Managing EMRs across various HIEs introduces greater need for vendors to get in alignment to create integrated solutions that protect patients regardless of where and when they may be receiving care. These types of discussions are critical to leading our industry to collaborate and innovate to ultimately deliver better patient outcomes.
Major Healthcare Patient Data Breaches Nearing 100-Mark
June 24, 2010 at 12:00 pm by Michael Bilancieri
I read an interesting story over at HealthcareInfoSecurity.com highlighting the “Official Breach Tally Approaches 100”. The article includes a link to the official federal list of healthcare information breaches that was launched a few short months ago. While the article highlighted the major breaches affecting 500+ individuals as reported to the HHS Office for Civil Rights (OCR) and called out 61% of incidents stemming from stolen computer devices (e.g., laptops, USB drives, hard drives etc.), many of the largest breaches involved unauthorized access.
Here’s a snapshot of the major breaches stemming from unauthorized access:
- Mount Sinai Medical Center of Florida in March 2010 (2,600 individuals affected)
- Blue Cross & Blue Shield of Rhode Island in February 2010 (12,000)
- Wyoming Department of Health in December 2009 (9,023)
- University Medical Center of Southern Nevada in October 2009 (5,103)
- Blue Cross Shield Association of D.C. in October 2009 (15,000)
- [Private Practice] in California in September 2009 (6,145)
What’s interesting here is that the breaches show up regardless of geographic location or company size – these issues affect EVERYBODY. When the HITECH Act breach notification mandates went into effect in September 2009, there was a flood of small breach notifications immediately following in September and October from private practices (these are not named specifically, but that will soon change). Then came a regular drumbeat of larger breaches – some of which are listed above – and they continue to occur.
Will this flow of patient data breaches start to wane with more attention being placed on the issue, and more repercussions from HITECH being enforced? Or will this become ‘noise’ to most people until it affects them directly?
Many of these breaches are preventable. Some are not, but there are now people, processes and technologies available that can help tighten the reins on the vulnerabilities that open the door to many of these breaches. What are you doing to avoid joining the aforementioned list of breaches?