OIG deems federal agencies' info security programs 'not effective'

(Apr 24, 2019) The U.S. Department of Health and Human Services’ Office of the Inspector General found the information security programs of four agencies were “not effective,” HealthITSecurity reports. The OIG reviewed the programs of HHS, the U.S. Food and Drug Administration, Centers for Medicare and Medicaid Services, and National Institutes of Health. In its annual Federal Information Security Management Act audit, the OIG writes the four entities have worked to improve their security programs; however, th...

Volunteer Spotlight: A conversation with Abhishek Agarwal

(Apr 23, 2019) In this Volunteer Spotlight, The Privacy Advisor caught up with Abhishek Agarwal, CIPP/US, chief security and privacy officer at Fresenius Medical Care North America, where he serves to communicate security risks to key players and ensure adherence to regulatory requirements. As chair of the San Francisco Bay Area KnowledgeNet, Agarwal provides privacy leadership in the Bay Area, speaking on operationalizing requirements and best practices of the EU General Data Protection Regulation. Agarwal re...

Op-ed: Digitized health care industry hinges on privacy

(Apr 23, 2019) In an op-ed for Wired, Robert Wachter writes that secure data sharing between health systems and companies on a digital platform will inevitably happen within the next 10 years, but a lack of privacy considerations will slow the process. "One of the biggest obstacles we face in this essential move to the digitisation of healthcare is public concern about privacy," wrote Wachter, who highlighted the 1.6 million patient records shared between the U.K. National Health System and artificial intellig...

Study: Mental health apps share personal data without user knowledge

(Apr 22, 2019) A recent study reveals that free smartphone apps for people dealing with depression or those seeking to quit smoking are sharing user data without informing or consulting users, The Verge reports. The study, published in "JAMA Network Open 2019," reveals that 33 of 36 health apps, which are available on Android and iOS app stores, shared user information that could reveal online behaviors to advertising and data analytics companies. Twenty-nine of the 36 apps transmitted data to Facebook and Goo...

Database exposes addiction treatment information for 145,000 patients

(Apr 22, 2019) An unsecured online database exposed 4.91 million documents containing sensitive health information belonging to an estimated 145,000 patients seeking treatment at several addiction rehabilitation centers, CNet reports. Discovered after independent researcher Justin Paine entered keywords into the Shodan search engine, records included patient names and details of treatments. After the treatment center was notified of the data breach, the data was removed from public view. "I found this ...

Why employers must watch out for PHI data breaches

(Apr 19, 2019) GovInfoSecurity reports on how data breaches involving health data can impact organizations that fall outside the health care industry. Pointing to Klaussner Furniture Industries, which discovered and reported a health data breach of its Employee Benefits Plan through its sponsor, the article provides best practices to prevent a breach of personal health data for a company's employees and their dependents. CynergisTek Vice President of Compliance Strategies David Holtzman, CIPP/G, explained, "Whil...

Op-ed: More focus is needed to develop de-identification techniques

(Apr 19, 2019) While privacy advocates push for greater data use restrictions, an op-ed for The Hill looks at how doing so could carry a negative consequence for individual patient health outcomes and broader public health goals. The authors write that rather than focusing on imposing greater restrictions for health data, more effort should be placed on developing better de-identification techniques to protect useful data. Using Amazon’s interest and expansion into the health care field, the authors write that...

Kruzeniski voices support for ruling in Humboldt Broncos patient case

(Apr 19, 2019) Saskatchewan Information and Privacy Commissioner Ronald Kruzeniski spoke about Judge Richard Danyliuk ruling in favor of his agency in the case of one of the doctors who illicitly accessed the information of Humboldt Broncos players, The Epoch Times reports. Kruzeniski said he appreciated Danyliuk’s comments vindicating the commissioner’s work and reversing a previous decision that ordered the agency to remove reports on the incident from its website. “Anytime you have a breach of data or have ...

How federal privacy laws may impact the health care industry

(Apr 18, 2019) An article for HealthITSecurity looks at the impact a federal privacy law would have on the health care industry. While most organizations focus on compliance with the Health Insurance Portability and Accountability Act, Impact Advisors Principal Advisor for Information Security, Privacy and Disaster Recovery Shefali Mookencherry explained health care organizations must also consider the Federal Information Security Management Act, other federal legislation and even the EU General Data Protectio...

Proposed NC bill would overhaul state breach notification rules

(Apr 17, 2019) A group of North Carolina representatives introduced a bill to revamp the state’s Identity Theft Protection Act, according to a post from Wyrick Robbins. The proposed bill would require organizations to notify affected individuals of a breach “as soon as practicable, but not later than thirty days after discovery” of the incident. The new notification standard would match Florida and Colorado for the strictest in the country. The rules would expand the definition of a security breach to include ...