
Be Still my Heart

I read two articles recently that gave me pause.  First, the Washington Post summarized a recently released Verizon report detailing the increase in breaches, and the poor prognosis for the following years.  The only silver lining in the article was the admonition that data sharing and monitoring are keys to recognizing breaches early…nice to know MiddleGate is on the right track according to others as well.

Then Business Insider published an article explaining the results of a medical equipment security audit done at a Midwest hospital system.  This article described in detail the types of hacks possible on implantable, or networked medical equipment.  One paragraph in particular caught my eye:

“Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.”

Unfortunately, I disagree with this statement: targeted attacks are possible if you have specific information on your target (e.g. a stolen medical record).  Pretend for a moment that you or a member of your family receives the following email:

“Hello.  You don’t know me, but I feel as if I know everything about you.  I have a copy of your medical records here, and it has been an interesting read.  I especially liked the part about you having gotten a “SuperTech Pacemaker IV” last Fall…great choice considering that near-death scare you had with an AV heart block.  Of course, I also think it was a great choice because it so happens that I can hack your pacemaker from all the way over here in Europe…small world huh?!  Now, don’t panic…I don’t want to hack your pacemaker…that would ruin your day.  However, I do want you to wire $5,000 to the account below to keep me from being tempted (sometimes I have a bad day and lash out :-).”

Is it really that unlikely that people who have stolen your medical records will be tempted to at least blackmail you, even if they don’t have the capacity to hack your implanted medical devices?  Is it really that unlikely that a few pacemakers will be hacked and shut off to kill a person and make this type of blackmail more credible?



Dark Side of the Moon

As you’ve likely noticed, we attempt to liven up the world of HIPAA and all things related…it isn’t easy.  HIPAA gets modified, medical records are breached (again), someone sues someone else, etc., etc., etc.  After a while, the entire discussion sounds a bit like a broken record skipping.

That’s why we like to find that pristine copy of “Dark Side of the Moon” hidden in the back of the vintage record shop, and put it on the turntable.  It hasn’t been played since 1978 and it still creates static as you pull it from the record jacket.  It’s this unfettered, non-skipping record that allows one to break through the annoying background noise to try to figure out how song #3, “On the Run,” relates to song #6, “Money”…remember how you’d listen to the whole album/conversation to put together the big picture? (PS: if we have to explain these references because you’ve never heard of Pink Floyd or an LP record, then this entry isn’t for you…go to another browser window immediately).

When we read the following article by Al Saikali, we had one of those “found a pristine copy of Dark Side of the Moon” moments.  Mr. Saikali describes how, in Resnick/Curry v. AvMed, Inc. in the Southern District Court of Florida, a settlement was reached for $3,000,000 over the loss of two laptops containing unencrypted patient insurance information.  In the settlement, the 11th Circuit Court wrote an opinion supporting the plaintiffs’ contention that although the litigants had not been shown to suffer damage (yet), a portion of the insureds’ premiums was supposed to have gone toward securing (e.g. encrypting) patient data, employee training on proper HIPAA protocols, etc.  Given that the defendant did not, apparently, spend money in those areas (as evidenced by the breach), the plaintiffs had standing to sue.  Apparently the defendants took this as the writing on the wall and decided to settle.

So how does this take us back to the “Dark Side of the Moon” reference?  Well, we’ve been keeping track, and this past year has been quite interesting on the breach litigation front.  First, Clapper v. Amnesty International said there had to be proven harm in order for the plaintiff to win in a breach case…one would think this would have emboldened the defendants in Resnick/Curry v. AvMed, but read on.  Subsequently, Hinchy v. Walgreens pointed out that HIPAA could be used as a weapon in breach cases regardless of harm, and by private citizens no less, where it illuminated that a Covered Entity had not met the industry standard for patient data security.  Now, in Resnick/Curry v. AvMed, Inc., we have a settlement, based in large part on a Circuit Court opinion, pointing out that, regardless of harm, the plaintiffs had a basis to sue on the expectation that some of their premium was going toward securing their patient data and it was not apparently secured.

The final outcome is that there is no final outcome.  There appears to be a balance establishing itself in the courts.  Proof of harm in a breach is being balanced by an expectation that patient data is secured according to industry standards (i.e. HIPAA).  There may indeed be a test case that makes its way to the Supreme Court some day, tilting this balance one way or the other, but in the interim this is where we appear to be.

Now, as for the link between “On the Run” and “Money,” come on, really?  And on that note, it is time for us to advance the turntable arm to the last two songs, “Brain Damage” & “Eclipse,” and bid you adieu.

The New Standard


GOLD or LEAD?  In medicine new treatment modalities would run through a series of steps before eventually (if ever) being accepted as a “standard of care.”  The business world goes through similar steps before accepting a new modality as a “best practice.”

Interestingly, it seems that the two worlds may be overlapping thanks to the Federal Government.  Although not strictly a “standard of care”, HIPAA is the mandated standard for maintenance of medical record privacy.  Recent court cases have explored the limits of HIPAA’s use as a defensive tool, as well as an offensive tool where medical record privacy issues are concerned (see “For Every HIPAA Yin, a HIPAA Yang” and “Clapper v. Amnesty International”).  Now it seems plausible that HIPAA’s utility may not stop once one crosses the line from the world of medical record privacy to the world at large.

Our company has had discussions regarding use of compliance with HIPAA Security and Privacy Rules as a competitive advantage in other industries such as telecommunications and finance, where privacy concerns are growing in the wake of recent news items.  Could it be that companies may one day tout their “ability” to protect one’s personal information on a level equal to the standards set by HIPAA for Protected Health Information?  Could it be that HIPAA standards will facilitate use of government agencies to protect against government intrusion?  The debate opened by this possible use of HIPAA standards as a best practice outside of healthcare is intriguing, and it represents the steps necessary for deciding if it can be a best practice.  We may be looking at the next gold standard…or the next batch of lead.  Either way, we may just be seeing the beginning of the debate.

Medical Identity Theft a Growing Problem


By Emily P. Walker, Washington Correspondent, MedPageToday
Published: September 23, 2011
WASHINGTON — Nearly four out of ten doctors and hospitals surveyed have caught a patient trying to use someone else’s identity in order to obtain healthcare services, according to a new survey from accounting firm PricewaterhouseCoopers (PwC).

Patients seeking medical services under someone else’s name was the second most common privacy or security issue reported by healthcare providers, according to PwC’s nationwide survey of 600 executives from U.S. hospitals, doctors’ organizations, health insurance companies, pharmaceutical manufacturers, and life sciences companies.

Medical identity theft is the fastest-growing form of identity theft, affecting 1.42 million Americans in 2010 and costing more than $28 billion, the report said.

When I was practicing medicine in the ER, this was a daily occurrence.  In fact, the problem led to the formation of our company, and the launch of our service offerings when I found that the medical identity theft issue was part of a larger problem related to lack of security for Protected Health Information.