Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

How To Respond to Data Breaches

Posted on May 19, 2014 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

ONC Plans Mobile Device Security Guidance For Smaller Practices

Posted on August 22, 2012 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

In an effort to help them avoid joining the long list of mobile device-based security failures, ONC has set plans to release guidance for small- and mid-sized providers on securing mobile devices. The agency, which has projects underway studying how mobile devices are used by smaller providers, expects to release its conclusions in the spring, reports

If you read medical business trades, it’s hard to miss that slip-ups with mobile devices and mobile data sources (such as flash drives) have been a major source of security breaches.  In fact, it seems that 54 percent of the 464 HIPAA breaches affecting 500 or more individuals reported to HHS between September 2009 and July 2012 involved the loss or theft of unencryped mobile devices.

To see how smaller medical practices are doing in this area, ONC is conducting an effort dubbed the Endpoint Security Project, for which it has built a health IT implementation typical of mid-sized and small doctor practices, including tablets, laptops, smartphones, storage devices and desktops. When the project is done, ONC plans to release configuration settings which should help these smaller practices protect their mobile device data.

This is all well and good. After all, smallish practices seldom have an IT staffer to advise them on such things, and a simple set of best practices can go a long way.

Still, what strikes me is that time and again, it’s the larger providers whose data breaches are making the news.  That’s no surprise — big providers and hospitals simply have more data endpoints to control — but given this, ONC might make slapping larger organizations into shape more of a priority.

Of course, it’s also true that we don’t want small providers being the “weakest link” in HIEs, or compromising even a comparatively small amount of patient data in their practices. But if ONC’s assuming that big practices and hospitals can take care of themselves, they’re ignoring a truckload of evidence that it ain’t so.

Healthcare Data Security, Healthcare Breaches, and EMRs

Posted on October 10, 2011 I Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

We’ve posted about it earlier on this blog as well, and it’s a point worth reiterating – most data breaches are not the result of hordes of internet hackers out to get your computer system, they’re due to human errors or negligence.

Here are some recent cases of patient data that has emerged from EMRs in unexpected places:
Lost in Break-In: By now, we’ve all probably already shaken our collective heads over the Tricare data breach involving data for 4.9 million military patients. Scientific Applications International Corp. (SAIC), one of Pentagon’s principal contractors, was the outfit that was responsible for the data loss, which was stolen from a break-in into a SAIC employee’s car. The data was contained in backup tapes, and contained information such as SSN, addresses and phone numbers of patients, and personal health data.

There are several perplexing things about this story – a) the statement on Tricare’s website claiming nothing important was really lost: “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure” per this story.
b) SAIC’s success with HHS contracts – SAIC was awarded a lucrative $15 million contract by HHS, despite the breach.

Posted on a Homework Help forum: According to this NYT story and its follow-up, patient records (names, diagnosis codes, account numbers, admission codes) from emergency visits for a six month period at Stanford Hospital, CA, were posted online. Supposedly, a Stanford vendor sent the data to a prospective contractor as part of a testing exercise. The contractor posted it all online, on a website offering tutoring help no less, without realizing it was actual patient data. The story says Stanford had the data removed from the website, and reported the breach to federal and state authorities, as well as the patients. Stanford is arguing that none of its staff has done anything wrong, and that it severed its relationship with the contractor. To me, this is the proverbial buck being passed.

Lost in the Subway: The first NYT story mentions how the paper records of 192 patients left on a subway by an employee of Massachusetts General Hospital in Boston. The hospital has agreed to pay a $1 million federal fine for HIPAA violations.

So to summarize some lessons learned from these data breaches:
Loss of paper records is worse than the loss of electronic records: This should be obvious to anyone who’s not a schoolgirl with a fancy diary guarded by a lock.

Your data is only as safe as your weakest link: If you’re farming out your data to vendors, then you have to know what policies your vendor has in place. If your vendor subcontracts further, then you have to keep going down the line till you are reasonably assured of data safety. When the hammer falls, it is *you* who will be coughing up the fines.

Prep with Data-handling Policies and Procedures that you and your staff religiously follow: The data was lost in very human ways – data left inside a car, posted by an untrained contractor. This just means you need to have robust, and enforced, policies in place for how patient data is handled by your employees. Maybe in your company this means that your employees can’t take work home, or that they must clear their workspaces of any patient data before they leave. Decide what makes sense in the context of your business, and maybe hire someone to enforce these rules.

Give kickbacks to HHS: If you’re in the business of contracting with the government, seriously figure out how SAIC has managed to stay in HHS’ good books. I wish I were kidding with this one.

HIPAA Breaches Related to EMR

Posted on March 25, 2010 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Someone sent me an email with this link to the list of HIPAA breaches affecting 500 or more individuals. One of my popular searches on EMR and HIPAA is about HIPAA lawsuits, so you can imagine the lawyers are salivating over this list.

In a quick count, I found 31 on the list that were desktop, laptop, or other computer related device. In another quick count, I counted 46 on the list (feel free to correct my counts, but the range is right). The person who emailed me suggested that most of the list was breaches of EMR. I personally don’t think that’s the case.

One thing seems pretty certain. Technology has opened the doors for larger breaches. In the paper world, it’s a little harder to lose/misplace/steal 500 or more individuals information. It happens, but it’s much easier in the digital world. Plus, there’s a lot more vagueness in technology when a breach happens.

In the digital world, it’s often a best guess about what happened during a breach. Most of the time breaches happen in the technical world, they probably didn’t give a rip about the healthcare data. However, there’s the potential that they did, so you get to report it. Enough of that tangent.

One other problem with the assertion that most of this list is from an EMR breach is that I was surprised how many insurance providers were on the list. In fact, it seems like a large portion of the breaches were insurance lists probably. Not sure that’s an EMR breach.

I think it’s also interesting to note that this list of breaches is probably far below the reality. This is just the list of reported cases. I can’t imagine how many breaches happen that go unreported.

Of course, this begs the question of whether we should be moving to electronic records at all if there’s more possibility for breaches. My answer is that of course we should. Although, it should give us real pause as we consider the security of those systems as well. Stuff happens, but we shouldn’t put the possibility of breaches make us set aside the benefits of technology.