Showing posts with label security. Show all posts

May 21, 2013

Health Information Exchange Saves Moore Hospital Records

"Worst tornado in history" devastates Moore, OK, Moore Medical Center, and two elementary schools.
The "worst tornado in world history" tore the roof off of Moore Medical Center in Moore, Oklahoma on May 20, 2013, visiting horrific damage on life and property, but medical records were essentially undamaged. MMC is a member of its local RHIO, SMRTnet. The Regional Healthcare Information Organization (RHIO, or HIE if you prefer) saves a backup of essentially the hospital's complete medical records database.

SMRTnet performs these services for 26 hospitals, 99 clinics, and many more individual providers. 1,400 registered provider users' data represents approximately 2.4 million patient records.

This is a far cry from the 2005 devastation in New Orleans by Hurricane Katrina, where waterlogged hospital medical records were sent blowing around the streets or were pinned to patients' chests, with the exception of the VA hospital, where electronic records were preserved.

Moore Medical Center is located about two and a half hours southwest of Tulsa, Oklahoma, home of CarePrecise Technology.

February 1, 2013

Data Security: An Online Hacking Primer

Medical records security has been rising to the top of mind among the healthcare IT community. As HIPAA now has some teeth and has been extended to contractors, it is wise to remember that three in four Americans have fallen or will fall victim to cyber crime as a result of having been hacked. Among the systems that have infamously leaked personal information are those of universities and hospitals. The following infographic offers an overview of the personal information leakage going on out there. Thanks, Allison!

Infographic courtesy
CarePrecise encourages you to attend the Big Data for Healthcare Forum, April 29 - May 1, 2013.

January 18, 2013

Surprise: You May Now Be Liable Under HIPAA

When the HIPAA privacy rule first went into effect, business associates of hospitals, physicians, etc. didn't have to worry about getting in trouble for releasing data in ways that violate patients' privacy.

No more.

In light of several years of clumsy handling of patient data by contractors and employees, it's perhaps not surprising that HHS is changing the rules to extend the strict HIPAA privacy rules -- and penalties for violations -- to external vendors and IT communities.

If you work in any way with patients' medical data -- whether as a data processor, consultant, IT contractor, EHR installer, whatever -- you'd better get familiar with the new rule that goes into effect March 26. It clarifies when breaches need to be reported to the Office for Civil Rights, scraps the old standards for the use of patient-identifiable data for marketing and fundraising purposes, and expands direct liability under the law to so-called “business associates” of HIPAA-covered entities.

Perhaps equally interesting is that patients once again will have the right to limit release of treatment records to insurance companies if they paid out-of-pocket on that treatment. Look out for problems and potential fines stemming from goof-ups in granting the wrong business partners access to the wrong data. Greatly increased penalties for privacy and security violations under the ARRA are explained in the new ruling.

Read the HHS news release.
Read the rule in the federal register (you've still got time to comment).

June 6, 2012

Medical Data Breaches Unnecessary

The problem of breaches involving healthcare data is getting worse, not better. As more medical information is stored electronically, the risk of unauthorized access grows. But a significant portion of the risk could be reduced to near zero if the primary users of the data - practitioners, healthcare information technology staff and contractors, administrative staff - would take one simple step. One simple and completely free step. Really; it costs nothing, and places nearly zero burden on the user.

We made this same recommendation about six years ago, when reports of stolen laptops first began coming in. But it seems as though no one in the industry has applied our simple fix. In January of 2012, a contractor copied the records of 34,000 patients of Howard University Hospital, containing SSNs, birthdates, and diagnosis-related information, onto a laptop. The data was not encrypted; the laptop, of course, was stolen from the contractor's car. This same scenario has been reported numerous times. Data, laptop, car, repeat.

Last month, federal prosecutors charged a worker at the same hospital with selling hospital data. She's set for a plea hearing on June 12. Clearly, this is a different situation, and would not have been mitigated by encrypting the data, since the worker was entrusted with full access. But you can be sure that Howard University Hospital wishes that the stolen laptop had not preceded this incident. Patients and regulators are rightly outraged.

Simply put, had the data been stored on an encrypted drive partition on those laptops, it would have been safe from prying eyes. How difficult is it to do that? If a free, open source program like TrueCrypt is installed on the computer, it's as easy as typing in a password to open the protected drive, copying the data onto it, and using the data just as though it were on any ordinary drive. After so many minutes of idleness, or when the computer sleeps, hibernates or is shut down, the program can be set to close the protected drive, rendering its contents completely unusable until the password is given again.

Along with encryption, passwords must be strong, which means hard to guess. But they don't have to be hard to remember and type. A good rule is to have 20 or more characters, but a simple phrase can be easy to remember. Stop thinking pass word, and think pass phrase instead. Here's an extremely strong password: Theylike2bheld/theseKitties ("they like to be held, these kitties"). Easy to remember and type, but it has upper and lower case letters, a numeral and a punctuation character, and totals 27 characters in all. That's one strong password. It works in TrueCrypt and virtually all other encryption programs. And it even has kittens!

Some encryption software, including TrueCrypt, offers an additional important feature. Let's say you are carrying extremely valuable data, being mugged, and are forced to enter your password to start the computer. Let's go so far as to say that the mugger is savvy enough to search the computer for an encrypted file, and finds it. TrueCrypt actually lets you use a different password when you mount the protected drive, which opens a phony data trove on which you've stored some bogus data. Plausible deniability saves you and your data.

There is simply no reason not to require all staff members and contractors to use encryption for all medical and other personal data. Essentially zero ownership cost, and it doesn't slow anybody down. No excuses.

Encryption and strong passwords. Take these two pills and sleep better tonight.

TrueCrypt is a free open source project, available at

November 22, 2010

Again: Why Is It You Don't Protect My Health Data?

Why do health plans and providers refuse to secure sensitive data when encrypting it costs nothing at all?

According to a study out of HHS that tracks healthcare data breaches, laptop computer theft was the most prevalent cause of data theft, involved in 24% of breaches. Desktop computers accounted for 16% of the breaches. Physical security is cited as an issue; had computers been kept behind locked doors, fewer would have been stolen. But that's just silly. You can't be locking and unlocking office doors all day long, and keeping a laptop in a locked room is sort of not the whole point of a portable computer.

So, why wasn't the data encrypted? "Ah," you say, "Let me explain our reasons: (1) encryption isn't really secure, (2) it costs money and wastes my time, (3) difficult to administer in an organization, and (4) I could be forced to type in my password at gunpoint."

Well, (1), wrong. Encryption is really secure; the chances of anyone being able to break modern layered encryption are somewhere between zero and non-existent* (except for pure random chance, unfortunately, like when they guess your password is hGRw5k9oBn28, or Let's1andallGo(straight)2Shaneequah'sHouse). Despite what the movies would have you believe, random strings and big long phrases with numbers and punctuation are easy to remember, but astronomically difficult to guess, even using brute force cracking software. ILoveMyCat isn't.
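The brute-force arithmetic behind the passwords quoted in this post and in the June 2012 post above, as an added example that is not part of the original posts. The function names and the guess rate are assumptions, and the figure is an upper bound that counts characters only: a phrase built from dictionary words can fall to wordlist guessing much sooner than its length suggests.

```python
import math
import string

# Assumed offline guessing rate (guesses per second). Illustrative only; not a
# measurement of any cracking tool or of TrueCrypt's key derivation.
ASSUMED_GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def brute_force_bits(password):
    """Upper bound on the search space in bits: length * log2(alphabet size).
    Characters outside the four ASCII classes add length but no alphabet."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def years_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every candidate of this length and alphabet at `rate`."""
    return 2 ** brute_force_bits(password) / rate / SECONDS_PER_YEAR

def assess(password, min_length=20):
    """Summarise a password against the 20-or-more-characters rule of thumb."""
    return {
        "length": len(password),
        "classes": classes_used(password),
        "bits": round(brute_force_bits(password), 1),
        "meets_length_rule": len(password) >= min_length,
        "years": years_to_exhaust(password),
    }

if __name__ == "__main__":
    # The three passwords are the ones quoted in the posts.
    for pw in ("Theylike2bheld/theseKitties", "hGRw5k9oBn28", "ILoveMyCat"):
        r = assess(pw)
        print(f"{pw!r}: {r['length']} chars, {'+'.join(r['classes'])}, "
              f"{r['bits']} bits, ~{r['years']:.3g} years to exhaust")
```
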

And, (2), wrong. Once set up on a laptop, an "encrypted volume" is just like another hard drive, and to use data on it you simply type in a password. No wasted time (oh, well, alright, however long it takes you to type in a handful of characters -- how bad are your keyboarding skills?).

And, (3), wrong. Are you just OK with losing my data, or is work too hard for you? And that old saw about not being able to administer open source software is inapplicable. Who cares if an admin can tweak and fiddle with the copies of copies of copies of redundantly off-site backed-up data that some lower-down has on his laptop?

And, (4), wrong again. The fear of being held at gunpoint while you type in a password for a file your attacker can see on your computer is simply a waste of good adrenaline. Modern encryption software provides full deniability, such that even the sensitive files themselves are invisible; which is to say, they are hidden encrypted inside another file, one that opens to reveal some non-sensitive content when you use one password, and the sensitive stuff when you use another password. Unless the attacker can see inside your head, he doesn't know the data is even there.

And it's free. Yup. Free, open source, downloadable, and you can have it on your laptop and running beautifully in minutes. We don't have any connection with the product, but we've been using it for years. It's called TrueCrypt. Setup took all of 15 minutes. Five years ago. If you don't use it and you lose my healthcare data, I'm going to be really ticked.

Okay, end of rant. Until the next stupid data breach.

*Alright, let's just say that the odds against are so unfavorable that even the most seasoned hackers won't take the bet.