PHI – Change the Game – Focus on Prevention
The year is circa 1995: Major League Baseball players end a 232-day strike, Windows 95 is
released by Microsoft, JavaScript is first introduced and deployed, the Grateful Dead announce
their break-up, and Toy Story becomes the first-ever wholly computer-generated movie to be
released.
Did you also know that in 1995 the average hospitalized patient's medical record was accessed
and viewed by at least 150 people (nursing staff, receptionists and x-ray technicians) during
a typical five-day hospital stay?
Think about this: 150 viewers in 1995! That number has to have quadrupled since then to at
least 600 health professionals today, with health information exchanges, business associates,
and electronic health records (EHI/EPHI) being the healthcare industry norm.
Furthermore, there is no end in sight: the number of record viewers continues to grow because
medical coders, medical billers, insurance companies, and even quality control personnel all
require some degree of access to patient medical information in order to conduct their
day-to-day work associated with healthcare payment and operations.
To be honest, these are just a few of the many legitimate reasons why a patient’s
medical records are viewed and, in that same light, why a patient’s medical information could
become part of an information breach.
Securing and protecting health information, and ensuring it stays private, has become an
ever-increasing challenge, with fiscal penalties for failure increasing at almost the same
rate as EHI and EPHI data is expanding.
Adherence to HIPAA must not be focused solely on a “point-in-time” that aligns with the
organization's audit and compliance review cycle. Healthcare organizations must therefore
embrace HIPAA as an ongoing, full-time effort that requires a combined program of resources
and compliance tools to ensure success. This allows institutions to avoid penalties and
remediation costs that aren’t budgeted for.
For example, on the black market a stolen social security card costs one dollar while a stolen
medical record is worth $50. Healthcare information is ripe for an information breach because
it allows a fraudster to take over the victim’s identity in its entirety.
Let’s look at some recent HIPAA violations that have materialized in fines:
• CIGNET → fine: $4,300,000
• Concentra → fine: $1,725,220
• Alaska Department of Health and Human Services → fine: $1,700,000
Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide