February Issue of AIS Newsletter Offers Lessons HIPAA Covered Entities Can Learn from Target Data Breach


The February issue of Report on Patient Privacy offers lessons that HIPAA covered entities and business associates can glean from the recent rash of retail data breaches.

Late last year, big-box store Target, luxury department store Neiman Marcus, and arts and crafts chain Michaels experienced massive breaches of credit card information belonging to millions of their customers. While these breaches seem to be confined, at least for the moment, to retail establishments, Health Insurance Portability and Accountability Act (HIPAA) covered entities (CE) and business associates (BA) are vulnerable to similar, if not identical, sorts of attacks. The February issue of Atlantic Information Services, Inc.’s (AIS) Report on Patient Privacy (RPP) offers lessons that CEs and BAs can glean from the rash of retail data breaches. Human error may have contributed to Target’s breach, and the employees of CEs are often a source of vulnerability for organizations that must comply with HIPAA’s privacy provisions.

Target’s breach is a wake-up call for HIPAA CEs and BAs, which shouldn’t be complacent about their own security compliance, experts say. CEs and BAs should be “reviewing the technical vulnerabilities in their systems,” said Jeff Drummond, a partner with Jackson Walker LLP in Dallas.

“This could happen to any one of our hospitals,” Mac McMillan, co-founder and CEO of CynergisTek, Inc. and chair of the HIMSS Privacy & Security Policy Task Force, told RPP. “What happened to Target may not necessarily have been a sophisticated attack” but might have been prompted by “mismanagement” of Target’s information technology system, which created the perfect “opportunity” for lurking data hackers, he added.

Drummond adds that CEs and BAs need to shift from their typical focus on securing PHI because a breach might be embarrassing or personally upsetting to patients to recognizing that data under their control are a valuable commodity that can be sold on the black market.

Such a shift doesn’t mean CEs should ignore common issues like inappropriate access and snooping by employees, but those issues shouldn’t “overshadow concerns about how you deal with credit cards, Social Security numbers and other financial data,” Drummond told RPP. “What we need to be concerned about in health care is identity theft,” Drummond said. “That’s a bigger risk for us.”

BAs and subcontractors of any size, particularly those that don’t deal exclusively with health care data, may also lack current knowledge of data security practices. CEs would do well to share security updates with them whenever possible. Even messages as seemingly simple as making sure they are “really vigilant about using antivirus software” that is of sufficient strength and kept updated can go a long way toward preventing problems in the future, Drummond said.

Visit http://aishealth.com/archive/hipaa0214-05 to read the article in its entirety.

About Report on Patient Privacy
Report on Patient Privacy is the health industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page monthly newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit http://aishealth.com/marketplace/report-patient-privacy for more information.

About Atlantic Information Services
Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for more than 25 years. It develops highly targeted news, data and strategic information for managers in hospitals, health plans, medical group practices, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, websites, looseleafs, books, strategic reports, databases, webinars and conferences. Learn more at http://AISHealth.com.

Jill Brown, Executive Editor
Atlantic Information Services, Inc.
(202) 775-9008, ext. 3058
