Medical Field at Great Privacy Risk

 

Nearly every industry is struggling to balance innovation and technology with privacy and security. In no industry is this truer than healthcare.
 


 

Much has shifted in the medical field since the time of the trusted country doctor. Changes in regulations, advancements in systems and the connectivity of more equipment and devices mean medical staff are challenged to protect their patients now more than ever.


 

Deeply sensitive, our medical information deserves the most sophisticated levels of privacy and security. Whenever possible, we should be asking our doctors, nurses and administrators what they are doing to ensure our private information stays that way.

 

Read on to learn more about privacy and security risks in the medical field and beyond. 

Security Each Day Keeps the Hacker Away

When a group of hackers stole more than 4.5 million patient records from a Tennessee-based (USA) hospital chain, more people began to realize that data breaches aren't just for banks and major retailers. In fact, over the past several years, more than 500 medical institutions have been attacked, resulting in the exposure of well over 25 million patient records. It appears the hackers are not only operating from the U.S., but also from China and other countries. 

 

Earlier this year, I spoke about the Heartbleed vulnerability. As it turns out, researchers believe the Tennessee hospital breach was a result of the hackers exploiting that faulty code. It is more critical than ever before that patient information is effectively secured everywhere it is stored and accessed.

 

It's incredibly important for healthcare providers, insurers and the businesses doing work for them to step up their games. Below are important components of an effective information security and privacy program:

  1. Establish comprehensive information security and privacy policies and supporting procedures that meet all HIPAA requirements. Follow them!
  2. Provide information security and privacy training so all who have access to patient information understand how to most effectively protect information.
  3. Perform regular risk assessments. 
  4. Keep all systems, applications, network security and code updated. Be sure to include medical devices, which are all too often not secured. 

Here are five ways consumers can help improve the security and privacy of their own patient information:

  1. Read the Notice of Privacy Practices (NPPs) supplied by doctors and health insurance companies and take note of when it was updated. All NPPs should have been updated last year.
  2. Ask to see their own healthcare records to ensure they're accurate. Every healthcare provider and insurer must have efficient and timely procedures in place to allow for this.
  3. Ask how often personnel are trained, and whether they receive ongoing awareness communications. These are not only HIPAA requirements; they also ensure personnel understand how to effectively safeguard information.
  4. Ask for proof that medical devices that transmit data wirelessly have been secured. Most medical devices do not have sufficient security, which puts data...and possibly health...at risk.
  5. Don't use mobile apps to collect, store or process health information until you've verified them to be secured. Research shows most apps do not have adequate safeguards in place.

Bottom line: Healthcare organizations (and all other types of organizations) need to step up their information security and privacy efforts. Patients and insureds need to tell them that this is important, and pressure them to strengthen their safeguards to address today's many, and increasing, risks.

Early to Bed, Early to Rise, Keeps You Healthy, Wealthy & Wise

From the time you get up in the morning to the time you finally hit the hay, you have come into contact with more "smart" equipment than you can probably imagine. Your thermostat, your medical device, your car... most every digitally powered gadget in your life either already is or will soon be connected to what's known as "The Internet of Things."

 

Here is an infographic I created to illustrate The Internet of Things

In 2009, there were nine million smart gadgets. In 2012, there were nine billion. That's expected to be as many as 90 billion by 2020. Imagine how much personal data will be floating through the air, on servers, in the gadgets and on networks and clouds that year!

 

Smart gadgets can be used, worn, installed... and now even swallowed. Yes, swallowed. There is such a thing as a smart pill that will report on your internal health and vitals and then dissolve inside you.

 

Naturally, there are great benefits to these devices. Yet providers and users - especially those in the medical field - have to be aware that all of this information is vulnerable to collection, analysis and theft.  

 

The Internet of Things was one of the topics we discussed on my most recent visit to the Great Day morning show, which you can watch on YouTube. I also spoke about the risks in a keynote I gave in Bogota, Colombia in June.


Quit Worrying About Your Health. It'll Go Away.

One thing very unlikely to go away anytime soon is the wearable device. From Google Glass to the Samsung Watch, it's becoming increasingly "cool" to attach your body to the Internet.

 

While it remains any one person's right to give away their own data, do we want to extend them the right to give away ours? What about a company's?

 

A tough decision is before employers everywhere - should they allow employees to wear devices that can covertly record, edit and transmit photography, scans and video? Even more controversial, should they require it? It's a question raised in this recent CiteWorld article. 

 

 

 

Health is Wealth 

In today's Internet of Things, it's becoming more common for smart gadget providers to use financial incentives to encourage more people to try their connected devices. Auto insurance carriers are a perfect example. Carriers like Progressive are extending premium discounts to drivers who will voluntarily install data-collection devices in their cars.

 

As reported by my hometown business journal, The Des Moines Business Record, as many as 80 percent of drivers are open to the idea.
 
 

While it may sound good at the outset (when the driver gets a discount of up to 10 percent just for signing up) those discounts are often then adjusted depending on the driving data. What will that tight turn or that day you went just a smidgen too fast end up costing you?

 

The innovators who built the data-gathering devices consumers must plug into their car are now working on installing such systems directly into the car or into a driver's smartphone. With less "action" required by the driver, the attention they pay to their personal data collection is likely to decrease over time. 

 

Last week, the Department of Transportation published a report that "initiates rulemaking" to mandate that all cars constantly broadcast and receive "Basic Safety Messages." Each message should include "the relevant elements and describe them accurately (e.g., vehicle speed, GPS position, vehicle heading, DSRC message ID, etc.)."

 

An important consideration: exactly who will get their hands on all that personal movement and location data? 

   

Prevention Is Better Than Cure 

A strong password has always been a best security practice. Yet, it's becoming even more important now as hackers have learned to successfully pose as system administrators to accomplish their dastardly deeds. Contemporary crooks are using remote control tools, like Microsoft and Apple remote desktops and LogMeIn, to gain administrative access to payment systems to steal unencrypted payment card data and other sensitive information.

 

A weak password today is like an open door in a high-crime neighborhood. Although no system is ever truly hack-proof, administrators have no excuse for avoiding the simplest of security steps.

 

Medical administrators, in particular, must pay extra attention to securing their access. According to the editor of Healthcare Informatics, many user logins in healthcare can be characterized as "incredibly lame passwords on the part of end-users in patient care organizations."

 

In addition to simply being "lame" (think 12345, for example), a second common practice is making passwords an incredibly hot commodity on the black market. Take the Russian theft of passwords that numbered in the billions. These criminals attacked lower-level retail and other websites to get at passwords people use not only for access to those systems, but also for access to their financial institutions. Unfortunately, it's not uncommon for someone to use the same password for the local library as for online banking access. Folks, use different types of passwords...GOOD, STRONG passwords...for different types of sites!!

 

Even passenger jets are vulnerable, as we learned in August when cybersecurity researcher Ruben Santamarta demonstrated how he could hack the satellite communications equipment on passenger jets through Wi-Fi and in-flight entertainment systems. This makes it more important than ever for airplane computer engineers to build in strong security controls.  

 

Three Scams Bad for Privacy Health

What follows are pointers to some new and some well-worn scams. Share this warning with your friends, colleagues and family to keep everyone up-to-date and secure.

 

Facebook color changer app is nothing but a scam - This trap lures users to download an app called "Facebook color changer." Doing so gives the culprits access to the victim's personal information and Facebook friends list, plus potentially to their entire site.

 

Ohio Turnpike Commission warns E-ZPass customers of email scam - With the email subject line "E-ZPass Info," phishing artists con unsuspecting commuters into giving up their personal information and potentially even their money.

 

Con artists posing as soldiers scam women out of thousands - Preying on lonely hearts, this trap uses legitimate, stolen identities to convince women the scammers are actually military officers. After establishing a digital relationship, the faux soldiers then request money for things that will keep the "romance" going, like laptops and internet access.  

 

Privacy Professor on Video
The Internet of Things is a hot topic for media, conference organizers, and increasingly, consumers. Below are a few videos that captured my recent speaking engagements on this topic.

August 2014: Great Day Morning Show (Des Moines, IA, USA)

On this episode, we talk through the benefits and potential privacy risks associated with smart gadgets. We also discuss the recent P.F. Chang's data breach and the ramifications for customers of that restaurant chain.

 

June 2014: International Information and Computer Security Conference (Bogotá, Colombia)

I was honored to deliver the keynote address at this international conference. Discussion points focused on the importance of engineering privacy controls into gadgets built for the Internet of Things.

 

May 2014: 10X Medical Device Conference (Minneapolis, MN, USA)

The purpose of my invitation to this event was to convey the importance of security and privacy in the development of new medical devices and the enhancement of traditional ones. I was privileged to co-present alongside a colleague who spoke on the hacking of pacemakers, a fascinating (albeit scary) topic.

 

 

Privacy Professor on the Road

Only four events to go until my travel season is concluded. 

 

September 16: Leading the SGCC Privacy Subgroup Workshop at the SGIP 2014 Conference in Nashville, TN

 

October 16 & 17: Providing a keynote at the Australian Information Security Association's National Conference in Melbourne, Australia.

 

November 5: Giving IAPP CIPM training in Chicago.

 

December:  Attending the SGIP SGCC meeting in Oregon.

 

New Risk Awareness Evaluation Tool!

 

Over the years, I've seen a great need for organizations to be able to quickly and economically determine the high-level HIPAA compliance risks that exist throughout their organization. I've also done work for many covered entities (CEs) to determine the risk levels of their business associates (BAs).

 

I've had a vision for being able to provide this help online since 2010. Therefore, I'm really excited to have finally found a great business partner who has been able to create this first-of-its-kind HIPAA Risk Level Evaluator!  

 

For the next few weeks or months (I've not established a set time yet) I'm providing it free. I'd love for you to take a few minutes to answer the questions, view the report that is generated and give me feedback. I can then make any tweaks and changes based upon your feedback. 

 

After this initial free introductory period I will sell it for $295. Please Click Here to be taken to the evaluation. And again, please send me an email to provide your feedback!

 

 

Need Help?

 

If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my SIMBUS site (http://www.hipaacompliance.org) or get in touch with me; I would love to help you! And for a limited time, if you purchase any of my new SIMBUS services, simply enter the discount code PRIVT to get 25% off for life on the software service you purchase.

  

You Have My Permission to Share

 

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE: This permission does not extend to the images in this email. They have been purchased with a one-time use license that cannot, unfortunately, be passed to the readers of the Tips Message.** 

 

Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.com.

 


They say a cheerful heart is the best medicine of all. Around the world, there are reports of a positive attitude achieving miracle-status cures. As the stress of back-to-school and the impending holidays begins to wash over you, stop yourself and simply smile. Life is good, and acknowledging that will keep you healthy, wealthy & wise. 

 

If you get stuck, remember the good times (like I do when viewing the photo of my growing family after the birth of my 2nd son with big brother holding him).

 

See you next month!


 Rebecca

Rebecca Herold, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI 
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564   

  
