HIPAA Compliance News and Information

Security | Privacy | Compliance | Training > www.itsalliances.com

SCOTUS' Cellphone Ruling Has Health Data Privacy Implications

iHealthBeat, Friday, June 27, 2014

On Wednesday, the Supreme Court unanimously ruled that cell phone searches conducted by law enforcement officials without a warrant are unconstitutional, in part because of the potential for phones to contain personal health care data, Modern Healthcare reports.


The ruling overturns a California state appeals court decision that followed a criminal conviction in Riley v. California, and upholds a federal appeals court decision striking down a criminal conviction in United States v. Wurie.

According to Modern Healthcare, the original convictions in both cases were obtained using data collected by law enforcement officials from the defendants' cell phones, which were confiscated at the time of their arrests. 

At issue in the Supreme Court case was whether the law enforcement officials' cell phone searches violated the Fourth Amendment, which states, "The right of the people to be secure in their persons, houses and effects against unreasonable searches and seizures."


In the opinion, Chief Justice John Roberts wrote that cell phones differ from other evidence collected and searched by law enforcement, such as a wallet, purse or car.

He noted that their data are "qualitatively different" and that cell phones have large storage abilities and are able to connect to online servers and cloud-based storage systems (Conn, Modern Healthcare, 6/26).

For example, the ruling noted that an individual's cell phone might show an "Internet search and browsing history" that could "reveal an individual's private interests or concerns -- perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD."

Further, the ruling stated that cell phones can track an individual's every movement and contain applications that could reveal "alcohol, drug and gambling addictions" or the individual's pregnancy status or desire to become pregnant (Barbash, Washington Post, 6/26).

Therefore, the court ruled that "a warrant is generally required before a [cell phone] search" (Modern Healthcare, 6/26).

Roberts wrote, "We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime." However, he added that "[m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans 'the privacies of life'" (Vijayan, Computerworld, 6/25).


Health care privacy specialists say the ruling likely will have broader implications in the health care industry.

According to Modern Healthcare, it could become a guide for privacy advocates and health care stakeholders as they grapple with consent rights over who can access patients' medical records. Jim Pyles, a principal attorney at Powers Pyles Sutter & Verville, said that the ruling "should be very good news for those of us who do believe patients should have control over who sees their health care information."

Pyles added that the ruling could affect current discussions by HHS' Substance Abuse and Mental Health Services Administration regarding potential changes to privacy protections to facilitate the sharing of substance misuse data.

Meanwhile, Adam Greene, a privacy lawyer with Davis Wright Tremaine, said he does not foresee "any immediate potential impact for the health care industry." However, he said the ruling "sets up precedent in the government having a very strong stake in protecting patient privacy above other interests" (Modern Healthcare, 6/26).

Fanny Pack Mixup Unravels Massive Medicare Fraud Scheme

By Charles Ornstein ProPublica,  July 11, 2014, 7:59 a.m.

The fraud scheme began to unravel last fall, with the discovery of a misdirected stack of bogus prescriptions and a suspicious spike in Medicare drug spending tied to a doctor in Key Biscayne, Fla.

Now it's led to two guilty pleas, as well as an ongoing criminal case against a pharmacy owner.

Last year, ProPublica chronicled how lax oversight had led to rampant waste and fraud in Medicare's prescription drug program, known as Part D. As part of that series, we wrote about Dr. Carmen Ortiz-Butcher, a kidney specialist whose Part D prescriptions soared from $282,000 in 2010 to $4 million the following year. The value of her prescriptions rose to nearly $5 million in 2012, the most recent year available.

But no one in Medicare bothered to ask her about the seemingly huge change in her practice, Ortiz-Butcher's attorney said. She stumbled across a sign of trouble last September, after asking a staffer to mail a fanny pack to her brother. But instead of receiving the pack, he received a package of prescriptions purportedly signed by the doctor, lawyer Robert Mayer said last year. Ortiz-Butcher immediately alerted authorities.

Since then, investigators have uncovered a web of interrelated scams that, together, cost the federal government up to $7 million, documents show.

In February, the U.S. Attorney's office for the Southern District of Florida charged Maria De Armas Suero, who had been a secretary at Ortiz-Butcher's Island Clinic from March 2011 to September 2013, with 11 counts of conspiracy, fraud and aggravated identity theft.

Suero subsequently agreed to plead guilty to two counts of conspiracy and identity theft. In a recounting of her wrongdoing, called a factual proffer, she acknowledged using Ortiz-Butcher's paper prescriptions to "create fraudulent scripts for numerous Medicare beneficiaries … The prescriptions falsely represented that the Medicare beneficiary was seen by [Ortiz-Butcher] and that the listed prescriptions were medically necessary."

Suero acknowledged that she was paid $100 for each prescription she generated. Local pharmacies then billed Medicare for filling the prescriptions, which were sometimes never dispensed. The false claims resulted in losses to Medicare of at least $2.5 million, the proffer said.

In March, the U.S. Attorney charged another secretary at the same clinic, Milagros Matias Ortiz, with two counts of conspiracy to commit health care fraud and aggravated identity theft. She also has pleaded guilty, acknowledging in her proffer that she created false prescriptions while she worked at the clinic from March 2011 to August 2012. She was paid $50 for each prescription.

Ortiz and Suero are set to be sentenced this month. Suero's lawyer, Rene Palomino Jr., said the doctor had no knowledge of what was going on. "Believe me if she had any knowledge about this, her name would have been in an indictment," he said.

Ortiz' lawyer, Joseph Tesmond, said his client has "accepted responsibility" for her "very minor role in this." He said she continued working at the clinic after she withdrew from the scheme, resigning in March before she was charged.

"She has been cooperating with the government since the beginning," Joseph Tesmond said. "The first time that they came to speak to her, she spoke to them at length without [legal] representation."

In May, prosecutors also charged a pharmacy owner, Luisa Isabel Vega, with conspiracy and fraud relating to Medicare claims linked to Ortiz-Butcher. Vega's AB Pharmacy in Miami was overpaid $4.2 million by Medicare from April 2011 to November 2013, according to the indictment.

In an affidavit, Daniel Crespi, a special agent with the Health and Human Services Inspector General's office, said several Medicare beneficiaries whose prescriptions were supposedly filled by AB Pharmacy denied receiving most or all of the medications. "The beneficiaries further admitted that they had been paid kickbacks by patient recruiters for allowing AB Pharmacy to submit fraudulent claims to Medicare utilizing their personal information," Crespi wrote.

Crespi's affidavit says he interviewed a physician (ProPublica data shows it was Ortiz-Butcher) who purportedly sent prescriptions for 181 Medicare patients to AB Pharmacy, but it turned out that only 17 of them were actually patients of hers. "The physician concluded that his/her signature on the prescriptions were being forged and fraudulently utilized at AB Pharmacy."

Medicare data show that 7,613 prescriptions attributed to Ortiz-Butcher were filled at AB Pharmacy in 2012, more than any other doctor.

The second highest Medicare prescriber for AB Pharmacy was a Miami physician whose tab jumped from $2.1 million in 2010 to $8.7 million the next year. (It was $8.4 million in 2012.) His most-prescribed drugs, like Ortiz-Butcher's, read like a shopping list of the brand-name pills that are most valued in scams.

In an interview last year, Ortiz couldn't recall whether the prescriptions were his, but later said he'd been aware that some bogus prescriptions had been written using his name. (He has not been charged.)

Vega, the pharmacy's owner, has pleaded not guilty. Her lawyer declined to comment, saying the case is pending.

A spokeswoman for the U.S. Attorney's office said other cases related to prescriptions attributed to Ortiz-Butcher are under investigation. Criminal cases also were brought against officials at two other pharmacies that filled the doctor's prescriptions, though they began before she uncovered the scam.

"The Suero and Ortiz cases are somewhat unique because we charged the individuals creating the fraudulent scripts," spokeswoman Michelle Alvarez wrote by email. "Most of our cases focus on those who are more directly involved in billing Part D, i.e. pharmacy owners, and those who recruit and pay patients needed to bill the Part D program."

The larger question may be why Medicare didn't spot the spike in Ortiz-Butcher's supposed prescribing and inquire about it.

Aaron Albright, a spokesman for the Centers for Medicare and Medicaid Services, said he can't discuss individual cases but said the agency has beefed up its oversight of the prescription drug program, including its use of proactive data analysis. The agency recently issued a new regulation giving itself the authority for the first time to kick abusive prescribers out of Medicare.

In a brief interview, Ortiz-Butcher said she was happy the case was being investigated and acted upon, but the effect on her has been profound. "When you trust people in your life to work with you, and that trust is violated, it leaves a sense of emptiness that's insurmountable and also makes it very difficult to trust again," she said. "That's pretty much where I'm at right now."

National Public Health Week

A Statement by Assistant Secretary for Health Dr. Howard Koh

National Public Health Week is a time to recognize progress we have made in strengthening and protecting the public health and to rededicate ourselves to the work of improving the health and well-being of Americans by preventing disease, supporting medical research, and promoting safer and healthier communities.

This year, one of the main themes of National Public Health Week, “Be Healthy from the Start,”  is particularly appropriate, as we have just marked the end of the first open enrollment period of the Affordable Care Act.

The Affordable Care Act’s focus on prevention and expanding access to quality care is rooted in the concept of “being healthy from the start.” Because of the law, millions more Americans have quality affordable coverage, including preventive services, through the Marketplace or Medicaid. Not only can they get the care they need when they need it, but they can get preventive care as well, many for the first time. Already more than 100 million Americans with private insurance and Medicare have benefitted from expanded coverage of preventive services such as recommended cancer screenings without paying coinsurance or deductibles.

The Affordable Care Act also establishes the National Prevention Council, which, through the National Prevention Strategy, strives to move the nation from a focus on sickness and disease to one based on wellness and prevention across all sectors. The Council works in conjunction with the Prevention and Public Health Fund and other efforts to prevent heart attacks, strokes and cancer, reduce tobacco use, prevent obesity, combat health disparities and improve the nation’s health.     

To help gauge advancements in America’s public health, the U.S. Department of Health and Human Services tracks leading health indicators via the Healthy People initiative, which provides science-based 10-year national objectives for improving the health of all Americans. (www.healthypeople.gov)

National Public Health Week is an opportunity to recognize not only the important work of public health workers in communities across our country, but also the role every citizen plays in the effort to "Be Healthy from the Start."

By taking better care of ourselves, and supporting friends and family in their efforts to lead healthier lives, we can all play an important role in National Public Health Week.


Cybersecurity: Involving Senior Leaders

April 7, 2014

To boost cybersecurity, senior leaders - whether a CEO, a board member or a government agency director - need to think of information as a critical asset worthy of protection, risk management experts Val Rahmani and Malcolm Harkins say.

Rahmani, the former CEO of computer security provider Damballa, says many of these leaders hadn't considered information as a critical enterprise asset until publicity surrounding the Target breach and other breaches surfaced. She says: "They now are trying to work out, in conjunction with the technical team: What are our assets? What do they look like? Where are we at risk?"

Rahmani explains in a joint interview with Harkins: "What they're trying to do now is really understand what are those assets, interpreted not as bytes, but in terms of the value to the business. Then, I can start thinking about who might want those assets and how they would try to go after them. And, until you've done that, you haven't even got the capability to start thinking how might I protect them."

Communicating Clearly

Harkins, chief security and privacy officer for chipmaker Intel, says CISOs and other IT security leaders should avoid technical lingo when explaining to top executives and board members the vulnerabilities their organizations face.

"When you start talking about BIOS and firmware and drivers and your network infrastructure and that level of technical depth, if you're a business leader who is not in the technology space, you might not know what those words are," Harkins says. "You have to use different ways of communicating with that senior-level audience to say there is a technical vulnerability in this particular product. The specific aspects of what it is isn't relevant, but if exploited, here's what that means in terms of impact to the enterprise."

In the interview, Rahmani and Harkins also:

  • Explain how information risk can be incorporated into the overall risk management function of the board;
  • Provide examples of how to put technical risk challenges into business terms; and
  • Discuss the appropriateness of board members bypassing the chief executive to speak directly with the CISO.

Rahmani is a corporate board member, consultant and start-up adviser. From 2009 through 2013, she served as chief executive of Damballa, a computer security company focused on malware, advanced persistent threats and targeted attacks. For more than 30 years, she served in various executive positions at IBM, with her last assignment as general manager of IBM Internet Security Systems.

Harkins is an Intel vice president. Before becoming Intel's first chief security and privacy officer, he served as its CISO. Harkins also previously held roles in finance, procurement and various business operations. He has managed IT benchmarking efforts and Sarbanes-Oxley systems compliance efforts.

Does IP Convergence Open You up to Hackers?

April 7, 2014

Recent reports indicate that unauthorized persons gained access to Target's network using credentials stolen from a contractor that worked on the company's refrigeration, heating, ventilation and air conditioning systems. The ongoing investigation will have to determine whether this was the root cause of the Point-of-Sale (POS) malware or a parallel attack. Whichever it turns out to be, it is clear that you should take steps to ensure that any access you provide to vendors cannot be abused or misused.

Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company's data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company's corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and to control the recording of camera images.

The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.

  • First, when the access account had been provisioned for the security vendor, it wasn't assigned to an individual, but to the vendor so that anyone could use it.
  • It was provisioned with an initial and trivial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
  • There was no test in place to see if the vendor's log-in came from a known IP address associated with the vendor.
  • There was no audit to see if the access using the vendor's account was reasonable - something the company's facilities manager could easily have done.
  • The vendor was not required to maintain security controls equivalent to those of the company.
  • Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.

Increasing Convergence, Increasing Risk?

Over the past few years, there has been recognition of the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructural elements like security, environmental management and similar support systems. But we have found that in many cases, the security issues relating to these systems are not well understood, since it seems like they just use the network for data transport. Of course, as real-world cases demonstrate, it isn't that simple.

These infrastructure support systems must often be accessed by vendors as well as company personnel. Even for company personnel, there may be a need for remote access to respond to off-hour emergencies. As a result, many of these systems must be reachable online from outside the company. That leads to the issue of authentication. Who has the access? How is it authenticated? Are access credentials tied to an individual, or are they just supplied to a vendor for anyone to use? Are strong passwords required, and have they been changed recently? Is account usage subject to audits?

The other issue is connectivity. Are the users of these accounts (particularly vendor accounts where they don't need access to other company online resources) limited to the specific level of access they require? Are they limited to accessing the specific devices and applications they need, or is it just assumed that's what they will do?
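The questions in the two paragraphs above (individual rather than shared accounts, password age, logins from the vendor's known addresses, and access limited to the devices the vendor actually maintains) can be turned into a routine audit of remote-access records. The following is an added example, not code from Kroll or from the article: the policy, the account metadata and the log lines are constructed, and the field layout of the log (timestamp, account, source IP, target host) is an assumption about how a VPN or jump-host log might be exported.

```python
"""Audit vendor remote-access events against a vendor access policy.

Added example. Everything below is constructed: the vendor name, the
203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges), the
account names, the host names and the log lines.
"""
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network


@dataclass
class VendorPolicy:
    vendor: str
    allowed_sources: list        # CIDR strings the vendor is expected to connect from
    allowed_hosts: set           # devices the vendor is contracted to maintain
    max_password_age_days: int = 90


# Hypothetical policy for a camera/security-system vendor.
POLICY = VendorPolicy(
    vendor="camera-vendor",
    allowed_sources=["203.0.113.0/24"],
    allowed_hosts={"cam-ctrl-01", "cam-ctrl-02", "nvr-01"},
)

# Account metadata as an identity system might export it (constructed).
# 'owner' None models the shared account the article describes.
ACCOUNTS = {
    "camvendor": {"owner": None, "password_set": "2011-03-01"},
    "jdoe.camvendor": {"owner": "J. Doe", "password_set": "2014-02-15"},
}

# Constructed remote-access log: time, account, source IP, target host.
LOG_LINES = """\
2014-04-01T02:14:00 camvendor 203.0.113.17 cam-ctrl-01
2014-04-01T02:20:00 camvendor 198.51.100.9 nvr-01
2014-04-01T03:05:00 camvendor 198.51.100.9 fileserver-02
2014-04-02T10:00:00 jdoe.camvendor 203.0.113.22 cam-ctrl-02
"""


def parse_line(line):
    """Split one log line into (timestamp, account, source address, host)."""
    ts, account, src, host = line.split()
    return datetime.fromisoformat(ts), account, ip_address(src), host


def audit(log_text, policy, accounts, today):
    """Return one finding per policy violation found in the log."""
    findings = []
    nets = [ip_network(n) for n in policy.allowed_sources]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, host = parse_line(line)
        meta = accounts.get(account)
        if meta is None:
            findings.append(f"{ts}: login by unknown account {account}")
            continue
        # Credentials must be tied to a named individual, not "the vendor".
        if meta["owner"] is None:
            findings.append(f"{ts}: shared account {account} is not tied to an individual")
        # Passwords must have been rotated within the policy window.
        age = (today - date.fromisoformat(meta["password_set"])).days
        if age > policy.max_password_age_days:
            findings.append(f"{ts}: {account} password is {age} days old")
        # Logins should originate from the vendor's known address ranges.
        if not any(src in n for n in nets):
            findings.append(f"{ts}: {account} logged in from unexpected source {src}")
        # Access should stay within the devices the vendor maintains.
        if host not in policy.allowed_hosts:
            findings.append(f"{ts}: {account} reached {host}, outside the vendor's scope")
    return findings


def audit_sample():
    """Run the audit over the constructed data with a fixed review date."""
    return audit(LOG_LINES, POLICY, ACCOUNTS, date(2014, 4, 2))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run as a script it prints one line per violation; in the constructed data the shared `camvendor` account trips every check, while the individually owned `jdoe.camvendor` account produces nothing. The same four checks map directly onto the first four bullets in the list above; the last bullet (network segmentation) is a network-design control rather than something a log review can confirm.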

Windows XP Will Leave Organizations Severely Exposed

April 7, 2014

The clock is ticking - as of this week Microsoft will no longer support Windows XP. The operating system will pose an increasing risk to its users, making it more important than ever for organizations to identify and upgrade legacy systems wherever possible, or have stringent network security in place to mitigate the risks and to create a virtual "ring of steel" around the most susceptible systems. Windows XP has been a fairly stable, reliable and extremely popular operating system for over a decade now, but it really is time to put the venerable OS out to pasture.

What does the expiration of Windows XP support mean for organizations? Businesses have managed to get by just fine with Windows XP for years - "If it ain't broke, don't fix it", right? Well, the problem with that theory is that it assumes that Windows XP isn't broken in the first place, and that support will continue forever. It doesn't account for the reality. Windows XP works and runs business software, but it is less secure than its successors. Windows XP systems are compromised by 27 per cent more malware attacks than subsequent Windows versions, and resolving a malware incident on Windows XP takes an average of seven times longer. When viewed through the lens of security, it's easy to see that Windows XP is, in fact, broken.

When it comes to leaving corporate networks exposed to risk, "almost" is not good enough. If you lock all of the doors and windows on your house, but forget to lock the back door, you may as well not have locked any of them. Similarly, if you upgrade all of the PCs in the organization to Windows 7, but a rogue Windows XP machine you're not aware of is still connected to your network you're still at risk, as that lone machine represents an open back door into the rest of the network.

A rogue, unsupported Windows XP machine will eventually become a target for attackers, giving them a foothold inside a corporate network. That one compromised Windows XP system could be used to siphon information from the network, or to spread malware to other systems.

It is crucial to have a complete and accurate inventory of the systems connected to your network. If businesses don't know what's out there, they can't keep it properly maintained and updated and can't mitigate the risk posed by it.

Knowing is half the battle

The first step in mitigating risks is to know which operating systems are in use within your organization. Using asset tracking solutions, businesses will be able to detect and identify lingering Windows XP systems with minimal effort and assess their risk level.

Businesses should consider custom software running on their systems. Businesses need to determine whether continued use of Windows XP will impact these custom systems in terms of ongoing support from their manufacturers and determine what changes these applications need when migrating to another OS, particularly if it is already a legacy, unsupported application.

The risk is that hackers will be able to identify holes in Windows XP that will no longer be addressed in short order with a Microsoft patch or service pack. These potential holes for exploitation will continue to multiply over time and as such the cost of managing a Windows XP estate will rise very quickly, both from maintenance point of view, but also from potential exploits and lost productivity.

It is recommended that organizations still using Windows XP upgrade to the latest, or at least a more recent supported, version of Windows to ensure they continue to receive the latest security and stability patches. Doing so will ensure their software ecosystem is protected from known exploits. Whether businesses opt for upgrading their XP machines to a new version of Windows, or they look to overhaul their entire hardware estate, the cost savings will pay off in a short amount of time. For hackers, Windows XP is like breaking into a car with no alarm installed: it will be easy for them, as all the potential exploits and vulnerabilities will be known from patches for other versions of Windows.
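The inventory step described under "Knowing is half the battle" has two parts that the article separates: finding machines the organization does not know about, and flagging known machines whose operating system is past its support date. The following is an added example, not code from the article or from any asset-tracking product: the inventory rows, the list of hosts seen on the network, the hostnames and the address ranges are constructed. The only real value is Windows XP's end-of-support date, 8 April 2014, which is the date the article refers to.

```python
"""Reconcile network-observed hosts with the asset inventory and flag
end-of-support operating systems.

Added example. Inventory rows, observed hosts, hostnames and segments are
constructed; the Windows XP end-of-support date is Microsoft's published date.
"""
from datetime import date

# Vendor end-of-support dates by OS family. Only Windows XP is filled in here
# because it is the article's subject; other families would be added from the
# vendor's lifecycle documentation.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
}

# Constructed asset inventory: hostname, OS string as recorded, network segment.
INVENTORY = """\
ws-fin-01,Microsoft Windows 7 Enterprise,10.10.1.0/24
ws-fin-02,Microsoft Windows XP Professional SP3,10.10.1.0/24
kiosk-lobby,Windows XP Home Edition,10.10.5.0/24
srv-app-01,Windows Server 2008 R2,10.10.2.0/24
"""

# Constructed list of hosts actually seen on the network (for example from
# DHCP leases or switch ARP tables). Anything here that the inventory does not
# know about is the "rogue machine you're not aware of".
SEEN_ON_NETWORK = ["ws-fin-01", "ws-fin-02", "kiosk-lobby", "srv-app-01", "hvac-ctrl-03"]


def normalize_os(os_string):
    """Map a noisy inventory string such as 'Microsoft Windows XP Professional
    SP3' to a family key in END_OF_SUPPORT; return None if unrecognised."""
    s = os_string.lower()
    for family in END_OF_SUPPORT:
        if family in s:
            return family
    return None


def parse_inventory(text):
    """Parse the comma-separated inventory into {hostname: {os, segment}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, os_string, segment = line.split(",")
        rows[host] = {"os": os_string, "segment": segment}
    return rows


def assess(inventory_text, seen_hosts, today):
    """Return hosts running an OS past end of support, and hosts seen on the
    network that the inventory has no record of."""
    inv = parse_inventory(inventory_text)
    report = {"unsupported": [], "unknown_hosts": []}
    for host, info in inv.items():
        family = normalize_os(info["os"])
        eos = END_OF_SUPPORT.get(family)
        if eos is not None and today >= eos:
            report["unsupported"].append((host, info["os"], info["segment"]))
    for host in seen_hosts:
        if host not in inv:
            report["unknown_hosts"].append(host)
    return report


def assess_sample():
    """Run the assessment on the constructed data the day after XP support ended."""
    return assess(INVENTORY, SEEN_ON_NETWORK, date(2014, 4, 9))


if __name__ == "__main__":
    result = assess_sample()
    for host, os_string, segment in result["unsupported"]:
        print(f"UNSUPPORTED  {host:<14} {os_string:<40} {segment}")
    for host in result["unknown_hosts"]:
        print(f"NOT IN INVENTORY  {host}")
```

Reporting the network segment alongside each unsupported host is deliberate: it shows which part of the network the "open back door" sits in, which is what decides whether a machine can be isolated until it is replaced. The unknown-host list is the more important output, since an unsupported machine that is in the inventory can at least be scheduled for upgrade, while one that is not cannot be managed at all.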
