Keeping Electronic Health Records Safe

Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively). At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs [1].

According to a current listing on DataLossDB.org, four of the ten major data security breaches on the list involved medical records getting into the wrong hands. The VA experienced one of the top ten data security breaches of all time (over 26 million records). Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it often goes beyond what payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.

Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Payment Card Industry Data Security Standard (PCI DSS) for eCommerce security. Under PCI DSS, compliant systems must keep sensitive information separated from non-sensitive data within the system and encrypted both in transit and at rest. This prevents attackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]

Keeping Credit Card Data Safe

Having your credit card stolen is a major concern for any cardholder. Combine that with the responsibility of buying supplies for the government and it is enough to lose sleep over. Attacks on payment card processing systems are on the rise. Organized internet thieves target online merchants of all sizes. According to a study by the University of Michigan, 76 percent of websites from 214 US financial institutions suffer from at least one security design flaw that prevents secure usage (the full report is at http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf).

No one is completely safe.

Fortunately, there’s a clear path of action for merchants that can help prevent compromise of payment card data. The Payment Card Industry Data Security Standard is the authorized program of goals and associated security controls and processes that keep payment card data safe from exploitation. The standard is often called by its acronym PCI DSS or PCI.

This standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card bearing the logo of one of the card brands. In practice this includes deploying multiple firewalls within the ecommerce system and separating the credit card database from other system processes.
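The two PCI DSS controls the posts above describe, segregating cardholder data from the rest of the system and encrypting it at rest, are easier to see in code. The following is an added example, not Partnet's or DOD EMALL's code: a segregated "vault" is the only component that ever holds a full card number, while the application's order records carry a random token and a masked number. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, an assumption made so the example runs on the Python standard library alone; a production vault would use a vetted AEAD such as AES-GCM. The class and function names and the sample card number (a commonly used test PAN) are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not the project's own code. Shows the PCI DSS pattern of
# keeping cardholder data in a segregated, encrypted store so that the main
# application database never contains a primary account number (PAN).

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and authentication keys from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (stand-in for a real block cipher).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_rest(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_at_rest(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; refuse tampered or truncated blobs."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def mask_pan(pan: str) -> str:
    # PCI DSS permits displaying at most the first six and last four digits;
    # this example keeps only the last four.
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Segregated store (own host, own firewall zone) holding encrypted PANs."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._rows: dict[str, bytes] = {}  # token -> encrypted PAN

    def tokenize(self, pan: str) -> str:
        token = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._rows[token] = encrypt_at_rest(self._master, pan.encode())
        return token

    def detokenize(self, token: str) -> str:
        return decrypt_at_rest(self._master, self._rows[token]).decode()


class OrderStore:
    """Main application database: holds tokens and masked PANs only."""

    def __init__(self):
        self.orders: list[dict] = []

    def record_order(self, vault: CardVault, order_id: str, pan: str, amount: float) -> str:
        token = vault.tokenize(pan)
        self.orders.append({"order_id": order_id, "card_token": token,
                            "card_mask": mask_pan(pan), "amount": amount})
        return token


def contains_pan(store: OrderStore, pan: str) -> bool:
    """Audit check: does any field of the main database leak a full PAN?"""
    return any(pan in str(value) for row in store.orders for value in row.values())


if __name__ == "__main__":
    vault = CardVault(os.urandom(32))
    store = OrderStore()
    token = store.record_order(vault, "ORD-1001", "4111111111111111", 42.00)  # test PAN
    print("order row:", store.orders[0])
    print("PAN present in main DB:", contains_pan(store, "4111111111111111"))
    print("vault can recover PAN:", vault.detokenize(token))
```

The audit helper `contains_pan` is the check a reviewer would run against a database export: if a full card number appears anywhere outside the vault, the segregation requirement has been violated regardless of how strong the encryption is.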

As principal developer of the DOD EMALL eCommerce site, Partnet recognized the vulnerabilities of the system. In 2008, when the Defense Logistics Agency mandated that DOD EMALL be moved into a DISA enterprise data center, Partnet recommended that the ecommerce system network be redesigned to move toward PCI compliance. This was the first time the Department of Defense dealt with this commercial standard. Partnet […]
