PHI security demands leave life coach feeling doomed

Nothing like a little morbid humor from a life coach.

But given the difficulty of securing Personal Health Information (PHI) in the digital age, Anthony Centore, founder of the Virginia-based counseling and life-coaching firm Thriveworks, sounds like he could use a little counseling himself.

On the Thriveworks website, he has posted a lament titled, "Counselors are Doomed: Client Privacy and PHI in the Electronic Age," with a depressingly familiar list of reasons why those charged with protecting the personal information of their clients are in an almost impossible situation.

His list -- with each item beginning with, "We are doomed because..." -- is familiar to those in the data security business:

  • It is impossible to guarantee 100 percent security for digital data. Yet that is the demand placed on health care professionals by federal laws like HIPAA and HITECH;
  • Data breaches are on the rise, with some of the most famous corporations in the nation, including Sony, Tricare, Nasdaq and even Google unable to block them. Most healthcare firms, and there are thousands of smaller ones with only one to five clinicians, don't have the resources or tools to counter the sophistication of today's hackers;
  • The smallest of human errors -- something like confirming an appointment with a client via email that is not encrypted -- amounts to a HIPAA violation and could lead to a stolen identity;
  • Passwords, even those that comply with the industry standard of nine characters including an upper-case letter and a number, can be hacked with relative ease with the use of brute-force techniques for which more than six quadrillion possibilities are no major obstacle;
  • There are social penalties for an attack that leads to a breach. Not only does a firm have to notify affected clients, but it gets added to a "hall of shame" by the federal Department of Health and Human Services;
  • Financial penalties can crush a company, even in cases where individuals did not know, and with reasonable diligence would not have known, that they were violating HIPAA regulations; they are liable for up to $50,000 per violation.

In an interview, Centore says the "doomed" mantra is a bit tongue-in-cheek, but the rest of it is serious. He believes the laws have outpaced the technology. "There is no reasonable technology that can keep your data completely safe," he says, "but the penalties are still there for violations, and they are really strict penalties."

Centore says Thriveworks, with headquarters in Virginia and practices in Boston and Philadelphia, also serves "several hundred small practices around the country." He says he spends tens of thousands of dollars to comply with HIPAA and other regulations.

"We will defend our data in every area we can," he says. "We have somebody assigned to comply with HIPAA. Our staff is trained and re-trained in how to handle case notes and on doing everything we can do to make sure information is sacrosanct."

But, he says, "smaller practices can't spend what we spend."

Robert Siciliano, McAfee consultant and identity theft expert, says it is important to emphasize that "numerous industry studies by researchers like Javelin and in reports by Verizon, McAfee and others note that most data breaches occur as a result of inaction, lack of policy, procedure, systems in place and an overall lack of awareness."

Centore says he knows human error is the greatest risk factor in breaches and that, "little mistakes can have a big impact."

Siciliano adds that many security experts argue that "spreading doom-and-gloom scenarios just perpetuates fear, uncertainty and doubt" -- concepts so pervasive that they have their own acronym: FUD.

But, he says, "the reality is that fear does promote awareness, which in turn facilitates actionable security. There is something to be said for reviewing the fundamentals of effective security policy and procedure."

And despite his "doomed" theme, Centore does not advise giving up. He offers the standard but critical list of security tips: Make your passwords more complicated, don't use the same one for multiple accounts and never store them on your computer; Don't leave case files in your car; Update your computer's operating system and other protection.

He adds another specific to health providers: Don't store client records any longer than required.
