Share Button

On a recent trip to India for work, I woke up in my hotel room and did my favorite thing which millions of Indians including celebrities and politicians do all over the country every morning: pick up a paper copy of The Times of India stuck snugly on my door knob. As a kid growing up in India, I used to head straight for the cricket page (Sports is Cricket and Cricket is Sports in India). But the gray in my beard now also make me look at the front page headlines before heading to the cricket page.

Besides the usual stuff about politics, crime and business growth, one headline in particular caught my attention: Xiaomi Mi3 sold out in a few seconds; Flipkart site crashes. 2000px-Xiaomi_logo.svg

Now, for those who don’t know Xiaomi, it is a “young” company started in China in 2010. It is known in the market for listening to the customer’s voice and making rapid changes to software on a regular basis besides being very economical. For eg., all employees including executives have to spend time interacting with consumers and responding to their feedback. By creating an initial adapter model amongst consumer who trade Xiaomi incentives, they have created a cult following in China. It has a big focus on design and many folks compare it to Apple and even being an Apple clone. Its revenues in the first six months of 2014 were almost $7 Billion and as of July 2014, it is the world’s 5th largest smartphone maker as per Forbes. It was also able to overtake Samsung in China as of August 2014. The timing of the launch of Xiaomi in 2010 would imply that it followed Apple’s first generation iPhone launch very closely and was able to build itself in China and is now expanding into countries like India very successfully.

This piece of news made me curious about some of the following things related to consumer-tech and which is what I shall be focusing upon for the purpose of this post:

  1. How was a Chinese company which as per Business Insider is an Apple clone able to create such a sensation in India in such a short time?
  2. Was the above phenomenon a flash in the pan (in the Indian market) or does it happen with other foreign companies entering the Indian market as well?
  3. What kind of competition did Xiaomi face from the local competitors in India? Was there an Apple clone in India as well started by a local Indian entrepreneur?
  4. What is the state of Indian entrepreneurship and innovation? What are the cultural aspects facing the Indian consumers which potentially influences the mindset of the Indian entrepreneur?
  5. What kind of innovation is going on in countries such as China? Where is the main innovation coming from?
  6. How do entrepreneurs outside India view the Indian market?

Digging deeper during my flying time (thanks to in-flight wi-fi), I was able to find some interesting things happening primarily in China, USA and India. Of course, as I am not based out of India anymore, a lot of these findings are “google-based” and not “on-the-ground” knowledge.

Here are the headlines of my findings:

  1. American entrepreneurs (primarily from Silicon Valley) were still the main innovators coming up with the killer and disruptive ideas. This has been going on for quite some time now and bigger and bigger ideas are being launched into the market on a daily basis. This group of innovators also includes a big chunk of immigrants including Indians.
  2. Chinese entrepreneurs observe American innovation very closely and think through which innovation might apply to the Chinese market and then localize it and quickly launch the Chinese version very quickly in China.
  3. India ends up becoming one of the biggest markets for the American companies and 2nd largest for the Chinese companies.

Here are some examples of what led me to the above findings:

  1. OS Innovation: China develops Windows and Android killer: http://money.cnn.com/2014/08/25/technology/security/china-os/index.html – this demonstrates how folks are thinking of reducing reliance on the market leaders

2. Mobile Messaging: As we all know, WhatsApp was acquired by Facebook for ~19 Billion.  WhatsApp is a Silicon Valley company founded in 2009 with the aim of disrupting the SMS space and enabling easy mobile messaging. As of August 2014, it has over 600 Million active users.

Enter WeChat (known as Weixin in China) which is owned by Shenzhen, China based internet company, Tencent (world’s fourth largest internet company as of April 2014). As per Forbes, WeChat is now one of the world’s most powerful apps. For me, it is the closest competitor to Facebook at this time given its very strong eco-system of e-commerce and micro-apps which are being used by companies globally to sell their services, products and engage with a growing number of users globally. As of Q2 2014, WeChat has almost 438 Million users. WeChat is very much catching up with WhatsApp. wechat

India market entry for WeChat: Coming back to the Indian market, as of August 2014, 10% of all active users of WhatsApp are in India which makes India its biggest market. http://timesofindia.indiatimes.com/tech/tech-news/WhatsApps-India-user-base-crosses-70-million/articleshow/45018845.cms

Tencent also sensed the growing demand from India and launched WeChat through an Indian gaming company named Ibibo in which it had invested into. WeChat is now one of the top downloaded apps in India now. WeChat continues to make significant investments and marketing promotions in India. Other top mobile messaging apps included Viber, Line and Facebook Messenger (all non-Indian).

3. Smartphones: Here’s another report for the launch of Xiaomi’s new model: Xiaomi to launch entry-level smartphone Redmi 1S in India on August 26 and how folks are looking forward to it: http://timesofindia.indiatimes.com/tech/tech-news/Xiaomi-to-launch-entry-level-smartphone-Redmi-1S-in-India-on-August-26/articleshow/40783256.cms

4. Facebook and Twitter users to cross 80 Million this year in India:http://www.dnaindia.com/mumbai/report-facebook-twitter-users-to-cross-80-million-this-year-2006431 . This demonstrates how Indian “junta” is so reception to outside innovation and embracing it. http://timesofindia.indiatimes.com/tech/tech-news/Twitter-India-among-our-fastest-growing-markets/articleshow/45240322.cms

5. Another big Silicon Valley company, Uber, has announced that India will be its biggest market: http://thenextweb.com/in/2014/08/19/india-becomes-ubers-largest-market-outside-us-launch-service-four-additional-cities/ .

With this data in hand, I started looking for Chinese comps and found such examples of Chinese innovation (above and beyond WeChat and Xiaomi) and those which have become household names not just in China but outside China as well:

— Baidu is now the default search engine – developed by Chinese, in China and is now expanding globally: http://www.techinasia.com/baidu-mobile-search-engine-hits-500-million-active-users/

— RenRen is considered to be the Facebook of China: http://www.trefis.com/stock/renn/articles/171218/renren-gains-from-facebooks-absence-in-china/2013-05-03

— Weibo is considered to be the local Twitter of China: http://time.com/65792/weibo-ipo/

— AliPay is considered to be the PayPal of China: http://blogs.marketwatch.com/thetell/2014/02/10/sorry-paypal-chinas-alipay-is-worlds-no-1/ Alipay

— Alibaba is now bigger than Amazon and founded in China: http://www.wired.com/2014/09/alibaba-already-bigger-facebook-amazon-ibm/

I tried to find similar companies founded in India and as successful as their Chinese comps but with the exception of Flipkart and a couple of others, did not find any. Which also implied that I could not find any Indian-origin consumer tech company which had become successful outside India like its Chinese and American counterparts.

Was it a market problem in India with a population of 1.25 Billion with a relatively high degree of education?As per Google, India to have more Internet users than US by 2014-end: http://www.digit.in/internet/indian-internet-users-to-surpass-us-this-year-google-23598.html

So, I started thinking: What’s going on here with India’s entrepreneurs? Why could I not find any other local competition for the above mentioned international entrants into the Indian market?

  1. Too lazy to innovate and customize for the India market and enter aggressively?
  2. Give up too fast and take for granted a proven foreign product?
  3. Have the mentality of accepting everything foreign as a better product than the “Made in India” comparable product
  4. Maybe the above is true and thus no innovation goes into developing a desi version
  5. Don’t want to take the risk when the international company is already paying a nice cushy salary plus benefits worth almost $200K/yr out of college: http://articles.economictimes.indiatimes.com/2014-12-02/news/56649164_1_rs-42-lakh-placement-season-tower-research
  6. Accept everything that falls into lap especially if it’s free or cheap
  7. Are the current set of policies, incentives and infrastructure not conductive to innovate and build locally (As an eg. a lot of Chinese companies have flourished as their American originals have been blocked in China. Google, Facebook, Twitter etc are still behind the so called “Great Firewall of China”)
  8. Is it a mindset issue? As an eg. I have seen that many folks in India were very excited with the launch of Uber and the typical thing to say is: “Wow, XYZ is now coming to India”. Replace XYZ with name of international company. Why not think that: “Hmmmm…XYZ was just launched in the US. Maybe I can bring it to India better and faster with my market knowledge and existing network and resources?
  9. Are folks content being adopter rather than being innovators and owners?
  10. Is India’s dominance in the service/BPO industry taking it away from a product development and commercialization mindset?
  11. Is it a lack of awareness towards the effect of loss of data to another country’s companies when the user data is hosted on foreign servers?
  12. Is it a lack of icons in the country in the consumer tech innovation space? Every country has icons to inspire young entrepreneurs. China has folks like Ma Yun (Jack Ma, Chairman of Alibaba) and Kaifu Lee. US has no lack of them – Hewlett-Packard, Brin-Page, Zuckerberg, Jobs, you name it. Who is the icon that Indian entrepreneurs can live up to?
  13. Is there a historical precedence for this mindset?

Maybe there is!!! I found an interesting article in Wikipedia about the British East India company and how it entered the Indian market in the early 17th century as its first step of taking over India. The thing that caught my attention was the letter from Emperor Nuruddin Salim Jahangir to King James 1. eastindia

Here’s the narrative from Wikipedia:

In 1612, King James I instructed Sir Thomas Roe to visit the Mughal Emperor Nuruddin Salim Jahangir (r. 1605–1627) to arrange for a commercial treaty that would give the company exclusive rights to reside and build factories in Surat and other areas. In return, the company offered to provide the Emperor with goods and rarities from the European market.

Jahangir investing a courtier with a robe of honour watched by Sir Thomas Roe, English ambassador to the court of Jahangir at Agra from 1615–18, and others

Jahangir investing a courtier with a robe of honour watched by Sir Thomas Roe, English ambassador to the court of Jahangir at Agra from 1615–18, and others. Credit: Wikipedia

This mission was highly successful as Jahangir sent a letter to James through Sir Thomas Roe: “Upon which assurance of your royal love I have given my general command to all the kingdoms and ports of my dominions to receive all the merchants of the English nation as the subjects of my friend; that in what place soever they choose to live, they may have free liberty without any restraint; and at what port soever they shall arrive, that neither Portugal nor any other shall dare to molest their quiet; and in what city soever they shall have residence, I have commanded all my governors and captains to give them freedom answerable to their own desires; to sell, buy, and to transport into their country at their pleasure.

For confirmation of our love and friendship, I desire your Majesty to command your merchants to bring in their ships of all sorts of rarities and rich goods fit for my palace; and that you be pleased to send me your royal letters by every opportunity, that I may rejoice in your health and prosperous affairs; that our friendship may be interchanged and eternal”

—Nuruddin Salim Jahangir, Letter to James I.

Was this letter and action by Jehangir an indicator of how India is so accepting to international companies while not innovating itself? Was it just the awesome gifts from Europe that made the emperor open up India’s doors to the East India company? Was it because he was getting it for free and did not have to work hard to get them or have to make his subjects work towards achieving them? The outcome of the letter was an open invitation to the British and the rest is history! Is the same thing going on with technology companies coming to India due to the same mind set potentially in existence today also?

Here’s the original article: http://en.wikipedia.org/wiki/East_India_Company

Things are changing though and the future looks more promising in terms of home-bred innovation for India. One of the best examples as mentioned above is Flipkart and how it is giving global companies such as Amazon a great fight.  It recently raised $1 Billion, Among The Largest In Single Funding Round In Global E-Commerce:

http://www.forbes.com/sites/saritharai/2014/07/29/indias-flipkart-raises-1-billion-among-the-largest-in-single-funding-round-in-global-e-commerce/

Also, Tiger Global raised $2.5b with an eye towards investing into India: http://techcrunch.com/2014/11/26/tiger-global-raises-2-5-billion-for-new-deals/ .Other examples include companies such as Hike and Portea Medical. Uber’s competitor in India is Ola Cabs and just raised a bunch of money: http://techcrunch.com/2014/10/27/olacabs-softbank-india/ . Entrepreneurs such as Dr. Pratiksha Gandhi have also disrupted traditional markets (healthcare in this instance) and gone into preventive medicine tackling the growing menace of heart disease through her IPC network of hospitals. (India is also known as the heart attack capital of the world: http://www.ndtv.com/article/india/india-is-world-s-coronary-diabetic-capital-says-expert-447189 )

Also, there is a huge wave of “desi” entrepreneurs who find solutions for localized problems. Here’s a great eg: http://www.cnn.com/2013/06/25/tech/innovation/frugal-innovation-india-inventors/index.html

This is a great start. I believe that Indian entrepreneurs have a great advantage which not a lot of folks do in other countries. These include:

— A tech savvy population which is hungry for innovation

— A very forward thinking, new government led by PM Narendra Modi

— Growing usage of internet and smart devices

— Hundreds of Thousands of engineering resources coming out of colleges nationwide who do not want to join the traditional BPO and want to do something different

— Low costs overall for product development

— A big eco-system in residential areas for early adopters which also include big circles of friends and families

— And above all, a deep understanding of culture and needs in the market which helps reduce the time to bring to market a much-needed solution.

Indian entrepreneurs can take advantage of these factors and locally innovate to cater faster, cheaper and better to the massive local population. More importantly, it will keep things such as data and resources within the country and avoid mis-use.

Chak De, India!

–nikhil

Share Button

As part of my work out of IdeaLab and building secure and federally compliant digital health companies and products, I get asked several times about HIPAA compliance and ways to achieve it. These questions are from different viewpoints and use cases such as investments, enterprise usage, insurance, technology-related etc.

At its heart, HIPAA is about giving the right of the protection of the privacy and security of patients identifiable information. There is a lot of stuff which has been written about it in different blogs and news site but I wanted to put together a simple checklist which deals with some things that every company can take in order to work towards HIPAA compliance. This list is also applicable to digital health and Healthcare IT startups which are now sprouting across the country. Vendors who deal with healthcare companies and data can also use this list as a starting point. HIPAA compliance is not just necessary from the standpoint of compliance (and marketing as companies tend to use it for), but also a good way to avoid expensive data breaches. Here are examples of some ways healthcare data is breached: http://www.artilient.com/10-ways-that-healthcare-data-gets-breached/

Subscribe to latest posts

As a disclaimer (and as required of me by my legal team), I am not providing legal or security advice. I am sharing some of my own experiences as part of building digital health products and companies out of IdeaLab. This list is by no means a complete checklist and I would like to welcome other experts to contribute to this list and share their experiences as well. Please always consult your legal and security advisory team also before implementing any changes.

1. Hosting: All your databases should be hosted with companies which offer a Business Associate Agreement (BAA). Your databases may contain potentially sensitive data (such as confidential Protected Health Information or patient data) and thus it is important to use a premium service which offers a BAA.

Here are some examples of companies which offer a BAA to healthcare companies which meet specific criteria:

AWS: http://aws.amazon.com/compliance/

FireHost: http://www.firehost.com/secure-cloud/compliant/hipaa

Rackspace: www.rackspace.com/print.php?page_id=8‎

I personally like to use AWS for our products and companies out of SeedHIT for the ease of use, pay-what-you-use and DIY tools it offers to its users.

 

2. SSL encryption: Obtaining an SSL certificate from a reputable provider ensures that there is secure transmission going on between the browser session of your users and your servers. Strong encryption can reduce the chances of your data communication being overheard by an unauthorized person during transmission.

A padlock icon and “https” in the address bar indicates that SSL encryption in transit is taking place.

There are several levels of SSL available starting with 128-bits. For HIPAA compliance, use a minimum of 256-bit SSL. You can upgrade to as much as 2048-bits if you would like (or your enterprise clients insist upon).

Some vendors for SSL certificates include:

Symantec (formerly VeriSign): http://www.symantec.com/verisign/ssl-certificates

GoDaddy: http://www.godaddy.com/ssl/ssl-certificates.aspx

DigiCert: https://www.digicert.com/order/order-1.php

For those who are interested in more detailed reading about how encryption applies to medical providers, I thought this article from the American Medical Association was very useful: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

 

Subscribe to latest posts

3. Encryption at Rest: This requires that all your databases and file systems as well as servers and disks are encrypted. This reduces the likelihood of PHI being accessed by unauthorized persons in the event of hacking or theft.

Here are some companies whose products can be used:

Truecrypt: http://www.truecrypt.org/ (Open source)

Gazzang: http://www.gazzang.com/solutions/achieving-compliance/hipaa

Microsoft Encrypting File System: http://windows.microsoft.com/en-US/windows7/What-is-Encrypting-File-System-EFS

 

4. Audit trail program: Ensure that all actions and interactions of all your users are tracked along with their timestamp. Also, al

l processes happening within the system need to be tracked. From the user standpoint, think about it as: WHO did WHAT, WHEN was it done and WHY was it done.

This is useful in the event of any audits that might be needed as part of data breaches and determine

unauthorized access.

 

5. Data retention rules: Ensure that all your data is archived after last use for a minimum of 7 years and available upon request by an authorized person or entity. In the event that the data belong to the PHI of a child younger than 18 years old, then ensure that the data is available for at least 7 more years after the child turns 18 (adult) and after last use. To be on the safe side, consider retaining all data for 25 years after last use. Of course, there is a significant cost factor to this.

Here’s a comprehensive report from US HHS: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf

6. Session timeouts: Ensure that a client session times out and logs the users off automatically after 3-minutes of non-activity. This helps with non-authorized access to PHI. When the user wants to re-use the system, he/she will be required to log back in with full credentials.

 

Subscribe to latest posts
7. BAA with vendors: Any time you use a vendor such as programmers or consulting companies, make sure you execute a BAA. When it comes to vendors touching live PHI (such as production support and SysAdmins) should be doing so from within the continental United States.

 

8. Have secure backups done of your data: Make sure you take back-ups of all your data and databases. Of course, all storage of these back-ups should be done with HIPAA-compliant storage companies only which offer BAA’’s (as mentioned in #1 above). Ideally you want to back-up your data in a vendor and location which is different from your primary data storage. Also, all back-ups just like primary data should be encrypted.

This is required for disaster recovery and emergency operations.

 

9. Restrict access to right people/ unique user identification: Establish the right policies and procedures to ensure that only people who should be accessing certain aspects of your application and / or tPHI are able to do so. This access should also be tracked using an identifiable number or user name which is unique to the specific person. This identifiable information should be contained in the Audit Trail (#4 above). As an eg., a user’s email ID could be used to create a user name in order to grant that user access to your application and any PHI, if required.

Also, there should be a way to establish access to PHI in the event of emergencies such as natural disasters and technical crashes.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

 

10. 2-factor authentication: In order to establish an additional layer of verification on the users access PHI within your system, establish a second authentication layer on top of the username and password asked as part of the login information. This could be implemented in several ways such as:

– Asking for information such as pet’s name

– Calling or texting the mobile number associated with your account

– Using a security token for a 2nd randomly generated password

This ensures that in the event the user did not follow proper protocol for their login, a 2nd level authentication will hopefully be able to prevent unauthorized access.

For more details, check out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

 

BONUS (10 + 1)

11. Using secure email: Ensure that all data and PHI being used in any communication remains on a HIPAA-compliant server. This relates to #3 above. Thus, it is important to use a company which provides such an email service. I personally use SafeDr for this (Disclosure: SeedHIT has developed and owns SafeDr).

Subscribe to latest posts

 

I would love to hear other safeguards that you have implemented in your company which either stored PHI or has access to it as a vendor. Here’s the complete list of HIPAA tecnical safeguards too for your reading pleasure: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

–nrj

Subscribe to latest posts

Share Button

News of penalties for data breaches and HIPAA violations are splashed and highlighted in every media outlet covering Healthcare IT. The magnitude of these numbers is mind boggling (in millions) both in terms of the number of individuals impacted as well as the penalties enforced by the United States Department of Health and Human Services.HHS-Logo

The HITECH Act requires that all reported data breaches of unsecured protected health information affecting 500 or more individuals is listed and made available to the public along with the cause of the breach. Here’s some impact of breaches over the past 3 years: http://www.artilient.com/medical-records-for-over-21-million-individuals-impacted-due-to-security-breaches-in-last-three-years/ . To get a list of some reported breaches which have impacted over 500 or more individuals, click here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

As part of my work at SeedHIT, we come across several use cases of providing the right tools for our enterprise clients to SeedHIT Logo for BCprotect their data as part of communication, collaboration and storage. I wanted to create a list of some of the ways that healthcare data gets breached. The objective of this post is to not critique the companies which have been impacted by these breaches but rather to create awareness.

Subscribe to The Blog of Nikhil Jain by Email

1. Theft: This kind of breach happens when data is intentionally stolen. The theft could be of data in the form of electronic physical devices or could be electronic data itself over a network or of old-fashioned paper. Of course, there are a lot of other imaginative ways to steal data and causing breaches for enterprises.

An examples of healthcare data breach by theft includes:

– Two back-up tapes belonging to New York City Health & Hospitals Corporation’s North Bronx Healthcare Network were reported to be stolen in December 2010. The tapes reportedly contained personal health information of 1,700,000 individuals

2. Loss of devices: This could be as a result of enterprises or individuals losing possession of the physical device which actually contains healthcare data on it. BYOD lostLots of times, the device which contains the healthcare data belongs to the individual (BYOD) and in other cases, the device belongs to the enterprise. The devices might not necessarily be meant for personal use. They could also be enterprise-level devices such as back-up tapes.

Here are some recent examples of healthcare data breaches as a result of devices being lost:

TRICARE Management Activity 4,901,432 Individuals Affected in September 2011 and is now facing a $4.9 billion class-action lawsuit. Occurred due to loss of back-up tapes. These tapes could have possibly contained the personal and protected health information.

Health Net, Inc reported the loss of server drives in January 2011. These server drives contained personal information such as Social Security numbers, names and personal health information of 1,900,000 individuals.

– Miami, FL based AvMed, Inc. reported the loss of two encrypted laptops containing personal information including Social Security Numbers and health records. The loss which occurred in December 2009 supposedly impacted 1.22 Million individuals.

 

3. Hacking: When an unauthorized person gains access to the computer networks and devices, it can potentially result in the hacker getting their hands on sensitive patient information. Once a hacker gets hold of this sensitive information, it could potentially fall in hands of other areas of organized crimes too. Hacker

Utah Department of Health reported that one of its servers containing information such as addresses, social security numbers and date of birth was hacked into in March 2012 and impacted 780,000 individuals.

 

4. Incorrect Mailing: This happens when letters including sensitive patient data is inadvertently sent to the wrong people at the wrong addresses.USPS First Class

MO HealthNet reported in June 2013 that it mailed out information of its patients to the wrong addresses. The information contained in the letter potentially included Name, date of birth and last 4 digits of SSN.

 

5. Loss of Paper: Lots of information is still captured on paper and left on paper and file folders. This represPaper Recordsents several instances of breach such as the paper falling in the wrong hands or shredding not done properly or paper just lost.

In May 2007, Georgia Division of Public Health reported that 140,000 paper records containing SSN’s and medical histories were impacted as those records were “discarded” without shredding.

Subscribe to The Blog of Nikhil Jain by Email

6. Unauthorized access/ Disclosures/ Internal theft: This happens as a result of employees getting curious about certain patient’s medical history. This patient could be a celebrity or even a family member or friend. This unauthorized access could also have been made for personal financial gain.Internal Theft

– In June 2013, Los Angeles based Cedars-Sinai Medical Center reported the unauthorized access of TV personality Kim Kardashian: http://www.latimes.com/news/local/la-me-hospital-security-breach-20130713,0,7850635.story

Office of the Medicaid Inspector General reported that in October 2012 an internal employee had emailed himself over 17,000 Medicaid patient records. These records potentially included information such as patient names, date of birth and social security numbers.

 

7. Malware: This is a software or program which is designed to get access to the sensitive data in your computers when it is able to infect that computer successfully. When such a program gets access to the company’s private computer systems, it is then able to create data breaches. This method of data breach is gaining a lot of popularity recently.

La Grange, TX based St. Mark’s Medical Center reported that an employee’s computer containing patient information such as names, date of birth and social security numbers was infected by a malware in 2012. Almost 2,900 records were stored on that computer.

8. IT issues: This could be as a result of issues within configuration of internal IT or as a result of not addressing key security aspects within the organization and also enforcing it with third-party vendors.IT

– Nashville, TN based Cogent Healthcare reported that the firewall of one of its vendor’s website was down. This resulted in Google’s spiders including almost 32,000 patient records in its index in May 2013.

 

9. Lack of encryption: Any sensitive data should usually have been encrypted in order to prevent unauthorized access. This also means hardware such as laptops should have encrypted hard drives. Data breaches also happen when devices fall in the wrong hands and there is no encryption on them.

ssl-encryption–. Chattanooga, TN based Blue Cross Blue Shield of Tennessee reported the theft of several unencrypted computer hard drives. Occurring in October 2009, the theft impacted over 1 Million individuals.

 

10. Lack of internal IT policy and / or its enforcement: This happens when employees do not follow the laid out policy of the enterprise. This might happen due to lack of internal company education on policies. An example of an internal IT policy is that patient data should not be stored on hard drives of laptops.

SynerMed reported that in April 2013, an employee’s laptop containing member information of Inland Valleys IPA such as names and date of birth was stolen from his automobile. This breach impacted over 1,500 individuals.

BONUS (10 + 1):

11. Improper Handling/ Disposal: This breach usually happens when an employee or a third party vendor does not follow proper policies and procedures regarding handling of sensitive data.Improper disposal

University of Virginia’s 18,000+ students’ Social Security Numbers were included in brochures by Aetna Health Care’s third party vendor in July 2013

 

Texas Health Harris Methodist Hospital Fort Worth reported in May 2013 that a portion of the microfiche which was supposed to be destroyed by its vendor, Shred-it, was found in a park. The microfiche could included information such as patient names, addresses, dates of birth and Social Security numbers

 

What are some instances of healthcare data breaches that your organization has been part of or you have observed?

nrj

Subscribe to The Blog of Nikhil Jain by Email

26. March 2013 · Comments Off · Categories: HIPAA
Share Button
Here’s a 2012 report released by the U.S. Department of Health & Human Services Office of Civil Rights titled: Keeping Health Information Private and Secure . As per this report, over 21 Million individuals have been impacted due to security breaches which involved their medical records. These 21 Million individuals are only a part of those breaches which were big enough (500+ individuals impacted) which are required to be reported to the Federal Government as per the Breach notification rule. Thus the total number of individuals impacted is potentially higher than the 21 Million reported here.

Subscribe to The Blog of Nikhil Jain by Email

Here are some examples of recently reported security breaches at healthcare organizations in the US:

Lucile Packard Children’s Hospital at Stanford (57,000 patients potentially impacted*)
Froedtert Health (43,000 patient data records potentially impacted**)
Montfort Hospital (25,000 patient data records potentially impacted***)
Stanford Hospital (20,000 patient data records published on a website*****)
The entire list of organizations which have been breached can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
There are new reports published regularly on how laptops were stolen which somehow contained several thousand patient records or how a hospital employee checked out some patient records without any need to do so or of patient records which were simply lost like in the case of Massachusetts General Hospital******.

Subscribe to The Blog of Nikhil Jain by Email

Below is an interesting infograph by Backgroundcheck.org which points out that:
– 94% of polled healthcare organizations have been breached in the past two years
– 2,769 records are lost or stolen per breach
– The price tag for dealing with a medical breach is $2.4 Million
Even more interesting is the stat that 95% of all devices which are stolen or lost which result in breaches are portable devices such as laptops and smartphones. This indicates that there is a huge amount of data which is stored on physical hard drives of these devices and increases the risk of potential breaches.
A patient medical record breach is a very serious matter as it can potentially contain not just information and history about his health and scheduling information but also financial information such as bills, credit card information, insurance details and often times their social security number.
21 Million individuals impacted by security breaches at healthcare organizations
Source of image: Backgroundcheck.org
nrj

Subscribe to The Blog of Nikhil Jain by Email

20. September 2012 · Comments Off · Categories: China, Uncategorized
Share Button

Thanks to the invitation of the Weihai Bureau of Commerce and the brand recognition of OnGreen in China due to its work and expansion there over the past two years, I got a chance to visit Weihai this week as their guest. For those who have never heard of Weihai, you can read the Wikipedia article here.

The first thing that hit me upon coming out of the airport after arrival was the freshness of the air and the blue skies – both of which are very rare commodities in other parts of China. The city reminds me of Santa Barbara (a sister city of Weihai) and San Sebastian (Basque region of Spain).IMG_4548

Weihai is known for its very clean environment, amazing seafood, friendly people, low cost of living and best of all, a very good climate to do business driven by several incentives provided by the local government agencies and economic and investment zones.

I got a view of Liugong Island from my hotel room at sunrise. Known as the birthplace of the Chinese navy, it also has China’s first golf course which was built by the British.

The theme of the city is Joy and Happiness as evidenced by the Happiness Gate and a sculpture made with several versions of the Chinese words for Joy and Happiness. IMG_4541

The city also is home to some of the best golf courses and hot springs in the country.

My trip agenda consisted of getting a feel of the eco-system and community of Weihai as well as meeting with some officials and visiting the economic zones which offer incentives to foreign companies.IMG_4612

Weihai and its neighbor, Yantai, are building the largest wine-producing region in the world. Yantai has over 40 vineyards. The one I got to visit was Weihai Weal. Good wine, I must say. They also have a sister brewery serving some very fresh beer. The food served during the various banquet dinners consisted of some extremely rare seafood delicacies such as thorned sea cucumbers, massive shrimp, abalone and sea urchins. IMG_4672

I was able to visit Shandong University‘s Weihai campus and was told that Shandong province is one of the largest universities in the world in terms of the number of registered students at a give time. IMG_4747

During a tour of their IT/Computer Science Department, I walked into an ongoing Hackathon where a huge hall filled with students and instructors were going at it for 72 hours straight.

IMG_4738

The city officials gave a presentation of the different incentives available. Weihai and its various districts are very interested in attracting top talent – both from within China and from outside China – to Weihai and showering them with some great financial incentives – most of which are performance based. A big emphasis for them remains growth in IT given the economical and highly talented resources available in the city. The incentives come from different level – from the Central Administration to the provincial level to the City level and down to the appropriate economic zone – in a very cumulative manner. Very attractive indeed.IMG_4709

The City is also investing heavily in building the green and blue economies and keen on inviting and investing into “new energy” companies. With ample water resources and a strategic location, I thought that they were some great objectives for the local government. IMG_4694

Weihai and its neighboring cities are going through some major infrastructure advancements with a high speed rail connecting it to Yantai and Qingdao (home of Tsingtao beer) – which in turn connects to the main Chinese hub of high speed rail going to Beijing. It is also building express ways between all major cities. Most developments are expected to complete and open to the public by 2015.

Can’t wait to go back again!

–nrj