[ Tuesday, September 16, 2014 ]
Get In Line:
Jeff [11:40 AM]
App developers are frustrated with the imprecision of HIPAA. Actually, I'm not sure exactly what relief they are looking for. HHS is not going to write regs that say, "you can't use PHI except for treatment, payment, or healthcare operations, unless you do it with a mobile app, then it's all OK, do whatever you want."
HIPAA is conceptual in nature; you've just got to understand that and deal with it.
Mississippi CHS Data Breach Lawsuits:
Jeff [11:29 AM]
Suits are beginning to be filed in the CHS hacking case. Class status is being sought.
[ Monday, September 15, 2014 ]
Temple University Data Breach:
Jeff [9:45 AM]
This time it was a desktop computer that was stolen, with 3780 patients affected. Not encrypted, of course. This shows that, while it's an excellent idea to encrypt all mobile devices, don't forget about encrypting non-mobile devices as well (in this case, the non-mobile desktop went mobile when it was stolen).
[ Friday, September 12, 2014 ]
Huntsville, AL Lab Data Breach:
Jeff [9:57 AM]
A clinical lab in my old hometown of Huntsville, Alabama is notifying patients, since their billing contractor put some of their data on a server that was accessible to Google searches. They've notified 7,000 patients. Presumably the lab had a business associate agreement with the billing company, and presumably that BAA will require the billing company to pay for the notification.
Is this "willful neglect"? If so, expect a sizeable fine.
[ Thursday, September 11, 2014 ]
Jeff [1:47 PM]
Big Data is a big deal, and despite the protections of HIPAA, given enough data from non-HIPAA-covered sources, the right person (or computer) can figure out a lot about a person, potentially including medical data. I discussed this in a radio interview this summer, when the press was buzzing about this, but here's another article
[ Wednesday, September 10, 2014 ]
OCR Audits are Coming: This isn't news, or at least it shouldn't be.
Jeff [1:31 PM]
And when OCR comes, the first thing they're going to ask for is documentation of (i) your initial risk analysis and any updates or further assessments and (ii) your current policies and procedures. IF YOU DO NOT HAVE THIS DOCUMENTATION, . . . . well, it's not going to be pretty.
You can't say you weren't warned.
Can De-Identification Ruin Data for Research?
Jeff [1:06 PM]
My boy Daniel Barth-Jones has an article in FierceBigData discussing MOOCs, MUACs, and how concerns that de-identification might skew research results shouldn't be the death of deidentification or anonymization.
[ Wednesday, September 03, 2014 ]
Business Associate Agreement Deadline Approaching: the Omnibus Rule made a few relatively minor changes to the business associate agreement requirements, and imposed an initial deadline of September 23, 2013 for compliance. However, it did allow a certain "grandfathering" of BAAs that met the then-existing requirements and were already in place; that grandfathering was not limitless, and only allowed covered entities and business associates to keep their existing BAAs in place for an additional year. That year is about to end (NB: there's some confusion about whether September 22 or 23, 2014 is the appropriate date, but I don't think OCR will make that fine a distinction).
Jeff [5:19 PM]
If you are still operating on BAAs from 2003, you definitely need to update them to include what was required under the Security Rule in 2005, as well as what's required by HITECH and Omnibus (2009 and 2013, respectively). Now would be a good time to review your BAAs, particularly if you did not do so in 2013 or 2014.
One word of caution, though. A lot of covered entities are in the last month of pushing through "updated" BAAs, demanding their business associate vendors sign their new forms because they are absolutely required. All well and good, so far. However, many of these covered entities (hospital systems, I'm looking at you) are adding new, non-required provisions such as indemnification, encryption, and off-shoring requirements. In effect, they are trying to renegotiate their underlying agreements, and using the BAA requirement as a Trojan Horse.
My advice to covered entities: don't do that. If you need to update the BAA to meet Omnibus, do what is necessary, and nothing more. If you want to renegotiate the deal, or even if you want to require your BAs to jump through stricter hoops than you required before, that's OK, but be up front about it and don't try to hide behind the Omnibus Rule "required" changes.
My advice to business associates: read closely the new BAA, compare it with the old one, and call out your customers if they try to slide something by you.
Let's all be open and honest out there, OK?
[ Tuesday, September 02, 2014 ]
Texas Hospital Employee Indicted for HIPAA violation:
Jeff [8:17 PM]
Joshua Hippler worked at some hospital in East Texas (the DOJ isn't saying which one) and apparently took PHI for personal gain. I'm sure there's more to the story, and will let you know when I find out more.
Health Care and Identity Theft: Interesting article.
Jeff [9:06 AM]
But the premise that data breaches in healthcare equal ID Theft isn't true. Many reportable healthcare data breaches do not include any of the data useful for identity thieves. When lab test results are sent to the wrong office, or a hospital can't locate a piece of computer hardware, or someone steals a laptop that is subsequently scrubbed clean so it can be resold, and in each case there is a name but no social security number, date of birth, mother's maiden name, etc., the chances of identity theft are very low. But it's still a HIPAA breach, and reportable.
That doesn't lessen the fact that medical identity theft is a big problem, and carries huge, life-threatening risks. The industry should follow the FTC Red Flags Rule and implement triggers to detect medical identity theft, and work efficiently to correct bad medical records that are left behind.
[ Tuesday, August 19, 2014 ]
ICYMI: Rhode Island Hospital Pays Mass. AG for HIPAA Breach:
Jeff [1:42 PM]
In a rare cross-border reach, the Massachusetts attorney general fined a Rhode Island hospital (and the hospital paid the fine) for breaching the security of PHI of a bunch of Massachusetts residents. The breach violated HIPAA, but also violated MA's stringent data encryption and breach law. The MA statute purports to have a "long arm" reach (it applies to anyone who deals with the PHI of MA residents, regardless of where the record-keeper is located), but it would be hard for the MA AG to achieve jurisdiction over actors in other states. However, I suspect in this case the RI hospital gets MA Medicaid funds and otherwise may do business in MA, so they probably felt they had to play along.
[ Monday, August 18, 2014 ]
Community Health Systems:
Jeff [1:21 PM]
An APT hacker group got into Community Health Systems' database and stole names, SSNs and DOBs of 4.5 million patients of Community's physician network. The good news: the hackers are usually looking for medical device development data, which they didn't get. More good news: no credit card data got out. But, it's still a big ole HIPAA breach.
[ Wednesday, August 13, 2014 ]
Weaponizing Your Breach Detection System:
Jeff [4:10 PM]
If you're a HIPAA covered entity, you need a breach detection system, even if it's just your normal access audit reviews plus your employees keeping their eyes and ears open for something funny. The more sophisticated your systems and operations, the more formal your breach detection system should be. For the bigger players, your breach detection system is probably not doing all it should. Here's an interesting article on ways to change the focus, and thereby improve the product, of your breach detection system.
[ Monday, August 11, 2014 ]
Baby Pictures = HIPAA Violation.
Jeff [2:15 PM]
OK, this article has made a big splash, and it's generated a lot of talk in the HIPAAverse. And it's generally accurate, but there's a lot unexplained around the margins. Yes, baby pictures are PHI if the baby is/was a patient of the practice. But a consent form is a pretty simple document, one that every covered entity should have as a handy and ready-to-use form, and it's simple to ask a parent/patient to sign it before you put their kid's picture up on the wall (it could even be part of the patient sign-in packet). Pretty much everyone who provides you with a picture would be willing to do so.
[ Friday, August 01, 2014 ]
Hospital Accuses Mother of Patient of Violating HIPAA By Taking Pictures of Him During Appointment.
Jeff [10:40 AM]
The hospital based its position on the fact that it has a policy that prohibits visitors from taking cell phone photos on hospital premises. Of course, the mother is not a covered entity, and even if she was, as personal representative of her son, she'd be entitled to consent to the release of his PHI via the pictures. But before condemning the hospital, keep this in mind: the hospital is also trying to prevent the mother from disclosing the PHI of others besides the woman's son. If her pictures include other patients, that could be a problem. The hospital is reviewing its policies, and I suspect a reasonable accommodation will be reached.
[ Thursday, July 31, 2014 ]
Phase 2 of OCR's Audit Program is Coming Up.
Jeff [10:40 PM]
Good article
[ Tuesday, July 29, 2014 ]
Medical Identity Theft:
Jeff [11:09 AM]
Just a quick example of how it can go wrong. If you're a provider, seriously consider using the FTC "Red Flags Rule" materials to prevent medical identity theft: not only will your patients be safer, so will your pocketbook. Don't forget that if you treat patient A and patient A has stolen B's identity, you'll end up billing B, and when B's insurance finds out, you'll have to reimburse the money; and A will likely be long gone at that point, and you'll be left holding the bag.
You may not be required to implement the FTC policies, but you certainly should consider them.
Don't Text and Heal:
Jeff [11:03 AM]
Texting and HIPAA don't go well together; as I've said many times, texting is insecure, impermanent, and ill-suited for record-keeping purposes. Texting PHI by providers could result in improper medical record-keeping, because information that would be recorded in the medical record if it were emailed or telephoned does not get charted, and many texting platforms do not retain information for indefinite periods of time. Texting also may turn the provider's communication into "telemedicine" under state law. Texts are much less secure because they rarely are encrypted (like emails often are), and even if not encrypted (which isn't an actual requirement), they are much more easily accessible: anyone picking up your password-locked iPhone can see the first few words of recent texts without even unlocking the phone. Unless you've carefully chosen a secure texting service, the risks are definitely not worth the convenience.
So far, there have been no HIPAA enforcement actions by OCR based on texting, but that's probably only because OCR has enough complaint-originated work to keep itself busy. But other areas of HHS are closely looking at texting, and trying hard to get the industry to shape up. In fact, CMS recently assigned an "e-level deficiency" to a nursing home that was texting lab results between doctors and nurses. Both sender and recipient were authorized to receive the PHI, but the method of sending it, via unsecure texts, was sufficient to cause the deficiency. The net result was a 10-part "Directed Plan of Correction" which included hiring an outside expert to train staff, revising policies and procedures, and notifying all residents of the issue.
This should be fair warning. It is only a matter of time before OCR lays someone low for bad texting activities. This nursing home had to incur some substantial costs (both financial and reputational) to fix this problem, but it's nothing to the 6- or 7-figure hammer OCR will likely lay down.
Don't text. Unless you've thoroughly analyzed the options and are prepared to defend yourself in case of a texting-related breach, it's hard to see how the benefits of convenience outweigh the risks.
[ Monday, July 28, 2014 ]
Self Regional (Greenwood, SC) laptop theft:
Jeff [12:33 PM]
Two knuckleheads broke into a building and stole a laptop. They've been caught, but said when they realized what they stole, they threw it into a lake. Divers were not able to find the lakebottomed laptop. Even though no harm has come to anyone, even though (if the crooks are telling the truth, a big "if") the data would likely be unrecoverable, it still must be reported.
Obviously, the data was not encrypted. If it had been, we wouldn't even know about this. Go figure.
[ Wednesday, July 23, 2014 ]
Sutter Health Data Breach Update: No proof of harm, no statutory damages.
Jeff [10:25 PM]
As you know, someone threw a brick through a plate glass door and stole a desktop (!) computer from a Sutter Health location. The desktop had protected health information on 4 million Sutter beneficiaries. The California Confidentiality of Medical Information Act contains a statutory damages amount of $1,000 per person, which implies a potential $4 BILLION fine for Sutter.
Not so fast. A circuit court in California has determined that, since there's no evidence the thief actually looked at the data (as opposed to acquiring and possessing it), there's no proof that the statute was violated. As the court said, it's called "the 'Confidentiality of Medical Information Act,' not the 'Possession of Medical Information Act.'" Loss of peace of mind apparently isn't a damage.
While this is the second time the court threw out a claim of breach where loss was certain but actual viewing or use wasn't, I suspect nothing will be settled here until the California Supreme Court (and possibly the US Supreme Court) rules.
[ Saturday, July 19, 2014 ]
Jeff [8:34 AM]
I got a stray email on this, so thought someone might find it interesting. Vendini, a ticketseller like Ticketmaster, apparently allowed a third party to view non-PHI personal information such as credit card data, and a class action suit was filed. A settlement has been proposed. About all you'll get is the actual cost of your credit monitoring or placing holds on your accounts, and the results of any actual identity theft such as overdraft charges. I'm sure the lawyers will do well, though.
[ Thursday, July 17, 2014 ]
Big Data in Healthcare:
Jeff [9:41 AM]
Here's an interesting article. This is all possible, but it's easy to see how this information could be used to the detriment of patients. Privacy concerns obviously abound.
Hat tip: Alan Goldberg
[ Monday, July 14, 2014 ]
Big Health Data Breaches Are Inevitable, and Are Coming:
Jeff [12:45 PM]
This article has popped up several places in my morning reading. They are probably right; in fact, some big health data hacks have probably already occurred, but we just don't know about them yet because we don't yet know how the data is being used and aren't able to see it. There are probably millions of individual instances of medical identity theft occurring every day, from the voluntary "sharing" of insurance by cooperative parties (your brother has insurance through his job but you don't so you go to a doctor and pretend to be him so that his insurance will pay for your care) to identity theft facilitated by insiders (a nurse or receptionist issues multiple Oxycontin prescriptions to a legitimate pain patient, but sends the extras to a friend who fills them and resells the pills) to pure identity theft (a hacker gains medical identities and sells them to people who use the unwitting victim's insurance to pay for their care).
Medical identity theft can be much more lucrative than stealing credit card info, since the medical information is more persistent and the credit card info is more transitory (you can get a new credit card number, not a new medical history). That said, you need a purchaser who needs healthcare to complete a medical identity theft, whereas credit card info can always be used immediately.
[ Wednesday, July 09, 2014 ]
Jeff [4:57 PM]
According to this report, 32 million Americans have been victims of EMR data breaches. Some say this is an indictment of the EMR concept, but I think it's more of an acknowledgement that privacy/security is hard, and digitization of information has some risks. Considering this many breaches as proof that EMRs are a bad idea ignores the benefits EMRs also bring. It's important to consider this as an additional cost of digitization of records, and EMR evangelists do tend to ignore the costs. But EMR haters can't ignore the benefits, either.
Balance. . . .
[ Thursday, July 03, 2014 ]
Off Topic Slightly:
A Goldman Sachs contractor meant to send some confidential data to someone at Goldman using their gs.com address but accidentally sent it to the same name at a gmail.com account. They've been unable to contact the account holder, and Google won't delete the email or divulge info about the account owner without a court order. More here: http://mobile.reuters.com/article/idUSKBN0F729I20140702?irpc=932
Jeff [9:02 AM]
[ Sunday, June 29, 2014 ]
University of Cincinnati Medical Center:
Jeff [10:37 AM]
Apparently a non-clinical employee of the hospital accessed a patient's medical record and learned that the pregnant patient had a sexually-transmitted disease.
The employee gave the information to the man who impregnated her; that man took to Facebook to taunt and ridicule her. The patient complained and the employee was fired; the patient has now sued.
Fun stuff: there's a possibility that disclosing to the baby-daddy would be fine, if the hospital knew that he was "involved in the care" of the pregnant woman. But that's probably not going to be persuasive since the employee was not a clinical employee and had no business being in those medical records (perhaps she should not even have been able to access those records, depending on the scope of her job responsibilities). And I suspect the baby-daddy and the financial services employee had some personal connection, such that she should have known not to dig into medical records for improper reasons (assuming the hospital did good training, had good policies, etc.).
What's interesting is that OCR is taking an interest because the hospital did not notify OCR about the breach; however, the hospital says they did provide notice, and they have proof of it. This could be a hole in OCR's reporting website. Or it could be a confusion about names.
Hat tip: Jennifer Clemons
[ Thursday, June 26, 2014 ]
Jeff [9:12 AM]
Is your data network leaking data that makes itself more vulnerable to a targeted hack? It seems to be the case with lots of hospital networks. You're still more likely to suffer a HIPAA breach from a lost laptop, but this type of hack could cause you a whole lot more damage.
[ Wednesday, June 25, 2014 ]
Jeff [9:22 AM]
A Long Island (NY) radiology practice has sent notices to almost 100,000 patients that a radiologist employee improperly accessed their personal information. This is particularly interesting because HIPAA allows a covered entity to not send notice when the improper access is by an employee who might otherwise be allowed access to the data. If the access was unintentional or done innocently, the radiology group might not have had to send the notice. That implies that the practice thinks there's something wrong here. Stay tuned. . . .
Jeff [9:16 AM]
The computer system of the Montana State Department of Health was hacked, resulting in exposure of ID-theft type information.
[ Monday, June 23, 2014 ]
Parkview Health Fined $800,000:
Jeff [2:03 PM]
OK, this wasn't smart, but the fine seems awfully steep, especially since it doesn't appear that the records were accessed. What happened? Parkview had records from a retiring physician, apparently intending to give them to other physicians taking over those patients. I guess some were left over -- 71 cardboard boxes full of them. The hospital stacked the boxes up in the doctor's driveway, even though they knew she wasn't home. Not a good idea.
[ Monday, June 16, 2014 ]
Domino's data breach/data hostage issue:
Jeff [12:49 PM]
As this story illustrates, one of the current scary trends in data breaches is hackers who capture a business-critical database, encrypt it, and hold it for ransom; if you don't pay, you lose all your data.
What's really scary about this story is that Domino's has operations in France. My respect for French cuisine may never recover.
[ Wednesday, June 11, 2014 ]
SAMHSA is Listening:
Jeff [4:43 PM]
I mentioned earlier that the Substance Abuse and Mental Health Services Administration is trying to figure out whether the "Part 2" rules are hindering the exchange of information necessary for coordination of care in the new interconnected world of HIEs and ACOs. My favorite health privacy reporter, Theresa Defino, has an article (free registration required) on today's "listening session," where SAMHSA is trying to get constituents to give input.
Jeff [11:19 AM]
weekly HIPAA breach report is out. I picked up a few of these specifically already, but there's always more.
[ Tuesday, June 10, 2014 ]
Jeff [3:36 PM]
As you know, I occasionally allow a guest blogger or two to provide different perspectives. Here's one:
Health IT Lag
by Michael Sculley, VP of Marketing, PracticeSuite
Technology, a security rating firm, reports that the
healthcare industry needs to take a lesson from the recent data breaches
experienced by Target and eBay. The BitSight report, “Will Healthcare Be the
Next Retail?” warrants close attention. It analyzed security breaches and
response times of four different industries: Pharmaceuticals and healthcare
(healthcare), utilities, retail and finance.
was conducted for the year between April 1, 2013, and March 31, 2014. All
sectors experienced security incidents. Finance had the fewest incidents and
the fastest response time, about three-and-a-half days. Retail and utilities
both responded in about four days. Healthcare had more security incidents, yet
came in last in response time. It took five full days to respond to security
breaches and best response time was in the financial industry. That industry
takes cybersecurity very seriously and goes beyond doing what is legally
required. It takes extra steps to ensure the security of data. It also readily
provides warnings to other industries whenever it becomes aware of potential
neither healthcare nor pharmaceuticals view cybersecurity as seriously as they
need to. It apparently has not received the appropriate attention from
executives at the higher levels. Both industries need to spend more money and
provide greater compensation for its data security professionals.
industries are in compliance with HIPAA regulations, but spend barely enough
money to meet the requirements. Unfortunately, just because they are compliant
does not mean they are secure.
Bitsight report is similar to a recent SANS Institute
That report emphasized that the healthcare industry has lagged far behind in
its cybersecurity and warns that measures need to be taken to reduce risks.
Breaches have become so frequent that the U.S. Department of Health & Human
Services (HHS) is imposing heavy fines for a health care organization that has
a compromised Internet-connected device.
failure to take proper cybersecurity precautions can be expensive as the New
York-Presbyterian Hospital recently discovered. HHS imposed a $3.3 million fine
on the hospital. This is the largest penalty ever imposed for use of a
compromised server in the health care industry.
You can reach Michael at firstname.lastname@example.org
offers billing, practice management, and other medical software products.
Access Health CT (Conn. Obamacare exchange) Data Breach:
Jeff [10:58 AM]
This, on the other hand, is a reportable breach: a backpack was found abandoned on a Hartford street. It contained paperwork from the Connecticut Obamacare insurance exchange relating to 400 exchange customers, including names, social security numbers, birthdates, and other printed and handwritten information. Apparently it was a call center employee's backpack. They aren't supposed to take that information outside of the premises of the call center.
It will be interesting to see if there is a fine levied here.
Penn State-Hershey Hospital Breach: Should this have been reported?
Jeff [10:47 AM]
A lab tech accessed PHI of 1800 patients via his home computer using a flash drive, and sent some PHI to two doctors via his personal email. The flash drive wasn't encrypted, nor were the emails.
I'm pretty surprised this did not meet the "low threshold of compromise" standard for non-reporting. The staff member was authorized to access the PHI, just not outside the security of the hospital's computing environment. The flash drive wasn't encrypted, but wasn't lost or apparently outside the control of the tech. The data was definitely PHI, but did not include social security numbers, so it's a low ID theft risk. The emails were to physicians, presumably proper parties to receive the PHI (just not via unsecure email). If the data is scrubbed from the tech's personal email account, and the doctors have secure accounts (or also scrub the data), where's the risk of compromise? That someone snatched the PHI out of the ether while it was being emailed? Possible, but a very low risk.
The more I think about it, the more I think this should not have been reported. This is much more likely to (i) unnecessarily worry patients who receive notices, and (ii) increase the likelihood of "alarm fatigue" by providing a false positive. Fix the problem, fix your policies if you need to (prevent the use of flash drives or only allow encrypted ones), retrain the staff, sanction this employee, make this a teachable moment . . . but don't ring the alarm bell when it's not necessary.
[ Monday, June 09, 2014 ]
University of Cincinnati Medical Center "Team No Hoes" Facebook Page:
Jeff [1:32 PM]
If true, I'm hoping this is just a "bad employee" problem. But the UC Medical Center is being sued because a patient with a sexually-transmitted disease had her medical records posted on the hospital's "Team No Hoes" Facebook page by a couple of hospital employees, allegedly at the urging of the patient's former boyfriend.
I can't cast any judgment without more facts, but it sure sounds like a good time for UC to (i) review their employee training, sanctioning, and other policies, and (ii) review their social media policies.
HIPAA and Mental Health:
Jeff [1:26 PM]
HIPAA causes a lot of issues as it tries to balance the right to privacy with the effective working of the healthcare system. One area of acute issues is mental health, particularly involving adults. Here's an article outlining the issues raised when a child with mental health issues reaches the age of 18, and his parents no longer are automatically treated as his "personal representatives." Before a child reaches the age of majority (usually 18), his parents usually will have the right to access his records, communicate with his caregivers, and make medical decisions for him; but once he reaches 18, unless he gives his consent, the caregiver is limited in the information he can give to the parents, and the child gets to decide on his treatment. The caregiver can still provide information to the parents as people "involved in the care of" the patient, but if the patient demands the caregiver keep the information secret, they must do so in most instances. Plus, even if the caregiver could pass the information to the parents under the "involved in the care" exception, they are sometimes afraid to do so, since that decision could be challenged by the patient.
It's a difficult area where HIPAA's balancing act is going to leave some frustrated. But I don't think the Murphy bill will help.
[ Wednesday, June 04, 2014 ]
Securing Mobile Devices:
Jeff [12:38 PM]
InfoWeek has a great article on the importance of and ways to secure mobile medical devices, including not just phones and tablets, but other medical equipment that stores or transmits data. One takeaway:
Enterprise mobile management best practices include:
- Managing all devices, as well as constantly maintaining security settings and configurations.
- Enabling remote lock and wipe, so unauthorized users (such as ex-employees) are easily removed from the system.
- Full device or app-by-app encryption that's monitored and enforced.
- Enforcement of device-level passwords.
- Monitoring the operating system's integrity to avoid usage of compromised versions.
- Implementing an auto-wipe policy to minimize the risk of attacks via lost or stolen devices.
- Secure email and attachments to prevent malware being spread from personal accounts.
- Protecting application data by encrypting app data for operating systems such as Android or deleting app data if a device is non-compliant.
- Prevent untrusted file-sharing apps from accessing secure documents.
- Log devices and actions for audit.
[ Tuesday, June 03, 2014 ]
The OIG's take on Big Data:
Jeff [5:14 PM]
A couple of interview clips with Daniel Levinson, the AG, on the risks and compliance issues posed by Big Data. Brought to you by @HHCA.
[ Monday, June 02, 2014 ]
Montana HHS Hack:
Jeff [10:44 AM]
Apparently the Montana state Department of Health and Human Services got hacked, when they found malware on a server. No determination of whether anything was improperly accessed or not.
[ Tuesday, May 27, 2014 ]
"Be Khat Bell."
Jeff [2:48 PM]
OK, this is completely off-topic, but a pretty cool thing happened to me this weekend.
A little back story first. Last December, I drove to Omaha to bring my oldest daughter home from Creighton University. She spent the spring semester at Loyola-Chicago's campus in Rome, so needed to move out of her apartment completely over Christmas break. Gina played volleyball through high school and has played club volleyball in college, and we're a volleyball family: I coached Gina in 7th and 8th grades, and have coached my youngest daughter, Mary, since 3rd grade (she's about to enter 8th). As luck would have it, the night I would be in Omaha picking Gina up was the first night of the regional round of the NCAA volleyball tournament (wherein the Sweet 16 would become the Final Four), with the University of Nebraska hosting one of the 4 sites. Again, as luck would have it, that Friday night would see the University of Texas play American University, and Nebraska play University of San Diego. I attended law school at UT, and Gina attended several overnight volleyball camps at UT, so we're definitely fans of Jerritt Elliott's UT volleyball program. And since Lincoln is about an hour's drive from Omaha, we decided to go watch some volleyball in the middle of packing up. StubHub delivered great tickets (the view from our seats is below), and we got to see UT beat American and Nebraska beat USD. (We were driving home the next day when the UT-Nebraska game started, but got home in time to see UT beat Nebraska; unfortunately, they lost to Wisconsin in the semifinals.)
The games were a blast. One of Gina's good friends, Creighton club volleyball teammates, and honorary Drummond daughter, Reana Lee, is from Hawaii, as is Sarah Palmer on the UT team. Of course everyone in Hawaii knows each other, so we talked to Sarah's parents after UT's win (actually, Sarah and Reana played volleyball together in Hawaii and the families know each other).
But back to the story. During the UT match, I was intrigued by one of the UT players, Khat Bell. I noticed that whenever Khat was on the sidelines and not on the court (she's a front-row player, but is replaced with a defensive specialist when she rotates off the front row), instead of standing with her teammates watching and cheering on the girls on the court, she was crouched down, like a wide receiver, ready to sprint out onto the court. Sometimes she'd even put one hand down, like a sprinter. The other girls on the sidelines laughed, cheered, high-fived, but Khat was poised, like a lion or a jaguar, (or some other "big cat"), her face stressed and serious. Forget the cheering, forget the celebrating, she only wanted one thing: to get back on the court, pound some volleyballs, and kill some sets. I found myself watching her rather than the points, to see if she would lighten up, but she never did. She didn't care what happened on the last point, good or bad: she wanted to be out there, on the court, winning the next point.
This spring, my youngest, Mary, played club volleyball for the first time. Mary's very hard on herself, frets over past mistakes, and tries to find fault or blame on every bad play (and most good ones too). After a bad play, she loses energy, and it's obvious that she's fretting, worrying about, and focusing on the last play, not concentrating on the next. You can read it in her face. Between matches at one early tournament, I pointed out to her that she was spending too much time focusing on the last point, and it was costing her. I told her the story of watching Khat Bell on the sidelines. Khat didn't care whether her last play on the court was a good one or a bad one. She didn't care if her teammates were playing well or poorly without her. She didn't care about fault or blame. She just wanted to get back into the game and play the next point. And that's what I encouraged Mary to do: forget the last point, and focus on the next.
I told her, "You've got to find your inner Khat Bell. You've got to be that person who only looks forward. You've got to be Khat Bell."
During the rest of the season, one of the things I constantly yelled at her from the sidelines was, "Be Khat" or "Be Khat Bell." I'd crouch down like a wide receiver about to sprint off at the snap of the ball, so if she didn't hear me, she'd see what I was encouraging her to do. I'm her dad, so of course she didn't pay any attention to me, or at least pretended she didn't.
Fast forward to last weekend. Club season is over, and now Mary is trying beach volleyball. She normally trains on Tuesday afternoons at The Sandbar in the Deep Ellum part of Dallas, but she's going to miss a few Tuesdays for summer vacation and is making up those training sessions with some Thursday and Sunday practices. Gina and I took Mary there this past Sunday, and we stayed to watch them train. Shortly after they started, a tall, sleek athlete sauntered in, with a burnt orange top and black spandex with the UT longhorn on the sides. Guess who?
If the next best thing to being Khat Bell is being next to Khat Bell, then Mary got there this Memorial Day weekend. Maybe she'll listen to me now. . . .