
Healthcare Data Breaches-Insider Job, Cybercrime, or Both?

Posted by Dan Berger in Main

As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past 2 years, over 11.8 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable database. Thus many organizations (including Redspin) have published “PHI breach reports” which summarize the data and offer conclusions based on the results of the past 2 years.

Relying solely on historical data has limitations, particularly in such dynamic, fast-moving arenas as healthcare and IT. Any conclusions drawn may turn out to be less predictive or prescriptive than originally put forth. The old adage “if we don’t learn from history, we are doomed to repeat it” is diluted by the pace of technological change. Relatively new innovations such as smart phones, iPads, and social media continue to alter the nature of human-machine interaction, workflow and social reach. With new modalities for patient care, such as genetic-driven personalized medicine and mobile consumer health applications, one can easily conclude that how a patient’s health record was breached in 2010 will have little relevance in 2014.

As a case-in-point, Bloomberg Businessweek recently reported on a new healthcare industry privacy and security report released by PwC’s Health Research Institute. The article was entitled: “Theft of Digital Health Data More Often Inside Job, Report Finds” (Sep 22, 2011). Presumably, the editor relied on the following two statements from the report to support the title: “Theft accounted for 66 percent of publicly reported breaches” and “Thieves are most often ‘knowledgeable insiders.’”

Ah, the dangers of oversimplification. If I were a healthcare CIO or Chief Privacy Officer, I might conclude that my security risk would be markedly reduced with daily shakedowns of all staff and more extensive background checks of prospective new employees. Worse, based on history alone, I might dismiss external hackers as not much of a threat to electronic protected health information (ePHI).

Yet, just this same month, RSA re-released a re-formatted, modestly updated 2009 report entitled “Cybercrime and the Healthcare Industry.” This paper discusses the rise of underground cybercrime networks and explains why a stolen medical identity has 10 times the relative value of a “regular” stolen identity. Looking into its encrypted crystal ball, RSA concludes: “Cybercrime in healthcare is just starting to evolve but could quickly become a devastating industry, economic and societal problem.”

Inside job or underground cybercriminals, most healthcare organizations are under-prepared for data breaches. PwC’s report “Old Data Learns New Tricks: Managing Patient Privacy and Security on a New Data Sharing Playground” (despite the wildly mixed metaphor) was supported by over 600 interviews with health care executives. The 40+ page document is an excellent treatise on the importance of healthcare IT security, only slightly self-serving, and accurately summarizes the health data breach problem as follows: “Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common.” (p. 3)

Those in the healthcare IT industry face an increasingly complex challenge. Patients, providers, payers, business associates, researchers and industry economics will demand a significant increase in data sharing. At the same time, the threat surface for data breach will increase exponentially, exacerbated by personal and mobile communications devices and overall multiplicity of end-points. History can guide us only mildly. To borrow from Aldous Huxley and Shakespeare, it’s a brave new world and a world without data islands. Redspin will meet you there.

Preventing a Healthcare Data Breach Epidemic

Posted by Dan Berger in Main

Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get “infected” by a computer “virus.” The recent rash of hacker attacks makes me wonder if we’re on the verge of a data breach “epidemic.”

True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there are an accelerating number of exploits of similar weaknesses in the human immune system. (Note the clever use of the analogy in reverse.) It’s not much of a stretch then to apply the concept of an epidemic affecting the human body to one that cripples IT infrastructures.

Perhaps recent events even warrant the use of “pandemic.” There have been over 11 million personal health records compromised in major data breaches in the U.S. since September 2008. Last week, 8.6 million health records were reported at risk due to an unencrypted missing laptop in London. Add recent hacker intrusions at Epsilon, Sony, the IMF, Citibank, Sega etc. and reported incidents are clearly accelerating at a staggering rate.

This must be disturbing news for a healthcare industry moving forward aggressively on the implementation and adoption of electronic health records. But consider this instead a call-to-action. Providers and business associates should seize this moment to take preventative measures. Hospitals and providers can leverage the mandatory security requirements of the “meaningful use” EHR incentive program to build organization-wide consensus and gain budget approval to invest now in their IT security future.

To qualify for incentive payments under meaningful use, covered entities and eligible providers must “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” What an opportune time to revisit and revamp the outmoded, insufficient, neglected and/or minimal security risk programs that were likely put in place years ago.

For forward-thinking business associates, this is an opportunity too. Direct liability for ePHI data breach won’t transfer to business associates until sometime in 2012, but there’s no time like the present. In IT security, preventative action trumps reaction and damage control. Just ask Sony. And, as a “culture of security” grows among healthcare providers, business associates will find that data security becomes not only a requirement of doing business with health providers but also a competitive differentiator.

So how do we all work together to prevent a data breach epidemic? In the 1995 movie “Outbreak” one proposed solution was to drop a fuel-bomb on a city where the virus had been contained. But data breaches are rarely containable and even if they were, I doubt there would be many fuel-bombs dropped anywhere but in the computer war game Call of Duty.

Our “call of duty” to prevent data breach outbreaks or epidemics is to first understand that security is an end-to-end process. In this new environment where networks, and networks of networks, will be able to provide an access path to the most sensitive personal information, there is no such thing as containment. To quote John Halamka (MD, MS, and CIO at Beth Israel Deaconess Medical Center): “the healthcare system is as vulnerable as its weakest link. Thus each application, workstation, network and server within the enterprise must be secured to a reasonable extent.” That is your mission. And Redspin’s job is to help you achieve it.

MidState Medical Center Breach – The Business Associate Loses PHI, The Covered Entity…. in the news

Posted by John Abraham in Main

The latest breach disclosed by MidState Medical Center in Connecticut is another classic case of the business associate being at fault while the covered entity takes the rap. The breach itself is indicative of a pretty vanilla data-loss vector. While few details have been released, the hospital’s own news release indicates that data had been copied to an external drive by a worker who wanted to use the data to work at home. The drive was subsequently misplaced and is now unaccounted for, along with the protected health information (PHI) of 93,000 customers.

While the liability argument will likely continue privately for some time between MidState Medical Center and the business associate, Hartford Hospital, for now MidState is taking the brunt of the public impact.

RSA Breach – What it says about healthcare security strategy

Posted by John Abraham in Main

RSA’s release of additional information about their security breach (impacting their SecurID multi-factor authentication system) highlights important elements of an information security program. These elements are particularly important in a healthcare IT environment. To understand why, let’s first review a rough outline of some widely reported details of the RSA attack:

  • Step 1: Attacker sends email to some RSA employees with an attachment entitled ’2011 Recruitment Plan’
  • Step 2: Some uninformed-but-probably-not-malintentioned RSA employee downloads the attachment, which includes an Adobe Flash zero-day exploit
  • Steps 3-n: The attackers apparently leverage this initial compromise of an existing employee system to escalate privileges, eventually gaining access to core elements of the SecurID system

This was described by RSA as an “advanced persistent threat,” but that is probably just an attempt to gain sympathy by implying that the attackers were really smart, focused and determined. Really, this looks like a pretty standard attack sequence. The most intriguing thing about this attack is that RSA would be vulnerable to a situation in which a single employee mistake in step 1, above, could be leveraged into a full network compromise. It’s astounding, actually.

I’ve got to hope that RSA’s core SecurID technology is highly secured in an isolated subnet of their corporate network. If that is the case, then the initial attack would have required sending the phishing email to a small set of employees that are sitting on the right part of the network. If RSA can’t effectively train its critical employees in secure behavior, then what is a healthcare organization to do?

At Redspin, we do a lot of social engineering audits in which we use tests that measure an employee’s understanding of an organization’s information security policy. For example, in the RSA breach, the attacker used a document entitled ’2011 Recruitment Plan’. We use variations of this type of attack; we send out email to employees and then log the number of employees that fall for the scheme. It’s not uncommon for 30% of the employees to violate policy and download such documents with enticing names such as “employee salary report” or “upcoming staff reduction plan”.

If RSA can’t succeed in securing a small and critical area of their network, what is a healthcare organization to do? In many health IT environments, ePHI is widely distributed, often with many users with different roles and responsibilities as well as in different, varied and often public facilities.

A key point is that employees are so often the weakest link in security, and training is a key element of addressing that. At Redspin we perform HIPAA Risk Analysis and risk assessments for healthcare organizations. These are a very valuable way to identify health IT and PHI security risk. Interestingly enough, in the case of the RSA breach, a small subset of the security assessment (social engineering, which is cheap, easy and effective) might have avoided this breach. Our social engineering page lists some additional interesting examples of telephone-based social engineering (where we call up and say “can I have your password please”). Furthermore, some organizations are even able to do this kind of testing in-house, and it’s very scalable: social engineering test results are big topics around the water cooler, so even a little bit of testing can improve a big part of the organization.

A “Reasonable” Approach to HIPAA Risk Analysis

Posted by Dan Berger in Main

The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). But with so much recent interest in IT security driven by the “meaningful use” incentive program, we want to share some of our observations and perspectives from recent Redspin client engagements in the healthcare industry.

All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. The importance of safeguarding ePHI cannot be overstated. Sure, publicized breach notifications and million dollar penalties damage a healthcare organization’s reputation and bottom line. But more than that, such incidents undermine professional and public trust of electronic health records (EHR). And make no mistake about it: the widespread adoption of EHR is fundamental to future improvements in efficiency, communications and patient care.

So if security is the cornerstone to health IT transformation, what can your organization do to not only comply with the regulations but also contribute to this important mission? First, all healthcare organizations are required to evaluate risks and vulnerabilities in their environments. Then they must “implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.” While “reasonability” is a quintessential element of modern judicial systems, it doesn’t provide a lot of guidance. At Redspin, we suspect there will be little sympathy for major ePHI security breaches no matter what any standard of reasonability might dictate. More simply put, it’s better to be safe than sorry.

Conducting a risk analysis that maps to the HIPAA Security Rule is the first step in protecting ePHI. Note, the Department of Health and Human Services (HHS) does not endorse or recommend any particular risk analysis or risk management model. At Redspin, we think this is wise. From our direct experience, no template or “one-size-fits-all” approach can meet the diverse needs of the healthcare industry. We treat each client individually and conduct a thorough review of their environment even before drafting a scope of work, including:

- size and complexity of the IT environment

- number of physical and logical locations where ePHI is stored

- number of IT staff; their knowledge and experience level

- types of EHR, CPOE and other new applications

- functional responsibilities of team members

- progress-to-date toward EHR completion

- company culture and information security awareness

While a HIPAA Risk Analysis is often project-based, we also consider it the start of a process that will lead to ongoing and durable improvements in information security. The Security Rule itself requires an entity to update and document its security measures “as needed” and specifically recommends conducting continuous risk analysis to identify when such updates are warranted. While the rule does not specify how frequently to do this, it’s a moot point for Redspin’s enterprise security assurance clients. By providing our services on a monthly or quarterly subscription basis, regularly-scheduled assessments, validation and re-testing simply become part of an overall operating environment. Our enterprise solution also tracks and documents all historical findings and remediation via our secure, online web portal. The portal’s dashboard view displays summary information via a compelling graphical user interface, making complex data easier to understand and better enabling you to communicate improvements in your overall security posture to all stakeholders.

In summary, Redspin empowers healthcare organizations to truly integrate their risk analysis and management process. This helps them to accommodate: (1) new technologies, (2) evolving business operations, (3) new regulations and (4) personnel changes. And by addressing security risks in a proactive, timely manner rather than fixing problems after implementation, healthcare organizations gain greater value from their investment in IT. Sound reasonable?

HIPAA Enforcement Training for State Attorneys General – Is this a good thing or bad?

Posted by John Abraham in Main

I received an email notification about State Attorneys General HIPAA enforcement training posted by Joseph Conn at ModernHealthcare.com. The HITECH Act gave state attorneys general authority to bring civil actions to obtain monetary damages for residents in their state for violations of the HIPAA Security Rule and Privacy Rule. What might it mean that the Office of Civil Rights (OCR) has scheduled enforcement seminars open only to State Attorneys General and their staff? The OCR has four of these 2-day seminars scheduled between April and June of this year, in Dallas, Atlanta, Washington and San Francisco. Whereas before the HITECH Act HIPAA was seen as having no teeth, in part due to the lack of enforcement resources available, bringing cash-strapped state resources into the picture could change the compliance landscape considerably.

Here are topics covered in these seminars as documented on the OCR’s website:

  • General introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

Based on the topics covered, a couple of questions come to mind:

Will the states only get involved after a PHI disclosure incident or reported violation, or is there some intention of a pro-active HIPAA audit? The OCR indicates that their enforcement process can be initiated by either a complaint or a compliance review. What will drive the State Attorneys General enforcement actions?

How will the State Attorneys General interpret the HIPAA Security Rule? HIPAA leaves plenty of latitude for compliance. Flexible guidelines can be a good and a bad thing for covered entities and business associates. On the positive side, flexibility enables a healthcare organization to create a meaningful and practical information security program that effectively mitigates security risk, which is the intent. However, State Attorneys General may also interpret compliance guidelines differently than their targets. The effect of this is that healthcare organizations may focus more on the letter of the law than the intent. Yet compliance and security are two different things. At Redspin we are more comfortable with organizations that take a practical risk-based approach to security and HIPAA Risk Analysis than with someone purely focused on compliance. We’ve seen too many cases of organizations that claim to be 100% compliant but are in reality totally insecure.

Report on Data Privacy and Security in Health Care Industry

Posted by perlbot in Main

A report recently released by Deloitte performs a nice literature review including industry white papers and surveys, congressional testimony, and related journals. Interesting results include:

  • 71% of HHS-reported information breaches are from Health Care Providers.
  • The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580.
  • Approximately one third of data breaches result in medical identity theft.
  • Nearly 85 percent of hospitals are NOT in compliance with the HITECH Act.
  • 30 percent of BAs did not know HIPAA Security Requirements had been extended to their organizations.

For a more in-depth review of HHS-reported breaches and how to prevent them, see our 2010 Protected Health Information Breach Analysis.

8 “Simple” Rules for Protecting PHI

Posted by Dan Berger in Main

In the popular TV series “8 Simple Rules for Dating My Teenage Daughter,” the rules may have been a bit exaggerated but they sure made their point. (Rule #1: Use your hands on my daughter and you’ll lose them after.) Likewise, my “8 Simple Rules for Protecting PHI” strike a similar chord: no threats of bodily harm, but certain transgressions may be bad enough to result in personnel sanctions or even loss of employment. This is serious stuff.

And as with the dating commandments, my 8 rules for safeguarding PHI are not simple, but they are doable, provided you can engender operational discipline throughout your enterprise and extend that influence over important business partners. This always requires a 100% commitment to security at the highest level of your organization. But that really shouldn’t be an issue. After all, breach notification rules are strict and the monetary penalties high enough that survival of your business may literally depend on it.

Rule #1: Maintain a comprehensive PHI inventory within your organization and your business associates. You need to know everywhere under your direct and indirect control where protected health information “lives.” This includes both structured and unstructured data in ePHI, records replicated in multiple places, paper files etc.

Rule #2: Establish a data classification model and assign levels of sensitivity. While many government agencies use a 5-level model (or even more), a 2 or 3-tiered system should be sufficient to start with.

Rule #3: Map how ePHI travels during normal workflow. Ensure that compatible security controls exist at both ends of each data transfer. Then do an additional exercise looking at how ePHI might need to be transferred during exceptional events or in crisis management situations. Apply the same safeguards.

Rule #4: Develop access control policies balancing “need to know” without compromising patient care. Then implement and enforce those policies and controls systematically so that software applications, database rules, and personnel restrict access to sensitive information to only people and/or other software programs that have been specifically granted access rights.

Rule #5: Monitor and audit all access to ePHI (including read-only access, data changes, and privileged activity such as changes to data structures and changes to user access rights).

Rule #6: Conduct internal vulnerability testing and an assessment of current security measures (controls testing). These are components of the risk analysis process that everyone should be working on. If you don’t have the skill set in house, bring in a qualified outside vendor. Expert security firms can add more technical depth to your analysis. Establish a regular, repeatable, ongoing security assessment process that enables you to adapt to new changes in technology, people, systems, business relationships and workflows. Make certain the process maintains historical data so that management can see progress over time.

Rule #7: Implement an ongoing security awareness campaign and regular training program that fits your culture, yet ensures employees understand their role in safeguarding PHI. Conduct social engineering testing on your employees to measure the effectiveness of the training.

Rule #8: Encrypt all ePHI stored on any device that can be carried out of your office (desktops, laptops, hard drives, backup tapes, iPads/tablets, smart phones, and other portable media).
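Rules #4 and #5 are the ones most directly checkable in code. The following is an added example (not code from the original post or a Redspin tool) that reads a constructed, pipe-delimited ePHI access log, categorises every event the way Rule #5 asks (read-only, data change, privileged structural activity, access-rights change) and flags any access outside an illustrative role-to-object “need to know” matrix standing in for the Rule #4 policy. The log format, roles, actions and the matrix are all assumptions made for the example.

```python
"""Audit-log review for ePHI access (Rules #4 and #5 above).

Added example, not code from the original post. It assumes a simple
pipe-delimited access-log format of our own design (constructed here):
    timestamp|user|role|action|object|detail
The event categories follow Rule #5 (read-only, data change, privileged
structural activity, changes to access rights); the role-to-object
"need to know" matrix stands in for the Rule #4 policy and is illustrative.
"""
from collections import Counter

# Constructed sample log; no real patients or users.
SAMPLE_LOG = """\
2011-06-01T08:02:11|jdoe|nurse|READ|patient/1001|view chart
2011-06-01T08:05:42|jdoe|nurse|UPDATE|patient/1001|record vitals
2011-06-01T09:15:00|bsmith|billing|READ|patient/1001|claim lookup
2011-06-01T09:16:30|bsmith|billing|READ|patient/2002|claim lookup
2011-06-01T10:00:05|admin1|dba|ALTER|table/patient|add column
2011-06-01T10:01:10|admin1|dba|GRANT|role/billing|select on patient
2011-06-01T11:30:00|rlee|lab|READ|lab/3003|result entry
2011-06-01T11:31:00|rlee|lab|READ|patient/1001|view chart
2011-06-01T23:45:00|bsmith|billing|EXPORT|patient/*|bulk export
"""

# Rule #4: object classes each role has a need to know (illustrative policy).
NEED_TO_KNOW = {
    "nurse": {"patient"},
    "billing": {"patient"},
    "lab": {"lab"},
    "dba": {"table", "role"},
}

# Rule #5: every access is categorised, not just writes.
CATEGORIES = {
    "read_only": {"READ"},
    "data_change": {"INSERT", "UPDATE", "DELETE"},
    "privileged": {"ALTER", "DROP", "EXPORT"},      # structural / bulk activity
    "access_rights": {"GRANT", "REVOKE"},
}


def classify(action):
    """Map a raw action to a Rule #5 category; unknown actions are 'other'."""
    for category, actions in CATEGORIES.items():
        if action in actions:
            return category
    return "other"


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, obj, detail = line.split("|", 5)
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "object": obj, "detail": detail})
    return events


def audit(text):
    """Return per-category counts plus a list of (finding, user, object).

    Findings: any access outside the role's need-to-know set, and every
    privileged, access-rights or unknown event, which a person should review.
    """
    events = parse_log(text)
    counts = Counter(classify(e["action"]) for e in events)
    findings = []
    for e in events:
        category = classify(e["action"])
        object_class = e["object"].split("/", 1)[0]
        allowed = NEED_TO_KNOW.get(e["role"], set())   # unknown role: nothing allowed
        if object_class not in allowed:
            findings.append(("outside_need_to_know", e["user"], e["object"]))
        if category in ("privileged", "access_rights", "other"):
            findings.append((category, e["user"], e["object"]))
    return dict(counts), findings


if __name__ == "__main__":
    totals, flagged = audit(SAMPLE_LOG)
    print("event counts:", totals)
    for finding in flagged:
        print("review:", *finding)
```

Note that the bulk EXPORT by a billing user is inside that role's need to know yet still surfaces for review, because Rule #5 treats privileged activity as auditable regardless of who performs it.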

We understand that this is one of the most significant undertakings facing healthcare organizations today. But there really isn’t a choice. A single individual’s healthcare involves multiple practitioners, facilities, diagnostic labs, administrators, payers, ancillary service providers, etc. The very benefits that electronic health records promise can only be realized if the security challenges are met. We’re here to help. It’s 11PM. Do you know where your PHI is?

Correction…8 million and counting

Posted by perlbot in Main

Since our 2010 Protected Health Information Breach Report was released, we have been asked a lot about trends in the industry. Well, just in the last couple of weeks, a number of breaches that occurred at the end of 2010 have been disclosed. This includes 16 incidents, over half the result of theft and involving some type of portable media.

The worst case involved 1.7 million records compromised as a result of 1) unencrypted backup tapes and 2) a business associate leaving the tapes unattended. The trends are becoming more clear. Protect sensitive information in transit and storage, and perform sufficient due diligence on all business associates that have access to your sensitive information.

Practical Business Associate Risk Management

Posted by mmarshall in Main

As any reasonably sized covered entity will attest, it is not unusual to have hundreds of Business Associates (partners who have access to ePHI). While your own security may be adequate to protect your ePHI, a breach by a Business Associate will result in substantial impact, and the data breach is required to be disclosed. The process of ensuring they are protecting your ePHI is a bit easier since the HITECH Act mandated that Business Associates must be HIPAA compliant. So it’s important to ensure your Business Associates implement appropriate security controls to adequately protect ePHI and reduce the odds of a breach. Given the challenges of performing in-depth due diligence on hundreds of organizations simultaneously, a risk-based approach should be used to prioritize the list of Business Associates. This allows focusing first on the areas of greatest risk/impact.

Here are a few questions to ask about your business associates to help prioritize your due diligence efforts.

-How many ePHI records do they have?

-Are they granted controlled access to data housed by us, with risk mitigated by our own internal controls?

-Is the data housed by them and are we completely reliant on their security controls?

-Consider the type of ePHI they have: SSN, payment details (credit card, bank accounts, driver’s license, etc.). More sensitive data is higher risk.

-How long are the records maintained by them? (Short period and then destroyed vs. archived indefinitely.)

-How many of their employees have access to our data?

-Have they experienced a breach in the past?

-Are their systems connected directly to our network? Will a compromise of their network give an attacker access to our network?

-Are they providing a service where ePHI is accessed directly via the Internet? Could an attacker on the Internet breach the system directly?

These are a few questions to get you thinking about where to start your focused due diligence. What other ways are you currently using to prioritize your Business Associate risk management efforts?
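One way to turn the questions above into a repeatable prioritization is to score each Business Associate on each factor and sort. The following is an added example, not code from the original post or a Redspin methodology; the weights, the field names and the three sample partners are constructed for illustration only.

```python
"""Risk-based prioritisation of Business Associates.

Added example, not code from the original post. It turns the questions above
into a weighted score so that due diligence can start with the highest-risk
partners. The weights, field names and the three sample partners are
constructed for illustration and are not a Redspin methodology.
"""
from dataclasses import dataclass

# Weight of each category of ePHI a partner holds (constructed values).
DATA_TYPE_WEIGHTS = {"ssn": 3, "payment": 3, "drivers_license": 2, "clinical": 2}
INDEFINITE = -1   # retention_days value meaning "archived indefinitely"


@dataclass
class BusinessAssociate:
    name: str
    records: int                 # how many ePHI records do they have?
    hosts_data: bool             # housed by them, so we rely on their controls
    data_types: set              # SSN, payment details, clinical data, ...
    retention_days: int          # short period and destroyed vs. archived
    employees_with_access: int   # how many of their staff can see our data
    prior_breach: bool           # have they experienced a breach before?
    network_connected: bool      # direct connection into our network
    internet_facing: bool        # ePHI accessed directly via the Internet


def tier(value, thresholds):
    """Return how many thresholds the value meets or exceeds (0..len)."""
    return sum(1 for t in thresholds if value >= t)


def score(ba):
    """Return (total, reasons) for one partner; higher means review sooner."""
    reasons = []

    def add(points, why):
        if points:
            reasons.append(f"+{points} {why}")
        return points

    total = add(tier(ba.records, (1, 1_000, 10_000, 100_000)),
                f"{ba.records} ePHI records")
    total += add(3 if ba.hosts_data else 1,
                 "data housed by partner" if ba.hosts_data
                 else "controlled access, mitigated by our controls")
    total += add(min(6, sum(DATA_TYPE_WEIGHTS.get(t, 1) for t in ba.data_types)),
                 "sensitive data types: " + ", ".join(sorted(ba.data_types)))
    if ba.retention_days == INDEFINITE:
        total += add(3, "records archived indefinitely")
    else:
        total += add(2 if ba.retention_days > 365 else 1,
                     f"retained {ba.retention_days} days")
    total += add(tier(ba.employees_with_access, (1, 10, 100)),
                 f"{ba.employees_with_access} employees with access")
    total += add(3 if ba.prior_breach else 0, "prior breach")
    total += add(3 if ba.network_connected else 0, "connected to our network")
    total += add(3 if ba.internet_facing else 0, "ePHI reachable from Internet")
    return total, reasons


def prioritize(partners):
    """Sort partners by descending score: where focused due diligence starts."""
    scored = [(score(ba)[0], ba) for ba in partners]
    return [ba for _, ba in sorted(scored, key=lambda s: s[0], reverse=True)]


# Constructed sample partners, not real organisations.
SAMPLE_PARTNERS = [
    BusinessAssociate("ClaimsClear", 250_000, True, {"ssn", "payment", "clinical"},
                      INDEFINITE, 400, True, False, True),
    BusinessAssociate("ShredCo", 500, True, {"clinical"}, 7, 5, False, False, False),
    BusinessAssociate("RadReads", 20_000, False, {"clinical"}, 30, 50, False, True, False),
]

if __name__ == "__main__":
    for ba in prioritize(SAMPLE_PARTNERS):
        total, reasons = score(ba)
        print(f"{ba.name}: {total}")
        for r in reasons:
            print("   ", r)
```

The reasons list is what goes into the questionnaire follow-up: it tells you which answer drove a partner to the top of the list, not just that it is there.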

Download a more in-depth questionnaire to be completed by your business associates here!