It’s always educational to review a data security breach to see what can be learned. In the case of the Charleston Area Medical Center (CAMC) last month, a number of lessons can be learned. First, let’s review what we know (and don’t know) about the data breach which happened at CAMC subsidiary CAMC Health Education Research Institute (CHERI).
It was a pretty straightforward breach. Last month someone doing an online search for an address found that the name of a relative and their ePHI was readily accessible on a CAMC website via a Google search. He immediately notified the relative, who in turn contacted the State of West Virginia Attorney General. The Attorney General’s Consumer Protection Division quickly had the offending site (http://www.wvchamps.com/) shut down. In all 3655 patients were involved with the breach, whose data had been accessible on the site since September of 2010. The site was created by a contractor who inadvertently enabled access to the data.
More Questions than Answers
- If the contractor had access to ePHI, were they treated as a Business Associate (BA)?
- Was there a Business Associate Agreement (BAA) in place?
- Was protecting ePHI specified as an upfront feature/requirement of the site created by the contractor?
- Was any application penetration testing performed on the site before it went live?
- As a result of the breach CAMC has agreed to additional safeguards including a security assessment – does this imply that CAMC had not previously performed a HIPAA Risk Analysis?!?!
An ounce of prevention…: While we don’t know the details of this particular vulnerability, it appears that an application penetration test would have identified the risk and enabled trivial remediation before an incident. That would be a fraction of the cost of this breach. It’s hard to determine the CAMC brand damage and staff costs associated with a breach like this. And it’s too early to tell if the hospital will see HIPAA / HITECH Act fines associated with the incident. The Equifax credit monitoring cost is also unclear, though calculating the retail cost from their site at $15 per month per user for each of the 3655 individuals affected by the breach for a year tallies to over $54,000 per month and over $650,000 for the year… a pound of cure.
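The kind of check a pre-release application test would run is easy to automate. The script below is an added example, not code from the original post and not CAMC's or the contractor's site: it fetches a list of pages exactly as an anonymous search-engine crawler would (no cookies, no credentials), flags any page that returns 200 with patient-like content, and additionally flags such pages when they lack an `X-Robots-Tag: noindex` header. The PHI patterns, the page paths and the tiny demo web app it spins up on localhost are all constructed for illustration; a real deployment would point `check_site` at its own staging host and tune the patterns to its data.

```python
"""Exposure check for a web app that handles ePHI (added example, not the post's code).

Assumptions (constructed for this example, not from the post):
  * pages with patient data must require authentication or at least carry
    `X-Robots-Tag: noindex`;
  * patient-like content is recognised by a few illustrative regexes.
"""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Illustrative PHI-like patterns; a real check would be tuned to the site's data.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
    "patient_label": re.compile(r"\bPatient:\s*[A-Z][a-z]+ [A-Z][a-z]+\b"),
}


def fetch_unauthenticated(url):
    """GET a URL with no cookies or credentials, as a crawler would.
    Returns (status, headers, body_text); error statuses are returned, not raised."""
    req = Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # 401/403/404 etc. still carry headers and a body
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def check_page(url):
    """Return a list of findings for one URL; an empty list means nothing exposed."""
    status, headers, body = fetch_unauthenticated(url)
    if status != 200:
        return []  # denied or missing: nothing readable anonymously
    matched = [name for name, rx in PHI_PATTERNS.items() if rx.search(body)]
    if not matched:
        return []
    findings = [f"{url}: PHI-like content readable without authentication ({', '.join(matched)})"]
    if "noindex" not in headers.get("X-Robots-Tag", "").lower():
        findings.append(f"{url}: page is also indexable (no X-Robots-Tag: noindex)")
    return findings


def check_site(base_url, paths):
    """Run check_page over every path and collect the findings."""
    findings = []
    for path in paths:
        findings.extend(check_page(base_url + path))
    return findings


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo app: one leaky public page, one page behind a login."""
    PAGES = {
        "/roster.html": (200, {"Content-Type": "text/html"},
                         "<h1>Study roster</h1><p>Patient: Jane Doe, DOB: 01/02/1970, SSN 123-45-6789</p>"),
        "/portal/roster": (401, {"WWW-Authenticate": 'Basic realm="portal"'}, "Login required"),
    }

    def do_GET(self):
        status, headers, body = self.PAGES.get(self.path, (404, {}, "not found"))
        data = body.encode()
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the constructed demo app on an ephemeral port, run the check, return findings."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return check_site(base, ["/roster.html", "/portal/roster", "/missing"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as-is, the demo reports two findings for `/roster.html` (readable anonymously, and indexable) and nothing for the login-protected or missing paths. The point of the design is that it tests the site from the outside with no session at all, which is the exact vantage point from which the CHERI data was found.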
Security Assessments have more value before a breach: Well, I am stating the obvious here, but there’s more to the point than the obvious fact that identifying this particular vulnerability early would be much less painful for the organization. The point is that, in our experience, incident-driven assessments are often knee-jerk reactions to a compliance issue, completed more to show a reaction and publicize respect for client ePHI than as part of a core, value-driven approach to secure operations. These types of assessments often cost far more, and the value can be limited. The value of a security assessment is proportional to an organization’s bandwidth to absorb the findings and its willingness to improve. An event-driven assessment for CAMC will not yield a lot of value if the health IT staff is not ready to react to the findings.
Ensure BAs are aware of the need to protect ePHI: When you outsource to a vendor, you are outsourcing the actual labor, but also, to a certain extent, security management. While you would expect a vendor to be aware of information security best practices, you can’t always trust the BA to be secure. Does a robust BAA show you care? While requiring a BA to complete a Business Associate Self-Assessment Questionnaire may not be appropriate for a web site developer, quizzing them on a secure software development life cycle might filter out incompetent developers and send a message that you care about their performance.