Anatomy of a Healthcare Data Breach

Similar documents
Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Healthcare in the Public Cloud DIY vs. Managed Services

Horizon Health Care, Inc.

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

The HIPAA Omnibus Rule

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Secure HIPAA Compliant Cloud Computing

Securing Health Data in a BYOD World

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

mhealth SECURITY: STATS AND SOLUTIONS

Cloud Communications for Healthcare

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Putting It All Together:

The Relationship Between HIPAA Compliance and Business Associates

The simplified guide to. HIPAA compliance

Cybersecurity and Hospitals: A Board Perspective

Healthcare HIPAA and Cybersecurity Update

Mobile Technology meets HIPAA Compliance. Tuesday, May 2, 2017 MT HIMSS Conference

Compliant. Secure. Dependable.

Combating Cyber Risk in the Supply Chain

HIPAA Privacy, Security and Breach Notification

HEALTH CARE AND CYBER SECURITY:

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Cybersecurity in Higher Ed

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

PCI Compliance. What is it? Who uses it? Why is it important?

PULSE TAKING THE PHYSICIAN S

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

Behavioral Health Information Network of Arizona (BHINAZ)

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Security and Privacy Governance Program Guidelines

Data Backup and Contingency Planning Procedure

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Best Practices in HIPAA Security Risk Assessments

The Data Breach: How to Stay Defensible Before, During & After the Incident

Cybersecurity and Nonprofit

Why you MUST protect your customer data

Customer Success Story. ZeOmega. ZeOmega and ClearDATA partner to help a large IDN achieve Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

ips.insight.com/healthcare Identifying mobile security challenges in healthcare

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

HIPAA Compliance & Privacy What You Need to Know Now

HIPAA Compliance Assessment Module

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Securing Devices in the Internet of Things

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Internet of Things Toolkit for Small and Medium Businesses

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA COMPLIANCE AND

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Executive Insights. Protecting data, securing systems

WHITEPAPER HEALTHCARE S KEY TO DEFEATING CYBERATTACKS

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Protecting your next investment: The importance of cybersecurity due diligence

HIPAA AND SECURITY. For Healthcare Organizations

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Learning from a breach

Teradata and Protegrity High-Value Protection for High-Value Data

Cloud & Managed Server Hosting for Healthcare Professionals

All Aboard the HIPAA Omnibus An Auditor s Perspective

Meaningful Use or Meltdown: Is Your Electronic Health Record System Secure?

What is Penetration Testing?

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

Keys to a more secure data environment

Security and Privacy Breach Notification

DeMystifying Data Breaches and Information Security Compliance

Protecting Health Information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI)

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

SECURING DEVICES IN THE INTERNET OF THINGS

HIPAA Security and Privacy Policies & Procedures

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

SECURITY & PRIVACY DOCUMENTATION

Cyber Insurance: What is your bank doing to manage risk? presented by

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

HIPAA UPDATE. Michael L. Brody, DPM

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Cyber Risks in the Boardroom Conference

State of Cloud Survey GERMANY FINDINGS

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Cybersecurity The Evolving Landscape

Sage Data Security Services Directory

2017 RIMS CYBER SURVEY

2015 HFMA What Healthcare Can Learn from the Banking Industry

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Nine Steps to Smart Security for Small Businesses

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

Transcription:

Business White Paper Anatomy of a Healthcare Data Breach Prevention and remediation strategies

Page 2 of 8 Anatomy of a Healthcare Data Breach Table of Contents Page 2 Increased Risk Page 3 Mitigation Costs Page 3 An Industry Unprepared Page 4 Patterns Are Emerging Page 5 Advocate Medical Group Page 6 Best Practices and Cloud Options The statistics on healthcare data breaches is growing increasingly troublesome. According to the Identity Theft Resource Center, healthcare data breaches accounted for 44 percent of all breaches in 2013 the first time the healthcare sector topped this list. Perhaps the main reason for such a large proportion is because personal health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers. The most profitable type of fraud stemming from identity theft is now Medicare fraud. The annual cost of health data breaches estimated at $5.6 Billion. One in 10 Americans has been affected by a large health data breach, according to the HHS. Employee negligence is considered the biggest security risk based on the Ponemon Institute s Fourth Annual Benchmark Study on Patient Privacy and Data Security. Criminal attacks have risen 100 percent since the first study was released in 2010. What is even more surprising is that many healthcare organizations fail to detect these attacks and often remain compromised, according to a 2013 SAS-Norse study. Upgrades, enhancements, and overhauls of IT systems can open the door for data breaches if security issues aren t addressed in tandem. Increased Risk Personal health records have become high-value targets since they can be exploited for identity theft, fraud, and stolen prescriptions. The HIPAA Security Rule also requires business associates to appropriately safeguard electronic PHI. Chris Bowen, chief privacy officer, ClearData, says healthcare data is potentially more susceptible than ever. In healthcare, the shelf-life of a medical record is sometimes decades long, Bowen said. Correcting your medical record after somebody uses it for fraudulent purposes is extraordinarily difficult for the patient especially when you can tack on a debit card number, or fraudulent

Page 3 of 8 treatment, and all kinds of serious things are on protected health information. We just don t think people understand that value. According to a 2013 HIMSS Security Survey, internal employees inappropriately accessing patient information is an ongoing concern. Internal user monitoring technology can help alleviate this tendency. Physical safeguards remain a sticking point since many professionals prefer the portability of laptops and mobile devices. But their proliferation exacerbates the problem. Mitigation Costs According to a report by Meritalk, 19 percent of healthcare organizations experienced a security breach in 2013. The top causes were: malware/virus (58 percent), digital intrusion/theft (42 percent), and physical intrusion/theft (38 percent). The average cost per security breach for hospitals with over 100 beds averaged $810,189. Depending on the nature of the breach, federal and state fines for a single disclosure of (PHI) could reach as high as $1.5 million. Other mitigation include: legal fees, credit monitoring fees, IT recovery fees, and costs associated with reputation damage. An Industry Unprepared Surprisingly, healthcare is still lagging behind other industries in security efforts and spending. Spending on electronic health records (EHRs) has been getting most of the attention and budget, while security and prevention often gets overlooked. In addition, changes in IT infrastructure or applications can have a trickle-down effect exposing new vulnerabilities, oversight, or mistakes. While some providers play catch-up, hackers are pouncing on the unprepared. Healthcare organizations make particularly attractive targets because of payment data and detailed patient records used to collect reimbursements. In addition, healthcare providers typically have smaller IT budgets than private-sector companies. Although

Page 4 of 8 the push to digital health records has increased health IT budgets, spending on EHRs and Meaningful Use has taken center stage. Prior to the HITECH Act, a surprising number of providers and practices were not encrypting healthcare data. According to a Price Waterhouse Cooper survey, 74% of health providers believed their security activities were effective, but after an audit, only 22% actually met all advised security criteria. Lou Morentin, senior security risk consultant, ClearData, contends that the healthcare industry simply doesn t implement encryption safeguards as often as it should. We re at that point now where not just mobile devices need to have drive encryption, Morentin said, but your desktops, as well, because if somebody breaks into your clinic and steals a desktop, you ve got a data breach. One of the easiest things to do is just encrypt all those drives, but yet very few people moving to get this done. Patterns Are Emerging To date, approximately 945 data-breach incidents have been reported where PHI was compromised. A few recent high-profile data breaches could shed additional light on how vulnerable PHI can be and what can be done to prevent breaches. Community health systems As recently as August 2014, Community Health Systems (CHS) suffered a criminal cyberattack affecting 4.5 million individuals, the second-largest HIPAA breach ever reported. The attacker was able to bypass security measures and implemented malware to copy and transfer data outside the company. CHS has implemented remediation efforts aimed at preventing similar attacks in the future. These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords. A closer look at the breach reveals that the Heartbleed bug contributed to the vulnerability of the data. Chris Bowen, CEO of ClearData, said he is surprised such a breach could occur with so much advanced warning about the bug.

Page 5 of 8 There are some attacks that are very sophisticated, very targeted, but the bulk of them are based on missing the basic checklist of things you ve got to do, Bowen said. An active monitoring program could have helped mitigate the loss once the attackers gained access to the core infrastructure, Morentin said. The Heartbleed bug once identified should have been patched as soon as Juniper released a patch however, many device manufacturers took some time to develop and test a patch that could be used. A System Information and Event Monitoring (SEIM) properly configured could have triggered an alert once an anomaly was detected. Advocate Medical Group Another recent data breach highlights the increased susceptibility of mobile devices, including laptops. In July 2013, Advocate Medical Group had four password-protected laptops stolen that contained 4.5 million medical records and patient health information, which was not encrypted. Advocate took aggressive steps to reduce the possibility of another break in, including the addition of 24/7 security personnel as well as accelerated deployment of enhanced technical safeguards. An Advocate senior vice president admitted that the data should never have been on laptops and instead should have been maintained on a secure network. Sometimes, the simplest solution actually is the best solution. In this case, the data should have been encrypted and, as the Advocate vice president said, it should never have been on a mobile device. Over and over these breaches could significantly be minimized by adopting an encryption policy and procedure, said Morentin. A recent analysis of breaches showed over 60% of the breaches could have been prevented by encryption of the devices. Morentin said practices and hospitals need to train their staff to never download PHI to mobile devices. He also suggests that policies and procedures should tie in to strong sanctions for violations.

Page 6 of 8 Cloud access to data could help to mitigate this kind of breach as well because the data is viewed through a secure browser connection (SSL) without the need to work the data on local machines, said Morentin. Cogent healthcare A summer 2013 data breach impacted Cogent Healthcare when a transcription partner stored provider data on an unsecure site, exposing patient data to potential identity theft. Apparently the site had its firewall down, and Google even subsequently indexed some of the patient data. More than 32,000 patients were affected. Cogent terminated its relationship with the transcription company and took possession of the hardware in use. Some of the steps providers can take to assure their business associates and partners maintain data security is to secure data through encryption and maintain the chain of custody concerning PHI. The business partner should have a Business Associate Agreement in place with random due diligent inspections to assure the BA is following the rule and regulations, Morentin said. The final Onmibus Rule puts all business associates (BA s) in the same level of responsibility and safeguards as covered entities. Morentin suggested periodic inspections of the BA s environment and auditing of their operations to ensure compliance with regulations. Again, Morentin said, policies and procedures should be tied into strong sanctions for all staff to safeguard company assets and applications to track assets and monitor their use. There are asset tracking applications to aid in the management of all company assets, said Morentin. Applications like Lab Tech can help to monitor these devices. Best Practices and Cloud Options Industry best practices suggest an active learning approach to data breach prevention (including real-time surveillance of emerging threats) is perhaps the best way to better prioritize strategies and prevention. Near constant vigilance is becoming increasingly

Page 7 of 8 important. Managed security solutions that cloud providers offer have shown tactical success against cyberthreats. Industry groups such as The Advisory Board recommend a multipronged approach that includes audits, upgrades, and the use of cloud-services from organizations that specialize in robust security. It is also critical to prepare for a breach in advance. In other words, prevention and preparation are important. If a breach does occur, it is imperative that a crisis team be in place to move quickly and accept responsibility. A crisis team should be comprised of a multidisciplinary group including executive leadership, legal/ compliance/privacy, information technology, communications and customer relations. Initial steps should be to end the compromise or remedy the risk control deficiency, restore the affected system and determine the cause of the incident and the appropriate mitigation and protection to be utilized. Bowen was also quick to caution that just because a vendor or business associate is involved, it doesn t absolve the covered entity or provider. It s a shared responsibility if you re hosting some data offsite, or if you are working with any type of vendor, Bowen said. You can t just off-load data storage and management to a vendor or cloud provider. Those who think they can do so are fooling themselves. For greater security options, it might be wise to consider a long-term cloud storage solution that is HIPAA-compliant. While recent breaches of public cloud services have cast some doubt on cloud-based storage, healthcare cloud data providers employ greater security measures for added protection. A long-term cloud computing solution could also be used as an alternative to on-site redundant archiving. In addition, a cloud-based Data Loss Prevention (DLP) solution can identify specific information that needs protecting and help make decisions on how to secure the information.

About Us ClearDATA is the nation s fastest growing healthcare cloud computing company. More than 310,000 healthcare professionals rely on ClearDATA s HIPAA compliant cloud computing HealthDATA platform and infrastructure to store, manage, protect and share their patient data and critical applications. For more information 1600 W. Broadway Road, Tempe AZ (800) 804-6052 www.cleardata.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback