Why medical practices should be afraid


There are two very disturbing trends regarding information security that should keep physicians and practice administrators up at night.

The first trend is that it seems like no company is safe from security breaches. Just yesterday Citigroup announced that they experienced a breach that involved more than 200,000 accounts. Sony has been hacked repeatedly. Epsilon has experienced a huge data breach. These are multinational companies that have the resources to protect data, and yet they have been hacked and data has been breached.

The second trend is that hackers are starting to focus on smaller targets. In the Verizon 2011 Data Breach Investigations Report (PDF) they found that hackers are moving away from larger targets to smaller companies (tell that to the companies mentioned above).  The reason is that smaller companies have less security and are easier to hack.

Medical data has a very high value on the black market and it is only a matter of time until hackers turn their attention to medical practices. Medical practices typically don’t invest a lot of money in security and many are not compliant with HIPAA Security regulations. The chances that hackers are successful when they focus on medical practices are probably pretty high. In addition, the costs of security breaches are increasing and HIPAA enforcement and fines are also increasing.

Physicians and practice administrators need to be aware of these disturbing trends. Security and HIPAA compliance are essential and need to be focused on now, before it is too late.


The perfect storm for data breaches

In the movie The Perfect Storm, all the forces had to come together to cause the perfect storm. A storm so big and so powerful that, well, you know: the Andrea Gail had no chance against it.

If I were to think of a scenario where everything came together to create an environment with a huge number of data breaches affecting patient data, this is what I would come up with:

  1. The government would encourage health organizations to switch from paper records to electronic records by giving away billions of dollars to provide incentives.
  2. The government would not give these organizations the money upfront but would slowly pay them over a few years.
  3. The health organizations would spend an enormous amount of money implementing electronic medical record systems.
  4. The large outlay of money would leave these organizations financially strapped with minimal resources for training and security of the new EMR systems.
  5. A severe economic recession would cut down on the number of patients that these health organizations would provide services to.  This would add to the financial burden already being felt by the organizations.
  6. A shortage of skilled IT workers would make it difficult for health organizations to find workers to help secure these new EMRs.
  7. Computer viruses and malware would become more sophisticated and harder to prevent.  The malware would steal data and leak patient information to external parties.
  8. Portable devices, laptops, tablets and smartphones would become cheap and ubiquitous.  These portable devices could easily hold a lot of patient data.
  9. A large number of portable devices would be lost and/or stolen.
  10. Patient medical data would become valuable and would be in high demand by criminals looking to utilize the data for identity theft and other crimes.
  11. The government’s regulations protecting patient medical data would largely be ignored due to a lack of resources and a lack of government enforcement.

Altogether these forces would cause the perfect storm of patient data breaches.  Hundreds of health organizations would have data breaches.  Millions of patients would have their information compromised.  And while this was occurring the government would sit back and watch.

The scenario is very frightening.  Good thing stories like this only happen in the movies.


2010 Data Breach Investigations Report

The Verizon Business RISK team in cooperation with the United States Secret Service (USSS) released a report on data breaches.  The breaches were across all industries and were not specific to the Healthcare industry.  The report came out in July but I just got around to reading it.  A few interesting points in the report include:

Who is behind data breaches?

  • 70% resulted from external agents
  • 48% caused by insiders
  • 11% implicated business partners
  • 27% involved multiple parties

Driven largely by organized groups, the majority of breaches and almost all data stolen (98%) in 2009 was still the work of criminals outside the victim organization. Insiders, however, were more common in cases worked by the USSS, which boosted this figure in the joint dataset considerably. This year’s study has by far improved our visibility into internal crime over any other year. Breaches linked to business partners continued the decline observed in our last report and reached the lowest level since 2004.

How do breaches occur?

  • 48% involved privilege misuse
  • 40% resulted from hacking
  • 38% utilized malware
  • 28% involved social tactics
  • 15% comprised physical attacks

Related to the larger proportion of insiders, Misuse sits atop the list of threat actions leading to breaches in 2009. That’s not to say that Hacking and Malware have gone the way of the dinosaurs; they ranked #2 and #3 and were responsible for over 95% of all data compromised. Weak or stolen credentials, SQL injection, and data-capturing, customized malware continue to plague organizations trying to protect information assets. Cases involving the use of social tactics more than doubled and physical attacks like theft, tampering, and surveillance ticked up several notches.

What commonalities exist?

  • 98% of all data breached came from servers
  • 85% of attacks were not considered highly difficult
  • 61% were discovered by a third party
  • 86% of victims had evidence of the breach in their log files
  • 96% of breaches were avoidable through simple or intermediate controls
  • 79% of victims subject to PCI DSS had not achieved compliance

As in previous years, nearly all data were breached from servers and applications. This continues to be a defining characteristic between data-at-risk incidents and those involving actual compromise. The proportion of breaches stemming from highly sophisticated attacks remained rather low yet once again accounted for roughly nine out of ten records lost. In keeping with this finding, we assessed that most breaches could have been avoided without difficult or expensive controls. Yes, hindsight is 20/20 but the lesson holds true; the criminals are not hopelessly ahead in this game. The more we know, the better we can prepare. Speaking of being prepared, organizations remain sluggish in detecting and responding to incidents. Most breaches are discovered by external parties and only then after a considerable amount of time.

Some interesting points from the data above:

  • 98% of all data breached came from servers.  Needless to say, servers are where you want to spend your time, money and effort on security.
  • 86% of victims had evidence in their log files.  Log monitoring is essential.  Without it, you have no idea what is happening to your data.
  • 38% of breaches used malware.  Malware isn’t just about popping up porn pictures anymore.  Malware is about stealing data and profiting from that data.
  • 96% of breaches were avoidable through simple controls.  That is an amazing figure; it tells me that, with proper security in place, it is possible to avoid the majority of data breaches.
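To make the log-monitoring point concrete, here is a small Python script added as an illustration (it is not code from the original post or from the Verizon report). It parses a handful of constructed authentication and export log lines in an assumed syslog-like format and flags two of the patterns the report says are usually sitting in victims' logs: a burst of failed logins followed by a success from the same source, and a large or after-hours export of a patient table. The log format, field names, thresholds, user names and IP addresses are all assumptions made for the example.

```python
"""Log-monitoring example: scan log lines for signs of a breach.

Added example, not from the original post. The log format, thresholds and
sample data below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data) in an assumed syslog-like format.
SAMPLE_LOG = """\
2010-08-02 02:14:01 auth failed user=admin src=203.0.113.9
2010-08-02 02:14:03 auth failed user=admin src=203.0.113.9
2010-08-02 02:14:05 auth failed user=admin src=203.0.113.9
2010-08-02 02:14:07 auth failed user=admin src=203.0.113.9
2010-08-02 02:14:09 auth failed user=admin src=203.0.113.9
2010-08-02 02:14:12 auth ok user=admin src=203.0.113.9
2010-08-02 02:20:44 export table=patients rows=48213 user=admin src=203.0.113.9
2010-08-02 09:05:10 auth failed user=jsmith src=192.0.2.7
2010-08-02 09:05:30 auth ok user=jsmith src=192.0.2.7
2010-08-02 09:30:00 export table=patients rows=120 user=jsmith src=192.0.2.7
"""

# One line = timestamp, event type, optional export fields, user and source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>auth failed|auth ok|export)"
    r"(?: table=(?P<table>\S+) rows=(?P<rows>\d+))?"
    r" user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["rows"] = int(d["rows"]) if d["rows"] else 0
        events.append(d)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a (source, user) pair that fails `threshold` logins inside `window`
    and then succeeds: the footprint of a guessed or stolen password."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "auth failed":
            failures[key].append(e["ts"])
        elif e["event"] == "auth ok":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": e["src"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
            failures[key].clear()  # a success resets the counter for this pair
    return alerts


def find_bulk_exports(events, max_rows=1000, business_hours=(7, 19)):
    """Flag exports that are unusually large or happen outside business hours."""
    alerts = []
    for e in events:
        if e["event"] != "export":
            continue
        off_hours = not (business_hours[0] <= e["ts"].hour < business_hours[1])
        if e["rows"] > max_rows or off_hours:
            alerts.append({"user": e["user"], "table": e["table"],
                           "rows": e["rows"], "off_hours": off_hours})
    return alerts


def review(text):
    """Run both detectors over raw log text and return the alerts by kind."""
    events = parse(text)
    return {"bruteforce": find_bruteforce(events),
            "bulk_exports": find_bulk_exports(events)}


if __name__ == "__main__":
    for kind, alerts in review(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

Run against the sample, the script reports one brute-force alert (five failures then a success for `admin` from 203.0.113.9) and one export alert (48,213 patient rows pulled at 02:20). The normal daytime login and small export by `jsmith` produce nothing, which is the point of thresholds: the detector should be quiet on routine activity so that staff actually read what it flags.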

More healthcare data breaches than financial services

In a report published by the Identity Theft Resource Center, the number of healthcare data breaches exceeded the number of data breaches in the financial services sector so far in 2010. According to the report, healthcare had 119 data breaches exposing 1,636,400 records. The financial services sector had 39 breaches exposing 4,451,803 records. It should be noted that the number of records in the financial services sector data breaches was 3 times the number for healthcare.

As I mentioned in this post, I believe the number of data breaches for the healthcare sector will increase as more and more practices start to implement EMRs.  Now is the time to take HIPAA Security seriously.  If you haven’t performed a Risk Assessment or implemented basic steps of security, such as laptop encryption, you are just asking to be included in the reported number of healthcare data breaches.


Guest post from Brian Lapidus

I have used this blog to talk a lot about data security and how to prevent data breaches. Several times I have referenced studies by Kroll’s Fraud Solutions division. I was contacted by Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division, who has offered to share some very insightful information about how healthcare organizations can improve their data security measures.

As the healthcare industry prepares for a major shift to EHRs over the next several years, providers must take important steps to make sure their data security practices are in good health.

Protect outsourced data. Your organization must know exactly where and how your data is stored with all of your third party vendors. This includes service providers, like labs, as well as internal service arrangements like remote hosting or backup storage facilities. If the organization is considered a Covered Entity (CE) under HITECH, your Business Associates (BAs) are required to notify you if they have a breach. However, it is the CE’s responsibility to notify the individuals and the appropriate federal entities. Specifically:

  • Know where data stored by BAs is physically located, particularly if it is going to an offshore facility – depending upon the laws of that country, the BA may be under no obligation to notify you in the event of a breach or to turn over evidence in legal discovery.
  • If you haven’t already done so, make sure all of your BA contracts contain strong provisions regarding data privacy and security and detailed guidelines on what to do in the event of a breach. This should include proof of employee training and background checks – two fundamental aspects of a good security plan. Respondents to the HIMSS survey indicated that half did not require proof of employee background checks from third party vendors, and 40 percent didn’t require proof of employee training.

Make sure all portable media devices are fully encrypted. HITECH specifies notification in situations where the PHI that has been lost or stolen is “unsecure” – that is, PHI that has not been rendered unusable or unreadable through some means, generally through encryption. Full disk encryption, especially of portable media devices, is a valuable means of securing any and all sensitive information, and regulators are increasingly looking to encryption as a means to ensure compliance with privacy and security laws. For instance, Nevada has legislation that went into effect at the first of the year that, in general terms, requires the encryption of all personal data transmitted electronically, except via fax. In making the case for encryption, make sure organizational decision makers understand that “password protection” does not equate to encryption.  Kroll has had clients who thought they were covered when a laptop was stolen because it was password protected, but this is still considered unsecured data under HITECH provisions.

Train your staff. Employee training is the most important thing an organization can do to assure that its privacy and security policies are correctly implemented. The most successful organizations make training part of the culture as compared to those organizations who limit training to reviewing a manual and signing an agreement. Employees of healthcare organizations often have widely varying responsibilities and points of touch with patient data, so it’s important to construct a training program that is relevant to job function and level of sensitive data handling. We see many organizations make the mistake of not training employees on relevant new legal requirements, new security threats and other current topics. Simply learning how to detect a breach of information can be invaluable, given the notification requirements timelines under HITECH.

Plan for an event, and then test your plan. The HITECH act specifies that notification must occur “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” Let’s face it – from the moment you uncover a breach, every second counts. That’s why all healthcare organizations are under pressure to develop and implement a breach preparedness and actionable incident response plan. But having the plan is not enough; in light of the rigorous requirements, it’s best to make sure the plan is thoroughly tested and frequently reviewed for updates in the event of changes within the organization. Testing may include a tabletop drill, in which all stakeholders are brought together for a “dry run” of the response plan in the face of a mock breach scenario. Additionally, don’t be afraid to study other organizations’ breach events and learn from the experiences of others, as these real-life cases can be great teachers.

Understand the complexity of breach response and notification requirements. Even though the new requirements are federal, your organization will still be required to comply with state laws that govern the breach of PII and PHI. Depending upon the number of affected individuals, among other variables, your notification requirements under HITECH (and other applicable state laws) could include notifying Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), local media, state attorneys general offices, as well as affected businesses. Missing deadlines could result in hefty penalties or fines. Clearly, notification is about far more than mailing a letter. Perform a little due diligence and prepare a list of possible vendors that can assist in coordinating breach response, crisis communication, and notification responsibilities. Depending upon the size and scope of the breach, sometimes bringing in outside help is essential to maintaining the day-to-day operations of the organization.

It is important to remember that, although the provisions that appear in the legislative text of HITECH are aimed at expanding the use of electronic records, most of the privacy and security provisions apply to both electronic and paper records. Whether an organization plans to go electronic or not, the pre-breach checkup will be essential in being compliant with federal and state regulations.

For more information on data security issues, visit www.krollfraudsolutions.com or check out the new Kroll blog “A Dialogue on Data Security.”

Brian Lapidus, Chief Operating Officer, Kroll Fraud Solutions

Brian Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. With an extensive background in organizational development, today he sets direction for the company’s continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the many security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used.  He oversees a highly-skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.

He also is working with consumer organizations to help ensure responsible practices among businesses that provide identity theft-related services. Lapidus has a bachelor’s degree from Washington University with concentration in psychology and business and an MBA from Vanderbilt with concentration in strategy and general management.


Banking and pizza security mistakes

Two unrelated, non-health IT security issues were identified this week. Citibank admitted that their iPhone banking app stored personal information, including account numbers, bill payment information and security access codes, in a hidden file on users’ iPhones. In addition, Risky.Biz is reporting that the pizza chain Hell Pizza in New Zealand, the UK, and Ireland had its customer database compromised and that 230,000 rows of customer data were accessed.

Citibank has updated their banking app so that personal information is no longer stored on the iPhone.  Hell Pizza issued a statement that the customer database that was compromised had full names, addresses, phone numbers, e-mail addresses, passwords and order history but did not contain any credit card information.

The reason I mention both of these security incidents is because they reveal an alarming trend.  More and more personal information is being collected and put at risk by companies that do not properly secure and protect their customer information.

The application developers at Citibank ignored the fact that a high percentage of smartphones are either lost or stolen. One can only question why they would decide to store personal information on the iPhone when the risk of the phone being lost or stolen was so high. My guess is that they were rushing to get the banking application out to customers and that storing personal data on the phone was the easiest way to develop the application. The concern here is that there are over 200,000 apps for the iPhone and 30,000 for Google’s Android phones. With all of these apps being developed, how many others are making security mistakes and putting customers’ personal information at risk?

According to Risky.Biz, the Hell Pizza database was very easy to access.  It was as though Hell Pizza did very little to protect the database.  The issue here is that personal data was collected and not secured.  Granted the data did not contain credit card information but did contain email addresses and passwords.  If hackers obtained customer email addresses and passwords there is a good chance that they attempted to use the same email address and passwords at other sites such as Amazon, eBay and online banking sites.  As a personal note:  this is a very good example of why you do not want to use the same email address and password at different online websites.

Turning to health IT, both the Citibank and Hell Pizza incidents raise similar concerns. Will EMR vendors, in their rush to develop an EMR for the iPhone, iPad or Android OS, make similar security mistakes and store patient data on these devices? As medical practices implement new EMRs and start to give patients access to patient portals, will they properly secure the patient database? Will hackers find it as easy to access patient information as it was to access the Hell Pizza customer information? Will medical practices lack the security knowledge and resources to ensure that the patient databases are properly secured? Unfortunately, I think the answer to a lot of these questions is YES. Some EMR vendors will make bad decisions and take security shortcuts in their race to bring a version of their EMR to the smartphone market. Some medical practices will not protect patient databases, and security breaches of patient information will occur.

Let’s hope that EMR vendors and medical practices learn from the mistakes that both Citibank and Hell Pizza have made.


Data breach of 800,000 records

South Shore Hospital in Massachusetts announced yesterday that personal records of 800,000 individuals may be missing. The hospital sent backup tapes to a contractor for destruction. The contractor has informed the hospital that only a portion of the tapes were received and destroyed; the rest of the tapes are missing.

According to the Boston Globe:

The hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information.

My first reaction to this story is to ask, “Why weren’t the backup tapes encrypted?” On the South Shore Hospital FAQ website they answer the question:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.

So we have another massive data breach that puts 800,000 individuals in a position of having their personal information compromised. If there is one lesson that should come from this, it is this: make sure your data backups are encrypted. Most backup software has an option to encrypt the data that is copied to tape. If you are not using that option, make sure you start ASAP. If your software does not support encryption, make sure you upgrade to software that does! Any data that leaves a practice should be encrypted. If it is not, then it is only a matter of time before your practice is in the headlines over a data breach.

Privacy breaches affect 3.4 million individuals and counting…

In this article, I posted about the U.S. Department of Health & Human Services’ (HHS) HITECH breach website. The website lists all privacy breaches affecting 500 or more individuals. I recently went to the website to take another look at the number of breaches. I was interested in the total number of individuals that have been affected by privacy breaches. I exported the information into Microsoft Excel and added up the individuals affected in each breach to come up with a shocking 3,459,108 individuals that have been affected.

It should be noted that most of the breaches were due to electronic data security issues but some also involved improper disposal of paper records and theft of paper records.

As I mentioned in this post, we are seeing a lot of security breaches even before the majority of health organizations make the switch from paper records to EHR. In order for HITECH to succeed, we need a strong emphasis on patient security right now!


Sometimes nothing can prevent a data breach

There are many things that you can do to protect patient information.  You can put in place security policies and procedures, ensure that you do a thorough risk assessment, implement data encryption, educate your staff, etc.  But sometimes nothing you can do can prevent a data breach from occurring.

As reported here, a laptop used by a hospice employee was stolen while in use at a patient’s house. The laptop was encrypted, which normally would qualify as a safe harbor and remove the need to notify patients of the data breach. In this case the laptop was already turned on and in use, so the data encryption key/password had already been entered and the information on the laptop could be accessed. In other words, because the employee had logged in with the correct password, all the data on the laptop was accessible in unencrypted form. As long as the laptop remained powered on and in use, the data could be accessed without the need for the encryption password. Once powered off, the laptop would again require the correct encryption password to access the information.

Rainbow Hospice and Palliative Care notified patients because the laptop contained  patient names, addresses, social security numbers, insurance information, medications, treatments and diagnoses. 

I would guess that Rainbow Hospice and Palliative Care had security policies and procedures in place. They had already gone through the effort of ensuring that the laptop was encrypted. They had to have trained the employee on how to access the encrypted information and probably went over best security practices to protect their patients’ information. With all these efforts, they still face a data breach.

In no way should anyone read this and think that implementing security is a waste of time and effort. Taking the steps to protect patient information is the right thing to do, and it will go a long way toward protecting you from a data breach. But sometimes, no matter what you do, you could still face the negative consequences of a data breach.


Encryption password written on CD cover

In a story that makes you scratch your head, a CD with the names of over 300,000 New Yorkers with developmental and other health issues has been missing for almost a month.

“We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said. “At this point, we have no reason to believe they’ve left the building.”

The contents of the disk were encrypted but unfortunately the encryption password may have been written on the outside of the disk.

Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.

Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”

They have been searching for the missing disk all over the building but still have not found it.

Workers at the DOH first discovered the disc was missing around March 20 when they realized it wasn’t where it was supposed to be: in a locked cabinet inside a locked room, said Hutton, in response to a reporter’s inquiry.

The two CDs had been sent by overnight delivery service from New York City and were logged in at Corning Tower.

Once the DOH realized one of the discs was missing, security experts began a search, even instructing workers to sift through piles of papers and desk drawers.

Hutton said the disc may have been accidentally shredded or may still be somewhere in the building. She said the New York City DOH was notified last week.

They say there is no need to notify the patients of the breach, but the details seem sketchy.

She said the DOH won’t have to notify people whose names are on the disc because it doesn’t contain diagnoses or other medical information that would be covered by federal privacy laws.

Along with the names and addresses, the disc contains codes that relate to the services the individuals received, Hutton said.

The main point to consider in this case is that if you have a CD, USB drive or laptop that is encrypted, DO NOT write the encryption password on the cover of the CD or place a sticky note on the drive or laptop. Encryption of data is considered secure, and no breach notifications need to occur if the data is lost. But if you write the password on or near the encrypted data, you basically make the encryption useless. The data should then be treated as though there is no encryption at all.

You can implement all the technology and take all the precautions to protect data, but in the end you are still only as secure as your staff allows you to be. If your staff takes security seriously and makes a valid effort to perform their jobs in a way that protects patient data, you will have a very good chance at keeping patient data secure. On the other hand, if your staff does not take patient data security seriously and takes shortcuts (e.g., writing encryption passwords on CDs), there is a good chance you will face a patient data breach in the future.