2010 Data Breach Investigations Report

The Verizon Business RISK team in cooperation with the United States Secret Service (USSS) released a report on data breaches.  The breaches were across all industries and were not specific to the Healthcare industry.  The report came out in July but I just got around to reading it.  A few interesting points in the report include:

Who is behind Data Breaches?
70% resulted from external agents
48% caused by insiders
11% implicated business partners
27% involved multiple parties

Driven largely by organized groups, the majority of breaches and almost all data stolen (98%) in 2009 was still the work of criminals outside the victim organization. Insiders, however, were more common in cases worked by the USSS, which boosted this figure in the joint dataset considerably. This year’s study has by far improved our visibility into internal crime over any other year. Breaches linked to business partners continued the decline observed in our last report and reached the lowest level since 2004.

How do breaches occur?

48% involved privilege misuse
40% resulted from hacking
38% utilized malware
28% involved social tactics
15% comprised physical attacks

Related to the larger proportion of insiders, Misuse sits atop the list of threat actions leading to breaches in 2009. That’s not to say that Hacking and Malware have gone the way of the dinosaurs; they ranked #2 and #3 and were responsible for over 95% of all data compromised. Weak or stolen credentials, SQL injection, and data-capturing, customized malware continue to plague organizations trying to protect information assets. Cases involving the use of social tactics more than doubled and physical attacks like theft, tampering, and surveillance ticked up several notches.

What commonalities exist?

98% of all data breached came from servers
85% of attacks were not considered highly difficult
61% were discovered by a third party
86% of victims had evidence of the breach in their log files
96% of breaches were avoidable through simple or intermediate controls
79% of victims subject to PCI DSS had not achieved compliance

As in previous years, nearly all data were breached from servers and applications. This continues to be a defining characteristic between data-at-risk incidents and those involving actual compromise. The proportion of breaches stemming from highly sophisticated attacks remained rather low yet once again accounted for roughly nine out of ten records lost. In keeping with this finding, we assessed that most breaches could have been avoided without difficult or expensive controls. Yes, hindsight is 20/20 but the lesson holds true; the criminals are not hopelessly ahead in this game. The more we know, the better we can prepare. Speaking of being prepared, organizations remain sluggish in detecting and responding to incidents. Most breaches are discovered by external parties and only then after a considerable amount of time.

Some interesting points from the data above:

  • 98% of all data breached came from servers.  Needless to say, servers are where you want to spend your time, money and effort on security.
  • 86% of victims had evidence in their log files.  Log monitoring is essential.  Without it, you have no idea what is happening to your data, even when the evidence is already sitting on your own systems.
  • 38% of breaches used malware.  Malware isn’t just about popping up porn pictures anymore.  Malware is about stealing data and profiting from that data.
  • 96% of breaches were avoidable through simple or intermediate controls.  That is an amazing figure, and it tells me that with proper basic security in place it is possible to avoid the majority of data breaches.
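The log-monitoring point above is only useful if someone actually reads the logs, and the report's own list of leading attack methods (weak or stolen credentials, SQL injection) tells you what to read them for. The script below is an added example, not code from the report or from this post: it runs two simple detections over a constructed web-server access log, flagging requests whose decoded URI carries common SQL injection markers and IP addresses that produce a burst of failed logins followed by a success. The log lines, the `/login` path, the use of HTTP 401 for a failed login and 302 for a successful one, and the threshold of five failures in sixty seconds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. These lines are invented
# for this example (private and RFC 5737 documentation addresses); they come
# from no real system and are not drawn from the DBIR. Assumption: the
# application answers a failed login at /login with HTTP 401 and a successful
# one with a 302 redirect.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Aug/2010:09:14:01 -0400] "GET /patients/view?id=1042 HTTP/1.1" 200 3120
10.0.0.5 - - [12/Aug/2010:09:14:07 -0400] "GET /patients/view?id=1043 HTTP/1.1" 200 3098
203.0.113.9 - - [12/Aug/2010:09:20:11 -0400] "GET /patients/view?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211
203.0.113.9 - - [12/Aug/2010:09:20:15 -0400] "GET /patients/view?id=1042%20UNION%20SELECT%20ssn,dob%20FROM%20patients-- HTTP/1.1" 200 91822
192.0.2.44 - - [12/Aug/2010:09:31:00 -0400] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [12/Aug/2010:09:31:02 -0400] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [12/Aug/2010:09:31:03 -0400] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [12/Aug/2010:09:31:05 -0400] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [12/Aug/2010:09:31:06 -0400] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [12/Aug/2010:09:31:09 -0400] "POST /login HTTP/1.1" 302 0
"""

# One Common Log Format line: client IP, identity, user, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Coarse signatures for SQL injection attempts in a decoded request URI. They are
# deliberately simple, will produce some false positives, and should be tuned to
# the application being monitored.
SQLI_PATTERNS = [
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"'\s*(?:or|and)\s*'", re.I),
    re.compile(r"--\s*$"),
]

FAILED_LOGIN_THRESHOLD = 5                   # this many failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)  # ... inside this window is a burst


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = unquote(rec["path"])  # decode %27 etc. before signature matching
    return rec


def detect_sqli(records):
    """Flag every request whose decoded path matches a SQL injection signature."""
    findings = []
    for r in records:
        if any(p.search(r["path"]) for p in SQLI_PATTERNS):
            findings.append({"type": "sqli_attempt", "ip": r["ip"],
                             "ts": r["ts"], "path": r["path"]})
    return findings


def detect_login_bursts(records):
    """Flag IPs with a burst of failed logins, noting whether a success followed."""
    attempts = defaultdict(list)
    for r in records:
        if r["path"].startswith("/login"):
            attempts[r["ip"]].append((r["ts"], r["status"]))
    findings = []
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 401]
        for i in range(len(failures)):
            # Grow a window from failure i while it stays inside FAILED_LOGIN_WINDOW.
            j = i
            while j + 1 < len(failures) and failures[j + 1] - failures[i] <= FAILED_LOGIN_WINDOW:
                j += 1
            if j - i + 1 >= FAILED_LOGIN_THRESHOLD:
                success_after = any(status in (200, 302) and ts >= failures[i]
                                    for ts, status in events)
                findings.append({"type": "failed_login_burst", "ip": ip,
                                 "ts": failures[i], "failures": j - i + 1,
                                 "success_after": success_after})
                break  # one finding per IP is enough to raise an alert
    return findings


def analyze(log_text):
    """Parse every well-formed line and return all findings, oldest first."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = detect_sqli(records) + detect_login_bursts(records)
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ACCESS_LOG):
        print(finding)
```

Both detections are intentionally naive; the point is that even this much review would have surfaced the two events in the sample long before a third party reported them. In practice the same logic belongs in whatever log collection you already run, with the thresholds and signatures tuned to the application and with the server logs shipped off the server so an intruder cannot edit them.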

HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule in much more depth, but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.  A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail on each of the three parts and provides questions and examples to help you better understand the concepts and principles.
