Data Protection Remains Shaky

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

Data remains exposed in significant numbers in the healthcare industry. The monthly Protenus Breach Barometer shows that the trend of at least one breach per day in a month is continuing. To be specific, Protenus and showed 37 breaches being disclosed for the first time in May. The number is significant, demonstrating the ongoing challenge for the healthcare industry. The not-so-old adage that it is not a matter of if you get breached, but when, is only proving to be more and more accurate.

A couple of findings from the report stand out. First, three breaches were not reported for over 1000 days from the date of discovery. This is a substantial period of time during which a breach remained unreported. Why did it take so long for these organizations to report? What breakdown in auditing and monitoring of systems occurred? The delay in reporting could be attributed to the high number of insider breaches reported in May. A common concern about insider breaches is the difficulty of detecting them. An insider can slowly leak data out of a system or otherwise mask activity. Additionally, despite widespread reports that insiders are a top threat, outside issues such as ransomware garner many of the headlines and much of the spotlight. Drawing attention away from insiders is dangerous, though. As noted, insiders understand a system, have approved access to data, and have many opportunities to extract data. No organization should feel safe. It is not a matter of a lack of trust so much as recognizing reality.

The concern about insider threats leads to the second standout item from the May report, namely that insiders caused 15 of the 37 breaches reported. As reported by Protenus, 10 of the insider breaches were the result of an error. While not good, there is a silver lining in that errors should be one-time events and without malicious intent. The other five insider breaches were the result of malicious conduct. Such conduct includes obtaining information for personal gain, selling information to known criminals, and other conduct in the same vein. The common theme of the malicious breaches is the desire to profit or personally gain from taking the information. If an individual has a strong desire to create a personal benefit, it will be difficult to stop that individual ahead of time. However, organizations can do a better job of rooting out the internal bad actors. Organizations should be routinely auditing and monitoring systems, records and other aspects of protected health information. Further, automated systems can be deployed to enhance individual efforts. Using a combination of tools can speed up the time of discovery, which in turn can enhance mitigation efforts.

As can be seen, the Breach Barometer should be mandatory monthly reading for many entities. Until security efforts can be improved, it is instructive to learn lessons from the monthly summary of breach reports. Optimistically, it is hoped that those lessons are from others and not from within one’s own organization.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.