Why Healthcare Must Operationalize Data Breach Response

COMMENTARY
Rick Kam, President and co-founder, ID Experts

Over the last decade, the scope of identity theft has widened from credit card and financial fraud to include widespread medical identity theft with potentially life-threatening consequences.

In that time, organizations have grown in awareness and readiness to combat identity theft. According to Larry Ponemon, chairman and founder of the Ponemon Institute, recent research shows that companies are doing a better job of detecting, containing, and responding to breach incidents than they were ten years ago.

“C-level executives and boards now realize the costly consequences of material data loss and appear to be more willing to approve investments in data protection technologies and expert personnel,” Ponemon explained. “That’s a hopeful sign.”

Even as organizations have improved their response to identity theft risks, new threats are emerging.

One of the biggest breach threats today is theft of Protected Health Information (PHI), specifically health insurance numbers, to commit medical identity theft and healthcare fraud. The significant value of this data to criminals, along with the complexity of securing the healthcare ecosystem, makes PHI vulnerable. In particular, the mobile device explosion and “advanced persistent threats” are testing the data security readiness of healthcare IT organizations.

Surviving the BYOD explosion
Ponemon Institute research shows that the emergence of insecure mobile devices (including “bring your own device” or BYOD) substantially increases the risk of material data breaches. Yet BYOD is a reality in the healthcare workplace: 88.6 percent of healthcare professionals access patient information with unsecured smartphones, according to a study by Cisco Systems.

The issue has reached a critical point, according to James Christiansen, chief information risk officer at RiskyData. “We don’t have the policies and procedures in place to ensure that every PC, laptop, smartphone, and tablet meets security standards before employees can access data on the internal networks,” he said. “Data can be encrypted on the enterprise level, but the access points and distribution points are hard to control.”

To combat the risks posed by unsecured mobile devices, Christiansen said risk managers need to identify where data resides in all its forms and compartmentalize use of that data to limit the potential damage from a data breach.

“Part of the severity of breaches is because of the volume of information we expose. Why are we distributing bulk data at all? For example, many breaches have been caused by lost or stolen laptops. We should be asking ourselves, ‘Did they need all of that data on the laptop?’” Christiansen recommends that the bulk of healthcare information reside behind the corporate firewall. “Instead of sending users all the raw data, how about doing more processing internally and sending just the analytical data or the transactional data?” he asked.
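One way to put Christiansen’s advice into practice is to decide, per task, which columns a device actually needs, pseudonymize the patient reference, and ship only that (or only aggregates) out of the data center. The following is an added example and not code from the article or from ID Experts; the records, field names, purpose allowlist and pseudonym key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample of raw records as they might sit behind the firewall.
# These are made-up values, not real patient data.
RAW_RECORDS = [
    {"patient_id": "P-1001", "name": "A. Example", "ssn": "123-45-6789",
     "insurance_id": "HIC-998877", "clinic": "north", "visit_date": "2013-02-01",
     "diagnosis_code": "E11.9", "balance_due": 120.00},
    {"patient_id": "P-1002", "name": "B. Example", "ssn": "987-65-4321",
     "insurance_id": "HIC-112233", "clinic": "north", "visit_date": "2013-02-01",
     "diagnosis_code": "I10", "balance_due": 0.00},
    {"patient_id": "P-1003", "name": "C. Example", "ssn": "555-55-5555",
     "insurance_id": "HIC-445566", "clinic": "south", "visit_date": "2013-02-02",
     "diagnosis_code": "E11.9", "balance_due": 45.50},
]

# Direct identifiers that must never leave the data center in a bulk export.
DIRECT_IDENTIFIERS = {"name", "ssn", "insurance_id"}

# Per-purpose allowlists (hypothetical): a device receives only the columns its task needs.
PURPOSE_FIELDS = {
    "billing_followup": {"patient_ref", "visit_date", "balance_due"},
}

# Server-side secret for pseudonymizing patient IDs (hypothetical value; a real
# deployment keeps it in a secret store or HSM, never on the device).
PSEUDONYM_KEY = b"server-side-secret-not-for-devices"


def pseudonym(patient_id: str) -> str:
    """Keyed hash so a device can reference a patient without learning the real ID."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def transactional_view(records, purpose):
    """Row-level export restricted to the allowlisted fields for one purpose."""
    fields = PURPOSE_FIELDS[purpose]
    out = []
    for r in records:
        row = {"patient_ref": pseudonym(r["patient_id"])}
        row.update({k: r[k] for k in fields if k in r})
        out.append(row)
    return out


def analytical_view(records):
    """Aggregate-only export: counts per clinic and diagnosis, no row-level data at all."""
    counts = {}
    for r in records:
        key = (r["clinic"], r["diagnosis_code"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def contains_direct_identifiers(rows):
    """Pre-export gate: refuse any row that still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)


if __name__ == "__main__":
    export = transactional_view(RAW_RECORDS, "billing_followup")
    assert not contains_direct_identifiers(export)
    print(export)
    print(analytical_view(RAW_RECORDS))
```

The gate in `contains_direct_identifiers` is deliberately a denylist on top of the allowlist: the allowlist decides what a purpose may see, and the gate catches the day someone adds `ssn` to an allowlist by mistake. A lost laptop holding the `billing_followup` export still leaks visit dates and balances, so the export is not harmless, but it no longer carries the fields that enable medical identity theft.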

Advanced persistent threat: The human factor… or termites?
Experts point to the “advanced persistent threat” posed by criminal hacking as one of the most serious emerging risks to PHI and PII. Ponemon predicts that, in the near future, the threat of cyber attacks will only increase.

“It appears that the malicious or criminal attackers — including hacktivists and nation states — have an advantage over today’s defenders of corporate data and IT infrastructure,” he said. “These bad guys only have to be successful once to cause havoc for governments, companies, and people.”

With stolen medical records now selling for $50 each on the black market, cyber attackers can make huge amounts from a successful data theft, so they are very persistent.

“These people can find an opening and then operate below the radar, spreading from server to server and database to database, slowly discovering PII and PHI and moving it out in chunks,” Christiansen explained.

“And the most sophisticated ones are monitoring your systems to see if you are monitoring them.”

He added that IT organizations must find better ways to detect, isolate, and stop these hackers. “Today, even if you find them, it’s like having termites in your house,” he said. “You don’t know where you’re compromised, so you have to deal with the problem by removing one ‘board,’ one server at a time.”
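The “moving it out in chunks” behaviour Christiansen describes is exactly what a per-transfer volume alarm misses: each upload stays under the ceiling, and only the running total over hours or days gives the attacker away. Below is an added example of that detection logic, not code from the article or from any product it mentions; the flow records, the internal address ranges and the thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (made up for this example): "timestamp src dst bytes_out".
# 10.0.5.21 sends eight sub-megabyte uploads to one outside host over a few hours;
# 10.0.7.3 makes a couple of small uploads and one large one; 10.0.9.8 copies internally.
SAMPLE_FLOWS = """\
2013-03-01T01:05:00 10.0.5.21 203.0.113.9 480000
2013-03-01T01:35:00 10.0.5.21 203.0.113.9 510000
2013-03-01T02:05:00 10.0.5.21 203.0.113.9 475000
2013-03-01T02:35:00 10.0.5.21 203.0.113.9 490000
2013-03-01T03:05:00 10.0.5.21 203.0.113.9 505000
2013-03-01T03:35:00 10.0.5.21 203.0.113.9 470000
2013-03-01T04:05:00 10.0.5.21 203.0.113.9 495000
2013-03-01T04:35:00 10.0.5.21 203.0.113.9 500000
2013-03-01T09:12:00 10.0.7.3 198.51.100.4 15000
2013-03-01T11:40:00 10.0.7.3 198.51.100.4 22000
2013-03-01T12:00:00 10.0.9.8 10.0.2.40 9000000
2013-03-01T14:20:00 10.0.7.3 203.0.113.77 6000000
"""

# Illustrative tuning; a real deployment derives these from the site's own baseline.
WINDOW = timedelta(hours=24)
PER_TRANSFER_CEILING = 1_000_000   # a single-transfer alarm would fire above this
CUMULATIVE_THRESHOLD = 3_000_000   # small chunks that add up past this are suspicious
MIN_TRANSFERS = 5

# Hypothetical internal ranges; the check is "is this destination outside our network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_chunked_exfil(flows):
    """Flag (src, dst) pairs whose transfers stay individually small but accumulate
    past CUMULATIVE_THRESHOLD within a sliding WINDOW."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_external(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        window, total = [], 0
        for ts, nbytes in events:
            if nbytes > PER_TRANSFER_CEILING:
                continue  # large single transfers belong to the per-transfer rule
            window.append((ts, nbytes))
            total += nbytes
            while window and ts - window[0][0] > WINDOW:
                total -= window.pop(0)[1]   # expire events older than the window
            if len(window) >= MIN_TRANSFERS and total >= CUMULATIVE_THRESHOLD:
                alerts.append({"src": src, "dst": dst, "transfers": len(window),
                               "bytes": total, "last_seen": ts})
                break  # one alert per pair is enough to start the investigation
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run on the sample, the rule raises one alert, for 10.0.5.21 to 203.0.113.9 after the seventh chunk, and stays quiet on the two benign hosts. The internal-to-internal copy is ignored here on purpose; the server-to-server spreading in the same quote is a separate signal (one host touching many database servers it never touched before) and deserves its own rule rather than being folded into this one.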

Dealing with imminent danger
The 2012 Ponemon Study on Patient Privacy & Data Security showed that many organizations have not stepped up their data privacy and security programs to meet these evolving threats, and those organizations may be running out of time. I think the consolidation of millions of electronic health records (EHRs) in Health Information Exchanges (HIEs) will create an opportunity for the next big data breach. The stimulus money that funded HIEs is drying up, forcing the exchanges to find other sources of revenue. Lack of security funding and the opening up of these exchanges to additional organizations will create the potential for large data breaches.

I recommend that healthcare organizations operationalize incident response to data breaches. When response is built into normal operations, risks can be managed more effectively at all levels from the data center to customer-facing functions. There are also state and regulatory policies that urgently need to be addressed. For example, the Medicare identification number should be changed from the Social Security number to something unique.

Lessons from a decade of breaches
The news is not all bad. Over the past 10 years, I’ve seen many organizations come to realize that data breaches are something that can happen to them, not just to others.

The level of awareness has increased at all levels, from the executive suite to consumers. Many more breaches are discovered now than in 2003, due in part to legislation such as HIPAA, HITECH, the Red Flags Rule, and state data breach notification laws that require disclosure and corrective actions.

So major challenges are ahead, but we have made progress.

This article was originally published on Government HealthIT and is re-published here with permission.