BreachExchange mailing list archives

How To Avoid Health Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:05:47 -0600

http://www.healthcaretechnologyonline.com/doc/how-to-avoid-health-data-breaches-0001

Healthcare Technology Online asked recently, “Are Health Data Breaches An
Epidemic?”

“As the healthcare industry continues to digitize patient data as part of
the EHR movement, instances of reported health data breaches are on the
rise,” wrote Ken Congdon, who then noted a number of examples, including:

- The Utah Department of Health suffered a data breach in March 2012 when
  hackers broke into a Medicaid server and removed patient files.
- In April 2013, the William Jennings Bryan Dorn VA medical center notified
  7,405 patients that an unprotected laptop containing their personal health
  information was stolen.
- Altamonte Springs, FL-based Adventist Health System/Sunbelt was slammed
  with a class action lawsuit for allegedly failing to safeguard the
  protected health information of more than 763,000 patients in its
  electronic database.

Now, with the HIPAA Final Omnibus Rule establishing new standards and
penalties for breaches such as those above, avoiding them is more important
than ever. A post on Mondaq reviews the HIPAA Final Rule, writing, “Any
acquisition, access, use or disclosure of unsecured PHI in a manner not
permitted by HIPAA will be presumed to be a breach. To overcome this
presumption, the Covered Entity or business associate must demonstrate (and
document) the low probability that the PHI was compromised. The factors to
be weighed in assessing the probability of compromise must include the
following four factors at a minimum:

- The nature and extent of the PHI involved, including the types of
  identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk of harm to the affected individuals has been
  mitigated.”

Avoiding breaches is the best way to avoid the penalties associated with
them, and Healthcare IT News reports avoidance was the subject of the HIMSS
Media/Healthcare IT News Privacy and Security Forum held recently.

Jon Hale, vice president of security practice at Attachmate, spoke at the
forum and said the greatest danger of a security breach is “the unknown
unknown.” To combat that, a provider needs to familiarize him or herself
“with HIPAA and subject (their) organization to a rigorous risk assessment.”

Forest Blanton, senior vice president and CIO at Memorial Healthcare System,
offered more advice: “prepare, and don’t panic.” Healthcare IT News
summarizes Blanton’s presentation: “With employees handling data every day,
we can’t simply ‘look at an assessment just like a checklist,’ a
once-and-done review to make sure that technology systems are sound and
compliant.

“Indeed, the most damaging security problems are often ‘low-tech,’ he said,
and can happen on any given day – employees stealing copies of face sheets,
for example, or taking pictures with camera phones.”

And keeping up with security risks is a never-ending process, according to
experts. “I don’t think we’ll ever be done. It’s like a game of cops and
robbers, and technology is always moving,” said Blanton. And in his
experience, hospital audits constantly turn up risks from virtually all
technology. “We end up with thousands of listings of things that are
vulnerabilities, but that might not be the most important thing to put your
attention on,” said Blanton. “That’s where the analysis of the risk, and
where the threats are, becomes key. We could spend our whole lives fixing
things that might not be that important.”

Reviewing security, completing risk assessments, and upgrading passwords
and security controls can prevent dangerous security breaches, but in the
event one does occur, the best advice Blanton can offer is to learn a
lesson and move forward. “In our case, we looked where we had personally
identifiable information stored and it turned out, quite frankly, to be
pervasive throughout our system,” said Blanton. “We spent a long time, six
or eight months, figuring out where that information lies, who needs to
have access to it, removing it entirely from systems if it’s not necessary,
finding a way to expunge the historical records.”

And they made a lot of system upgrades. “We reviewed our password reset
policies – we tightened them up,” said Blanton. “We put in processes to
look at our affiliated physicians and their activity, to make sure that
they’re vouching that their employees legitimately have access to the
information – we do that about every 90 days now.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/