BreachExchange mailing list archives

As Data Breaches Spread, Providers and Payers Must Prepare

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 6 May 2015 18:19:34 -0600

http://www.healthleadersmedia.com/page-1/TEC-316074/As-Data-Breaches-Spread-Providers-and-Payers-Must-Prepare

Three words healthcare executives dread hearing—"we've been hacked"—are
reverberating in hospitals, health systems and physicians groups with
growing frequency.

Just last week, Boston-based Partners Healthcare notified 3,300 patients
that some information including names, addresses, dates of birth, telephone
numbers and Social Security numbers and clinical information had been
leaked to hackers. In February, the country's largest insurance company,
Anthem, announced that 80 million member and employee records had been
breached.

Most organizations will experience a data breach at some point, says
Elizabeth Hodge, of counsel at Akerman LLP, a lawyer representing a variety
of healthcare organizations in compliance-related matters from her firm's
West Palm Beach office.

"If you are a healthcare entity, you should anticipate that you will have a
breach of unsecured health information at some point," she says.

The Ponemon Institute, a data security research and consulting firm, found
in its annual benchmark study that healthcare providers experience frequent
data breaches involving the loss, even the theft, of patient health
information.

About 90% of healthcare organizations were found to have had a data breach
within the last 24 months. "These are not like Anthem," says Larry Ponemon,
PhD, the firm's founder and chairman. "We're talking, 10, 20, maybe 100
individual records [involved]." While the numbers of patients who have had
personal data leaked might not be as high as a massive breach like
Anthem's, the implications for those people are no less troubling.

Social security numbers, credit card information, and other private data are
valuable. But the "crown jewel" for a data thief, Ponemon says, is a full
medical record, which can fetch a criminal as much as $250.

Frequently, the information is used to impersonate the victim or set up a
fake identity. A full chart with headers contains personal data, payment
information, and often social security numbers which can be used to obtain
medical treatment.

"This kind of crime is on the rise. These criminals use medical credentials
to get healthcare and pharmaceutical products. We've seen them get cosmetic
surgery, scooters, all kinds of treatments," he says.

Organizations are often taken by surprise. "A lot of providers are unable
to know with precision whether they've had a data breach, or if data has been
lost or stolen," Ponemon says. While some breaches are due to malicious
intent, data is often lost due to a glitch or error, and such losses are
unlikely to be reported.

And even when IT or security is aware of a breach, the news doesn't always
make its way up the ranks to the organization's leadership.

Be Prepared
Dealing with a data breach really starts by being prepared for it, says
Hodge.

"Before the breach ever happens, from a legal and good business planning
perspective, you should anticipate that you will have a breach of unsecured
health information at some point in your business' life," she says.

Decide ahead of time who will be responsible for handling each process and
have a plan in place. Hodge suggests that all stakeholders across the
organization be involved. "You want the head of the IT department involved…
if you have a security officer, you want that person involved, too," she
says. Any in-house counsel will need to work on this issue as well, and
likely the hospital CEO.

Insurance may help defray the costs of responding to a breach, but as the
Department of Homeland Security confirms, the cybersecurity insurance
market is young and confusion about policy costs and coverage is abundant.

Communicate Carefully
According to HIPAA regulations, organizations have 60 days from date of
discovery of the breach to provide notice to patients that their data has
been compromised. "There is an exception for situations where law
enforcement has requested a delay in notifying patients beyond that
window," Hodge adds, although those are fairly rare.

While regulations vary state by state, most require patients to be notified
in writing, via US mail. "If there is an emergency situation, you can
provide notification via alternate means, such as telephone, but follow up
in writing," suggests Hodge.

Publicly announcing that there has been a breach can inadvertently make the
situation worse if it is done too soon. One consequence of announcing a
malicious breach prematurely is that it can alert the criminals that they
have been discovered, which can foil any opportunity to properly
investigate or track them down.

And an announcement made before the extent of the breach is known can
discredit an organization. "What you don't want is to say on Monday, 'We've
experienced a data breach of 30,000 medical records,' then, on Tuesday,
come out and say, 'we were wrong, it was one million records'—only to come
out a week later and say it was actually 27 million," says Ponemon.

Hodge also warns against speculation when talking to outside parties,
whether they be the media, patients, or anyone else, which can be difficult
when confronted with tough or angry questions without apparent answers. "I
would say that we need to be truthful and communicate what we know," she
says.

Showing real concern for those impacted is important, however. "Communicate
that you take such incidents seriously. Describe efforts that you and your
organization are taking to fix the situation," she urges.

Also, Hodge advises not to give too much detail regarding measures the
organization takes to protect against future breaches, as that might put
the electronic data in even further trouble.

Damage Control
Once the public has been made aware of a breach, the next step is to focus
on repairing relationships with customers (patients). In the past it may
have been considered a bad idea from a legal perspective to apologize for a
data breach, but that is no longer the case.

"There are ways to apologize that someone's info was accessed without
accepting blame," Hodge says. "Maybe you can't escape that perhaps your
employee did something they should not do, but I think that in most notice
letters I've seen, the entity does make an attempt to express regret for
the incident."

She believes that refusing to express regret rather than issuing a simple
apology is more likely to inspire customer outrage or a potential lawsuit.

Ponemon's research suggests she is correct, finding that 43% of customers
will return to an organization that leaked their information if they
receive a heartfelt apology. Additionally, Ponemon and Hodge both suggest
offering impacted patients free credit monitoring services and legal
assistance should they become victims of identity theft as a result of a
breach.

Despite portrayals in film and TV, the majority of breaches are not easily
traced within hours. It can take weeks or months to determine the source of
a leak, and the full extent of the damage. It's also possible there will be
unpleasant surprises once the source comes to light.

"It's one thing if the records were infiltrated by an outside actor, but
it's different if one's own employees may have been improperly accessing
records internally," says Hodge.

As many as 75% of data breaches are estimated to be "inside jobs," although
many are not intentional. "As more organizations are relying on non-expert
IT people, these situations are becoming more prevalent," says Ponemon. "A
lot of these incidents are just good people doing stupid things."