BreachExchange mailing list archives

HHS breach investigations badly backlogged, leaving us in the dark


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 6 Feb 2013 09:15:09 -0500

http://www.phiprivacy.net/?p=11555

To say that I am frequently frustrated by HHS’s “breach tool” would be
an understatement. Their reporting form and coding often make it
impossible to know – simply by looking at their entries – what type of
breach occurred. Consider this description from one of their entries:

“Theft, Unauthorized Access/Disclosure”,”Laptop, Computer, Network
Server, Email”

So what happened there? What was stolen? Everything? And what types of
patient information were involved?

Or how about this description:

“Unauthorized Access/Disclosure,Paper”

What happened there? Did a mailing expose SSN in the mailing labels or
did an employee obtain and share patients’ information with others for
a tax refund fraud scheme? Your guess is as good as mine. And HHS’s
breach tool does not include any data type fields that might let us
know whether patients’ SSN, Medicare numbers, diagnoses, or other
information were involved.

If HHS followed up on these entries in a timely fashion with
additional details, it would still be somewhat frustrating, but they
don’t. HHS withholds crucial information about breaches that are
“under investigation” and they are years behind in investigating
incidents.

Yes, years.

If you look at the .csv form of the breach tool, you’ll see that when
HHS closes an investigation, it enters a summary of the incident. But
if you scroll down their database, you’ll note that some incidents
from 2010 and many incidents from 2011 are presumably still open. And
not one incident’s investigation from 2012 has been closed. Not one.

It is possible that some investigations that appear open are open
because they have been referred to OCR for further action or may
involve some enforcement action or pending resolution. But for most of
the entries, it is not clear why the breach investigation has not been
closed. And until it is closed, HHS will not tell us anything.

Because many entities still do not post notifications on their web
sites and I cannot always find substitute notices in local media, the
breach tool is often the only information we have about a breach
involving more than 500 patients’ protected health information. HHS’s
reluctance to discuss a case under investigation is understandable,
but not if it takes them years to investigate and close a file. And
with the new HITECH breach notification rules, there will likely be an
increase in the number of breach notifications to HHS and even more
breaches that they will have to investigate.

Something needs to change. Those of us who track and analyze breach
trends need more transparency and information, not information that is
delayed by more than two years.

I’m not sure who in HHS or Congress might give a damn, but feel free
to pass these concerns along.
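An added example, not part of the original post, showing the kind of analysis described above in Python: it reads constructed rows laid out like the breach tool's .csv, treats an entry with no summary as presumed still open, counts open versus closed entries per year, and flags rows whose multi-valued type or location fields leave it unclear what actually happened. The column names, covered entities, dates and counts are assumptions, not rows from the real file.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the style of the HHS breach tool .csv. The column
# names, entities, dates and figures are assumptions, not real rows.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Summary
Example Hospital A,TX,1200,03/04/2010,"Theft, Unauthorized Access/Disclosure","Laptop, Computer, Network Server, Email",An unencrypted laptop was stolen from an employee vehicle.
Example Clinic B,OH,640,11/09/2011,Unauthorized Access/Disclosure,Paper,
Example Practice C,NY,3100,06/21/2011,Theft,Laptop,
Example Health Plan D,CA,980,02/14/2012,Unauthorized Access/Disclosure,Paper,
Example Hospital E,FL,5200,09/30/2012,Hacking/IT Incident,Network Server,
"""

def split_multi(value):
    """Split a comma-delimited field such as 'Theft, Unauthorized Access/Disclosure'."""
    return [v.strip() for v in value.split(",") if v.strip()]

def load_entries(text):
    """Parse breach-tool-style CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def year_of(entry):
    # Submission dates in the sample are MM/DD/YYYY; the year is the last part.
    return int(entry["Breach Submission Date"].split("/")[-1])

def is_open(entry):
    # An entry with no summary is presumed to be still under investigation.
    return not entry["Summary"].strip()

def open_closed_by_year(entries):
    """Count presumed-open and closed entries per submission year."""
    counts = defaultdict(lambda: {"open": 0, "closed": 0})
    for e in entries:
        counts[year_of(e)]["open" if is_open(e) else "closed"] += 1
    return dict(counts)

def breach_type_counts(entries):
    """Tally each breach type, splitting multi-valued 'Type of Breach' fields."""
    c = Counter()
    for e in entries:
        c.update(split_multi(e["Type of Breach"]))
    return c

def ambiguous_entries(entries):
    """Names of entries listing several types or locations, where the row
    alone cannot tell you what was taken or how."""
    return [e["Name of Covered Entity"] for e in entries
            if len(split_multi(e["Type of Breach"])) > 1
            or len(split_multi(e["Location of Breached Information"])) > 1]
```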
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list