BreachExchange mailing list archives

Can the new HIPAA rule cut PHI breaches?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Nov 2013 03:16:45 -0700

http://www.networkworld.com/news/2013/110813-can-the-new-hipaa-rule-275790.html?source=nww_rss

In the endless conflict over the protection of PHI -- Protected Health
Information -- the good guys appear to be losing more battles, but winning
the overall war, at least for the moment.

According to a study released early this year by IT security auditing
vendor Redspin, "large" (more than 500 records) breaches of PHI jumped 21.5
percent, 121 to 146, from 2011 to 2012. But, the total number of individual
records compromised dropped 77 percent, from 10.6 million to 2.4 million,
during the same period.

Dan Berger, president and CEO of Redspin, cautioned that this could be
misleading -- that it takes only one catastrophic breach to skew those
numbers in the other direction. "While that looked like a trend earlier
this year, it has been essentially negated by the Advocate Health breach of
more than 4 million patient records as a result of the theft of a desktop
computer this past July," he said.

That made the largest breach of 2012 -- 780,000 records from the Utah
Department of Health -- look paltry by comparison.

There was yet another major breach on Oct. 12, when two password-protected
laptops containing 729,000 patients' data were stolen from the
administrative offices of AHMC Healthcare Inc. Still, the total remains
well below the number of individual records breached in 2011.

And at least some experts say the downward trend could continue, or even
accelerate, with the implementation last month of the latest update of the
Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule.

The biggest change is that the update vastly expands the number of
organizations directly responsible for compliance with HIPAA requirements,
which also makes them liable for failure to secure PHI. Instead of those
regulations applying only to health care providers, known as "covered
entities," the list of responsible and liable parties now includes their
Business Associates (BA) as well -- dozens or even hundreds of vendors,
contractors and consultants they hire -- and even the subcontractors of
those BAs, if they handle PHI.

Rachel Seeger, of the federal department of Health and Human Services (HHS)
Office of Civil Rights (OCR), which enforces the HIPAA regulations, said
BAs and subcontractors are now "directly liable" for compliance with
certain HIPAA privacy and security rules, including:

- Impermissible uses and disclosures (including more than the minimum
  necessary)
- Failure to provide breach notification to the covered entity (such as a
  health care provider), or, if a subcontractor, to the BA
- Failure to provide an individual with electronic access to his or her PHI
- Failure to make internal practices, books, and records available to the HHS
  secretary to determine compliance with the HIPAA Rules
- Contractual liability for requirements of the business associate agreement
- Liability for actions of agent subcontractors

The penalties per violation range from $100 to $50,000, depending in part
on whether the violation was caused by ignorance or willful neglect, with a
maximum of $1.5 million per year for violations of a specific provision.

Berger said he thinks the new focus on BAs will yield substantial
dividends. "Given that more than 50 percent of PHI breaches to date have
involved a business associate in some way or another, we should expect
great improvement," he said.

The HIPAA update requires custodians of PHI to make sure it is "unusable,
unreadable and undecipherable" by any unauthorized parties, which Redspin
also said it expected to curb the number of, and damage from, data
breaches, since that would require encryption on all portable devices (a
third of all large breaches to date were caused by the loss or theft of
portable devices).

Security experts offer mixed opinions on how much those recommendations and
the new Omnibus Rule will reduce breaches of PHI. Danny Lieberman, CTO of
Software Associates, is dubious. "I think the Omnibus Rule has low-balled
the amount of work that BAs and hospitals need to do to detect and prevent
data loss," he said.

Lieberman noted language in the new rule that says BAs and subcontractors,
"should already have in place security practices that either comply with
the Security Rule, or that require only modest improvements to come into
compliance..."

"There is no basis in the empirical data -- considering the volume of data
breaches -- to make statements like that," he said. "The U.S. healthcare
system is so complex, I don't see how making data breach a criminal offense
will mitigate the attacks on PHI."

Martin Fisher, director of information security for Wellstar Health System,
is more optimistic. While he does not think the number and breadth of
breaches will decline immediately, "if enough traction happens, over time
you'll see the number of breaches come down," he said, comparing it to
improvements in standards for the Payment Card Industry (PCI). "That is a
good template for what you are likely to see," he said.

Fisher said one of the best things about the update is that, "it provides a
sense of finality to the rule. Operating under an interim rule always makes
you question the investments you are going to make -- will the BlinkyLight
you're buying meet the final requirement? That sense of certainty is a very
good thing."

There is also some doubt that encryption will provide bulletproof
protection to PHI. The mantra in security for years has been,
"encryption is not enough." Berger argues it is, "one heck of a way to
start," he said. "More than 50 percent of the breaches to date would not
even have qualified as reportable breaches if the devices had been
encrypted. Ultimately, security is about reducing risk," he said.

Cam Roberson, director of the Reseller Channel at Beachhead Solutions,
agrees that encryption provides some protection, but only some. "Encryption
protects data if the power is off and the password is unknown or can't be
learned or hacked," he said. "However, encryption cannot protect the data
if a device is stolen with the power on and the computer is authenticated
or if the password is somehow compromised."

While the update does not address it directly, there are also risks from
BYOD (Bring Your Own Device) in a world increasingly dominated by
smartphones and tablets. Bob Russo, general manager of PCI SSC (Payment
Card Industry Security Standards Council), said recently that mobile
devices for the consumer market do not meet PCI DSS (Data Security
Standard) compliance requirements.

But most experts agree with Fisher, who said attempting to ban them in
health care organizations would be "idiotic. Very few things will function
as an enabler of improving patient experience and safety than well deployed
mobile technologies. It is the way things are going. Fighting that is like
fighting a rising tide," he said, adding that it is possible to comply with
HIPAA standards through Mobile Device Management (MDM) technologies and
applications.

Still, all agree that the human element, both from innocent mistakes and
malicious intent, can trump policy and technology.

Lieberman agrees that encryption has some value, but said, "because it's so
easy to attack endpoints -- think people, default passwords, Windows
vulnerabilities and USB -- encryption is good for transporting data but as
long as you have endpoints you will have data breaches."

And he doesn't believe "security awareness" training is an effective
countermeasure. Those who do believe in it, he said, should let employees
know they will be held accountable. "Make sure you fire people immediately
if they break your data governance policy," he said. "If you don't have
one, write one today and work top down from the CEO to line managers making
sure everyone knows what data governance means -- the policy should be a
half page and should finish with, 'You get fired if you break it.'"

Lieberman said the major risk of a data breach due to loss or theft is not
employee carelessness. "It is a behavior issue but it's mostly a criminal
issue," he said, "and that is not mitigated by training. When there is a
financial incentive to steal data and you have an insider or partner with
access, then you have motivation and means and all you need is opportunity
to have a crime."

Fisher is also dubious that training employees in security consciousness
will curb breaches. "We need to 'build security in,' and make the secure
way of doing business the way the business people will use by default. I'm
not saying effective awareness training has no value but putting too much
reliance on it is not a winning strategy," he said.

Roberson agrees. "Productivity trumps security," he said. "Consider the
salesperson in the field who has a better chance of closing business if
they have immediate access to important data. Think he or she wouldn't do
it? The likely thought process would be that, 'Closing business is in the
best interest of my firm, and a security breach will never happen to me.'"
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 