BreachExchange mailing list archives

Healthcare Data Breaches To Surge In 2014


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Dec 2013 19:14:52 -0700

http://www.informationweek.com/healthcare/policy-and-regulation/healthcare-data-breaches-to-surge-in-2014/d/d-id/1113259

Healthcare will be a hotbed of consumer data breaches in 2014, according to
an Experian report, "2014 Data Breach Industry Forecast."

"The healthcare industry, by far, will be the most susceptible to publicly
disclosed and widely scrutinized data breaches in 2014," according to the
report (registration required), which addressed healthcare risks as one of
six major trends. "The sheer size of the industry makes it vulnerable when
you consider that as Americans, we will spend more than $9,210 per capita
on healthcare in 2013. Add to that the Healthcare Insurance Exchanges
(HIEs), which are slated to add seven million people into the healthcare
system, and it becomes clear that the industry, from local physicians to
large hospital networks, provide an expanded attack surface for breaches."
The "attack surface" of a system refers to the parts that pose the greatest
opportunity for attack or error.

Best known as a credit bureau and consumer data tracking service, Experian
also has a business helping companies recover from personal data breaches.
The company has had its own data security problems this year. Michael
Bruemmer, vice president of its breach resolution service, Data Breach
Resolution, and author of the report, said healthcare accounted for about
46% of the breaches his division serviced in 2013 -- and he expects that to
rise significantly in 2014.

Bruemmer said he is basing this prediction at least partly on reports of
security risks posted by the HealthCare.gov website and the health
insurance exchanges established by various states. The web infrastructure
to support health insurance reform was "put together too quickly and
haphazardly." The most glaring problem for these sites has been their
inability to keep up with consumer demand. The organizational
infrastructure behind the implementation of Obamacare is also complex,
meaning that many parties have access to the personal data and could misuse
or mishandle it. "So we have volume issues, security issues, multiple data
handling points -- all generally not good things for protecting protected
health information and personal identity information."

Another factor: In 2014, the industry will feel the full force of tightened
rules that went into effect in September for protecting health
information and disclosing breaches.

Part of the problem is that many participants in the healthcare industry,
such as individual doctor's offices, don't think of themselves as being in
the data management business, so they are inadequately prepared to protect
data against the threats that exist today, according to Bruemmer. In most
cases, data breaches have less to do with advanced hacking techniques than
with lost laptops, failing to shred paper records, and other employee
errors. Though the threat from malicious insiders is significant, a bigger
threat is "people doing dumb things."

In the IT realm, there are stories of people installing anti-malware
software but forgetting to turn it on. "And then there's my favorite: where
the people in the network operations center actually left the door
unlocked, and another employee came in, sat at a console, and played around
with the system to see what he could get."

Overall, Experian's remediation group worked on more than 2,200 breaches in
2013, versus 1,700 in 2012. In three of the top 10 breaches, the error was
traced to a system administrator's sloppy password practices, such as
neglecting to change a default password or carelessly sharing the password.

Whether stolen or accidentally disclosed, healthcare data is valuable, and
that makes it a target. On the black market, personal records suitable for
use in identity theft are worth $10-$12 each at the low end or maybe
$25-$28 for a particularly attractive identity, he said. When enriched with
health data, the value of an identity data set jumps to about $50 per
record, because then it can be used for medical and insurance fraud.

"The threat is out there, and the threat is going to get bigger," Bruemmer
said. "The point is to ensure that you're prepared and have a plan in
place."