BreachExchange mailing list archives

Doctors: Is There a Data Breach In Your Practice’s Future?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Oct 2013 00:30:38 -0600

http://www.physiciansnews.com/2013/10/07/doctors-is-there-a-data-breach-in-your-practices-future/

Did You Know… that the number of people falling victim to identity theft
has more than doubled since 2003? In 2003, five million people were
victims of identity theft. In 2012, that number jumped to 12.5 million. And
the number of people affected by data breaches in the U.S. continues to
climb each year.

In the prior decade, most data breaches were caused by human error (such as
lost devices or records being exposed in insecure ways). Now, breaches have
become more targeted and sophisticated with a large and growing number of
breaches being caused by hackers and cyber criminals. Because data can now
reside in multiple locations, including unsecured smartphones, laptops and
tablets, and can be transported to an infinite number of locations, thieves
have more areas to target. Most experts agree that the problem of data
breaches will get worse before it gets better, with breaches expected to
become not only more frequent, but also more severe.

There is also more awareness of data risk than there was a decade ago,
thanks in large part to the Health Insurance Portability and Accountability
Act (HIPAA), the HITECH Act, the Red Flags Rule and state data breach
notification laws that require disclosure and corrective action by
healthcare organizations.

How Much Does a Data Breach Cost a Practice?

A data breach at even a small physician practice could easily run into the
hundreds of thousands of dollars — enough to cripple a practice running
week to week financially. Some expenses physicians can expect to incur when
a breach occurs include legal fees, IT forensic costs, notification costs,
credit monitoring costs, public relations expenses to salvage patient
goodwill and advertising expenses to make the public aware of the steps
that have been taken to address the breach. There may also be significant
penalties assessed against a practice involved in a data breach, which may
range from $100 to $50,000 per violation. The Department of Health and
Human Services’ Office for Civil Rights has made clear that no practice is
too small to be fined.

Are You Complying With the Latest Requirements?

Physicians are becoming increasingly aware that compliance with regulations
like HIPAA is imperative. While training and preparation of compliance
plans is something many practices can accomplish, there remains a challenge
to control the multitude of data found on laptops, smartphones, memory
sticks, human resources systems and other devices that are used in
day-to-day operations of a medical practice.

Physician practices should have complied by September 23, 2013 with a final
set of HIPAA federal privacy rules. Under the new rules, doctors now must
assume the worst-case scenario in the event of a possible privacy breach.
Previous regulations had required a practice to notify affected patients
and the federal government only if it determined that a breach involving
patient records had occurred and that it carried a significant risk of
financial or reputational harm to patients. The new rules eliminate that
standard, and replace it with a stricter one. Now, any incident involving
patient records is assumed to be a breach, and unless a practice conducts a
risk assessment that proves a low probability that any protected
information was compromised, the breach must be reported. This new standard
is expected to result in many more official reports of breaches, as well as
additional work and costs to physician practices. (For the full rule, go to
www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.)

HIPAA typically has focused on healthcare professionals, health plans and
other entities that process health insurance claims. But because some of
the largest security breaches have involved healthcare providers’ business
associates, many of the law’s requirements were extended to these entities
as well as their subcontractors. For physicians, a business associate may
be any firm that handles patient data, such as a storage provider, a
shredding company or a benchmarking firm that measures physician
performance. With contractors becoming as fully liable as everyone else
affected by HIPAA, physicians’ offices are going to take on additional
legal responsibilities. For example, if someone paid to shred patient files
instead throws the documents into a trash bin and causes a breach, the
practice also is subject to enforcement violations caused by that business
associate. Although the rules specify September 23 as the compliance date
for the new regulations, healthcare professionals have an extra year to
revise existing business associate agreements to become compliant.

Additionally, physicians need to stay abreast of new risks that are
identified as needing attention. For example, the Department of Health and
Human Services now wants photocopy machines examined as part of data
security. Physician practices need to make sure that all personal
information is wiped from hardware before it is recycled, thrown away or
sent back to a leasing agent. For more information on safeguarding
sensitive data stored in the hard drives of digital copiers, go to
http://business.ftc.gov/documents/bus43-copier-data-security.

Are You Adequately Insured Against Data Breach Risks?

Physicians will certainly continue to work hard to assure compliance and
prevent protected health information breaches. Unfortunately, however, even
the best prepared practices may not be able to prevent a breach from
occurring. Consequently, every practice should have a plan in place
regarding how best to handle a breach if it does occur and must be
cognizant of the potentially high financial cost that comes with a breach.

Many organizations now consider cyber security threats to be as big as — or
bigger than — the threat of a natural disaster or fire. Just as those
organizations carry insurance for the relatively small chance that a
tornado or fire destroys their businesses, many now are looking at policies
that will cover the potentially devastating impact of a data breach. There
are specialized insurance products available that are directed at the
healthcare provider market and address the particular liabilities faced by
physician practices.

Even though data security insurance can be quite inexpensive, particularly
when compared to the average claims paid out, physicians often do not pay
as much attention to this type of coverage as they should. To many
physicians who are busy maintaining their practices while installing
electronic health records and meeting the requirements of meaningful use,
weighing the options of data security insurance may feel overwhelming. Yet
as more and more breaches are publicized, along with the amount of
associated fines, more practices are working with their brokers to make
sure they are managing their data security risks adequately. At the very
least, physicians should look deeper at their existing coverage to see
what, if any, of these types of risks may be covered by their liability
insurance policy. The peace of mind that comes from adequate protection
will be well worth the investment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss