BreachExchange mailing list archives

Why any organization can suffer a healthcare breach, and 5 tips for keeping PHI safe


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 27 Jan 2016 18:34:06 -0600

http://www.csoonline.com/article/3026188/security/why-any-organization-can-suffer-a-healthcare-breach-and-5-tips-for-keeping-phi-safe.html

It appears that companies don’t have to be in the healthcare business to
suffer a health information breach
<http://www.csoonline.com/article/3024797/security/data-breach-numbers-still-high-in-2015.html>.
About 90 percent of all industries have had protected health information
compromised, according to Verizon’s 2015 PHI Data Breach Report
<http://www.verizonenterprise.com/resources/reports/rp_2015-protected-health-information-data-breach-report_en_xg.pdf>.

More than 392 million PHI records have been disclosed from non-healthcare
businesses, according to the report, but the actual total could be much
higher since 24 percent of the breached organizations did not provide an
exact number of records involved.

Industries with the most PHI data breaches, not including healthcare or
government entities, are finance and insurance, education, retail and
professional services, such as law offices and tax preparers, according to
Verizon.

“I was surprised, but it does make some sense because most every
organization has things like their workers’ compensation data or employee
wellness programs,” says Suzanne Widup, lead author of the report. Some
companies are managing their own employee health benefits programs and are
becoming custodians of more healthcare information than ever before, she
says. Information security teams “may not even realize they have this kind
of information in their organization until it gets breached.”

Companies that are the victims of a PHI breach could face regulatory
fallout and other negative consequences. “Criminals are finding ways to
monetize health information more than they have in the past,” says Rob
Sadowski, director of technology solutions at RSA, the security division of
EMC. “It’s very plausible” that personal health information can be stolen
and sold to uninsured people, used to get medical supplies and equipment
that can be resold or used to submit fake insurance claims – “depending on
the type of data they’re able to get,” Sadowski adds.

HR departments gather and store much of the PHI data and need to review
their processes for securing PHI, Widup says. HR functions that are
outsourced to third parties should also be looked at, especially after
several highly publicized data breaches involved vendors or contractors.

*Uncovering PHI*

Protected health information is defined as personally identifiable health
information collected from an individual and covered under one of the many
state, federal or international data breach disclosure laws. The main
criterion is whether there is a reasonable basis to believe the information
could be used to identify an individual.

PHI also goes beyond just medical records and includes email addresses,
vehicle license plate numbers, biometric data like fingerprints, retinal
scans or voice prints, and even full facial photographic images that have
unique identifying characteristics.

Even certain combinations of seemingly harmless information can coalesce to
become personally identifiable health data, Widup says. She has seen
breaches where emails were sent advertising a wellness program regarding a
certain condition, and the email addresses were exposed instead of being
hidden in the BCC field. “That ends up being a breach because suddenly all
these people know all these other people who have this condition,” she
says.

At human resources consulting firm Mercer, “I do see employees and clients
concerned about security and privacy of their PHI in particular. It’s not
top of mind yet, but it’s on their radar,” says Jen Faifer, a Mercer
principal and employee benefits attorney.

Faifer recently helped a major university audit its systems to determine
which university functions were covered by HIPAA, and which were covered by
the Family Educational Rights and Privacy Act (FERPA) that protects student
information. “There is overlap among the different privacy and security
statutes (as well as some gaps), and they’re not quite sure what
information they have and what to do about protecting it,” Faifer says.
“There’s also a lot of state-by-state requirements for workers’
compensation information and health information, so it’s hard to keep track
of what’s required.”

*HIPAA’s 18 PHI Identifiers*

   1. First and last names
   2. All geographical subdivisions smaller than a State, including street
   address, city, county, precinct, ZIP code
   3. Birth date, admission date, discharge date, date of death
   4. Phone numbers
   5. Fax numbers
   6. Email addresses
   7. Social Security numbers
   8. Medical record numbers
   9. Health plan beneficiary numbers
   10. Account numbers
   11. Certificate/license numbers
   12. Vehicle identifiers and serial numbers, including license plate
   numbers
   13. Device identifiers and serial numbers
   14. Web Universal Resource Locators (URLs)
   15. Internet Protocol (IP) address numbers
   16. Biometric identifiers, including finger and voice prints
   17. Full face photographic images and any comparable images
   18. Any other unique identifying number, characteristic or code

Across all industries, Faifer says HR needs to be involved in developing an
organization’s cyber risk management function. “When it comes to sensitive
personal data, HR needs to be involved and to have a stake with respect to
HIPAA and the health information that they handle,” she says.

*What to do*

Industry professionals say that companies should identify where PHI data is
hiding in their organization and take steps to lock it down.

   1. *Know what PHI data you have*. Companies should first identify the
   pieces of information that they own that should be considered high risk. It
   may be just five pieces from the HIPAA list of 18 identifiers, says Raul
   Ortega, a vice president at data security provider Protegrity. Companies
   should also develop a culture for security, Ortega says. “When you’re
   developing software, you have to consider security and protect data not
   only in greenfield apps, but you also need to go back to find that [PHI]
   data.”
   2. *De-identify data through encryption or tokenization.* Ortega
   recommends starting with the largest repositories of data and de-identifying
   that data through encryption or tokenization, which replaces each value with
   a non-sensitive substitute identifier that has no meaning or value of its
   own. After encrypting at the repository level, work backwards to the lines
   of business and to where the data originated.
   3. *Involve the BI team*. Companies should also know why they have this
   data, Sadowski says, and include it in their overall risk assessments. It
   also helps to get someone from the business intelligence team involved to
   help understand how the data is used, Ortega adds. PHI data used within
   lines of business can also be protected with encryption or tokenization, he
   adds.
   4. *Strengthen security around data pathways between company and
   vendors*. Data can be used for analytics or it can be shared with
   business partners. Make sure PHI is identified and protected when it’s
   moving out of the company’s systems. Develop a secure shared data room
   online, Faifer says. Require vendors to disclose their privacy and security
   practices. “Make sure vendor contracts require them to bear the cost of a
   security breach, or if the organization is big enough, they can negotiate
   audit rights into the contract,” Faifer says.
   5. *Monitor access to data, even by privileged users.* The incidents
   that take the longest to detect are those being perpetrated by the
   organization’s trusted insiders – privileged users whose credentials were
   stolen by hackers, according to Verizon. Incidents that took years to
   discover were over three times more likely to be caused by an insider
   abusing their LAN access privileges, and twice as likely to be targeting a
   server, particularly a database. “It’s important to limit access to PHI
   data only to the users that are relevant, and then monitor access to that
   data even by privileged users,” Sadowski says. “Just because a privileged
   user logs on or has access to that data, are they actually using it or
   treating it appropriately and not dumping it out of a database and sending
   it outside the company?”
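A worked illustration of tips 1, 2 and 5 above, added here and not part of the article: the pattern-detectable HIPAA identifiers (SSN, email, phone, dates; names need other detection) are found in a constructed benefits record and swapped for random vault tokens, and every detokenization is access-checked and logged so privileged use is visible. The TokenVault class, the regexes and the sample record are assumptions made for this example.

```python
import re
import secrets

# Pattern-matchable subset of the 18 HIPAA identifiers (constructed regexes;
# names, account numbers etc. need context-aware detection instead)
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


class TokenVault:
    """Hypothetical token store: PHI value -> random token with no meaning.
    Reverse lookups are access-checked and logged (tip 5)."""

    def __init__(self):
        self._forward = {}    # value -> token
        self._reverse = {}    # token -> value
        self.access_log = []  # (user, token, allowed) for monitoring

    def tokenize(self, kind, value):
        tok = self._forward.get(value)
        if tok is None:
            tok = f"tok_{kind}_{secrets.token_hex(8)}"  # random, not derivable
            self._forward[value] = tok
            self._reverse[tok] = value
        return tok

    def detokenize(self, token, user, allowed_users):
        allowed = user in allowed_users
        self.access_log.append((user, token, allowed))  # log even privileged use
        if not allowed:
            raise PermissionError(f"{user} may not detokenize {token}")
        return self._reverse[token]


def find_phi(text):
    """Tip 1: return (kind, value) for every identifier found in free text."""
    return [(k, m.group(0)) for k, p in PHI_PATTERNS.items() for m in p.finditer(text)]


def deidentify(text, vault):
    """Tip 2: replace each identifier with its vault token."""
    for kind, value in find_phi(text):
        text = text.replace(value, vault.tokenize(kind, value))
    return text


# Constructed sample wellness-program record (not real data)
SAMPLE = "Jane Doe, SSN 123-45-6789, jane@example.com, DOB 1980-02-14, diabetes program"
```

Run `deidentify(SAMPLE, TokenVault())` to see the tokenized record; the vault's `access_log` is what the monitoring in tip 5 would feed into a SIEM.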

Training is also important for all employees who touch PHI and sensitive
personal data, both internally and for vendors who perform group health and
wellness program functions, Faifer says.

“Any industry must be aware that this kind of data lives in their
organization, as well as how it’s processed through its various stages of
use in the organization and where it goes outside the organization,” Widup
says. “Make sure it has controls in place all the way along. If they
haven’t done that with this kind of data, then I can pretty much guarantee
that it has been exposed someplace that they don’t know about.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss