94% of healthcare organizations had a data breach last year

The Ponemon Institute just released their third annual “Benchmark Study on Patient Privacy & Data Security.” Sponsored by ID experts, the survey and report looks at data breaches in the healthcare industry. While some organizations have taken steps to strengthen their privacy and security programs the research indicates the majority lack budget and resources to prevent or detect breaches.

The survey reveals some impressive data, similar to the trends last year. While 94% of the healthcare organizations have reported at least one incident, as many as 45% organisations reported more than 5 data breach incidents. The report is talking about clinics and hospitals that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospital or clinic (18%).

Data breaches of health records information continue to be a problem for the entire health care industry. Healthcare organizations have been increasingly facing fines due to the unauthorized disclosure of patient information. High numbers of patient accounts are involved anytime a breach happens which can amount to several hundred thousand to several million dollars in fines.

Disclosures made regarding a patient’s protected health information (PHI) without their authorization is considered a violation of the Privacy Rule under HIPAA.

Costs of data breach

What causes the data breaches?

No doubt, the data breaches are costly in terms of HIPAA compliance and penalties, what really is causing this?

A report from the Health Information Trust Alliance (HITRUST) shows that the biggest cause of HIPAA data breaches is theft and loss of laptops and other portable media, not hackers. The perps are most likely not after the health data, they are after the devices themselves, and your staff unfortunately makes it relatively easy for them to gain access to the critical HIPAA data just came along for the ride.The HITRUST research found that only 8% of the breaches were caused by hacking and/or malware. HITRUST is a national consortium of healthcare professionals that helps the health industry protect patient data.

Is BYOD penetration a reason for high number of violations? Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.

Sarah Kliff reported recently in the Washington Post’s Wonkblog that doctors emailing with their patients is becoming increasingly common. That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, “Your Smartphone Will Cause Your Next Data Breach,” Gross aims his argument at healthcare workers who don’t think they have any patient information on their smartphones.

“Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information,” he wrote.

Recommendations

As the case with any information sensitive organization, healthcare industry to focus on their data security processes and best practises of information security. As the threat landscape changes rapidly and the value of information increases, management need to focus more on securing their IT assets. IT risk assessments need to be carried out at frequent intervals than a routine annual assessment. There is a need to set up[ a proper IT Governance mechanism at board level to ensure the important resource to the organization- data – is protected.

In its recent report, HITRUST recommends specific measures to control the data breaches in the health care industry.

Endpoint Security

o Conduct an accurate inventory of endpoint devices and develop a “bring your own

device” (BYOD) policy and management program.

o Ensure email access is controlled and encrypt email

o Encrypt mobile computing devices and consider encrypting desktops

o Ensure less mobile endpoints such as servers are adequately protected

Mobile Media Security

o Restrict the use of unencrypted mobile media, including backup media such as

unencrypted tapes
Paper Records

o Ensure paper records are adequately secured when transitioning to an EHR system

o Make employees aware of proper handling and disposal procedures

o Provide an adequate number of shredders or shredding bins in convenient locations9

o Ensure bins are emptied regularly and require onsite shredding if possible

o Centrally store and manage paper records in a secure location
Business Associates (BA)

o Formally assess and manage the risks incurred with a BA

o Classify and manage risks based on impact and likelihood of a breach by the BA

o Periodically rePevaluate BAs based on changing risks but no less than every three years

o Limit BA access to only the information minimally necessary to conduct business
Physician Practices

o Treat physician practices that connect to your organization as high risk

o Require similar assurances from physician practices that you obtain from BAs

o Ensure risks are comprehensively assessed: administrative, technical and physical

o Minimize effort by leveraging existing resources from HHS, HITRUST and others

Advertisements

Developing Information Security Policy


Every organization is required to have an effective information security program which maps to its business drivers,  regulatory requirements and threat profile. Although organizations across the globe are increasingly recognizing the importance of information security for businesses, the complexity of issues involved in formulating an appropriate information security policy greatly vary from company to company.

 This may depend on multiple factors including the importance of business information, size of the company, type of operations and businesses the company involved in and the numbers and types of information and information systems they use. Developing a robust Information Security Policy is a crucial first step in the program.

While small organizations can quickly deploy information security policy to address their needs, for large organizations, developing a single policy document encompassing all users and resources and addressing the entire gamut of information security issues is a herculean task. Rather, a more effective approach would be to develop a suite of policy documents to cover all information security assets; each targeting specific audience and address relevant information security concerns. This approach would ensure easy maintainability of the policy and focus on specific requirements in terms of emerging threats and risk assessments.

 Why do we need Policy?

A security policy should fulfil many purposes. According to http://www.sans.org, it should: 

  • Protect people and information 
  • Set the rules for expected behaviour by users, system administrators, management, and security personnel 
  • Authorize security personnel to monitor, probe, and investigate 
  • Define and authorize the consequences of violation
  • Define the company consensus baseline stance on security 
  • Help minimize risk 
  • Help track compliance with regulations and legislation 

Basic steps in Developing Information Security Policy

  • Identify all assets that are required to be protected
  • Identify all threats and vulnerabilities and likeliness of threats happening
  • Identify the measures to safeguard the assets in a cost-effective manner
  • Identify the roles and responsibilities of various parties and communicate them
  • Monitor and review the process continuously for improvement.

ISO 27002 provides a comprehensive set of guidelines and controls comprising best practices in information security whereby it can be used as a basis to develop security policy.  ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of 
information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

Who is Responsible?

Today, many organizations have multiple pieces of  a security program in terms of policies, standards, firewalls, security team, IDS and so on  but the top management is not truly involved nor security has permeated throughout the organization. Rather all the responsibility has been delegated to a small security team responsible for securing the entire organization. This practice is because of a belief that security was just a technology issue.Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise’s information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme. (http://www.isaca.org)

In 2013 Cyber Conflicts become the norm: Symantec predicts

Symantec released its 5 most important security threat expectations of the  year 2013. Symantec claims that these predictions are based on their expertise, “understanding of threat evolution” as well as “experience in previous cybersecurity trends”.  Symantec Corporation is an American global computer security software corporation headquartered in Mountain View, California.

The threat expectations for 2013 and beyond go like this – 

Cyber conflict becomes the norm among nations, organizations, and individuals. Espionage can be successful and easily deniable. Nation States, organizations and groups of individuals use cyber tactics to gain advantage over their opponents. The conflict is moving more and more on cyber assets from physical.




 
Ransomware is the new scareware: With online payment methods becoming omnipotent and omnipresent, criminals find it easy to extract money at anytime from anywhere!! Get ready for more professional ransom screens and methods. FBI keeps cautioning the users as more cases are already being reported.According to Kevin Haley, Director of Security Response at Symantec, during 2013, there’ll be increasing utilization of commercial ransom screens, exploitation of targets’ sentiments, along with utilization of techniques, which will make recovery more difficult following system compromise.


Madware adds to the insanity: Mobile adware or “madware” is a nuisance that disrupts the user experience and can potentially expose location details, contact information and device identifiers to cybercriminals.The past experience sees rapid growth in this menace, an increase of 210% in 9 months in 2012!! Free mobile apps are going to contribute more aggressive and potentially malicious approach.


Monetization of social networks introduces new dangers – the growing social spending trend also provides cybercriminals with new ways to lay the groundwork for attack. Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks.


As users shift to mobile and cloud, so will attackers – Symantec claims that mobile platforms and cloud services will be likely targets for attacks and breaches in 2013. The rapid rise of Android malware in 2012 confirms this. It is predicted that in 2013, mobile technology will continue to advance and thereby create new opportunities for cybercriminals.

 

Wrong use of devices in corporate networks that utilize clouds will witness growing danger of personalized assaults and breaches into the devices’ data, the security firm explains.

The threats could be more alrming to India. Identity fraud is turning out be as a major concern in India with the growing number of Internet, social media and internet users through mobile phone devices.

A recent Symantec report stated, of the total 137 million Internet users in India, 42 million have fallen prey to the cyber fraud in one way or the other. The financial loss per cyber crime victim is around Rs 10,000 for 2012, as per Semantec.

While this list is more on expected lines considering the cyber crime trends being witnessed in the recent past. The key to the threat management lies in end-user education in protecting the online privacy, a more disciplined online behaviour and much better understanding of their smart phone.

In a lighter vein: 

On January 17, 2012, Symantec admitted to their network getting hacked. A hacker known as “Yama Tough” obtained Symantec’s source code by hacking an Indian Government server. Yama Tough has released parts of the source code, and has threatened to release more.