By Stephen Treglia,
Instinctively, we think of our financial data as the most likely target of a cyber attack, while healthcare data is increasingly becoming more valuable. Healthcare data breaches have demonstrated a real appetite among cybercriminals for protected healthcare information (PHI). It begs the question: why might someone’s electronic medical records be considered more valuable than their bank account details?
According to Forrester, a single health record can sell for $20 on the black market. A complete patient dossier can be worth $500. When you extrapolate these figures by the number of patients who have had their information compromised – more than 77 million records in 2013 – the financial incentives are clear. The data for sale can include names, birth dates, policy numbers, diagnosis codes and billing information. Criminals can use this data to create fake identification to buy medical equipment or drugs that can be resold, or file false claims with insurers.
Under both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information for Economic and Clinical Health Act (HITECH), governing bodies have determined that healthcare organizations are accountable for the proper storage and protection of patients’ PHI. At the risk of stating the obvious, in an age of electronic medical records and portable electronic devices, this is a severely daunting task.
The explosion of portable technology has made healthcare employees more mobile and flexible, but it has also allowed sensitive patient data to travel outside the confines of an organization, making it far more susceptible to attack. IT departments work diligently to reduce the risk of data theft and rightfully so. Recent data breaches and their respective consequences provide telling examples of how destructive these kinds of attacks can be, and the extent to which they can cripple an organization.
In July 2011, an employee of a healthcare organization left an unencrypted laptop containing the PHI of 23,500 patients inside a rental car which was subsequently stolen, never to be recovered. Data on the laptop included patient names, dates of birth, Social Security numbers, billing information, and medical diagnostic information. The organization ended up settling for $2.5 million and was prohibited from doing business in the state of Minnesota for a minimum of two years.
Moreover, the HIPAA penalty was only the start of the organization’s financial setbacks. In its next SEC filing, the organization acknowledged its inability to do business in Minnesota would result in an annual loss of revenue between $22 and $25 million. A shareholder class-action suit was settled for $14 million. This year, the FTC mandated the organization enter into a 20-year consent decree, during which time independent auditors will see to it that proper healthcare data security procedures will be in place. All told, the organization suffered losses well in excess of $60 million dollars for the theft of a single laptop.
This case may sound like an anomaly, but a significant number of devastating healthcare data breachcases originate from a misplaced device. In fact, 39 percent of healthcare security incidents are caused by device theft or loss.
So, how are healthcare organizations expected to protect information that is coveted by cybercriminals? While an organization can never guarantee that their network is impervious to a breach, there are steps your organization can follow to reduce the number of threats.
- Encrypt PHI stored on portable devices. When it comes to protecting PHI, encryption is the first line of defense and should be applied to all portable devices including laptops, tablets, and smartphones. The recent report from the state of California indicated that 70 percent of the breaches involving the California healthcare industry were due to unencrypted data on lost or stolen hardware or portable media, a problemthat strong encryption would sharply reduce.
- Implement an additional layer of persistent security and management software. Most encryption programs are still vulnerable to cold boot attacks and all software-based encryption systems are vulnerable to various side channel attacks. These are extreme cases but with the increase in Advanced Persistent Threats, organizations are experiencing them more frequently. There is also the human aspect – employees often set easy-to-guess passwords or tape passwords to the device. Additionally, it’s typically lack of attention by an employee that is the root cause of a lost or stolen device. Therefore, it is important to complement encryption with a persistent security and management solution. A persistence software solution offers IT a trusted lifeline to each device in deployment. Administrators can receive encryption status reports, monitor suspicious devices, and remotely invoke security measures to freeze devices and delete or retrieve information from the mobile device. Persistence software technology also restores remote tools back onto any stolen device if the unauthorized user tries common techniques to anonymize the user’s current possession of the devices, such as swapping out the hard drive or re-installing the operating system.
- Properly educate employees. Healthcare employees need to understand the severity of potential data breaches. If a lost device does become compromised, it’s important to flag the breach quickly to inform those affected and then take all necessary actions. Healthcare organizations should have a formal process in place so that lost devices are reported quickly and accurately. Promptly alerting IT of these issues can often have a significant impact on reducing corporate repercussions. Review and update HIPAA privacy and security policies/procedures and stay up to date with regulatory compliance requirements to ensure your processes adhere to all regulations.
About Stephen Treglia
As Legal Counsel at Absolute Software, Stephen provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team who conduct data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the US regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory bodies.