Category Archives: Healthcare

Healthcare Industry Data Loss Problems – And Their Easy Solutions

According to a report by the Ponemon Institute, nearly 90% of healthcare organizations suffer data breaches. Internal threats such as mistakes—unintentional employee actions, stolen computing devices—account for nearly half of the data breaches. This statistic certainly serves to show the staggering problems around data loss in the healthcare industry. While the scale of the problem, and therefore the solutions to it, may seem incredibly vast, there are actually strategies healthcare organizations should be implementing in order to combat this high-risk situation.

Why is theft, or loss with malicious intent, so high?

Firstly, medical records can fetch up to 50 times the price of credit card records on the black market. While that may seem far-fetched, it’s surprisingly not, given how much credibility medical records carry when it comes to identification. Criminals can easily use medical records to fraudulently bill insurance companies, obtain prescription medicine and commit other forms of identity theft.

The move to digital and the losses that come with it

The digitization of medical records has been seen as a long overdue step by the medical community to reduce mounting hospital administration and provide patients with more reliable diagnoses and care. Yet proper due diligence isn’t being paid to data loss protection, for a variety of reasons: budgeting, outdated technology and lack of knowledge among them. As a result, breaches of healthcare systems are becoming more and more commonplace, both as online criminals become more skillful and as hospital staff accidentally release sensitive patient information.

The problem areas

Data loss is considered to be one of the most commonplace ways for healthcare organizations to lose a patient’s medical files. The main problem areas include criminal attack, a stolen computing device, unintentional employee action and technical glitches in the system.

The root problem

At the root of these problems are outdated legacy systems and medical devices and poor training in data loss protection. Healthcare organizations face a unique set of challenges when it comes to digitized information. For hospitals in particular, the scale at which they work is huge. The number of individuals who have files stored on their systems, as well as the number of medical professionals who are not highly skilled in computer literacy, is vast. Combine this with computer systems that need updating and a lack of budget to do so, and it is easy to see why data loss is so prevalent in the healthcare industry.

The solution

The solution to the problem can be simplified into two parts – update computer systems so that strong security measures can be put in place, and implement a data loss prevention strategy across the organization. The first part requires budget, but it is imperative that this is prioritized. Ransomware and malware are becoming an increasingly prevalent, malicious and ruthless way of obtaining data. Trends suggest that they will become even more of an issue in coming years, and the only way to combat them is through state-of-the-art security measures.

A data loss prevention strategy, while still costly, especially if implementing on a large scale, is more of an upfront cost and a slow burn investment. For healthcare organizations, a data loss prevention strategy is an incredibly cost-effective way to protect against data loss as much of it involves staff onboarding and communication in order to make it work. Of course, software systems need to be installed to protect files, but much of the hard work comes from ensuring that all staff understand what they need to be doing in order to avoid the inadvertent leakage of sensitive information.

With just a quick online search, you can see the mounting concern about protecting patient data in the healthcare industry, and the ever-growing and alarming statistics about how much data is currently being compromised. Healthcare organizations need to reprioritize budget in order to implement easy and effective solutions like state-of-the-art security, and a data loss prevention strategy that has buy-in from staff working both in hospitals and medical centers on network devices, and remotely on mobile.

Best Practices in Securing Healthcare Data

Health is wealth. An old saying, but it carries an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures etc. As a result, healthcare organizations have become repositories of vast amounts of sensitive data that these consumers share, making them soft targets for data breaches.

The ITRC (Identity Theft Resource Center) studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector, and 66.7% of the total records exposed were from the healthcare industry. The ITRC also reports that so far in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported as affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early whether PHI and PII are being accessed without proper authorization. Many automated tools are available today that can discover such a breach at its initial stage, and early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. It also helps identify sensitive information and prevents it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.
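As an added illustration (not Zecurion’s code, and not how Zgate is implemented), the following sketch combines two of the three techniques named above in a single outbound-content check: document fingerprints (hashed word shingles of a registered sensitive document) and heuristic detectors (an SSN pattern validated against issuance rules, plus PHI context). The Bayesian component is left out; the reference document, identifiers and messages are constructed for the example.

```python
"""Simplified hybrid content analysis for an outbound DLP check.

Added example, not Zecurion/Zgate code. Fingerprints + heuristics only;
all documents and messages below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 5            # words per shingle when fingerprinting a document
FINGERPRINT_THRESHOLD = 0.3  # fraction of a message's shingles that must match

# Constructed "registered sensitive document", as a DLP admin would fingerprint it.
REFERENCE_DOCS = {
    "discharge_summary_0001": (
        "Patient Jane Example admitted 2016-01-12 with acute appendicitis. "
        "Diagnosis confirmed by CT. Appendectomy performed without complication. "
        "Discharged 2016-01-14 with oral antibiotics and follow-up in two weeks."
    ),
}


def _normalize(text: str) -> List[str]:
    """Lowercase alphanumeric tokens, so re-wrapping, case changes or
    punctuation edits do not defeat the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Hash every k-word window. A passage copied out of the reference
    document shares most of these hashes even if the rest of the message differs."""
    words = _normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(len(words) - k + 1, 0))
    }


REFERENCE_FINGERPRINTS = {name: shingles(doc) for name, doc in REFERENCE_DOCS.items()}


def fingerprint_matches(message: str) -> Dict[str, float]:
    """Return {doc_name: overlap_ratio} for registered documents the message quotes."""
    msg = shingles(message)
    hits: Dict[str, float] = {}
    for name, ref in REFERENCE_FINGERPRINTS.items():
        ratio = len(msg & ref) / len(msg) if msg else 0.0
        if ratio >= FINGERPRINT_THRESHOLD:
            hits[name] = round(ratio, 2)
    return hits


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PHI_CONTEXT_RE = re.compile(r"\b(patient|diagnosis|mrn|medical record)\b", re.I)
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/900+, group 00, serial
    0000) so order or tracking numbers shaped like an SSN do not trip the rule."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def heuristic_findings(message: str) -> List[str]:
    """Pattern-based detectors: a hard identifier (SSN) and softer PHI context."""
    findings: List[str] = []
    ssns = [m for m in SSN_RE.finditer(message) if valid_ssn(*m.groups())]
    if ssns:
        findings.append(f"ssn:{len(ssns)}")
    if PHI_CONTEXT_RE.search(message) and DATE_RE.search(message):
        findings.append("phi:context+date")
    return findings


def inspect_outbound(message: str) -> Dict[str, object]:
    """Combine both detectors into a verdict a gateway could enforce."""
    fp = fingerprint_matches(message)
    heur = heuristic_findings(message)
    if fp or any(f.startswith("ssn:") for f in heur):
        verdict = "block"    # quoted sensitive document or a hard identifier
    elif heur:
        verdict = "review"   # PHI-like context only; route to a human reviewer
    else:
        verdict = "allow"
    return {"verdict": verdict, "fingerprints": fp, "heuristics": heur}
```

In a real gateway the fingerprint threshold and the "review" path would be tuned per document class, since a fixed threshold trades missed partial leaks against false positives on boilerplate text.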

Multilayer Security Authentication

Multilayer security authentication is a must. Options such as fingerprint or retina scans, or scanning of a smart card, should be added to regular password options to establish the identity of the actual user. User roles need to be identified comprehensively, and the extent of authorization granted accordingly.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7, 365 days a year, without failure. Still, just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

Management should have a formal, dedicated risk assessment team to look into the various techniques, procedures and access points through which PHI and/or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop, and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down caregivers’ access to information. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Top Breaches in Healthcare in 2015-16

Last week, we read about the top breaches in the higher education sector. In this blog, we have identified for you the top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all time, with nearly 80 million records containing sensitive data affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that 11 million of its records had been hacked and both medical and financial data breached. The FBI investigation concluded that Chinese hackers were involved, as in the case of the Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield suffered the third largest breach, wherein more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, as an unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring has been provided to individuals affected by this incident.
  6. In November 2015, Maine General found that data from its system had been uploaded to an external website. Though the site did not hold any sensitive information, the incident still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, the Washington State Health Care Authority (HCA) notified that 91,000 Medicaid patient files had been mishandled. In this case, an HCA employee was helping an employee of Apple Health, a free healthcare service for low-income individuals, with an Excel problem when the information was exchanged inappropriately, a clear violation of HIPAA regulations. Though the exposed information was not misused, both employees were relieved of their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant about HIPAA violations. The department is determined to make sure that healthcare organizations comply with HIPAA. Organizations found in non-compliance have to pay hefty fines. Below are some examples of organizations that had to pay heavy fees as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as a HIPAA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list, having paid a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of healthcare organizations have had one breach.
  2. 39% of healthcare organizations have faced 2 – 5 breaches.
  3. 40% of healthcare organizations have been exposed to breaches more than 5 times.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading cause of breaches.

Conclusion

In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need for robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no longer new; it is here and it can strike at any time. Prepare and act now.

2016: Data Breach Statistics*, Year until 02/23/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

1.7 Million Records Already Breached within Just Two Months of 2016

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted during the first two months of 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

2 February 2016 – The Washington State Health Care Authority (HCA) has notified that 91,000 records of Apple Health (Medicaid) clients were accessed without any authorization by an employee. Social Security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to another state agency’s employee. After an internal investigation, it was established that the classified information did not get beyond these two employees. However, as a precaution, free year-long credit monitoring has been offered to the affected people. Both employees have been fired since the incident came to light.

Source: King 5 News

26 January 2016 – The County of San Diego has confirmed that the classified records of all its employees were accidentally sent to Wells Fargo, rather than only those of employees who have Health Savings Accounts with the bank. The County and Wells Fargo are working together to delete the unwanted records. Free year-long credit monitoring has been offered to the affected people. The breach is being deemed an accidental error due to incorrect program code for the data transfer written by Hewlett-Packard Enterprise Services.

Source: California Attorney General, SC Magazine

Healthcare

25 January 2016 – Health Equity has reported that an employee sent an email containing personal information, including Social Security numbers of its clients, to one of its business partners in error. An unknown number of people have been affected and are being given a year of free credit monitoring.

Source: California Attorney General

Education

5 January 2016 – Southern New Hampshire University (SNHU) has confirmed that, due to a configuration error on the part of a third-party vendor, a database containing names, email addresses, IDs, course details, scores etc. of its students was exposed. Reports show that about 140,000 students have been affected by the breach, even though the university has only 70,000 enrollments. It is believed that the discrepancy in numbers may mean that both former and current students have been affected. The investigation is still ongoing.

Source: CSO Online

Zecurion’s Annual Review: 2015 Data Breach Statistics

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

As we step into 2016, let’s look at the cost of data breach in 2015 and the trends that have impacted it.

Human Error Causes 19% of Data Breaches

Although malicious or criminal attacks are the main contributing factor in data breaches, at almost 49%, negligent employees are responsible for a substantial 19% of breaches, and 32% involved system glitches, which include both IT and business process failures.

Average Cost of Breached Record is $217

The average cost per lost or stolen record containing sensitive data was $217 in 2015. That is a substantial increase of $16 per breached record compared with 2014, close to an 8% rise. The average cost of $217 consists of $74 in direct per capita cost and the remaining $143 in indirect per capita cost. Direct costs are what companies spend to minimize the consequences of a data breach and to assist victims. Indirect costs pertain to what companies spend on existing internal resources to deal with the data breach.

Higher than Average Data Breach Cost for Healthcare, Pharmaceutical, Financial, Energy, Transportation, Communications and Education

Some industry sectors, such as healthcare, pharmaceutical, financial, energy, transportation, communications and education, are more prone to breaches and thus have higher data breach costs: their per capita data breach cost exceeds the mean of $217. In contrast, the public sector (government), hospitality and research have a per capita cost well below the overall mean.

Average Cost per Organization is $4.7 Mn to $11.9 Mn, Depending on Number of Records Breached

The number of breached records per incident in 2015 ranged from 5,655 to 96,550 records. The average number of breached records was 28,070. As the number of lost records increases, so does the cost of the data breach. In 2015, companies whose data breaches involved fewer than 10,000 records had an average data breach cost of $4.7 million, while those that lost more than 50,000 records had a data breach cost of $11.9 million.

Among the factors that contribute to increased lost-business costs, the significant ones are loss of business, legal services, investigation and forensics, increased customer acquisition activities and diminished goodwill. To reduce the cost of data breaches, businesses need to make proactive decisions and worthwhile investments in several strategies, key among them setting up an incident response plan, implementing data loss prevention solutions, planning for business continuity and its management, appointing a CISO with enterprise-wide responsibility and investing in employee training.

2015: Data Breach Stats*, Year until 11/24/2015

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

No Sector Left Behind – Confidential Data Loss Threat Looms in Some of the Other Forms

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted in the months of September to November of 2015. The excerpts below only provide a glimpse of some of these incidents.

Financial and Insurance Services

2 October 2015 – Schwab Retirement Plan Services Inc. (SRPS), California, notified customers of a data breach that occurred when an email containing Social Security numbers, names, addresses, dates of birth, dates of termination, employment status, division codes, marital status and account balances was accidentally sent to a participant in another retirement plan serviced by SRPS.

Source: California Attorney General

25 September 2015 – Bed Bath and Beyond notified customers of a data breach at its New York City location. The breaches happened between March 7 and August 3, 2015, and involved a cashier. The employee has since been removed from the store, and customers have been asked to contact their banks about possible credit card theft.

Source: Vermont Attorney General

25 September 2015 – Blue Cross Blue Shield of North Carolina notified customers of two data breach incidents. In the first, one member’s billing invoice information was printed on the back of another member’s invoice. The information revealed names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts. The second breach happened when payment letters included incorrect information and were sent to the wrong members. This information exposed the type of health plan purchased, effective dates, health insurance marketplace identification numbers, payment amounts, telephone numbers and payment identification numbers.

Source: Health IT Security

Healthcare

26 October 2015 – Emergence Health Network notified its patients that the company’s server had been accessed without authorization. EHN hired a third-party vendor to audit the server and find out whether the breach affected its 11,100 records. Based on the audit, it was not immediately apparent whether any confidential information had been accessed or misused.

Source: Department of Health and Human Services

3 October 2015 – Sentara Heart Hospital, Virginia, notified patients that two portable hard drives containing information such as birthdates, names, diagnoses, types of procedures and other clinical notes were stolen on the weekend of August 14, 2015. About 1,040 records have been affected by this theft.

Source: Pilotonline.com

Education

6 October 2015 – Lake Norman High School, California, notified its students of a breach when one of its students obtained an administrative password and accessed the school’s systems without authorization. Seven students have been charged by the Iredell County Sheriff’s Office in this regard. It has been reported that no personal data, testing or grades were accessed. Since then, the school has taken corrective measures to secure the computer system.

Source: Statesville.com

Government

18 November 2015 – The office of Georgia Secretary of State Brian Kemp is being sued by two Georgia women who claim that the Secretary’s office released personal information on 6 million Georgia voters. Two separate entities received the files due to a clerical error; the files included driver’s license information, Social Security numbers and dates of birth. According to the lawsuit, Mr. Kemp’s office never notified individuals of the breach, nor did it contact the consumer reporting agencies.

Source: AJC.com

22 October 2015 – The Juvenile Division of the Clerk of Courts of Osceola in Florida erroneously displayed information on juveniles charged in court cases on its official website. Not only were their names displayed, but their foster system information was also exposed online via the e-file system. Authorities are investigating the breach and trying to fix the problem. An unknown number of records have been affected.

Source: WFTV Channel

9 October 2015 – The Vacaville Housing Authority (VHA) notified individuals that one of its employees unintentionally sent an email to one person with an attachment containing names and Social Security numbers of its customers. The recipient immediately informed the VHA, which in turn deleted the email from that person’s computer. As a precaution, VHA has offered free credit monitoring service to the affected customers for 12 months.

Source: California Attorney General

Transportation

4 November 2015 – Avis Budget Group notified customers of a data breach when the third-party provider that manages its open enrollment process accidentally sent a file to another company that is also the provider’s client. The information exposed included names, addresses and Social Security numbers.

Source: California Attorney General

13 October 2015 – Uber’s new app “Uber partner” had a glitch that resulted in a data leak affecting nearly 674 US drivers. The data, exposed for a few hours, included taxi certification forms, driver licenses and W-9 forms with Social Security numbers for cab companies. According to Uber, the data was only visible to logged-in drivers who went to their documents page. Since then, Uber has fixed the issue.

Source: California Attorney General

Safeguarding the Devices can Reduce Data Leaks by Over 40 Percent in Healthcare

Healthcare is the most targeted sector for data breaches, accounting for nearly 78 percent of the total number of records exposed over January–August 2015. Of all the data breaches in healthcare, 12 percent are intentional insider leaks and 17 percent are due to unintentional disclosure. The biggest chunk, 41 percent, is attributed to lost or missing devices. Therefore, safeguarding just the devices themselves can reduce the threat of data loss significantly.

The following measures can help organizations in safeguarding their devices:

  1. Reporting Loss – The first and foremost step is to report the loss or theft of any such device immediately to the organization so that proper steps can be taken.
  2. Surveillance of Premises – One of the easiest and most widely used methods to avoid any theft is monitoring the workplace by security cameras or electronic log systems of employees. Even if the device or data gets stolen or goes missing, the security equipment will help in recovering it or in identifying the offender.
  3. Educating Employees – Creating security awareness among the employees is another important step in averting potential data thefts. Various programs must be conducted for employees to educate them and make them accountable for devices allocated to them. It should be a continuous process and should be enforced through regular email reminders, desktop screen savers, placards on the walls, etc.
  4. Data Management – This has two components – documenting data storage and removing unwanted information. Data should be stored in a methodical way by defining classes of data, with proper labelling of sensitive information. Another important aspect is to clean unwanted and duplicate files from the system to reduce the chances of data loss.

Apart from safeguarding devices, companies should also secure them so that, in case of an unexpected loss, they are prepared to deal with the ensuing data loss. The following measures could help a company deal more effectively with data stored on lost devices:

  1. Data Encryption – This can be achieved by encrypting the data on portable devices and disabling the transfer of any information from these devices to any other device. Technologies such as on-the-fly encryption, redaction, DLP (Data Loss Prevention) solution and DRM (Digital Rights Management) on sensitive data are some of the ways for enhancing data protection.
  2. Geo-fencing – Geo-fencing is a kind of virtual barrier that uses Global Positioning System (GPS) to define the geographical boundary for any portable device. Once outside the boundary, data inside that particular device cannot be accessed. It also helps in recovering the lost device.
  3. Remote Wipe – With the help of the right set of tools, the information stored in stolen devices can be partly or totally wiped remotely.

It is imperative to change the outlook of healthcare companies so that they focus equally on both the devices and the data stored on them. Measures for device safety and for data loss prevention should be planned proactively.