Tag Archives: Healthcare

Healthcare Industry Data Loss Problems – And Their Easy Solutions

According to a report by the Ponemon Institute, nearly 90% of healthcare organizations suffer data breaches. Internal threats such as mistakes—unintentional employee actions, stolen computing devices—account for nearly half of the data breaches. This statistic certainly serves to show the staggering problems around data loss in the healthcare industry. While the scale of the problem, and therefore the solutions to it, may seem incredibly vast, there are actually strategies healthcare organizations should be implementing in order to combat this high-risk situation.

Why is theft, or loss with malicious intent, so high?

Firstly, medical records can fetch up to 50 times that of credit card records on the black market. While that may seem far-fetched, it’s surprisingly not, given the amount of credibility medical records hold when it comes to identification. Criminals can easily use medical records to fraudulently bill insurance companies, obtain prescription medicine, in addition to other identity theft practices.

The move to digital and the losses that come with it

The digitization of medical records has been seen by the medical community as a long overdue step to reduce mounting hospital administration and to give patients more reliable diagnoses and care. Yet proper attention is not being paid to data loss protection, for a variety of reasons: budgeting, outdated technology and lack of knowledge among them. As a result, breaches of healthcare systems are becoming more and more commonplace, both as online criminals become more skilful and as hospital staff accidentally release sensitive patient information.

The problem areas

Data loss is considered to be one of the most commonplace ways for healthcare organizations to lose a patient’s medical files. The main problem areas include criminal attack, a stolen computing device, unintentional employee action and technical glitches in the system.

The root problem

At the root of these problems are outdated legacy systems and medical devices, and poor training in data loss protection. Healthcare organizations face a unique set of challenges when it comes to digitized information. For hospitals in particular, the scale at which they work is huge: the number of individuals who have files stored on their systems, and the number of medical professionals who are not highly skilled in computer literacy, are both vast. Combine this with computer systems that need updating and a lack of budget to do so, and it is easy to see why data loss is so prevalent in the healthcare industry.

The solution

The solution to the problem can be simplified into two parts – update computer systems so that strong security measures can be put in place, and implement a data loss prevention strategy across the organization. The first solution requires budget, but it is imperative that this is prioritized. Ransomware and malware are becoming an increasingly prevalent, malicious, and ruthless way of obtaining data. Trends suggest that it will become even more of an issue in coming years and the only way to combat it is through state of the art security measures.

A data loss prevention strategy, while still costly, especially if implementing on a large scale, is more of an upfront cost and a slow burn investment. For healthcare organizations, a data loss prevention strategy is an incredibly cost-effective way to protect against data loss as much of it involves staff onboarding and communication in order to make it work. Of course, software systems need to be installed to protect files, but much of the hard work comes from ensuring that all staff understand what they need to be doing in order to avoid the inadvertent leakage of sensitive information.

With just a quick online search, you can see the mounting concern about protecting patient data in the healthcare industry, and the ever-growing and alarming statistics about how much data is currently being compromised. Healthcare organizations need to reprioritize budget in order to implement easy and effective solutions like state-of-the-art security, and a data loss prevention strategy that has buy-in from staff working both in hospitals and medical centers on network devices, and remotely on mobile.

Best Practices in Securing Healthcare Data

 

Health is wealth. An old saying, but it carries an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures, etc. As a result, healthcare organizations have become a repository of vast amounts of sensitive data that these consumers share, making them soft targets for data breaches.

ITRC, the Identity Theft Resource Center, studied data breach trends and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector, and 66.7% of the total records exposed were from the healthcare industry. ITRC also reports that so far in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported as affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early whether PHI and PII are being accessed without proper authorization. Many automated tools available today can discover such a breach at its initial stage, and early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications, identify sensitive information and prevent it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods and heuristic detection – to filter outbound traffic and detect confidential data.
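To make the three signals concrete, here is an added illustration in Python of how digital fingerprints, a naive Bayes text classifier and heuristic pattern rules can be combined into a single outbound-message check. It is not Zecurion's code and says nothing about how Zgate is implemented; the protected document, training samples, outbound messages and thresholds are all constructed for the example.

```python
import hashlib, math, re
from collections import Counter

# 1. Heuristic rules: identifier patterns that should never appear in outbound traffic.
HEURISTICS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
}

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def heuristic_hits(text):
    return sorted(name for name, rx in HEURISTICS.items() if rx.search(text))

# 2. Digital fingerprints: hashed word shingles of the documents we must protect,
#    so a partial copy of a protected document still matches.
def shingle_hashes(text, n=4):
    words = tokens(text)
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)}

def fingerprint_overlap(text, index):
    """Fraction of the message's shingles found in any protected document."""
    msg = shingle_hashes(text)
    return len(msg & index) / len(msg) if msg else 0.0

# 3. Naive Bayes: learns from labelled samples what PHI-bearing text looks like.
def train_bayes(samples):
    counts, docs = {"phi": Counter(), "benign": Counter()}, Counter()
    for text, label in samples:
        counts[label].update(tokens(text))
        docs[label] += 1
    vocab = set(counts["phi"]) | set(counts["benign"])
    return {"counts": counts, "docs": docs, "vocab": len(vocab)}

def bayes_log_odds(model, text):
    """log P(phi|text) - log P(benign|text), Laplace-smoothed; positive favours PHI."""
    total = sum(model["docs"].values())
    score = 0.0
    for label, sign in (("phi", 1), ("benign", -1)):
        c, n = model["counts"][label], sum(model["counts"][label].values())
        lp = math.log(model["docs"][label] / total)
        for w in tokens(text):
            lp += math.log((c[w] + 1) / (n + model["vocab"]))
        score += sign * lp
    return score

# 4. Combine the three signals: any strong one blocks the message.
def analyse(text, index, model, fp_threshold=0.3, bayes_threshold=2.0):
    r = {"heuristics": heuristic_hits(text),
         "fingerprint": round(fingerprint_overlap(text, index), 2),
         "bayes": round(bayes_log_odds(model, text), 2)}
    r["block"] = bool(r["heuristics"]) or r["fingerprint"] >= fp_threshold \
        or r["bayes"] >= bayes_threshold
    return r

# Constructed data: one protected document, a tiny training set, four outbound messages.
PROTECTED_DOCS = ["Patient roster ward 4B: Jane Doe admitted 2015-09-01 "
                  "diagnosis pneumonia attending Dr Smith"]
TRAINING = [
    ("patient diagnosis prescription dosage discharge summary lab results", "phi"),
    ("medical record insurance claim procedure code attending physician notes", "phi"),
    ("team lunch friday cafeteria agenda slides budget meeting", "benign"),
    ("quarterly newsletter parking reminder holiday schedule", "benign"),
]
OUTBOUND = {
    "roster_copy": "FYI: Jane Doe admitted 2015-09-01 diagnosis pneumonia attending Dr Smith, please follow up",
    "ssn": "Please send the claim for SSN 123-45-6789 to billing",
    "clinical": "Attached are the lab results and discharge summary for the patient",
    "lunch": "Reminder: team lunch in the cafeteria on Friday",
}
FP_INDEX = set().union(*(shingle_hashes(d) for d in PROTECTED_DOCS))
MODEL = train_bayes(TRAINING)

def scan(messages=OUTBOUND):
    return {name: analyse(text, FP_INDEX, MODEL) for name, text in messages.items()}

if __name__ == "__main__":
    print(scan())
```

Each of the first three messages is blocked by a different signal (fingerprint overlap, the SSN rule, and the Bayes score respectively), while the lunch reminder passes; in a real deployment the thresholds would be tuned against the organization's own traffic.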

Multilayer Security Authentication

Multilayer security authentication is a must. Fingerprint, retina scan or smart card options should be added to regular passwords to establish the identity of the actual user. The user’s role needs to be identified comprehensively, and the extent of authorization granted accordingly.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7, 365 days a year, without failure. Still, just deploying antivirus is not enough: securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

The management should have a formal dedicated risk assessment team to look into the various techniques, procedures and access points through which PHI and/or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop, and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down the access of information to care givers. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Top Breaches in Healthcare in 2015-16

 

Last week, we read about top breaches in the higher education sector. In this blog, we have identified for you top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all time, with nearly 80 million records containing sensitive data affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that 11 million of its records had been hacked and both medical and financial data was breached. The FBI investigation concluded that Chinese hackers were involved, as in the case of the Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield suffered the third largest breach, in which more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, as an unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring have been provided to individuals affected by this incident.
  6. In November 2015, Maine General found that data from its system had been uploaded to an external website. Though the site did not contain any sensitive information, the incident still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, the Washington State Health Care Authority (HCA) reported that 91,000 Medicaid patient files were mishandled. An HCA employee was helping an employee of Apple Health, a free healthcare service for low-income individuals, with an Excel problem when the information was exchanged inappropriately, a clear violation of HIPAA regulations. Though the exposed information was not misused, both employees were relieved of their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant about HIPAA violations. The department is determined to make sure that healthcare organizations comply with HIPAA; those found in non-compliance have to pay hefty fines. Below are some examples of organizations that had to pay heavy fines as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as a HIPAA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list by defaulting and paying a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of the healthcare organizations have had one breach.
  2. 39% of the healthcare organizations have faced 2 – 5 breaches.
  3. 40% of the healthcare organizations have been exposed to breaches more than 5 times.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading reason for the breaches.

Conclusion

In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need for robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no longer new; it is here and it can strike at any time. Prepare and act now.

Zecurion’s Annual Review: 2015 Data Breach Statistics

 

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

As we step into 2016, let’s look at the cost of data breach in 2015 and the trends that have impacted it.

Human Error Causes 19% of Data Breaches

Though malicious or criminal attacks are the main contributing factor for data breaches, at almost 49%, negligent employees are responsible for an exorbitant 19% of the breaches, and 32% involved system glitches, which include both IT and business process failures.

Average Cost of Breached Record is $217

The average cost per lost or stolen record containing sensitive data was $217 in 2015, a substantial increase of $16 per breached record compared with 2014, close to an 8% increase. The average cost of $217 consists of $74 in direct per capita cost and the remaining $143 in indirect per capita cost. Direct costs are what companies spend to minimize the consequences of a data breach and to assist victims. Indirect costs pertain to what companies spend on existing internal resources to deal with the data breach.

Higher than Average Data Breach Cost for Healthcare, Pharmaceutical, Financial, Energy, Transportation, Communications and Education

 

Some industry sectors, such as healthcare, pharmaceutical, financial, energy, transportation, communications and education, are more prone to breaches and thus have higher data breach costs: their per capita data breach cost is above the mean of $217. On the contrary, the public sector (government), hospitality and research have a per capita cost well below the overall mean.

Average Cost per Organization is $4.7 Mn to $11.9 Mn, Depending on Number of Records Breached

The number of breached records per incident in 2015 ranged from 5,655 to 96,550 records. The average number of breached records was 28,070. As the number of lost records increases, so does the cost of data breaches. In 2015, companies that had data breaches involving less than 10,000 records had an average cost of data breach of $4.7 million and the ones with the loss of more than 50,000 records had a cost of data breach of $11.9 million.

Among the factors that contribute to increased lost business costs, the significant ones are loss of business, legal services, investigation and forensics, increased customer acquisition activities and diminished goodwill. In order to reduce the cost of data breaches, businesses need to make proactive decisions and worthwhile investments in various strategies, key among them setting up an incident response plan, implementing data loss prevention solutions, planning for business continuity and its management, appointing a CISO with enterprise-wide responsibility and investing in employee training.

2015: Data Breach Stats*, Year until 11/24/2015

 

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

No Sector Left Behind – Confidential Data Loss Threat Looms in Some of the Other Forms

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted in the months of September to November of 2015. The excerpts below only provide a glimpse of some of these incidents.

Financial and Insurance Services

2 October 2015 – Schwab Retirement Plan Services Inc. (SRPS), California, notified customers of a data breach that occurred when an email containing social security numbers, names, addresses, dates of birth, dates of termination, employment status, division code, marital status and account balance was accidentally sent to a participant in another retirement plan serviced by SRPS.

Source: California Attorney General

25 September 2015 – Bed Bath and Beyond notified customers of a data breach at its New York City location. The breach happened between March 7 and August 3, 2015, and involved a cashier. The employee has since been removed from the store and customers have been asked to contact their banks about possible credit card theft.

Source: Vermont Attorney General

25 September 2015 – Blue Cross Blue Shield of North Carolina notified customers of two data breach incidents. In the first, one member’s billing invoice information was printed on the back of another member’s invoice. The information revealed names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts. The second breach happened when payment letters included incorrect information and were sent to the wrong members. This information exposed the type of health plan purchased, effective dates, health insurance marketplace identification numbers, payment amounts, telephone numbers and payment identification numbers.

Source: Health IT Security

 

Healthcare

26 October 2015 – Emergence Health Network notified its patients that the company’s server had been accessed without authorization. EHN hired a third-party vendor to audit the server and find out whether the breach affected its 11,100 records. Based on the audit, it was not immediately apparent whether any confidential information had been accessed or misused.

Source: Department of Health and Human Services

3 October 2015 – Sentara Heart Hospital, Virginia, notified patients that two portable hard drives containing information such as birthdates, names, diagnoses, types of procedures and other clinical notes were stolen on the weekend of August 14, 2015. About 1,040 records were affected by this theft.

Source: Pilotonline.com

 

Education

6 October 2015 – Lake Norman High School, California, notified its students of a breach after one of its students obtained an administrative password and accessed the school’s computer system without authorization. Seven students have been charged by the Iredell County Sheriff’s Office in this regard. It has been reported that no personal data, testing or grades were accessed. Since then, the school has taken corrective measures to secure the computer system.

Source: Statesville.com

 

Government

18 November 2015 – The Georgia Secretary of State, Brian Kemp’s office, is being sued by two Georgia women who claim that the Secretary’s office released personal information of 6 million Georgia voters. Two separate entities received the files due to a clerical error; the files included driver’s license information, Social Security numbers and dates of birth. According to the lawsuit, Mr. Kemp’s office never notified individuals of the breach, nor did it contact the consumer reporting agencies.

Source: AJC.com

22 October 2015 – The Juvenile Division of the Clerk of Courts of Osceola in Florida erroneously displayed information about juveniles charged in court cases on its official website. Not only were their names displayed, but their foster system status was also exposed online via the e-file system. Authorities are investigating the breach and trying to fix the problem. An unknown number of records have been affected.

Source: WFTV Channel

9 October 2015 – The Vacaville Housing Authority (VHA) notified individuals that one of their employees unintentionally sent an email to one person with an attachment containing names and social security numbers of their customers. The person immediately informed the VHA authorities who in turn deleted the email from this person’s computer. As a precaution, VHA has offered free credit monitoring service to the affected customers for 12 months.

Source: California Attorney General

 

Transportation

04 November 2015 – Avis Budget Group notified customers of a data breach when the third-party provider that manages their open enrollment process accidentally sent a file to another company that is also their client. The information exposed included names, addresses and Social Security numbers.

Source: California Attorney General

13 October 2015 – Uber’s new app “Uber partner” had a glitch that resulted in a data leak affecting nearly 674 US drivers. The data, exposed for a few hours, included taxi certification forms, driver licenses and W-9 forms with Social Security numbers for cab companies. According to Uber, the data was only visible to logged-in drivers who went to their documents page. Since then, Uber has fixed the issue.

Source: California Attorney General

2015: Data Breach Stats*, Year Until 10/06/2015

Stats Chart Updated

 

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Reports of Data Breaches Continue Across All Sectors

Let us see how some sectors have been impacted between January and August of 2015. The excerpts below only provide a glimpse of some of these incidents.

Financial Services

12 Aug 2015 – Nationstar Mortgage sent letters to its customers informing them of a possible leak of their personal information. All affected customers were provided with a complimentary one-year Experian ProtectMyID Elite membership, a product that detects possible data breaches and provides a feasible solution.

25 Jun 2015 – Bank of Manhattan Mortgage Lending notified their customers of a possible data breach as one of their employees responsible for handling loan files was found storing the data in a manner contrary to the bank’s policies and instructions. The Bank of Manhattan Mortgage Lending has offered services for better protection of its customers’ data like credit monitoring and identity theft protection for 12 months, solution support call center and insurance.

Healthcare

29 Jul 2015 – East Bay Perinatal Medical Associates notified their patients after a former employee was found with a list containing patient names and their contact details. The patients’ financial and bank information was not found on the employee’s laptop and the entire data was deleted from his laptop’s hard drive.

17 Jun 2015 – Patients of UC Irvine Medical Center were notified of a situation wherein an employee, not having authority to access particular patient records, was found to be going over those records. UC Irvine hired computer experts to gain insight into the volume of data accessed and solutions to prevent such problems in future. In addition, patients were provided with credit monitoring and recovery services free of cost.

Retail

18 Jul 2015 – A pharmacy technician at CVS in San Diego was accused of stealing patients’ records, including personal information of 100 patients, for the purpose of identity theft. The data stolen was used by the technician’s property manager to obtain credit and credit cards.

Government

13 Jul 2015 – Visitors to the Mule Creek State Prison were notified by prison authorities of possible misuse of their personal information, after the information was discovered to be in the possession of individuals outside the facility. The affected people were advised to put a fraud alert on their credit files.

29 Jun 2015 – Twin brothers from Virginia pled guilty to charges ranging from identity theft and conspiracy to commit wire fraud to accessing protected and government computers without authorization. The brothers stole sensitive information related to passports and visas and also planned to install a device in the State Department to gain easy access to confidential information.

Consumer Spending Volume, Security Issues and Multiple Data Handling Points Make Healthcare One of the Most Susceptible to Data Breaches

In this issue of our newsletter, Zecurion provides a synthesis of research undertaken by various organizations to quantify the impact of data loss caused by a breach, whether accidental or intentional. Though our focus for this issue is the healthcare sector, the impact on other sectors is the same in kind; the only difference is its size.

According to Experian, a credit bureau and consumer data tracking service, healthcare is one of the most susceptible sectors to data breaches because of the sheer size of per capita spending – amounting to a whopping US$ 9,210 per capita in 2013.

With another seven million people added to the healthcare system because of Healthcare Insurance Exchanges, the sector offers a “lucrative” data theft opportunity to insiders. Studies have revealed other facts about healthcare – making proactive data loss prevention so much more important.

  1. Healthcare accounted for about 50.5% of the 270 breaches as compiled by the Identity Theft Resource Center for the year until May 6, 2014. These include breaches caused by insider theft and employee error/negligence.
  2. Personal records suitable for use in identity theft fetch US$ 10 – US$ 28 each in the black market. When enriched with health data, the value jumps to around $ 50 per record, as it can then be used for medical and insurance fraud, according to Experian.
  3. Healthcare groups that experience a data breach can expect to pay out a whopping US$ 2 million over a two-year period, according to the Ponemon Institute.
  4. Surveys with healthcare groups have revealed that nearly 90% of the organizations have reported at least one data breach over the past two years, with 38% reporting more than five data breaches in the same time period. Employee negligence continues to be at the root of most data breaches in this study, according to the Ponemon Institute.

Source: Identity Theft Resource Center, Experian, Ponemon Institute