There are strategies to cope with customer expectations of privacy when there are no boundaries around their data, reports Deb Radcliff.
The upside of consumer education is that people are more careful when it comes to their personal, financial and medical data. The downside is that consumers expect entities handling their sensitive data to do so without blemish.
Even though the majority of consumers trust their health care and financial services providers, a single breach can immediately erode that trust — by six percent in the case of medical breaches and five percent in the case of financial breaches, according to the latest “Cost of a Data Breach” report by the Ponemon Institute and PGP.
“Where there's an expectation of good security around sensitive data, there's more likely to be a negative reaction if a breach does occur,” says Larry Ponemon, chair and founder of the institute. “Health care organizations, particularly, are subject to high privacy expectations.”
Mix into this tenuous trust relationship the American Recovery and Reinvestment Act (ARRA), which offers stimulus payments starting in 2011 to medical organizations successfully upgrading their systems to enhance care and response by making patient data mobile and accessible as needed regardless of geography.
As medical organizations move to accommodate e-health records, threats against them are on the rise. Attacks against medical-related data stores doubled in the second half of last year – from 6,500 to 13,400 attacks a day – while attacks on other verticals went unchanged, according to a study released in January by compliance services company SecureWorks.
As with retail and financial systems, criminals are after health systems to derive financial value from Social Security numbers and billing information, medical ID numbers, login credentials and more, according to Phil Dunifer, CEO of PGP.
Just some of the things that health care organizations are grappling with as they follow the more seasoned financial industry into opening their critical records to outsiders include lost laptops and USB sticks containing adult and children's medical records, insider mistakes and abuse (for example, looking up records of famous patients), sniffers on networks and data-stealing malware on endpoints, adds Bryan Cline (right), CISO at Catholic Health East.
“The government gives us this new carrot [ARRA] to develop e-health records and ties it to HIPAA to comply with meaningful use of the records,” Cline explains. “How do you install, configure and use the new system securely and demonstrate compliance? These processes are almost foreign to the health care industry.”
Slash and scramble
Along with continued user education, organizations must assess their business and understand how sensitive data is being used and if that data is absolutely needed, says Mike Del Guidice, senior manager of risk consulting and privacy for the public accounting and consulting firm Crowe Horwath.
“The first aspect when managing a business is the least necessary principal,” he says. “If the data is not needed, redact or minimize the data. If the data is needed, disassociate, encrypt or mask the data so a criminal that does get access can't read or put together the data.”
By disassociating or de-aggregating data, Del Guidice (left) is referring to the process of separating sensitive data fields into separate databases or servers so it can't be associated with a specific individual. This may more easily be accomplished through use of virtualization.
As an example of data masking, Voltage Security uses format preserving encryption (FPE) to replace real credit card numbers with fake numbers to render them unusable if captured. By maintaining consistency of a card number format, the applications in the payment networks don't have to be changed to accept the scrambled data fields.
The Voltage tool covers a subset of privacy data specific to the payment processing industry. Health care data will also need this level of protection for its specific types of sensitive data whether at the endpoint, the database, on the network or in increasingly mobile applications.
In all these scenarios, encryption will be a key component of data protection, says Steve Elefant, CIO of Heartland Payment Systems.
Heartland uses the Voltage technology as a layer of security in its new E3 payment lifecycle end-to-end encryption payment systems. The payments solutions company also uses additional AES encryption to protect track data in the magnetic stripe on the back of the card, such as cardholder name, expiration date and additional security information.
“For years, merchants and processors sent card data like this in the clear,” says Elefant (right). “We're trying to roll out end-to-end encryption to live up to consumer expectations that all their credit card data will be protected.”
However, setting up end-to-end, standards-based encryption of personal data that's in use, at rest and moving around will, for a long time, take multiple layers and control points, says PGP's Dunifer.
“Encrypting card data is only part of the story. Now go to email, USB drives and smaller and smaller mobile endpoints with web browsers,” he says. “Think about data in motion. How do you enforce classification and encryption policy as it transacts through the firewall, into the supply chain, into the cloud?”
Map this complexity to an access and authentication framework that includes customer and partner portals, as well as data transmission, out to emergency responders at accident scenes and other remote locations.
In this equation, Catholic Health East, based in Newton Square, Penn., must consider more than 90 facilities (including 34 acute care hospitals) with 54,000 full-time employees. Then it must consider its partners, since partner connections accounted for 32 percent of breached records last year, according to a recent data breach report by Verizon Business.
“As we update our systems to prepare for e-health records, we must develop corrective action plans to identify and remediate risk where appropriate,” Cline advises. “When I was in the Department of Defense, we had a framework, standard and process for everything.”
Cline spent five years as an information security officer for NATO's Allied Air Forces and two years as a security engineer for the Defense Information Systems Agency. For health care, he points to the Common Security Framework (CSF) developed by the Health Information Trust (HITRUST) Alliance.
Backed by Kaiser Permanente, Highmark BCBS, Johnson and Johnson, McKesson and other large medical and medical supplier chains, the framework is standards-based (HIPAA, NIST, ISO, PCI, FTC and Cobit) and scaleable to size and complexity of organization. It evolves through community input and prescribes methodologies for assessing, protecting, enforcing and reporting in digital health care environments.
Because it is a scaleable framework, CSF could also be used to assess business partners, notes Omar Khawaja, global product manager, security and privacy practice for Verizon Business, a qualified HITRUST CSF assessor. The larger medical establishment is ultimately responsible for the data and for reporting if a breach to that data occurs at the partner organization, he continues.
As you can see, there are many control areas when it comes to meeting customer expectation of privacy over their personal, financial and now their medical data.
“Health care organizations need to treat information security as a business problem,” says Cline. “Assess across the enterprise and focus on people, processes and technology.”
Control points: Embrace controls
When one considers the many places that personal, financial and medical data is stored, used, analyzed, shared and processed, the thought of protecting that data can be overwhelming. Here are 10 control points offered by experts at we spoke with in researching this story.
- Know what data your organization is collecting and how it facilitates the business processes.
- Locate and minimize sensitive data that is collected. This may mean re-engineering applications and removing fields from databases. A good example is the Social Security number, which used to be a common identifier for health insurance and used to be printed on checks and driver's licenses in some states. Use of SSNs in those ways is now rare.
- Protect what you do collect. Split off data fields to separate systems. Obscure and encrypt data throughout its lifecycle in the database, during transit and on endpoints. Don't forget to protect data from the key administrators by splitting their duties so that no one administrator has keys to the kingdom.
- Control access with strong, multifactor authentication.
- Work with developers during upgrades, maintenance and development of applications interacting with sensitive information.
- Set risk thresholds and requirements with partners that access and share personal, medical and financial information. Include scheduled assessments of partners' security posture and access.
- Purge systems (including temp files and memory on endpoints) when data is no longer required.
- Stay up to date on latest privacy regulations (a good central resource for financial and medical privacy laws is epic.org). Follow requirements and frameworks. In the case of health care, these include HIPAA/HITECH and the new Common Security Framework developed by the Health Information Trust (HITRUST) Alliance.
- Have response and remediation plans in place ahead of time and practice them. Include forensics, public relations, call centers, legal and other critical players. A recent Ponemon survey revealed that responding too quickly (without proper assessment) results in more costly response.
- Keep employees, IT staff and executives educated about safe handling of data as devices and uses continue to change