At a recent gathering, IT security pros discussed how risk management can protect patients. Illena Armstrong reports.
About 24,000 Medicaid patients in Utah got word in early April they’d have to check their credit and bank statements for fraudulent activity much more diligently after hackers breached a Utah Department of Health (UDOH) server storing thousands of their records.
Then, a couple of days later, the news became much worse when the still-continuing investigation uncovered that Children’s Health Insurance Plan (CHIP) recipients also were affected.
The tally of client records removed by cyber criminals from the server currently stands at 780,000. Of those, some 280,000 patients have seen their Social Security numbers compromised.
Such breaches of health care data now are happening at an unprecedented frequency, according to many experts. Often, when they do occur, greater volumes of critical data are affected as well.
Speaking at a recent SC Magazine Health Care Security Roundtable, Paul Contino, corporate chief technology officer (CTO) at New York City Health and Hospitals Corp. (HHC), said there were only a handful of major health care data breaches being reported some three years ago. These commonly involved the simple loss or theft of laptops or backup tapes. But, things have rapidly changed.
“In truth, health care has become a much softer target to a lot of hackers for a lot of reasons,” he said during the roundtable, which was sponsored by HP Enterprise Security. “Today we’re seeing an escalation in the number of those breaches both in quantity and magnitude. Also, we’re starting to see other types of theft. [Some are] internal to the organizations. We’re starting to see hacking attempts where [cyber criminals] are successfully breaking into systems. So the threat landscape is changing to where it’s not just dumb mistakes [such as an unencrypted laptop getting left in a taxi or backup tapes falling off a delivery truck] anymore. There are more organized hacking attempts that are confronting health care now.”
Statistical data bears this trend out. The Office of Civil Rights for the U.S. Department of Health and Human Services maintains a tally of breaches. Not only is the office tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA), it implements the additional data security provisions noted in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the economic stimulus package known as the American Recovery and Reinvestment Act of 2009.
Starting the breach incidence count with the inception of HITECH and its data breach notification requirement that first year, the civil rights office shows that a mere 50 incidents were reported from September to December 2009, which affected about 2.4 million individuals. Come 2010, the number of breaches jumped to 259 with 5.4 million individuals exposed. Last year, 147 incidents were reported, but those affected went well into the millions given that a few organizations alone saw huge exposures, including TRICARE at 4.9 million patients hit, Health Net at 1.9 million individuals affected and The Nemours Foundation at 1.2 million people compromised. This year, some 31 incidents already have been reported.
As the investigation is still underway, the UDOH breach hasn’t made that list just yet. But, some information has been released. The Utah Department of Technology Services (DTS) initially thought 24,000 claims were affected by the attack. It turns out, however, that one of those files can contain claims on hundreds of individuals. And the kinds of information often found on these include Social Security numbers, addresses, tax ID numbers, doctors’ names and more.
Also early on in the investigation, it was stated that the cyber criminals, believed to be based in Eastern Europe, used passwords to gain access to the server and then siphon off the claims. The latest findings, though, point to a server that was configured outside normal procedures as the primary culprit.
“DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again,” according to a UDOH press release. “Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”
However, some professionals at the SC Magazine Roundtable likely would have contended that had proper risk management protocols, such as regular risk assessments and external audits, been established and put into practice, such server misconfigurations and any resulting brand-damaging breaches may have been avoided.
Currently, far too few risk assessments are being undertaken, Contino said at the SC Magazine event. Yet such documented and objective risk barometers could help organizations keep plans updated and prioritize security needs. According to a recent Health Care Information and Management Systems Society (HIMSS) survey of large health care organizations, only 47 percent conduct annual risk assessments, even though these are a requirement noted in the original HIPAA security mandates.
One problem may be lingering budget issues, said Richard Kaplan, a senior security consultant with Open Sky, who attended the event. To undertake activities such as these, money is needed, but the C-suite often has other priorities, he said. “The cost of security is a big issue, especially when money is tight.”
However, organizational leaders must understand that security is just as big an issue and neglecting it could cost the company much more money after it gets victimized by hackers. Risk assessments and external audits are far from mere cost centers. They actually help address worries about financial support for security improvements by pushing business units to implement proper mechanisms – or accept a certain amount of risk, Kaplan said.
“There is a little bit more talk about audit, but it’s always internal audit rather than external audit, which I think is a lot different,” he said. “You must constantly pitch it. Security and privacy need to be C-level issues. Security is not just an IT issue, it’s a business issue. We need to educate them on this.”
In addition to the changing threat landscape and the lack of attention still sometimes paid to security needs, Contino said at the roundtable that there are other reasons for the increasing numbers of health care breaches. These range from persistent insider threats to mobile security problems and the use of cloud applications.
“There’s technology that we’re starting to build out that is increasing security threats,” he said. “Mobile devices, both personal and corporate, are changing the landscape of how we need to address security. Then, of course, there are external factors. The exchange of data – it’s no longer us sharing data within our four walls, but it’s us sharing data with all kinds of community partners and other organizations, so that increases the risk.”
Given this raft of security challenges, a representative from HP at the event said “it’s always a good rule to trust but verify” – both when it comes to corporate-controlled devices and partner networks. This requires understanding at all times what’s happening on the organization’s infrastructure and knowing who’s accessing what and when. By aggregating and correlating this kind of information – even as cloud services and mobile devices become part of the fabric of the infrastructure – the company can close its visibility gaps and, from there, set security and privacy priorities.
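To make the “who is accessing what, and when” visibility described above concrete, here is an added example (not code from the article, HP or any organization named in it). It takes three constructed log feeds in different formats (an on-premises application log, a cloud provider’s audit records, and a mobile gateway log), normalises them into one event schema on a single timeline, reports every access to each patient record, and applies a simple “trust but verify” policy: access must originate from a registered corporate device or an approved partner network. All users, devices, addresses and record identifiers are made up; the timestamps are treated as if all feeds already report in UTC, which real feeds usually do not.

```python
"""Correlate access events from several log sources into one 'who/what/when' view.

Added example, not from the article. Every feed, user, device, network and
record name below is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# --- constructed sample feeds, each in its own native format -----------------
ONPREM_LOG = [
    "2012-04-02T09:14:05 user=jsmith action=VIEW object=patient/10231 src=10.20.1.15",
    "2012-04-02T09:15:40 user=mlee action=VIEW object=patient/10877 src=10.20.1.22",
    "2012-04-02T22:03:11 user=jsmith action=EXPORT object=claims/batch-77 src=10.20.1.15",
]
CLOUD_AUDIT = [  # records as returned (already JSON-decoded) by a cloud audit API
    {"ts": "2012-04-02T09:30:00Z", "actor": "jsmith@example.org",
     "op": "Download", "object": "claims/batch-77", "ip": "198.51.100.7"},
    {"ts": "2012-04-02T10:02:00Z", "actor": "partner-svc@example.org",
     "op": "Read", "object": "patient/10231", "ip": "203.0.113.8"},
]
MOBILE_GW = [
    "2012-04-02 09:40:12 | device=corp-ipad-017 | user=mlee | read patient/10877",
    "2012-04-02 11:12:45 | device=personal-android-4 | user=jsmith | read patient/10231",
]

# --- policy inputs (constructed): what 'trusted' means for this organisation ---
PARTNER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),     # hospital campus
                    ipaddress.ip_network("203.0.113.0/24")]   # contracted partner
MANAGED_DEVICES = {"corp-ipad-017"}                           # enrolled corporate devices

_ONPREM_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                        r"object=(?P<obj>\S+) src=(?P<ip>\S+)")
_MOBILE_RE = re.compile(r"(?P<date>\S+) (?P<time>\S+) \| device=(?P<device>\S+) "
                        r"\| user=(?P<user>\S+) \| (?P<action>\S+) (?P<obj>\S+)")


def parse_onprem(line):
    m = _ONPREM_RE.match(line)
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"].lower(), "object": m["obj"],
            "source": "onprem", "ip": m["ip"], "device": None}


def parse_cloud(rec):
    # Assumption: the feed's 'Z' suffix means UTC, like every other feed here.
    return {"ts": datetime.fromisoformat(rec["ts"].rstrip("Z")),
            "user": rec["actor"].split("@")[0], "action": rec["op"].lower(),
            "object": rec["object"], "source": "cloud", "ip": rec["ip"], "device": None}


def parse_mobile(line):
    m = _MOBILE_RE.match(line)
    return {"ts": datetime.fromisoformat(f"{m['date']}T{m['time']}"), "user": m["user"],
            "action": m["action"].lower(), "object": m["obj"],
            "source": "mobile", "ip": None, "device": m["device"]}


def aggregate(onprem=ONPREM_LOG, cloud=CLOUD_AUDIT, mobile=MOBILE_GW):
    """Normalise all feeds into one schema and order them on a single timeline."""
    events = ([parse_onprem(l) for l in onprem] + [parse_cloud(r) for r in cloud]
              + [parse_mobile(l) for l in mobile])
    return sorted(events, key=lambda e: e["ts"])


def access_by_object(events):
    """For each record: who touched it, when, and through which channel."""
    by_obj = defaultdict(list)
    for e in events:
        by_obj[e["object"]].append((e["ts"].isoformat(), e["user"], e["source"]))
    return dict(by_obj)


def verify(events, networks=PARTNER_NETWORKS, devices=MANAGED_DEVICES):
    """'Trust but verify': return accesses that policy cannot vouch for."""
    findings = []
    for e in events:
        if e["device"] is not None:               # mobile: must be an enrolled device
            if e["device"] not in devices:
                findings.append((e["user"], e["object"], f"unmanaged device {e['device']}"))
        elif e["ip"] is not None:                  # on-prem / cloud: must be an approved network
            addr = ipaddress.ip_address(e["ip"])
            if not any(addr in net for net in networks):
                findings.append((e["user"], e["object"], f"unapproved network {e['ip']}"))
    return findings


if __name__ == "__main__":
    timeline = aggregate()
    for obj, touches in access_by_object(timeline).items():
        print(obj, touches)
    for user, obj, why in verify(timeline):
        print(f"REVIEW: {user} accessed {obj} from {why}")
```

Run as-is, the script shows that the constructed record patient/10231 was touched three times through three different channels, and flags two accesses for review: a cloud download from an address outside every approved network and a record read from a device that is not enrolled. The point is the join across feeds, not any single alert; a real deployment would feed the normalised events into a SIEM rather than a list, but the schema mapping and the policy check are the same work.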
Sometimes, though, as institutions look to deploy new technologies to suit necessary business needs, a certain amount of risk must be accepted. One of the SC Magazine Roundtable attendees, who wished to remain anonymous, noted that he and his team conduct a risk assessment for every corporate technology-related roll-out and then task the primary business unit to sign off on it. In doing this, he documents that a particular business executive and the higher-ups are making the call to move forward even if some risk and security concerns are present.
While accepting a level of risk associated with a business deployment is a common practice among health care entities, adhering to IT security best practices and implementing the necessary technologies – such as encryption, two-factor authentication, security information and event management solutions and others – still is not, for some organizations.
“The challenge I see is that we’re going to need more and more security as we go forward,” said Contino. “Yet the conversations at the C-suite level tend to be about other priorities. So I guess the question is, ‘How do we elevate the security discussion so that [executives] realize [security] goes hand in hand with all the technologies being implemented.’ Without it, we’re creating enormous risks for our institutions.”
This event was sponsored by HP Enterprise Security.
Photo caption: The safeguarding of patient information was the topic under discussion at a recent SC Magazine Health Care Security Roundtable. Photo by Jason Gardner.