Threat hunting is also emphasized in a second Ponemon study sponsored by Raytheon, which recommended offensively hunting down threats to data security, and defensively setting up a security barrier to protect patient data and care systems. With nation-state attacks (think China and Russia), ransomware, compromises due to IoT (add outdated software), and physical data theft, the game is now complete control rather than plain ol’ disruption. After the attack, when most healthcare organizations finally get into gear on cyberthreats, is far too late. Ponemon/Raytheon ‘Don’t Wait’. Healthcare IT News
Reporting from the HIMSS Connected Health Conference (CHC)
Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR).
It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”
Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.
When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)
Confirmation that your Editors (including Founder Steve) are no longer Voices Crying In The Wilderness on health data insecurity came this weekend on the front page (print) of The Wall Street Journal. It concentrated less on the profit of stolen PHI–$50 per record on average versus $7 for a credit card, according to Ponemon Institute–than on the horror of the 2.3 million individuals suddenly finding out that hospitalizations, procedures and prescriptions in their name were being used by others, leaving them with the bill and unable to clear both their financials and their health records.
EHRs are treasure troves of health and financial information. Unlike credit card theft, there’s no warning–and no limits. Providers and insurance companies put the onus on the person with the stolen data. There is no healthcare equivalent of the Fair Credit Billing Act (FCBA) and the Fair Credit Reporting Act (FCRA), which since 1974 and 1970 respectively have limited the individual impact of fraudulent credit card charges.
Consumer security programs like LifeLock are not particularly effective in proactive notification. In other words, you’re stuck. You may run through your benefits and then be responsible for the bills. Second, you may never get the bad information and diagnoses out of the supposedly accessible health record because of privacy laws, especially if you are a caregiver.
Victims sometimes only find out when they get a bill or a call from a debt collector. They can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show she has diabetes when she doesn’t, say, or list a blood type that isn’t hers—errors that can lead to dangerous diagnoses or treatments.
Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws. And hospitals sometimes continue to hound victims for payments they didn’t incur.
According to Ponemon, “65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.”
Very rarely does this Editor look for a Federal remedy to a problem, (more…)
Concatenation is one of those lovely English words that express far more than its simpler synonyms: sequence, series or chain of events. Perhaps we have experienced that concatenation of data breaches which connect and demonstrate a critical mass that motivate healthcare organizations, including insurers, to ensure that data security and privacy gets primacy in HIT. Our Readers know we’ve been on the case since 2010; we’ve been noting Ponemon Institute and ID Experts studies since then.
While simple, straightforward theft can be the cause of smaller breaches and not part of a Big Hack, it’s not as Three Stooges or Benny Hill-esque as perhaps the JAMA study earlier this year made it out to be, especially if it’s your personal record, or your patient’s, which is breached, identity and financials damaged. (See this Security Intelligence article on a minor health breach and how it affected an individual who happens to be in IBM’s security arm.)
Just in the past few weeks, in the US we have experienced the following major and minor breaches:
- CareFirst BlueCross BlueShield in Maryland–an insurer, not a hospital or practice–had a Big Hack of 1.1 million health records, with names, birth dates, email addresses and insurance identification numbers (but not SSI or credit card numbers) revealed.
- Beacon Health Systems (Indiana) had a phishing attack into employee email boxes dating back to 2013. This was a Medium Hack that affected about 220,000 patients. Data taken included SSI and driver’s license. Health Data Management today.
- Advantage Dental in Redmond, Washington had a 152,000 patient hack during three days in February.
- Also in February, a New York City Health and Hospitals Corporation employee transferred patient files to her personal and new work email. 90,000 patients may have compromised data as a result. Becker’s
Ponemon Institute’s 2015 Cost of a Data Breach Study: Global Analysis, with IBM, was published last week. (more…)
Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.
Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)
[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2014/10/screenshot-med-25.jpg” thumb_width=”170″ /]Harry Lime Lives! It’s the 1949 Vienna of ‘The Third Man’ when it comes to the black market of medical identity theft. Data breaches are easier than heisting penicillin off an Army Medical Corps truck and far less noticeable–there’s always a lag time in discovery as more than one health system (Community Health System) found. And protected health information (PHI) has value down the line. According to a report cited by FierceHealthIT:
- Simple data comes cheap: names, birth dates and health insurance contract with group numbers fetch a pedestrian $20.
- Add Social Security (SSI) numbers, banking and credit card information, and these ‘kits’ fetch $1,500. These can be used for financial fraud of multiple types or alternate identities.
- Add medical data, and direct marketing data brokers and pharmacy benefit companies are willing to pay. They use it for legitimate (but annoying) purposes, such as targeting those with specific diseases.
- Add physical identification, and the value goes through the roof for fake passports, driver’s licenses and visas.
The ways PHI can be accessed are many: EHRs, paper records, stolen laptops, CDs, accounting systems, provider, insurer and supplier systems, and simple ‘friendly fraud’ (more…)
[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /]Breaking News–updated at end Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware. (more…)
[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”150″ /]The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions
The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and with a few exceptions, the news is worse than last year. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed to larger sized respondents) for 2013 are:
- The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
- The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
- Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
- ACA increases risk to patient privacy and information security. No surprises here for readers with insecure exchange of information between healthcare providers and government (75 percent ), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)
Security firm Redspin reports a total of 7.1 million affected records in 2013, up from 3 million in 2012. The five largest breaches accounted for 85 percent of the total: Advocate Health, Horizon BCBSNJ, AHMC Healthcare, Texas Health Harris Methodist Hospital Fort Worth and Indiana Family & Social Services Administration. Hardware theft of unencrypted devices accounted for the first three; Texas Health was perhaps the most unique because it disposed of over 277,000 microfiche patient records in a city park, making it the winner of last May’s ‘It’s Just Mulch’ award in ‘The exploding black market in healthcare data’. Not included in the Redspin report (free download here) was a mid-December breach of 405,000 records at Bryan, Texas-based St. Joseph Health System which would have put it fourth on the list. This took place in a two-day data security attack on their servers traced to China and reported to the FBI. While Redspin attributes only six percent of breaches to hacking, this is an amount sure to increase as more information is digitized. Health Data Management, iHealthBeat, FierceHealthIT Security breaches, natural disasters and outages are events that cost US hospitals over $1.6 billion annually, and 82 percent of health IT executives surveyed by MeriTalk said that their technology infrastructure is “not fully prepared for a disaster recovery incident.” The $1.6 billion seems low in light of the Ponemon Institute’s 2012 health data breach estimate of $7 billion annually–and the $12 billion in victim costs [TTA 14 Sept 13]. FierceHealthIT
.…and wait till Healthcare.gov-related security breaches start. This Editor stopped beating the dead and quartered horse of Healthcare.gov last year, finding that what was suspected and detailed from the start was simply borne out by subsequent revelations. Another example: the recent revelation that US intelligence agencies are highly concerned that code in the website was produced by programmers in Belarus, a former Soviet republic closely allied to that hotbed of hacking, Russia. That means that ‘backdoors’ are right in the code, waiting to be opened. This affects more than the website–but through the hub, states, HHS, IRS and DHS. How did our Washington types find out about it? When a top Belarusian official bragged on state radio about it! Ace intelligence writer Bill Gertz in the Washington Times broke the story. (Want more on the website’s security problems? See here for more on the Gertz story plus the David Kennedy/TrustedSec testimony and more. But bring your preferred headache remedy!)
August ended with the report of the second highest-ever identity breach traced to a healthcare provider–4 million patient names, addresses, dates of birth, Social Security numbers and clinical information, contained on four unencrypted Advocate Health System (Illinois) office computers. It was a ‘behemoth breach’ in Healthcare IT News‘ words and has led to the filing of a class-action lawsuit (Privacy Rights Clearinghouse). Now security consultant Ponemon Institute’s latest report, released yesterday, increases the breach anxiety level with its 2013 Survey on Medical Identity Theft: (more…)