Healthcare // Policy & Regulation
News
12/26/2013
09:00 AM

Healthcare Data Breaches To Surge In 2014

The healthcare industry will see even bigger breaches of data and patient privacy in 2014, an Experian report says.

Hackers Outsmart Pacemakers, Fitbits: Worried Yet?

Healthcare will be a hotbed of consumer data breaches in 2014, according to an Experian report, "2014 Data Breach Industry Forecast."

"The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014," according to the report (registration required), which addressed healthcare risks as one of six major trends. "The sheer size of the industry makes it vulnerable when you consider that as Americans, we will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provides an expanded attack surface for breaches." The "attack surface" of a system is the set of points at which an attacker, or a careless insider, can reach the system or its data: every user account, endpoint, interface and data handoff. The more of those points a system has, and the more organizations they are spread across, the more opportunity there is for attack or error.

Best known as a credit bureau and consumer data tracking service, Experian also has a business helping companies recover from personal data breaches. The company has had its own data security problems this year. Michael Bruemmer, vice president of its breach resolution service, Data Breach Resolution, and author of the report, said healthcare accounted for about 46% of the breaches his division serviced in 2013 -- and he expects that to rise significantly in 2014.

[Peer-to-peer patient data? Read Patient Data On Filesharing Service Provokes Legal Trouble.]

Bruemmer said he is basing this prediction at least partly on reports of security risks posed by the HealthCare.gov website and the health insurance exchanges established by various states. The web infrastructure to support health insurance reform was "put together too quickly and haphazardly." The most glaring problem for these sites has been their inability to keep up with consumer demand. The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. "So we have volume issues, security issues, multiple data handling points -- all generally not good things for protecting protected health information and personal identity information."

Another factor: In 2014, the industry will feel the full force of the tightened rules for protecting health information and disclosing breaches (the HIPAA Omnibus Final Rule, whose compliance deadline was September 23, 2013).

(Source: Sh4rp_i, Flickr)

Part of the problem is that many participants in the healthcare industry, such as individual doctor's offices, don't think of themselves as being in the data management business, so they are inadequately prepared to protect data against the threats that exist today, according to Bruemmer. In most cases, data breaches have less to do with advanced hacking techniques than with lost laptops, failing to shred paper records, and other employee errors. Though the threat from malicious insiders is significant, a bigger threat is "people doing dumb things."

In the IT realm, there are stories of people installing anti-malware software but forgetting to turn it on. "And then there's my favorite: where the people in the network operations center actually left the door unlocked, and another employee came in, sat at a console, and played around with the system to see what he could get."

Overall, Experian's remediation group worked on more than 2,200 breaches in 2013, versus 1,700 in 2012. In three of the top 10 breaches, the error was traced to a system administrator's sloppy password practices, such as neglecting to change a default password or carelessly sharing the password.

Whether stolen or accidentally disclosed, healthcare data is valuable, and that makes it a target. On the black market, personal records suitable for use in identity theft are worth $10-$12 each at the low end or maybe $25-$28 for a particularly attractive identity, he said. When enriched with health data, the value of an identity data set jumps to about $50 per record, because then it can be used for medical and insurance fraud.

"The threat is out there, and the threat is going to get bigger," Bruemmer said. "The point is to ensure that you're prepared and have a plan in place."

David F. Carr is the editor of Information Healthcare, a contributor on social business, and the author of Social Collaboration For Dummies. Follow him on Twitter @davidfcarr or Google+.

Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs (free registration required).

Comments
Ulf Mattsson,
User Rank: Strategist
12/28/2013 | 10:16:16 AM
It's not if your systems will be breached, but when
I agree that "The threat is out there, and the threat is going to get bigger," and "The point is to ensure that you're prepared and have a plan in place."

As the saying goes – it's not if your systems will be breached, but when. Every organization, especially those that handle sensitive data, should operate under the assumption that sooner or later, they will be breached. There are innumerable ways that data thieves can attack and penetrate your network.

The new best practices to protect sensitive data and the data flow throughout the enterprise are designed with this assumption in mind. They are about reducing risk of data loss, and responding quickly to attacks when they occur. I recently read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity
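The vault-based tokenization the comment above refers to, as an added example that is not part of the original thread and not Protegrity's or Aberdeen's code: each PHI/PII field is replaced by a random token of the same shape, the only mapping back lives in a vault, and the vault is where need-to-know is enforced. The in-memory vault, the role names in AUTHORIZED_ROLES, and the patient record are assumptions constructed for the example.

```python
# Added example: vault-based tokenization of PHI/PII fields. Unlike encryption,
# a token has no mathematical relation to the value it stands for, so there is
# no key whose theft turns a dump of tokens back into patient data; only the
# vault can map a token back.
import secrets
import string

# Assumed access policy for the example: only these roles may detokenize.
AUTHORIZED_ROLES = {"billing", "clinician"}


def same_shape(a: str, b: str) -> bool:
    """True if a and b have the same length and, position by position, the
    same character class (digit / upper / lower) or the same punctuation."""
    if len(a) != len(b):
        return False

    def cls(c: str) -> str:
        return "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else c

    return all(cls(x) == cls(y) for x, y in zip(a, b))


class TokenVault:
    """In-memory vault (assumption for the example; a real vault is a separately
    secured, access-controlled and audited store, not a dict in the app)."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}  # same value -> same token, so joins still work

    @staticmethod
    def _random_same_shape(value: str) -> str:
        """Random string with the shape of value: digits stay digits, letters stay
        letters of the same case, punctuation is kept. Downstream schemas and
        validators therefore accept the token unchanged."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no tokenizable characters")
        for _ in range(100):  # bounded retry: tiny value spaces can collide repeatedly
            token = self._random_same_shape(value)
            if token != value and token not in self._token_to_value:
                self._token_to_value[token] = value
                self._value_to_token[value] = token
                return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token: str, caller_role: str) -> str:
        """The only path back to the real value, and therefore the place to
        enforce need-to-know (and, in a real system, to write an audit record)."""
        if caller_role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]  # KeyError for an unknown token


def tokenize_record(vault: TokenVault, record: dict, fields) -> dict:
    """Return a copy of record with the named fields replaced by tokens."""
    out = dict(record)
    for f in fields:
        out[f] = vault.tokenize(record[f])
    return out


def run_demo() -> dict:
    """Constructed sample patient record (not real data)."""
    vault = TokenVault()
    patient = {"name": "Jane Q. Sample", "ssn": "123-45-6789",
               "mrn": "MRN-00042", "dx": "E11.9"}
    safe = tokenize_record(vault, patient, ("ssn", "mrn"))
    try:
        vault.detokenize(safe["ssn"], "marketing")
        denied = False
    except PermissionError:
        denied = True
    return {
        "tokenized": safe,
        "round_trip_ok": vault.detokenize(safe["ssn"], "billing") == patient["ssn"],
        "consistent": vault.tokenize(patient["ssn"]) == safe["ssn"],
        "unauthorized_denied": denied,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats for anyone taking this further: a format-preserving SSN token can collide with a real, issuable SSN (production systems usually draw tokens from a reserved, non-issuable range), and the consistent mapping means an attacker who can submit values and observe tokens can confirm a guessed SSN, so the tokenize path needs the same access control and rate limiting as the detokenize path.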
Sachin Kawalkar,
User Rank: Apprentice
4/28/2014 | 3:32:58 AM
Re: It's not if your systems will be breached, but when
The primary control to be implemented is access to information (PHI and PII) on a need-to-know basis. A stringent access control mechanism needs to be in place, as even a single digit of health information is very critical, and lots of legal and regulatory compliance requirements are mandatory, with fines and penalties if it is disclosed. Regular audits and risk assessments will help to analyze the flaws/gaps in the current system and the controls implemented. The key focus area is disclosure of information, so related controls need to be implemented to safeguard the same. Training and awareness on the same are required amongst users accessing the information.
Gary Scott,
User Rank: Strategist
12/29/2013 | 3:14:40 AM
The "attack surface" is computer recycling
From my perspective, the "attack surface" - the part that poses the greatest opportunity for attack or error – is computer recycling.  Why?

Many employees charged with computer disposal approach the process as a recycling event; data destruction is viewed only as a function of electronic recycling.  The employee allows an electronic recycler to remove old computers from his/her custody with hard drives intact.  The promise is "full erasure" when they get back to their warehouse.  The hard drive will, most likely, be resold on the secondary market. 

If the computer disposal project is approached as a data destruction event, the employee has many questions to answer.  Should we erase, degauss or shred hard drives?  Do our computers have one or two hard drives?  Does our printer/copier have a hard drive? Onsite data destruction is the safest but, is offsite acceptable?

Staying compliant with HIPAA & HITECH is very difficult, especially if you don't understand how digital data is stored and properly destroyed...

Hire a NAID Certified vendor that will: 1) physically shred computer hard drives, 2) perform the service onsite (at your location), 3) give you a Certificate of Destruction with a Serial Number report, and 4) show proof of Professional Liability Insurance specific to data destruction.

KarenFedder,
User Rank: Apprentice
12/30/2013 | 11:46:14 AM
Healthcare Data Breaches To Surge In 2014
Creating a data security policy from cradle to grave (from acquisition to decommissioning) can help prevent many data breaches. There are opportunities during the life of the device that are high risk. For example, when a device is reissued to another employee, what happens to the current data on the device? An E-Stewards or R2 certified ITAD (IT Asset Disposition) company can assist in putting these policies in place and providing the services to enforce them. Depending on the size of the organization, you may also be able to facilitate the erasures yourself.

Karen Fedder

Blancco US
asksqn,
User Rank: Ninja
12/30/2013 | 7:17:20 PM
The best defense is always a superior offense
First up, given Experian's less than complimentary track record pertaining to consumer privacy/security matters, I hardly agree that it is the best source to consult with for anything beyond cautionary tales of fail. Secondly, if companies would properly train employees handling sensitive data proactively instead of after security breaches occur, it would go a long way to prevent the ridiculous, completely avoidable snafus that are part and parcel of the penny and pound foolish policies currently in place and espoused by the major corporations least expected.
David F. Carr,
User Rank: Author
1/2/2014 | 12:26:59 PM
Re: The best defense is always a superior offense
Do you believe healthcare is more vulnerable than any other industry? Or is this just the way the world is going?
RobPreston,
User Rank: Author
1/2/2014 | 1:08:05 PM
Re: The best defense is always a superior offense
Follow the money. Whether healthcare industry data is "the most vulnerable" relative to other industries' data depends on the money that data can generate for hackers (assuming comparable security systems). Is private medical information more vulnerable than credit card numbers? The recent Target breach suggests otherwise.