HealthCare.gov Breach: The Ripple Effect - InformationWeek


HealthCare.gov Breach: The Ripple Effect
PaulS681
User Rank: Ninja
9/6/2014 | 1:28:45 PM
healthcare breaches

It's alarming how many breaches there continue to be. It's a good point about people not being so quick to switch doctors due to a breach. I can't imagine picking a doctor by how few breaches an office has had.


Alison_Diana
User Rank: Author
9/8/2014 | 9:47:12 AM
Re: healthcare breaches
I agree, @Paul, that it's not the first -- or fifth or sixth -- consideration many of us have when choosing a doctor! But I think, at some point, it could well make the list when people select a hospital. Sure, many experts say consumers are getting numb to breaches, but I believe anger will occur after numbness, and that anger could well crop up with healthcare providers since we sometimes have so little choice in their selection once we go through the insurance hoops.
PaulS681
User Rank: Ninja
9/6/2014 | 1:31:48 PM
276 Breaches

There were 276 breaches last year, but how many go unreported? I thought I read somewhere that whether a breach needed to be reported or not depended on its severity. I could be wrong, but if there is any truth to that, it is ridiculous.

Alison_Diana
User Rank: Author
9/8/2014 | 9:41:45 AM
Re: 276 Breaches
You are correct, @PaulS681: Breaches don't have to be reported unless they affect more than 500 people. So if your doctor's office loses a drive that, say, contains records of 467 people, s/he doesn't need to report that... even if it happens 10 times in a month.
progman2000
User Rank: Ninja
9/8/2014 | 10:41:21 AM
Re: 276 Breaches
Ew, that's disturbing. I have never heard that before (a breach doesn't need to be reported unless it affects more than 500 people). Is that a healthcare thing?
Alison_Diana
User Rank: Author
9/8/2014 | 11:02:00 AM
Re: 276 Breaches
Yes. It is a healthcare rule, which can be found on the HHS website. You can copy/paste the link below to see the so-called Wall of Shame and the rules surrounding reporting of healthcare breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Ed Telders
User Rank: Apprentice
9/8/2014 | 12:35:58 PM
Re: 276 Breaches
Actually, that is not quite accurate. Breaches of over 500 must be reported quickly to HHS and no later than 60 days after their discovery. But breaches of under 500 are still required to be reported; the difference is that they must be reported within 60 days after the end of the calendar year in which they are discovered. They simply have more time to report, and if there is a series of them, they would be reported in a batch together. So it does have to be reported, but not in a timely manner; it is after the end of the calendar year.
Alison_Diana
User Rank: Author
9/8/2014 | 4:54:42 PM
Re: 276 Breaches
Thanks for clarifying, Ed. You're right.
PaulS681
User Rank: Ninja
9/8/2014 | 8:12:24 PM
Re: 276 Breaches
Who makes these rules? Sixty days after the end of the calendar year in which the breach occurred could be over a year after the breach happened. Shouldn't the patients potentially affected be the #1 concern when a breach happens? Clearly they are not.
Ed Telders
User Rank: Apprentice
9/9/2014 | 10:57:19 AM
Re: 276 Breaches
I couldn't agree more! There is the reality of what the rules and regulations dictate, but to me the right thing to do is clearly to notify the individuals whose information has been breached. I think the genesis of this kind of provision is that it reflects the reality that there are probably so many small breaches that they would clog the available enforcement resources as they are currently structured. They will focus on the "big" ones as a natural consequence. The problem with that reality is that the focus of many organizations will also follow suit and only focus on preventing "big ones."
David F. Carr
User Rank: Author
9/8/2014 | 12:29:07 PM
Just a test server, but ...
The one reason I can see why the hacking of a test server should be of concern is that it potentially gives an attacker insight into the technical architecture that would also be used on live servers, providing a roadmap for attacks on them.

Otherwise, I can't see this as much of a hair on fire moment. It's not really a "breach" at all, just a garden variety dumb mistake.
Alison_Diana
User Rank: Author
9/8/2014 | 4:56:43 PM
Re: Just a test server, but ...
One thing that concerned one exec is that, in the future, IT folks may not fess up but will instead conceal these mistakes because they don't want to deal with all the furor. In turn, that will weaken the system further, making it easier for breaches to occur -- and for data to actually get stolen. I'm not sure of the legalities at play here, but if there are situations in which IT is voluntarily disclosing mistakes, I don't think they should be excoriated for it.
SaneIT
User Rank: Ninja
9/9/2014 | 7:35:57 AM
Re: Just a test server, but ...
That is an excellent point, but there were multiple failures there that I'm sure more than one person/department knew about. "A hacker installed malicious code on a device that had kept its default manufacturer's password. As a test server, it was not supposed to be hooked to the Internet." I don't know how many people are afraid of stepping up and speaking out against doing dumb things, but I suspect that number is pretty high when a manager/supervisor tells them to do it. I think we're starting to see the need for some checks and balances in the security realm, especially when they are dealing with this much sensitive data.
Alison_Diana
User Rank: Author
9/9/2014 | 9:05:51 AM
Re: Just a test server, but ...
One thing I've heard is the need for some kind of clearinghouse -- an Experian-type place, if you will -- where consumers can determine if their data has been breached. This is for all kinds of data -- credit, health, other personal info (such as address, phone, etc.). I think we can usually figure out when our emails or phone numbers have hit the black market; we suddenly see an influx of spam calls and emails. But it can be more difficult to ascertain whether our other information is out there.
SaneIT
User Rank: Ninja
9/10/2014 | 7:34:19 AM
Re: Just a test server, but ...
I think we are going to need more than a clearinghouse. When very large retailers are losing millions of records at a time, what we need is an industry shift toward customer protection, both from the retail side and from the finance side. Anyone issuing me an ATM card should bend over backward to get my information secured; otherwise they are losing a customer and gaining a very vocal opponent.
Alison_Diana
User Rank: Author
9/10/2014 | 4:58:47 PM
Re: Just a test server, but ...
Oh absolutely, @SaneIT! But I want an additional third-party, independent place where I can get unbiased news about all breaches, large and small; updates on arrests or other criminal penalties; impact on consumers (such as news that records are for sale), etc. You can sometimes find that information if you dig around, but it's time-consuming and you have to do it on a case-by-case basis.
SaneIT
User Rank: Ninja
9/11/2014 | 7:13:06 AM
Re: Just a test server, but ...
Given the fact that little information is released when a retailer is compromised, how would that clearinghouse work to notify victims of data loss? I'm not saying that such a process couldn't happen; I'm just wondering how this third party is going to get clear, truthful and accurate reports on data loss when consumers have a hard time getting this when it is their personal information on the line. I think that the third party is a good idea and it falls into the checks and balances of any sane security program, but I feel like they may end up fighting on many fronts and being overwhelmed or stalled to the point of being largely ineffective.
Alison_Diana
User Rank: Author
9/11/2014 | 10:35:55 AM
Re: Just a test server, but ...
You're right, in that it could -- no, probably WOULD -- be difficult to do. I'm thinking it would be modeled on the credit reporting agencies in a way, which use formulas (which I'm not totally clear on, to be honest!) to determine consumers' (and companies') creditworthiness. In the same way, you could have a neutral third party determine business (and government agency) privacy-worthiness, based on public information (such as reporting mandates -- like HHS' Wall of Shame, for example) and any confidential information these organizations opt to share. It would be in their self-interest to share information about their processes, technologies, and other relevant things because their 'privacy meter' would improve, thereby providing consumers with more trust in their organization.

The clearinghouse itself should not store this data, thereby avoiding any allure to external (or internal) cyber thieves -- and further assuring businesses/agencies of the sanctity of their data. I don't know if this would work, but it's one way of bolstering consumer confidence in private and public security. Any others?