<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; PHI</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/phi/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Protecting high-risk information in EHRs</title>
		<link>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/#comments</comments>
		<pubDate>Tue, 03 Jul 2012 17:34:58 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1410</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). According to one recent study[i], more than 19 million health records have been compromised since August 2009.  As the health care industry moves into the adoption of electronic health records (EHRs), medical breaches have become a more significant concern. These [...]]]></description>
			<content:encoded><![CDATA[
<div>
<div>
<p><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/medical-records.jpg"><img class="aligncenter size-full wp-image-1415" title="medical-records" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/medical-records.jpg" alt="" width="440" height="298" /></a></em></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>According to one recent study<a href="http://www.experian.com/blogs/data-breach/wp-admin/post-new.php#_edn1" class="broken_link" rel="nofollow">[i]</a>, more than 19 million health records have been compromised since August 2009. As the health care industry moves toward adopting electronic health records (EHRs), medical breaches have become a more significant concern. These studies strive to establish a business case for health organizations to create strengthened compliance programs that will enhance PHI security and privacy. The programs focus primarily on the financial risk that health organizations face, through examination of elements that pose a threat. For example, these risks can arise from the number of varied health care organizations handling PHI, and from human threats, which may come from malicious insiders, outsiders, or even cyber-crime rings. They may also include the dissemination of data through <a title="Medical and mobile: Convenience trumps security" href="http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/">wireless devices or mobile devices</a>. Other methods may include lost or stolen information.</p>
<p>PHI is valuable to identity thieves because it provides a lucrative outlet for <a title="Annual Study on Medical ID Theft" href="http://www.experian.com/innovation/business-resources/ponemon-third-annual-medical-id-theft-study.jsp">Medical Identity Theft</a>. The rewards of this crime have surged as it is commonly tied to Financial Identity Theft. The released studies highlight the necessity for organizations in the health care industry to assess the threats, consequences, and vulnerabilities related to PHI. The proposed areas to be considered include procedures, policy, and the technology threat to the security of PHI. With that said, privacy and security should be viewed as a priority by health care organizations. To determine the impact, these organizations need to analyze the relevance of the problem and the consequences that arise. In doing so, health care organizations will need ample and strong support for security, safeguards and controls, accessibility to resources, accountability both from leadership executives and below, strong authentication practices, and knowledge of the PHI flow within the organization and related.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff">Webinar Download: Healthcare Information Security Today conducted a survey to provide an in-depth assessment of the effectiveness of data protection efforts. <a title="Healthcare Info Security Webinar" href="http://www.experian.com/innovation/business-resources/cyber-insurance-data-breach-response-plan.jsp?WT.srch=ecd_dbres_blog_070312_article  ">View Now! </a></div></div>
<p>In the health care community, privacy is a fundamental right that is not only protected by laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but also expected by the patient. As the health industry adopts the use of electronic files, the number of organizations handling Protected Health Information (PHI) increases. An understanding of the risks and the impacts, financial or not, can help organizations that handle PHI strengthen their <a title="Webinar: The State of Healthcare Information Security Today" href="http://www.experian.com/innovation/business-resources/healthcare-info-sec-today-webinar.jsp">prevention and detection efforts</a> and reduce liability. A breach of PHI creates problems both for the organizations and for the patients whose information they are entrusted to protect.</p>
<div>
<div>
<p><a href="http://www.experian.com/blogs/data-breach/wp-admin/post-new.php#_ednref1" class="broken_link" rel="nofollow">[i]</a> Redspin study, Breach Report 2011/Protected Health Information</p>
</div>
</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical and mobile: Convenience trumps security</title>
		<link>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/#comments</comments>
		<pubDate>Wed, 02 May 2012 16:30:56 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[medical fraud]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1177</guid>
		<description><![CDATA[Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the newfound convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too. A recent study suggests that adopting new [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/medicalmobileapps.jpg"><img class="aligncenter size-full wp-image-1183" title="medicalmobileapps" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/medicalmobileapps.jpg" alt="" width="540" height="270" /></a></p>
<p>Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the newfound convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too.</p>
<p>A recent study suggests that adopting new technology is a far greater priority than securing it. Eighty-one percent of healthcare organizations are using mobile devices to “collect, store and/or transmit” protected health information (PHI) but 49% “do nothing” to protect the devices.</p>
<p>The lack of security has been detrimental. The same study found that the breach of protected health information (PHI) records increased 97% from 2010 to 2011.</p>
<p>While data loss is certainly a burden to organizations, mobile security doesn’t have to be. Here are four key considerations for mobile-equipped medical offices:</p>
<ol>
<li>Encryption<br />
Consider the <a title="Encryption: Data's best friend" href="http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%E2%80%99s-best-friend/">encryption</a> capabilities of a device before you purchase, not after. Carefully choose tablets and phones that offer a high level of encryption across the various functions and facets, including removable storage, of the device. If your office is already mobile-equipped, be sure encryption is standard procedure.</li>
<li>Storage<br />
Think of a mobile device as a way to access data, not store it. A secure server or cloud network is more appropriate for a centralized storage location, to which your mobile devices can connect and disconnect. The latter function is essential, as the portability of a mobile device makes it both easier to lose and more attractive to thieves. According to the Department of Health and Human Services, stolen physical devices account for 71% of breached healthcare records. A missing device that’s online with your data bank poses a serious threat to you and your patients.</li>
<li>Access<br />
Mobile devices should be password-protected, and so should access to your data bank through the devices. Job requirements should determine what devices and passwords each employee in your office can access. Also consider whether bring your own device (BYOD), when employees use their personal devices to access work data, fits with your security approach.</li>
<li>Employees<br />
Don’t overlook the element of human error in your mobile security plan. In 2011, the volume of breached medical records resulting from an employee losing an unencrypted device jumped 525%. Since you can’t ever completely eliminate human error, be sure to train your <a title="Your biggest data breach risk may be on your payroll " href="http://www.experian.com/blogs/data-breach/2011/10/25/your-biggest-data-breach-risk-may-be-on-your-payroll/">employees </a>on properly using and handling mobile devices, as well as reporting any loss, theft or signs that a device has been tampered with.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responding resourcefully to medical data breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 22:58:01 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1153</guid>
		<description><![CDATA[It’s safe to say that healthcare data is/are under attack. Breaches of medical records increased 97% from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute. Be prepared: Does your organization observe security protocols and have controls in [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg"><img class="aligncenter size-full wp-image-1166" title="patient-data-breaches" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/patient-data-breaches1.jpg" alt="" width="400" height="300" /></a></p>
<p>It’s safe to say that healthcare data is/are under attack. Breaches of <a title="Differentiating factors of a healthcare breach" href="http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/">medical records increased 97% </a>from 2010 to 2011 according to HHS data. Statistics like that lend new urgency and importance to gatherings such as the upcoming HCCA 2012 Compliance Institute.</p>
<p><strong>Be prepared:</strong> Does your organization observe security protocols and have controls in place to protect patient health information (PHI)?</p>
<p><strong>Have a response plan ready to deploy:</strong> In the event of a data breach, the first thing to do is activate your <a title="Data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/">response plan</a>. In general, this plan spells out in great detail everything from who will lead the response team to step-by-step processes for sending out notifications, customer care and more.</p>
<p><strong>Evaluate your situation post-breach:</strong> Once you’ve weathered the storm of a data breach and its consequences, take time to review the ways your organization responded and grade your response plan. This is also the time to make changes, small and substantial, to the response plan and implement any other protections or processes that you feel would improve your readiness and ability to respond in the event of another incident.</p>
<p>Look for Experian at the 2012 Compliance Institute in Las Vegas from April 29 to May 1. It’s a great opportunity to immerse yourself in solutions for preventing and managing data breaches, as well as meet experts who can help your organization be better prepared in the event of an incident.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Third Annual Medical Identity Theft Study" href="http://www.experian.com/innovation/business-resources/ponemon-third-annual-medical-id-theft-study.jsp?WT.srch=ecd_dbres_blog_042612_article">Download the Ponemon Medical Identity Theft Study to learn the costly consequences facing patients and providers</a>.</div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/04/26/responding-resourcefully-to-medical-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Differentiating factors of a healthcare breach</title>
		<link>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 08:30:58 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1125</guid>
		<description><![CDATA[Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting. With breaches of medical records increasing 97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/stealing-data1.jpg"><img class="aligncenter size-full wp-image-1131" title="hand-stealing-data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/04/stealing-data1.jpg" alt="" width="426" height="282" /></a></p>
<p>Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting.<br />
With <a title="Trends in healthcare data breaches" href="http://www.experian.com/blogs/data-breach/2012/03/20/trends-in-healthcare-data-breaches/" target="_blank">breaches of medical records increasing </a>97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors that make breaches in this one industry so cumbersome, dangerous and difficult to deter.</p>
<p>1. Heavy regulations<br />
While various state laws govern many breaches, a healthcare breach falls under federal law—both for providers and their business associates. The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to govern PHI management. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further enforced it. HITECH’s tiered system of fines can cost a company as much as $1.5 million for mishandling a breach.</p>
<p>2. Black market premium<br />
By many estimates, a medical record sells for $50 on the black market, compared to just $1 for a Social Security number (SSN), according to a GovTech.com article. A single breach can be highly lucrative with an average of 49,000 records impacted per incident. This profitability makes it all the more difficult to deter medical breaches and protected health information (PHI) fraud stemming from both internal and external threats.</p>
<p>3. Substantial harm to patients<br />
Ninety percent of healthcare organizations in a recent study agreed that breaches cause patients harm. One example of this is medical identity theft. Another study found that resolving medical identity theft costs victims $20,663, an extrapolated average. Patients with breached PHI may face even worse. They could lose their medical insurance altogether, due to abuse of their benefits by an imposter. And that imposter’s health conditions, blood type, allergies and prescriptions could end up being part of the victim’s medical file. That misinformation could lead to improper medical care, potentially resulting in a life-threatening situation for the victim.</p>
<p>4. High volume of breaches<br />
According to data from the<a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" rel="nofollow" target="_blank" class="broken_link"> Identity Theft Resource Center</a>, the overall volume of breached records increased 35% from 2010 to 2011. Yet, according to HHS data, the volume of breached PHI records increased 97% in the same timeframe. In fact, three of the top six breaches of 2011 were in healthcare, according to the Privacy Rights Clearinghouse. The numbers point to an industry in crisis. Ninety-six percent of providers in a recent study have experienced at least one breach in the past two years.</p>
<p>5. Unprepared entities<br />
The increase in medical breaches comes at a time when entities are updating their offices with both electronic health records (EHR) and mobile devices. Many are doing so without putting the proper security measures and access controls in place first. In a recent study, 81% of healthcare entities reported using mobile devices to “collect, store and/or transmit” PHI but 49% haven’t implemented any protection measures for the devices.</p>
<p>With so many different factors at play in <a title="The RX for medical breaches" href="http://www.experian.com/blogs/data-breach/2012/04/03/the-rx-for-medical-breaches/" target="_blank">healthcare breaches</a>, the sector will continue to be an interesting one to watch. As the HHS promotes greater transferability of EHR, the road ahead may become even rockier.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/04/10/5-differentiating-factors-of-a-healthcare-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Big data can mean big breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 08:20:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1042</guid>
		<description><![CDATA[As companies accumulate vast amounts of data to improve their business intelligence, the risks of data breaches accumulate accordingly.  While organizations are rapidly increasing their ability to store, process and analyze huge amounts of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg"><img class="size-full wp-image-1051 alignnone" title="big-data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg" alt="" width="491" height="369" /></a></p>
<p>As companies accumulate vast amounts of data to improve their business intelligence, the risks of <a title="Consequences following a data breach" href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/" target="_blank">data breaches </a>accumulate accordingly. While organizations are rapidly increasing their ability to store, process and analyze huge amounts of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data can be personal, sensitive and subject to regulation. A recent Forrester report highlights the escalating security threats of this sort of “big data processing,” meaning the tools and techniques that handle extreme data volumes and formats.</p>
<p style="text-align: left;">The report underscores the importance of identifying the “toxic data” within these big data stores &#8211; in other words, the kind of data that will spell big trouble if it slips from an organization’s control.  This includes credit card numbers, <a title="Ensuring the security of personal identifiable information " href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personally identifiable information </a>(PII) like Social Security Numbers, and <a title="Help your customers protect their PHI" href="http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/" target="_blank">personal health information</a> (PHI) — and sensitive intellectual property, including business plans and product designs.  This is, of course, exactly the type of data that hackers and fraudsters are eager to steal.  Further, big data can include information that companies control but don’t own, such as customer and business partner data.  Big data can make a thief’s job easier by concentrating disparate toxic data in one place.</p>
<p style="text-align: left;">Forrester suggests a framework to help security and risk professionals control big data:</p>
<p style="text-align: left;">1) <em>Define the data</em></p>
<p style="text-align: left;">Data discovery locates and indexes big data, while data classification catalogs data to make it easier to control. Classify data based on toxicity, which will determine where it is stored.  Implement strong policies regarding data handling, storage, and records management, which will preclude the storage of sensitive information on laptops and mobile devices.  Security professionals must continuously discover and classify data as users create it throughout the organization’s network.</p>
<p style="text-align: left;">2) <em>Dissect and analyze the data</em></p>
<p style="text-align: left;">Experts can extract important data from big data sets that will help protect corporate assets; in other words, big data can be used to protect big data.  Analyzing this information is helpful in understanding how to protect big data.</p>
<p style="text-align: left;">3) <em>Defend and Protect the data.</em></p>
<p style="text-align: left;">Limit access to all resources, strictly controlling the number of people that can access data and continuously monitoring those users’ access levels throughout their employment.  Inspect data usage patterns so that you can detect potential abuses.  Dispose of data when it’s no longer needed, and “kill” data &#8211; using data abstraction techniques such as <a title="Encryption: Data's best friend" href="http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%E2%80%99s-best-friend/" target="_blank">encryption</a>, tokenization, and masking &#8211; to devalue it for use on the <a title="8 insights to the underground fraud economy" href="http://www.experian.com/blogs/data-breach/2011/05/24/8-insights-into-the-underground-fraud-economy/" target="_blank">underground market</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year of the breach: 2011 in review</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 23:24:20 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=888</guid>
		<description><![CDATA[Several high-profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers' information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers' PII.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg"><img class="aligncenter size-full wp-image-891" title="usb_data_breach_laptop_610" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg" alt="Business person inserting usb into laptop" width="610" height="407" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.  Several high-profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">consumers' information</a> was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers' PII.</p>
<p>More and more entities are now tracking data breach occurrences by:</p>
<ul>
<li>Industry sectors (categories): business, educational, government, medical, financial</li>
<li>Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen. In some cases, discarded paper documents.</li>
<li>Various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published</li>
</ul>
<p>While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (i.e. 10 or 500 minimum).</p>
<p>Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to be those persons whose sensitive <a href="../2011/09/27/ensuring-the-security-of-personal-identifiable-information/">personal identifying information</a> (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers, has been exposed.  How, then, does one account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?</p>
<p>Many <a href="../2011/09/06/how-hackers-find-their-targets/">hacking incidents</a> this past year didn’t target personal identifying information, but instead focused on email addresses, passwords and other pieces of non-sensitive personal information.  The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?  As of now, most state laws do not include non-sensitive personal information as triggers for breach notification; therefore, there is no obligation to report the incident.</p>
<p>&#8220;The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,&#8221; says Lisa Sotto, a managing partner for New York-based law firm Hunton &amp; Williams, in a recent interview with BankInfoSecurity.  &#8220;But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.&#8221;</p>
<p>The challenge, then, for the incident response team is determining if a breach notification is required.  If so, “what happened?”, “who needs to be notified?”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?”  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.</p>
<p>Another important issue to consider in your company’s <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">incident response plan</a> is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data breaches – to prepare or not to prepare? The answer is simple.</title>
		<link>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/#comments</comments>
		<pubDate>Tue, 17 May 2011 16:00:22 +0000</pubDate>
		<dc:creator>pluehr</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[State Law]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=566</guid>
		<description><![CDATA[All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. ]]></description>
			<content:encoded><![CDATA[
<p><em>Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, <a href="http://www.strozfriedberg.com/professionals/xprProfessionalDetails1.aspx?xpST=ProfessionalDetail&amp;professional=11" rel="”nofollow” nofollow" target="_blank" class="broken_link">Stroz Friedberg, LLC</a> - a global digital risk management and investigations firm.</em></p>
<p>All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So <strong>PLAN</strong>, keeping in mind:  <strong><span style="text-decoration: underline;">P</span></strong>eople, the <strong><span style="text-decoration: underline;">L</span></strong>aw, and <strong><span style="text-decoration: underline;">A</span></strong>ction, with <strong><span style="text-decoration: underline;">N</span></strong>o time to waste.</p>
<p><strong><span style="text-decoration: underline;">P</span></strong>eople – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.</p>
<p><strong><span style="text-decoration: underline;">L</span></strong>aw – Track fast-changing data breach laws, privacy regulations, and notification mandates <em>before</em> a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).</p>
<p><strong><span style="text-decoration: underline;">A</span></strong>ction – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.</p>
<p><strong><span style="text-decoration: underline;">N</span></strong>o time to waste – Remember that time is of the essence. <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Once a breach is identified</a>, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  </p>
<p>A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, <strong>create your PLAN now.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Help your customers protect their PHI</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/#comments</comments>
		<pubDate>Tue, 21 Sep 2010 23:15:47 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=138</guid>
		<description><![CDATA[Recently I addressed the importance of having plans in place to protect personal health information in light of the sharp increase in healthcare data breaches.  Unfortunately, research studies are finding that incidents of fraud resulting from exposed healthcare data are on the rise.]]></description>
			<content:encoded><![CDATA[
<p>Recently <span style="text-decoration: underline;"><a href="http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/" target="_blank">I addressed</a></span> the importance of having plans in place to protect personal health information in light of the sharp increase in <a href="http://www.experian.com/data-breach/healthcare-data-breach.html" target="_blank">healthcare data breaches</a>.  Unfortunately, research studies are finding that incidents of fraud resulting from exposed healthcare data are on the rise. A recent Javelin Strategy and Research study noted that fraud resulting from exposed health data has more than doubled over the past year.</p>
<p>This sharp spike is due to the extensive personal information available on an individual’s health record.  According to a recent <span style="text-decoration: underline;"><a href="http://www.rsa.com/solutions/consumer_authentication/intelreport/10947_Online_Fraud_report_0510.pdf" target="_blank" class="broken_link" rel="nofollow">RSA Online Fraud Report</a></span>, the types of fraud that can be committed using full information profiles are limitless. Not only is the individual a potential victim, the healthcare providers, insurers and the pharmaceutical companies are as well.</p>
<p>The RSA Report cites examples where a cybercriminal steals personal health information (PHI) to file false patient claims to an insurer.  A second example includes making false prescription orders to fuel the underground prescription drug trade.  Unfortunately, the consumer whose PHI is being abused may incur damages beyond being a victim of someone stealing their medical information.  Consumers may come under criminal investigation for defrauding the insurer or buying prescriptions illegally.  That doesn’t sound fair, does it?</p>
<p>It is of paramount importance to develop policies to deter and detect <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breach</a> threats.  However, it is of equal importance to keep customers informed of how to <span style="text-decoration: underline;"><a href="http://www.worldprivacyforum.org/hipaa/index.html" target="_blank" class="broken_link" rel="nofollow">protect</a></span> their health privacy themselves. <span style="text-decoration: underline;"><a href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">National Cyber Security Awareness Month</a></span> begins October 1 this year. Please consider informing your clients and customers of how they can <span style="text-decoration: underline;"><a href="http://www.staysafeonline.org" target="_blank" class="broken_link" rel="nofollow">remain safe</a></span> online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do your business associates know how they will be affected by HITECH?</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 23:30:30 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=37</guid>
		<description><![CDATA[Just as the healthcare industry came up to speed on the regulations defined  in The Health Information Technology for Economic and Clinical Health ("HITECH") Act, additional modifications are being proposed. These proposed rules focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs). So why is this significant? ]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-129 alignnone" title="medical doctor" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/medical-doctor.jpg" alt="" width="521" height="260" /></p>
<p>Just as the <a href="http://www.experian.com/data-breach/healthcare-data-breach.html" target="_blank">healthcare industry</a> came up to speed on the <a href="http://www.hipaasurvivalguide.com" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">regulations defined</span></a> in The Health Information Technology for Economic and Clinical Health (&#8220;HITECH&#8221;) Act, additional modifications are being proposed. These <span style="text-decoration: underline;"><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html" target="_blank" class="broken_link" rel="nofollow">proposed rules</a></span> focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs).</p>
<p>So why is this significant? For two reasons. First, combined with the HITECH Act, the new rules will extend the application of certain HIPAA Security and Privacy requirements, and the associated penalties, to business associates.  Second, the proposal expands the definition of BA to include subcontractors who handle health information. Subcontractors would be considered BAs and would be subject to direct liability under the HIPAA rules.</p>
<p>Many provider networks, physician practices and insurance plans work with outside vendors to manage their businesses and patient health information.  Many of these providers are BAs who use subcontractors.  Under the proposed new regulations, these subcontractors must also be HIPAA compliant and follow the HITECH regulations or face penalties. This also means that CEs could be held liable when a BA does not comply.</p>
<p>How well does your company know its business associates…<em>and the businesses that they do business with</em>? As health care organizations expand their operations, it is imperative that due diligence is performed to avoid potential liability stemming from non-compliant vendors.  <a href="http://www.abanet.org/health/esource/Volume5/10/Nosowsky.html" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Some privacy professionals</span></a> feel the best way to prevent liability under the new requirements is to be proactive about adhering to compliance standards.</p>
<p>Companies should consider actively working with their <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">vendors</a> to address the stringent HITECH requirements and ensure that anyone who falls under the BA category is aware of the full implications as they relate to HITECH and HIPAA.  The more proactive you are, the better chance you have of avoiding potentially heavy fines due to the ignorance of a BA that was not aware of the law.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/07/do-your-business-associates-know-how-they-will-be-affected-by-hitech/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Warning: Medical data breaches are on the rise</title>
		<link>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 23:22:15 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=36</guid>
		<description><![CDATA[According to a recent study by the Identity Theft Resource Center, data breaches in the healthcare sector are occurring at a higher rate than in other industries.  The study found that of the 385 data breaches that occurred in the U.S. in the first half of 2010, 30% of those affected were healthcare providers.  In comparison, data breaches reported in banking and other financial institutions for the same time period totaled 10%.

What is the cause of this large discrepancy between industries?]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/Medical-Files-2010-09-07-at-10.40.38-PM.png"><img class="size-full wp-image-58 alignnone" title="Medical Files 2010-09-07 at 10.40.38 PM" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/09/Medical-Files-2010-09-07-at-10.40.38-PM.png" alt="" width="487" height="325" /></a></p>
<p>According to a recent study by the <a href="http://www.idtheftcenter.org/index.html" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Identity Theft Resource Center</span></a>, <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breaches</a> in the healthcare sector are occurring at a higher rate than in other industries.  The study found that of the 385 data breaches that occurred in the U.S. in the first half of 2010, 30% of those affected were healthcare providers.  In comparison, data breaches reported in banking and other financial institutions for the same time period totaled 10%.</p>
<p>What is the cause of this large discrepancy between industries?  According to commentary provided by <a href="http://www.esecurityplanet.com/trends/article.php/3896676/Data-Breaches-Continue-to-Plague-Health-Care-Orgs.htm" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">eSecurity Planet</span></a>, the increase may be due to the many different types of workers who have access to areas in healthcare organizations’ buildings where sensitive data is stored. This unrestricted access provides an opportunity for unauthorized employees to access laptops, USB drives or desktops with sensitive information in areas that are far less secure than those at a bank or other financial institution.</p>
<p>This sharp increase has caught the attention of the US Congress, which is set to approve $1.7 billion to <span style="text-decoration: underline;"><a href="http://www.bloomberg.com/news/2010-08-06/government-fraud-strike-forces-to-expand-under-obama-spending-plans.html" target="_blank" class="broken_link" rel="nofollow">fight healthcare fraud</a></span>. A large portion of that spending will go towards creating fraud “task forces” in up to 20 cities across the U.S. Watchdog groups and patient privacy advocates are also putting pressure on healthcare organizations to protect patients’ medical records and personal information, especially as patient records become digital and are stored by third parties.</p>
<p>Deterring and detecting data breach threats does not happen by chance.  Now more than ever, it is important for healthcare companies to take advantage of proven data security solutions and to develop policies, like those used in other industries, to help protect patient data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/09/07/warning-medical-data-breaches-are-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>