A Washington woman searching the Web for information about a deceased friend was taken aback. There in plain view were her late friend's medical records.
It was the tip of the iceberg.
It turns out that employees for a billing contractor doing business with some 40 to 60 hospitals nationwide had inadvertently left a firewall down while transferring data from one server to another. While the firewall was down, Google indexed the data. Ultimately, that single IT error resulted in security breaches at five different hospitals across the country, exposing some 90,000 patient records.
This article looks at how the rise in data security breaches is a wake-up call for the healthcare industry. It then considers the steps healthcare providers can take to protect their data and so avoid financial loss, preserve brand reputation, and demonstrate regulatory compliance.
Although healthcare providers have more security measures in place today than ever before, the number of data breaches continues to rise. Indeed, data breaches involving sensitive information have become almost a regular occurrence. A cursory search of DataLossDB, an online archive of information about data breaches involving personally identifying information, reveals the following healthcare-related breaches in the last few weeks alone:
- 8/7/08, at a county hospital in Texas: Financial and medical information of 1,200 patients downloaded to a flash drive that was later reported missing
- 8/1/08, at a hospital in the UK: Personal information of 1,581 patients on a stolen laptop
- 7/29/08, at a health care provider in Georgia: 202,000 people notified about letters containing personal and medical information sent to wrong addresses
- 7/24/08, at a regional medical center in Nevada: 128,000 people notified about possible database intrusion
- 7/19/08, at a veterans home in Minnesota: Stolen server contains Social Security numbers, addresses, and medical information for 336 residents.
- 7/18/08, at an infirmary in the UK: Names, addresses, and patient details of 89 patients were on a stolen laptop
- 7/7/08, at a health care agency in Florida: Names, addresses, birth dates, driver licenses, and Social Security numbers of 55,000 organ donors exposed.
Why such a rash of security breaches? Primarily it has to do with where the breaches are coming from.
While securing the network from outside attack was the #1 data security priority just a few years ago, today the majority of threats come from inside, and they're generally attributable to faulty business processes and employee oversight. In fact, Symantec estimates that 96% of all data leaks are inadvertent and less than 1% are malicious.
That's a major shift.
Consider: According to a recent Vontu/Forrester Consulting survey, one out of every two companies has lost data on USB drives. And a Vontu/Ponemon Institute survey found that four out of five companies have lost data on laptops.
To protect their infrastructures, most healthcare providers today rely on antivirus software, firewalls, intrusion protection, and other measures. While these are important parts of a layered defense, they're not enough for today's threats. For example, they wouldn't be able to prevent an instance of medical identity theft. Instead, healthcare providers need to focus on the critical information itself and protect it.
What does it mean to focus on the information? It means having answers to the following questions:
- Where is my confidential data? The answer might surprise you. Data can be in many places – some you expect and some you don't. Has confidential data been copied to a local disk? Is it posted on a network share?
- How is it used? Is it sent via email by a doctor to a referring doctor to consult on a patient? Is it copied on a USB disk to take home for work? Is it being sent to an outsourced transcription service?
- How are policies enforced? Can you apply them to everyone – inside and outside of the hospital, staff, contractors, and volunteers? Are policies automatically enforced? How do you compile information on compliance or report breaches?
Think about how a typical hospital's network is continually exposed nowadays. To keep up with end-user demands, IT administrators are enabling more mechanisms that allow connections to the network. For their part, end users want to be productive no matter where they are; they also want to do business with the hospital's partners. As a result, IT administrators must strike a difficult balance between providing the right amount of access to the network for the sake of productivity and keeping the network secure.
Of course, there's a third piece to the puzzle. Healthcare providers also face a constantly changing regulatory landscape.
Today, healthcare providers must operate in a landscape of regulations imposed by a wide variety of organizations: federal, state, and even local governments, accrediting bodies, and regional health organizations. The Health Insurance Portability and Accountability Act (HIPAA) security and privacy provisions and the standards promulgated by the Joint Commission on Accreditation of Healthcare Organizations represent the most significant standards healthcare providers face.
When the U.S. Department of Health and Human Services (HHS) initiated an audit of Atlanta's Piedmont Hospital in March 2007, it was the first of its kind related to the data security requirements of HIPAA. The move immediately raised concerns in the healthcare industry about the prospect of more enforcement actions.
In fact, HHS, which oversees HIPAA compliance, has contracted with the firm PricewaterhouseCoopers to conduct surprise audits of hospitals this year. HHS has stated publicly that the first 10 or so reviews will be at hospitals where complaints about security have been made.
Healthcare providers must also comply with Payment Card Industry Data Security Standards (PCI DSS) since they accept credit cards for payments. Sarbanes-Oxley regulations also pose compliance challenges, while many regional organizations face a patchwork of regulations that change from jurisdiction to jurisdiction.
Symantec believes healthcare providers can best control their own destiny in an environment of increasing data breaches and ever-changing regulations by developing and deploying a comprehensive compliance program. Best practices suggest that such a program should move beyond the deployment of piecemeal technology solutions, each designed to satisfy one particular regulation, to an approach that integrates technology tools with policies. Key elements of such an approach include:
- Defining the parameters of the compliance program, including regulations requiring compliance, provider's risk categories, and policies it must implement. Developing specific, actionable policies can be difficult. That's where teaming with a trusted advisor who brings substantial experience in compliance issues and a comprehensive perspective on information security can reap dividends.
- Automating compliance by mapping policies to multiple frameworks, standards, and regulations. For instance, a network of hospitals in California would need to map its policies to HIPAA, California requirements such as SB1386, and the relevant provisions of the Joint Commission Accreditation Manual, as well as other accrediting organizations.
- Self-auditing, automatic generation of enterprise-wide metrics, and comprehensive reporting to appropriate authorities. The latest generation of tools includes dashboard style screens that provide at-a-glance information to C-level information security personnel while still being capable of generating the detailed reports required by regulators.
The rise in data security breaches is a wake-up call for healthcare providers, who at the same time are also grappling with constantly changing regulations. By taking steps now to protect sensitive data, healthcare providers will be in a better position to avoid financial loss, protect brand reputation, and demonstrate regulatory compliance.