Risk
4/24/2012
2 Medicaid Data Breaches, 1 Weak Link: Employees

Second data breach at a state Medicaid agency in less than a month shows need to limit employee access to confidential data, regardless of other security procedures.

[Image: Health Data Security: Tips And Tools]
For the second time in less than a month, there has been a major data security breach at a state Medicaid agency. The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state's Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach. Christopher Lykes Jr. of Swansea, Ga., has been arrested and charged with the offense, according to South Carolinian website The State.com.

Just a few weeks ago, hackers broke into a server at the Utah Department of Technology Services and stole Medicaid records of 780,000 people. Of those, about 280,000 had their Social Security numbers compromised. Less-sensitive personal information on an additional 500,000 individuals, including names, addresses, dates of birth, and diagnostic codes, also was stolen.

In the South Carolina case, the compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.


To address the possibility of identity theft, SCDHHS is offering a free year of identity protection services to every affected individual. The service, provided by Experian, includes a free credit report, daily credit monitoring, and a $1 million identity theft insurance policy. In addition, the department has created a website and a toll-free number to answer the questions of affected beneficiaries.

Meanwhile, the SCDHHS announcement said, the department is impounding all files and computers where the compromised information might have been stored; has frozen access for much of its staff to software that allows the aggregation of personally identifiable information; and has hired an external IT security firm to conduct a risk assessment of its data and IT systems security.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

"Standard Web browsers contain critical security gaps that create significant risks to organizations' confidential data, and online resources like webmail and social networking sites can be open windows for data leakage," he said. "A careless or malicious employee can easily steal company trade secrets, intellectual property, or leak sensitive customer information."

Employees can access such information regardless of whether their organization uses an on-premises server or a remote server. But organizations, including healthcare providers, are increasingly using browsers to link together multiple sites and provide mobile access to systems, Morrow noted.

Moreover, many healthcare organizations are moving toward the use of cloud-based applications that are accessed over the Internet. In a recent Harris Interactive survey, nearly 60% of CIOs in healthcare systems that had an EHR and a health information exchange said they planned to invest in "cloud-based open systems." Storage and retrieval of medical imaging data in the cloud also is becoming widespread.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls "hardened browsers," which are available from several vendors. Such a viewing platform allows organizations to limit the aggregation of data and to specify which data can be saved, printed or transferred, and how, he noted.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees' need to use data and a security policy that prevents unauthorized movement of confidential information.
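The two controls the article describes, a cap on how much personally identifiable information one account may aggregate and a policy on which actions may move records and where, can be checked mechanically against an export audit trail. The following is an added example written for this page; it is not code from the article, SCDHHS, or any vendor's hardened browser. The event format, role names, thresholds, domains and sample events are all assumptions, constructed here to show how a transfer of tens of thousands of beneficiary records to a personal webmail address would surface.

```python
"""Export-control policy check over constructed data-access audit events.

Added example (not from the article or any product). Models two controls:
a per-role policy on which export actions are permitted and how many records
a single export may contain, and a daily cap on how many records one account
may aggregate across all exports. Every name and number below is assumed.
"""
from collections import defaultdict

# Constructed sample audit events: (user, action, record_count, destination).
# The analyst1 rows model the scenario the article describes: bulk records
# e-mailed to a personal webmail account.
SAMPLE_EVENTS = [
    ("jdoe",     "view",  1,     "-"),
    ("jdoe",     "print", 12,    "printer-03"),
    ("jdoe",     "email", 5,     "peer@agency.sc.gov"),   # role may not e-mail records
    ("analyst1", "save",  500,   "fileserver/reports"),
    ("analyst1", "email", 40000, "someone@gmail.com"),
    ("analyst1", "email", 60000, "someone@gmail.com"),
    ("clerk2",   "email", 30,    "colleague@agency.sc.gov"),
]

# Assumed user-to-role mapping (hypothetical).
ROLES = {"jdoe": "caseworker", "analyst1": "analyst", "clerk2": "clerk"}

# Assumed policy: role -> {action: max records per single export}.
# An action missing from a role's map is not permitted for that role at all.
POLICY = {
    "caseworker": {"view": 1, "print": 25},
    "analyst":    {"view": 1, "save": 1000, "email": 100},
    "clerk":      {"view": 1, "email": 50},
}
DAILY_AGGREGATION_LIMIT = 5000          # assumed cap on records per user per day
ALLOWED_EMAIL_DOMAINS = {"agency.sc.gov"}  # assumed internal mail domain


def email_domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate(events, roles=ROLES, policy=POLICY,
             daily_limit=DAILY_AGGREGATION_LIMIT,
             allowed_domains=ALLOWED_EMAIL_DOMAINS):
    """Return a list of (user, action, reason) alerts for policy violations."""
    alerts = []
    aggregated = defaultdict(int)   # records moved per user so far today
    aggregation_flagged = set()     # users already alerted on the daily cap
    for user, action, count, dest in events:
        role = roles.get(user)
        limits = policy.get(role, {})
        if action not in limits:
            alerts.append((user, action, f"action not permitted for role {role}"))
            continue
        if count > limits[action]:
            alerts.append((user, action,
                           f"{count} records exceeds per-export cap {limits[action]}"))
        if action == "email" and email_domain(dest) not in allowed_domains:
            alerts.append((user, action, f"external destination {dest}"))
        if action != "view":
            # Every non-view action moves records; count it toward aggregation.
            aggregated[user] += count
            if aggregated[user] > daily_limit and user not in aggregation_flagged:
                aggregation_flagged.add(user)
                alerts.append((user, action,
                               f"daily aggregation {aggregated[user]} exceeds {daily_limit}"))
    return alerts


def flagged_users(events):
    """Set of users with at least one alert; a starting point for access freezes."""
    return {user for user, _, _ in evaluate(events)}


if __name__ == "__main__":
    for user, action, reason in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {user:10} {action:6} {reason}")
    print("flag for access review:", sorted(flagged_users(SAMPLE_EVENTS)))
```

The per-role caps are where the balance the article mentions is struck: an analyst who legitimately needs to save a report is still allowed to, while a single e-mail of tens of thousands of records trips the per-export cap, the destination check and the aggregation cap at once, each of which is independently actionable for the security team.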


Comments
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 1:16:02 AM
re: 2 Medicaid Data Breaches, 1 Weak Link: Employees
Thankfully, these organizations are catching these breaches.

However, wouldn't it be better in the first place if these breaches never took place? What act/failure to act allowed these breaches to take place? I get the strong feeling that both organizations are going to be in the market for IT security resources in the very near future.

What is the final impact of these two breaches? How much money is this going to cost the taxpayers of Utah and South Carolina (and possibly the US, if any Federal funds are used to clean up this mess)?

At least South Carolina seems to be stepping up and working to protect those who were subject to the breach.

The more that these organizations move to make their EHRs (data) available everywhere, the more surface area that attackers have to work with. I'm sure there's a business opportunity there for someone who's willing to step up and take on the task of making these things more secure.

Andrew Hornback
InformationWeek Contributor