Risk
4/24/2012
09:15 AM
50%
50%

2 Medicaid Data Breaches, 1 Weak Link: Employees

Second data breach at a state Medicaid agency in less than a month shows need to limit employee access to confidential data, regardless of other security procedures.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
For the second time in less than a month, there has been a major data security breach at a state Medicaid agency. The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state's Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach. Christopher Lykes Jr. of Swansea, Ga., has been arrested and charged with the offense, according to South Carolinian website The State.com.

Just a few weeks ago, hackers broke into a server at the Utah Department of Technology Services and stole Medicaid records of 780,000 people. Of those, about 280,000 had their Social Security numbers compromised. Less-sensitive personal information on an additional 500,000 individuals, including names, addresses, dates of birth, and diagnostic codes, also was stolen.

In the South Carolina case, the compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

To address the possibility of identity theft, SCDHHS is offering a free year of identity protection services to every affected individual. The service, provided by Experian, includes a free credit report, daily credit monitoring, and a $1 million identify theft insurance policy. In addition, the department has created a website and a toll-free number to answer the questions of affected beneficiaries.

Meanwhile, the SCDHHS announcement said, the department is impounding all files and computers where the compromised information might have been stored; has frozen access for much of its staff to software that allows the aggregation of personally identifiable information; and has hired an external IT security firm to conduct a risk assessment of its data and IT systems security.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

"Standard Web browsers contain critical security gaps that create significant risks to organizations' confidential data, and online resources like webmail and social networking sites can be open windows for data leakage," he said. "A careless or malicious employee can easily steal company trade secrets, intellectual property, or leak sensitive customer information."

Employees can access such information regardless of whether their organization uses an on-premises server or a remote server. But organizations, including healthcare providers, are increasingly using browsers to link together multiple sites and provide mobile access to systems, Morrow noted.

Moreover, many healthcare organizations are moving toward the use of cloud-based applications that are accessed over the Internet. In a recent Harris Interactive survey, nearly 60% of CIOs in healthcare systems that had an EHR and a health information exchange said they planned to invest in "cloud-based open systems." Storage and retrieval of medical imaging data in the cloud also is becoming widespread.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls "hardened browsers," which are available from several vendors. Such a viewing platform allows organizations to limit the aggregation of data and to specify which data can be saved, printed or transferred, and how, he noted.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees' need to use data and a security policy that prevents unauthorized movement of confidential information.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 1:16:02 AM
re: 2 Medicaid Data Breaches, 1 Weak Link: Employees
Thankfully, these organizations are catching these breaches.

However, wouldn't it be better in the first place if these breaches never took place? What act/failure to act allowed these breaches to take place? I get the strong feeling that both organizations are going to be in the market for IT security resources in the very near future.

What is the final impact of these two breaches? How much money is this going to cost the taxpayers of Utah and South Carolina (and possibly the US, if any Federal funds are used to clean up this mess)?

At least South Carolina seems to be stepping up and working to protect those who were subject to the breach.

The more that these organizations move to make their EHRs (data) available everywhere, the more surface area that attackers have to work with. I'm sure there's a business opportunity there for someone who's willing to step up and take on the task of making these things more secure.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.