Risk
4/24/2012
09:15 AM
Connect Directly
RSS
E-Mail
50%
50%

2 Medicaid Data Breaches, 1 Weak Link: Employees

Second data breach at a state Medicaid agency in less than a month shows need to limit employee access to confidential data, regardless of other security procedures.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
For the second time in less than a month, there has been a major data security breach at a state Medicaid agency. The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state's Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach. Christopher Lykes Jr. of Swansea, Ga., has been arrested and charged with the offense, according to South Carolinian website The State.com.

Just a few weeks ago, hackers broke into a server at the Utah Department of Technology Services and stole Medicaid records of 780,000 people. Of those, about 280,000 had their Social Security numbers compromised. Less-sensitive personal information on an additional 500,000 individuals, including names, addresses, dates of birth, and diagnostic codes, also was stolen.

In the South Carolina case, the compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

To address the possibility of identity theft, SCDHHS is offering a free year of identity protection services to every affected individual. The service, provided by Experian, includes a free credit report, daily credit monitoring, and a $1 million identify theft insurance policy. In addition, the department has created a website and a toll-free number to answer the questions of affected beneficiaries.

Meanwhile, the SCDHHS announcement said, the department is impounding all files and computers where the compromised information might have been stored; has frozen access for much of its staff to software that allows the aggregation of personally identifiable information; and has hired an external IT security firm to conduct a risk assessment of its data and IT systems security.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

"Standard Web browsers contain critical security gaps that create significant risks to organizations' confidential data, and online resources like webmail and social networking sites can be open windows for data leakage," he said. "A careless or malicious employee can easily steal company trade secrets, intellectual property, or leak sensitive customer information."

Employees can access such information regardless of whether their organization uses an on-premises server or a remote server. But organizations, including healthcare providers, are increasingly using browsers to link together multiple sites and provide mobile access to systems, Morrow noted.

Moreover, many healthcare organizations are moving toward the use of cloud-based applications that are accessed over the Internet. In a recent Harris Interactive survey, nearly 60% of CIOs in healthcare systems that had an EHR and a health information exchange said they planned to invest in "cloud-based open systems." Storage and retrieval of medical imaging data in the cloud also is becoming widespread.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls "hardened browsers," which are available from several vendors. Such a viewing platform allows organizations to limit the aggregation of data and to specify which data can be saved, printed or transferred, and how, he noted.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees' need to use data and a security policy that prevents unauthorized movement of confidential information.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 1:16:02 AM
re: 2 Medicaid Data Breaches, 1 Weak Link: Employees
Thankfully, these organizations are catching these breaches.

However, wouldn't it be better in the first place if these breaches never took place? What act/failure to act allowed these breaches to take place? I get the strong feeling that both organizations are going to be in the market for IT security resources in the very near future.

What is the final impact of these two breaches? How much money is this going to cost the taxpayers of Utah and South Carolina (and possibly the US, if any Federal funds are used to clean up this mess)?

At least South Carolina seems to be stepping up and working to protect those who were subject to the breach.

The more that these organizations move to make their EHRs (data) available everywhere, the more surface area that attackers have to work with. I'm sure there's a business opportunity there for someone who's willing to step up and take on the task of making these things more secure.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.