Risk

3/5/2012
02:52 PM

5 Steps To Assess Health Data Breach Risks

New report delves into the threats healthcare providers face for potential patient data breaches, and provides steps and tools to help assess those risks.

Health Data Security: Tips And Tools

A new report outlines the financial costs of breaches of protected health data--and offers a five-step method for healthcare providers of any size to assess their risk.

In the last two years, the protected health information (PHI) of 18 million Americans was breached electronically, according to "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," a collaborative research effort by more than 70 healthcare providers, payers, legal firms, security products and services firms, and other organizations. During that time, about 66% of healthcare data breaches involved lost or stolen devices, such as mobile devices and laptop computers. Still, the biggest threats "are not hackers ... but professional, well-financed and often state-supported" cybercriminals, said Larry Clinton, president of the Internet Security Alliance, a cybersecurity trade association that participated in the research project.

The overwhelming theme of the report's findings was that the healthcare system is founded on patients' trust that their medical information is private and secure. Unfortunately, although electronic health records are a "game changer" for improving access to patient information for better-coordinated, higher-quality care, they also expose millions of patient records to cybercriminals, said Joe Bhatia, president and CEO of the American National Standards Institute (ANSI), another research participant, during a teleconference discussing the report.


"Now [trust] will be severely tested as more healthcare providers adopt e-health records," making PHI increasingly vulnerable to loss, theft, and disclosure, he said. Breaches of healthcare data are expensive for affected providers, given potential regulatory fines, lawsuits, and settlements, but they also have serious clinical, operational, and reputational repercussions.

For patients, breaches are potentially damaging for several reasons: they can destroy individuals' trust in their providers, expose highly personal information to unauthorized access and distribution, create safety risks in care if health data is altered, and lead to identity theft.

The research aims to give healthcare business leaders a clearer understanding of what's at risk when healthcare data is breached, and to provide tools that help health IT leaders (CIOs, chief security officers, and compliance teams) assess their organizations' potential risks and the impact of health data privacy and security violations.

To help healthcare leaders better assess their risks, the researchers created a five-step methodology that includes an estimator tool. The free tool, included with the report, predicts an organization's overall potential data breach costs and the level of investment needed to remediate privacy and security vulnerabilities and reduce the chance of a breach.

Protecting health data isn't just a technology issue; it also involves people, policies, and procedures, said Lynda Martel, director of privacy compliance communication at DriveSavers Data Recovery, a security services firm.

The five steps are: conduct a risk assessment; determine a security readiness score; assess the relevance of a cost; determine a breach's impact; and calculate the total cost of a breach.

The methodology can be used by healthcare providers of any size, from large hospitals to small physician practices, said the researchers. Providers would take into consideration the number of patient records, where the records are stored, how they're shared, who has access to the data, and other factors.

"When it comes to cybersecurity, we all have a role," said White House cybersecurity coordinator Howard Schmidt during the teleconference discussing the report.

Those with a responsibility to protect health data include clinicians at the point of care; payers; clinical support organizations such as labs and pharmacies; business associates, including pharmacy benefit managers and other administrators; IT services firms, such as software services, cloud computing, and outsourcing firms; and other players, including law firms and consulting firms.

The cost "on the street" of a stolen medical record is $50, versus about $1 for a stolen Social Security record, said Catherine Allen, CEO of the Santa Fe Group, a consulting firm that contributed to the report. "This is very valuable data," she said. And while HIPAA fines from the federal government can range up to $1 million annually for an organization that has a breach, lawsuit settlements involving patients affected by those violations "are in the $20 million range," said Jim Pyles, an attorney and principal of the law firm Powers Pyles Sutter & Verville, during the teleconference.
