3/5/2012
02:52 PM
5 Steps To Assess Health Data Breach Risks

New report delves into the threats healthcare providers face for potential patient data breaches, and provides steps and tools to help assess those risks.

Health Data Security: Tips And Tools

A new report outlines the financial costs of breaches of protected health data--and offers a five-step method for healthcare providers of any size to assess their risk.

In the last two years, the protected health information (PHI) of 18 million Americans was breached electronically, according to "The Financial Impact of Breached Protected Health Information—A Business Case for Enhanced PHI Security," a collaborative research effort by more than 70 healthcare providers, payers, legal firms, security products and services firms, and other organizations. During that time, about 66% of healthcare data breaches involved lost or stolen devices, such as mobile devices and laptop computers. Still, the biggest threats "are not hackers…but professional, well financed and often state supported" cybercriminals, said Larry Clinton, president of Internet Security Alliance, a cybersecurity trade association that participated in the research project.

The overwhelming theme of the report's findings was that the healthcare system is founded on patients' trust that their medical information is private and secure. Unfortunately, although electronic health records are a "game changer" for improving access to patient information for better-coordinated, quality care, they also expose millions of patient records to cybercriminals, said Joe Bhatia, president and CEO of the American National Standards Institute (ANSI), another research participant, during a teleconference discussing the report.


"Now [trust] will be severely tested as more healthcare providers adopt e-health records," making PHI increasingly vulnerable to loss, theft, and disclosure, he said. Breaches of healthcare data are not only financially expensive for the affected providers, because of potential regulatory fines, lawsuits, and settlements, but also have serious clinical, operational, and reputational repercussions.

For patients, the breaches are also potentially damaging for a number of reasons: loss of trust in their providers, unauthorized access to and distribution of highly personal information, safety risks in care if health data is altered, and identity theft.

The research aims to give healthcare business leaders a clearer understanding of what's at risk when healthcare data is breached, and to provide tools that help health IT leaders--CIOs, chief security officers, and compliance teams--assess their organizations' potential risks and the impact of health data privacy and security violations.

To help healthcare leaders better assess their risks, the researchers created a five-step methodology that includes an estimator tool. The free tool, included with the report, estimates an organization's overall potential data breach costs and the level of investment appropriate to remediate privacy and security vulnerabilities and reduce the chance of a breach.

Protecting health data isn't only a technology issue; it also involves people, policies, and procedures, said Lynda Martel, director of privacy compliance communication at DriveSavers Data Recovery, a security services firm.

The five steps are: conduct a risk assessment; determine a security readiness score; assess the relevance of a cost; determine a breach's impact; and calculate the total cost of a breach.

The methodology can be used by healthcare providers of any size, from large hospitals to small physician practices, said the researchers. Providers would take into account the number of patient records, where the records are stored, how they're shared, who has access to the data, and other factors.

"When it comes to cybersecurity, we all have a role," said White House cybersecurity coordinator Howard Schmidt during the teleconference discussing the report.

Those with a responsibility to protect health data include clinicians at the point of care; payers; clinical support organizations such as labs and pharmacies; business associates, including pharmacy benefit managers and other administrators; IT services firms, such as software services, cloud computing, and outsourcing firms; and other players, including law firms and consulting firms.

The cost "on the street" of a stolen medical record is $50, versus about $1 for a stolen Social Security record, said Catherine Allen, CEO of the Santa Fe Group, a consulting firm that contributed to the report. "This is very valuable data," she said. And while HIPAA fines from the federal government can range up to $1 million annually for an organization that has a breach, lawsuit settlements involving patients affected by those violations "are in the $20 million range," said Jim Pyles, an attorney and principal of law firm Powers Pyles Sutter & Verville, during the teleconference.
