Risk
3/5/2012
02:52 PM
50%
50%

5 Steps To Assess Health Data Breach Risks

New report delves into the threats healthcare providers face for potential patient data breaches, and provides steps and tools to help assess those risks.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)

A new report outlines the financial costs of breaches of protected health data--and offers a five-step method for healthcare providers of any size to assess their risk.

In the last two years, the protected health information (PHI) of 18 million Americans was breached electronically, according to "The Financial Impact of Breached Protected Health Information—A Business Case for Enhanced PHI Security," a collaborative research effort by more than 70 healthcare providers, payers, legal firms, security products, services firms, and other organizations. During that time, about 66% of healthcare data breaches have involved lost or stolen devices, such as mobile devices and laptop computers. Still, the biggest threats,"are not hackers….but professional, well financed and often state supported" cybercriminals, said Larry Clinton, president of Internet Security Alliance, a cybersecurity trade association that participated in the research project.

The overwhelming theme of the report's findings was that the healthcare system is founded on patients' trust that their medical information is private and secure. Unfortunately, although electronic health records are a "game changer" for improving access to patient information for better-coordinated, quality care, they also expose millions of patient records to cybercriminals, said Joe Bhatia, president and CEO of the American National Standard Institute (ANSI), another research participant, during a teleconference discussing the report.

[ Apathy, not security concerns, stop people from taking advantage of EHRs, says Paul Cerrato. See Why Personal Health Records Have Flopped. ]

"Now [trust] will be severely tested as more healthcare providers adopt e-health records," making PHI increasingly vulnerable to loss, theft, disclosure, he said. Breaches of healthcare data are not only expensive to affected healthcare providers financially due to potential regulatory fines, lawsuits and settlements, but also have great repercussions clinically, operationally and on organizations' reputations.

For patients, the breaches also are potentially damaging for a number of reasons, ranging from possibly destroying individuals' trust in their providers; unauthorized access and distribution of highly personal information; safety risks in care if health data is altered; to identity theft.

The research aims to provide healthcare business leaders with a clearer understanding of what's at risk when healthcare data is breached, and also provide tools to help health IT leaders--CIOs, chief security officers, and compliance teams--to assess their organizations' potential risks and the impact of health data privacy and security violations.

To help healthcare leaders better assess their risks, the researchers created a five-step methodology that includes an estimator tool. The free tool, included with the report, predicts overall potential data breach costs, and appropriate level of investment needed to improve privacy and security vulnerabilities to reduce the chance of a breach incident.

Protecting health data isn't a technology issue, but also involves people, policies, and procedures, said Lynda Martel, director of privacy compliance communication at DriveSavers Data Recovery, a security services firm.

The five steps are: conduct a risk assessment; determine a security readiness score; assess the relevance of a cost; determine a breach's impact; and calculate the total cost of a breach.

The methodology can be used by healthcare providers of any size, including large hospitals to small physician practices, said the researchers. The healthcare providers would take into consideration the number of patient records, where the records are stored, how they're shared, who has access to data, and other factors.

"When it comes to cybersecurity, we all have a role," said White House cybersecurity coordinator Howard Schmidt during the teleconference discussing the report.

Among those that have a responsibility to protect health data include clinicians at the point care; payers; clinical support organizations like labs and pharmacies; business associates including pharmacy benefit managers and other administrators; IT services firms such as software services, cloud computing and outsourcing firms; and other players, including law firms and consulting firms.

The cost "on the street" of a stolen medical record is $50, versus about $1 for a stolen social security records, said Catherine Allen, CEO of the Santa Fe Group, a consulting firm that contributed to the report. "This is very valuable data," she said. And while HIPAA fines from the federal government can range up to $1 million annually for an organization that has a breach, lawsuit settlements involving patients affected by those violations "are in the $20 million range," said Jim Pyles, an attorney and principal of law firm Power Pyles Sutter & Versville, during the teleconference.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0547
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0548
Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0551
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

CVE-2015-1966
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

CVE-2015-4196
Published: 2015-07-04
Platform Software before 4.4.5 in Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password for a privileged account, which allows remote attackers to obtain root access by leveraging knowledge of this password and entering it in an SSH session, aka Bug ID CSCuq45546.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report