

5 Steps To Assess Health Data Breach Risks

New report delves into the threats healthcare providers face for potential patient data breaches, and provides steps and tools to help assess those risks.

[Image: Health Data Security: Tips And Tools]

A new report outlines the financial costs of breaches of protected health data--and offers a five-step method for healthcare providers of any size to assess their risk.

In the last two years, the protected health information (PHI) of 18 million Americans was breached electronically, according to "The Financial Impact of Breached Protected Health Information—A Business Case for Enhanced PHI Security," a collaborative research effort by more than 70 healthcare providers, payers, legal firms, security product and services firms, and other organizations. During that time, about 66% of healthcare data breaches involved lost or stolen devices, such as mobile devices and laptop computers. Still, the biggest threats "are not hackers ... but professional, well financed and often state supported" cybercriminals, said Larry Clinton, president of Internet Security Alliance, a cybersecurity trade association that participated in the research project.

The overwhelming theme of the report's findings was that the healthcare system is founded on patients' trust that their medical information is private and secure. Unfortunately, although electronic health records are a "game changer" for improving access to patient information for better-coordinated, quality care, they also expose millions of patient records to cybercriminals, said Joe Bhatia, president and CEO of the American National Standards Institute (ANSI), another research participant, during a teleconference discussing the report.


"Now [trust] will be severely tested as more healthcare providers adopt e-health records," making PHI increasingly vulnerable to loss, theft, and disclosure, he said. Breaches of healthcare data are not only financially expensive for the affected healthcare providers, because of potential regulatory fines, lawsuits, and settlements, but also have serious clinical, operational, and reputational repercussions for those organizations.

For patients, breaches are potentially damaging in several ways: they can destroy individuals' trust in their providers; they expose highly personal information to unauthorized access and distribution; they create safety risks in care if health data is altered; and they enable identity theft.

The research aims to provide healthcare business leaders with a clearer understanding of what's at risk when healthcare data is breached, and also provide tools to help health IT leaders--CIOs, chief security officers, and compliance teams--to assess their organizations' potential risks and the impact of health data privacy and security violations.

To help healthcare leaders better assess their risks, the researchers created a five-step methodology that includes an estimator tool. The free tool, included with the report, predicts the overall potential cost of a data breach and the level of investment needed to remediate privacy and security vulnerabilities and reduce the chance of a breach incident.

Protecting health data isn't only a technology issue; it also involves people, policies, and procedures, said Lynda Martel, director of privacy compliance communication at DriveSavers Data Recovery, a security services firm.

The five steps are: conduct a risk assessment; determine a security readiness score; assess the relevance of a cost; determine a breach's impact; and calculate the total cost of a breach.

The methodology can be used by healthcare providers of any size, from large hospitals to small physician practices, said the researchers. The healthcare providers would take into consideration the number of patient records, where the records are stored, how they're shared, who has access to the data, and other factors.

"When it comes to cybersecurity, we all have a role," said White House cybersecurity coordinator Howard Schmidt during the teleconference discussing the report.

Those with a responsibility to protect health data include clinicians at the point of care; payers; clinical support organizations such as labs and pharmacies; business associates, including pharmacy benefit managers and other administrators; IT services firms, such as software services, cloud computing, and outsourcing firms; and other players, including law firms and consulting firms.

The cost "on the street" of a stolen medical record is $50, versus about $1 for a stolen Social Security record, said Catherine Allen, CEO of the Santa Fe Group, a consulting firm that contributed to the report. "This is very valuable data," she said. And while HIPAA fines from the federal government can range up to $1 million annually for an organization that has a breach, lawsuit settlements involving patients affected by those violations "are in the $20 million range," said Jim Pyles, an attorney and principal of the law firm Powers Pyles Sutter & Verville, during the teleconference.

