Because of the migration to the digital world, new risks around data management must be understood. In a recent article, we discussed how the top three recent data breaches affected about 1.3 million people. Even so, many organizations forget that not all data breach points occur in the “high-tech” world. An unlocked door or a misplaced backup disk can result in a data breach.
In the past, if a file or two were stolen, the impact of the breach could still be limited. Now, with a single server potentially housing thousands of patient records, modern-day healthcare data breaches have huge implications.
In the past few months alone – we’ve already seen more healthcare data become compromised:
- University of Virginia alerts 18,700 students of data breach
- Cedars-Sinai experiences celebrity patient data breach
- Long Beach Memorial Medical Center announces data breach
- Texas Health Harris Methodist Hospital reports data breach
- Office of the Medicaid Inspector General reports N.Y. breach
Healthcare organizations must stay ahead of the competition and using technology is a big way of doing so. Problems arise when new security measures are applied to modern platforms, but old infrastructure is forgotten about. In looking at today’s healthcare data breach landscape, it’s important to understand where these security holes are, what they mean to individual healthcare organizations and what can be done to prevent a breach from happening.
How a breach can happen
There are many ways that a data breach can actually occur. Believe it or not – not a single “high-tech” method really needs to be applied when we look at some of the biggest healthcare breaches. Let’s take a look at the top three recent healthcare data breach reports.
Number affected: About 780,000
What happened: A weak password policy was in effect on a network server.
Number affected: About 315,000
What happened: 10 backup disks went missing due to an unlocked storage facility door.
Number affected: About 230,000
What happened: 17 Excel spreadsheets were illegally copied.
To drive home the point, another recent data breach shows that modern healthcare IT organizations must also focus on data outside of their data center and server platform. As reported in a recent article, Texas Health Harris Methodist Hospital Fort Worth has put up a notice on its website titled “Microfiche Incident” in which it explains to patients how on May 11 a portion of the microfiche meant to be destroyed by its paper-shredding vendor, Shred-it, was found in a park. This microfiche data contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and in some instances Social Security numbers.
These four fairly major examples show that basic security policies are being ignored when dealing with non-technology-related data points. Unlocked doors, poor passwords, unsecured end-points and microfiche can still result in very serious data loss.
This part is always one of the most difficult. Even when a couple hundred records are compromised, it may take a long time to hear the announcement and learn of the remediation process (or sometimes there may be none at all). Although, in some cases, the data breach itself might not cause a lot of damage, the ensuing process of reporting, alerting patients and documentation can be extremely costly.
The announcement: Once a breach is identified, if the breach involves more than 500 individuals, the organization must make the announcement and alert the media. This is never an easy task and can be quite damaging. Regardless of size, however, notifications have to go out to the patients that were affected.
The coverage: This is not good PR. No hospital or healthcare organization wants to be in the news because of a data breach, unless it directly helped prevent one. This is bad press and leads to very bad publicity.
The fallout: Depending on the size of the breach, the reporting, analysis and review of the situation can be quite damaging. Remember, the fallout after a data breach can have horrible ramifications for a healthcare organization’s image and reputation. Furthermore, large healthcare data breaches can have large monetary implications as well. The 2011 Tricare Management Activity data breach resulted in about 4.9 million records being compromised. Who was affected in this instance? The United States Military and the Defense Department. In what is believed to be one of the largest healthcare data breaches on record, the ensuing class-action lawsuit seeks $4.9 billion in damages. Basically, $1,000 for each compromised record or victim.
Remediation: Once a breach happens, healthcare organizations must scramble to ensure that this doesn’t happen again. But what do you do when IT really has nothing to do with an unlocked door or lost microfiche? There need to be more processes under review to ensure all healthcare data points are accounted for and secured. Never forget about older data which still contains very private information about patients. This could be something as simple as a floppy disk or a lost manila folder. Healthcare data breach remediation must happen at all levels. IT, business, and the end-point must all be a part of the process.
A recent report from the Health Information Trust Alliance (HITRUST) paints the picture of the ramifications of a healthcare data breach. Over recent years, the numbers around healthcare data breaches can be quite sobering:
Total breaches: 495
Total records: 21.12 million
Total cost: $4.1 billion
Average size: 42,659 records
Average cost: $8.27 million
Average time to identify: 84.78 days
Average time to notify: 68.31 days
What you can do to stop security holes
Unfortunately, there really is no one single way to plug all security holes and curtail every healthcare data breach. However, there are certain best practices that can be applied to lessen the chance that a healthcare breach will actually happen.
1. Stay proactive: Good monitoring and proactive measures can help lock down data points.
2. Apply good security policies across the board: This means securing physical, virtual and any other data locations. Security policies can range from data loss prevention (DLP) and intrusion prevention services (IPS/IDS) to better camera systems and improved physical data warehousing.
3. Conduct internal audits and security checks: Why not find your own weak points before anyone else does? Staying ahead of the security curve can really help shine a light on where better policies can be applied. Check your servers, doors and backup tapes. Ensure that, for example, USB drive support is disabled for certain workstations. Or, test your data loss prevention systems to make sure they’re catching the right content.
4. Never forget about the little data points: A single lost backup tape can land your organization in the news. One lost CD can contain hundreds or even thousands of patient records. Securing large systems is absolutely important. However, applying similar security policies to physical data points is equally important – no matter how small.
5. Lock down the end-user and your infrastructure: Simple policies can prevent the copying of information, records and so on. Healthcare computers and even personal devices within the network can be locked down very thoroughly. New technologies allow for very granular controls around many different types of end-points.
In many of these cases, data loss happens when a policy is improperly applied or a piece of tangible information is lost. These events can be better controlled only when there is a better understanding around where healthcare data really resides. This includes servers, end-points and physical locations. Even in today’s modern healthcare infrastructure, a lost set of microfiche prints can have serious ramifications for your healthcare environment. Remember to stay proactive, apply good policies and remain as vigilant as possible around information that is so critical.
Bill Kleyman, MBA, MISM, has heavy experience in network infrastructure management. He has served as a technology consultant and taken part in large virtualization deployments while being involved in business network design and implementation. He is currently the Virtualization Architect at MTM Technologies Inc. and his prior work includes Director of Technology at World Wide Fittings Inc.