Within a few weeks' time, massive health care breaches have been made public at Emory Healthcare in Atlanta, the South Carolina Department of Health and Human Services (SCDHHS) and the Utah Department of Health, showing a need for health care organizations to boost their security budgets, according to Judy Hanover, research director at IDC Health Insights.
"There's been a chronic underinvestment in breach protection and in securing our network and our data," Hanover told eWEEK.
New requirements under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act mean health care companies need to go public with breaches and report them to the news media in addition to the U.S. Department of Health and Human Services (HHS), said Hanover.
"Increased reporting requirements are definitely making them more visible," she said. "You don't have to pop through HHS briefings to find out about these breaches any longer." Breaches affecting more than 500 people must be reported to local media outlets, according to the federal notification rule.
Of the three recent breaches, the Utah breach was the most serious due to the surreptitious nature of the breach and the potential for fraudulent use of financial data as well as medical data, said Hanover.
On March 30, a weak password enabled an Eastern European cyberattacker to hack into a server at the Utah Department of Technology Services. Of the compromised records, about 280,000 included Social Security numbers and about 500,000 included a name, date of birth and address.
The Utah case is also serious because it involved children's information, Hanover noted. Data about the beneficiaries of the Children's Health Insurance Program was stolen, and their cases remain in a high-fraud risk monitoring database until age 17, according to Hanover.
"Child identity theft is just a different animal because children aren't using their credit all the time and aren't accessing it," said Hanover. "And that kind of identity theft tends to go unnoticed, and so those children need to be placed in a high-risk fraud file and monitored longer."
Unlike the Utah case, the South Carolina breach is "fairly well contained," said Hanover, noting that officials managed to seize some machines from which the data had been transferred.
In South Carolina, SCDHHS reported on April 19 that an employee in the Medicaid program moved personal information for 228,435 Medicaid beneficiaries to his personal email account. The department discovered the breach on April 10 and then reported it to the South Carolina Law Enforcement Division.
The illegally transferred data came from 17 spreadsheets dating back to Jan. 31. They included names, phone numbers, addresses, birth dates and Medicaid ID numbers, SCDHHS reported. The Medicaid ID numbers contain Social Security numbers and also matched up with beneficiaries' names in 22,604 cases.
Meanwhile, Emory Healthcare in Atlanta announced on April 18 that it had misplaced 10 backup disks containing data on 315,000 patients. Social Security numbers were included on 228,000 of the patient files, and Emory Healthcare CEO John Fox's own health data may have been among the missing records. The health system stored the disks in an unlocked cabinet. They may have been missing for a long time and gone undetected, Hanover suggested.
A recent survey by HIMSS Analytics and Kroll highlighted a need for more proactive security policies by health care organizations. To avoid data breaches, health care companies can acquire software that performs data mining and intrusion protection, Hanover suggested. Vendors include FairWarning and Sensage. Products from these companies run data mining to detect if intrusions have occurred, said Hanover.
Companies should also conduct audits of security practices and vulnerabilities, either by an internal or external firm, she said.
Health care organizations also need to adopt proper device management for mobile devices, particularly as companies join the "bring your own device" (BYOD) trend. In fact, 85 percent of hospital IT departments allow doctors and staff to employ personal devices on the job, a Feb. 21 survey by mobile networking vendor Aruba Networks revealed.
For mobile devices, health care facilities should adopt a "no client strategy" in which users don't store data on the units. The policy involves "keeping the data as tightly held in the data center as possible and really just providing access to the device but not storing the information," said Hanover.