
Assume You’ve Been Breached

Whether or not they realize it, most—if not all—companies have or will experience a data breach. Get valuable insights in this post from this recent Ponemon study.

Ninety-one percent of healthcare organizations have had one or more breaches in the last two years, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. “I’m actually surprised that nine percent have not experienced some form of notable breach in two years,” Rick Kam, co-founder and president of ID Experts told attendees at a webinar which highlighted findings from the study. Dr. Larry Ponemon, chairman and founder of Ponemon Institute, co-presented.

Webinar: Bringing Incident Response and Data Breach Management Out of the Dark Ages

On the other hand, 41 percent of business associates reported no breaches. “From our experience, business associates have more exposures and more incidents than covered entities,” Mr. Kam said. “They may not understand or know what a notifiable breach looks like.”

Whether or not they realize it, most—if not all—companies have or will experience a data breach. Healthcare organizations, business associates, as well as other companies cross-industry responsible for healthcare data (think of the Sony breach) have valuable insights to gain from the Ponemon study:

  1. The majority of healthcare organizations and business associates use an ad hoc process, manual process, or internal tool to perform risk assessments following security incidents involving electronic documents: “Many organizations are being tested daily from various forms of malware and other types of attacks they’re trying to defend against,” Mr. Kam said. “If you have an ad hoc or manual process, eventually you’re going to be overrun and not be able to control the process.”
  2. Employee negligence is a far greater concern for healthcare organizations (70 percent) than are cyber attackers (40 percent). “The [lack of concern over] cyber attacks is both surprising and concerning,” Mr. Kam said. “We’ve seen the results of a systematic attack of criminals against the healthcare industry, and we’re seeing organization after organization announce that they’ve been breached.”
  3. Security incidents involving lost or stolen devices, spear phishing, and web-borne malware attacks top the list for healthcare organizations and business associates. “It looks like the pattern is very similar [for both healthcare organizations and business associates], even though we’re dealing with different types of organizations with different types of IT configurations,” Dr. Ponemon said.
  4. Most data breaches for healthcare organizations were discovered during an audit or assessment. Mr. Kam paralleled the retail breaches with those in healthcare, saying that once Target announced its breach, many other organizations did assessments and discovered their own malware intrusions. After the Anthem breach, Premera and BlueCross BlueShield each completed an audit and discovered malware that had been in their systems for months.
  5. For healthcare organizations, the primary root cause of data breach is criminal attacks—a 125 percent increase since 2010. Mr. Kam cited FBI findings that healthcare records—including financial information, health insurance numbers and clinical data—can fetch between $50 and $70 on the black market versus less than a dollar for credit cards or social security numbers. “[We see the increase in attacks because of] the value of the data and the consolidation of healthcare data due to electronic health records,” he said.
  6. Both types of respondents to the study feel the primary harm to patients whose data has been lost or stolen is the increased risk that their personal health facts will be disclosed. “But for both business associates and covered entities,” Mr. Kam said, “the first issue for people whose information has been disclosed [is that they] may fall victim to medical identity theft and all the issues that creates.” He predicted an increase in medical identity theft and medical fraud over the next year.

Conclusion

Cyber criminals recognize that healthcare organizations have a treasure trove of financially lucrative personal information, and that they lack the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data. While the study findings show a slow but steady increase in technologies, the pace of investment is not fast enough to keep up with the threats or to achieve a stronger security posture. “The criminal element is winning, unfortunately, in many of these cases,” Mr. Kam said, “but at least it’s trending in the right direction.”

He added: “You have to assume that your organization has been breached, and once you do that, your mindset changes. What things would I need to do to reduce the risk and be better prepared to respond?”

Some of these steps, which can apply to healthcare, retail, and other companies cross-industry, include:

  1. Conduct risk assessments and risk management on an annual/periodic basis to understand where your regulated data is, such as protected health information (PHI), as well as the types of threats you face. This will allow you to properly allocate resources.
  2. Have and test a current incident response plan (IRP). Bring together your executive/management team and your board so they can identify priorities during a security incident or notifiable breach.
  3. Operationalize the security incident and the response processes using a tool that is automated and consistent. This should be part of your daily operation.
  4. Look at cyber liability insurance. Choose your policies carefully, because of variances among policies as well as insurers. Look for the policy that best fits your needs and the risks that you identify.
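Steps 1 and 3 above come down to one idea: every security incident should go through the same risk assessment, recorded the same way, rather than an ad hoc judgment call. The script below is an added illustration of that and is not code from this post, from ID Experts, or from the Ponemon study. It applies a fixed rule set to each incident, using the incident types the study names (lost or stolen devices, spear phishing, web-borne malware) plus a misdirected-email case; the point weights, the score bands, the `Incident` fields and the sample incidents are all constructed assumptions for the demonstration, and the 500-individual threshold is HIPAA's large-breach reporting line. An actual breach determination still belongs to counsel and the privacy officer; the tool's job is to make sure they see every incident, scored the same way, with the reasons written down.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weights for the incident types the study summary names, plus one more.
# Every number in this block is an illustrative assumption, not a study value.
INCIDENT_TYPE_WEIGHT = {
    "lost_or_stolen_device": 2,
    "spear_phishing": 3,
    "web_malware": 3,
    "misdirected_email": 1,
}
DATA_CLASS_WEIGHT = {"phi": 3, "ssn": 2, "financial": 2}
LARGE_BREACH_THRESHOLD = 500   # HIPAA's 500-individual reporting threshold
ENCRYPTION_CREDIT = 5          # strong encryption sharply lowers the chance of compromise


@dataclass(frozen=True)
class Incident:
    incident_id: str
    incident_type: str
    record_count: int                 # individuals whose records were involved
    data_classes: Tuple[str, ...]     # e.g. ("phi", "ssn")
    encrypted_at_rest: bool           # data unreadable without a key the attacker lacks
    attacker_access_confirmed: bool   # evidence the data was actually viewed or exfiltrated
    hours_to_contain: int             # time from detection to closing the exposure


def score_incident(inc: Incident) -> Tuple[int, List[str]]:
    """Apply identical rules to every incident; return (score, reasons)."""
    if inc.incident_type not in INCIDENT_TYPE_WEIGHT:
        raise ValueError(f"unknown incident type: {inc.incident_type}")
    score = INCIDENT_TYPE_WEIGHT[inc.incident_type]
    reasons = [f"incident type {inc.incident_type} (+{score})"]
    for cls in inc.data_classes:
        w = DATA_CLASS_WEIGHT.get(cls, 0)
        if w:
            score += w
            reasons.append(f"{cls} involved (+{w})")
    if inc.record_count >= LARGE_BREACH_THRESHOLD:
        score += 3
        reasons.append(f"{inc.record_count} individuals, at or above {LARGE_BREACH_THRESHOLD} (+3)")
    elif inc.record_count > 0:
        score += 1
        reasons.append(f"{inc.record_count} individuals (+1)")
    if inc.attacker_access_confirmed:
        score += 4
        reasons.append("access or exfiltration confirmed (+4)")
    if inc.hours_to_contain > 72:
        score += 1
        reasons.append(f"exposure open for {inc.hours_to_contain} hours (+1)")
    if inc.encrypted_at_rest and not inc.attacker_access_confirmed:
        score -= ENCRYPTION_CREDIT
        reasons.append(f"data encrypted and no confirmed access (-{ENCRYPTION_CREDIT})")
    return max(score, 0), reasons


def classify(score: int) -> str:
    """Map a score to a fixed action so two analysts reach the same answer."""
    if score >= 8:
        return "escalate"      # convene the breach-notification review
    if score >= 4:
        return "investigate"   # forensic follow-up before any determination
    return "log"               # record and close unless new facts emerge


def assess(inc: Incident) -> Dict[str, object]:
    """Produce the record that goes into the incident log for this incident."""
    score, reasons = score_incident(inc)
    return {"incident_id": inc.incident_id, "score": score,
            "action": classify(score), "reasons": reasons}


def triage_queue(incidents: List[Incident]) -> List[str]:
    """Order incident ids by score, highest first (stable for ties)."""
    return [i.incident_id for i in sorted(incidents, key=lambda i: -score_incident(i)[0])]


# Constructed sample incidents for the demonstration; not real cases.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "lost_or_stolen_device", 1200, ("phi",), True, False, 24),
    Incident("INC-002", "spear_phishing", 300, ("phi", "ssn"), False, True, 120),
    Incident("INC-003", "web_malware", 0, (), False, False, 6),
    Incident("INC-004", "misdirected_email", 12, ("phi",), False, False, 2),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        result = assess(inc)
        print(f"{result['incident_id']}: score {result['score']} -> {result['action']}")
        for r in result["reasons"]:
            print("   -", r)
    print("triage order:", triage_queue(SAMPLE_INCIDENTS))
```

Two design choices carry the weight here. Every factor adds a line to `reasons`, so the record explains itself months later when an auditor asks why a lost laptop was closed as "log" while a phishing case was escalated. And the encryption credit only applies when no access has been confirmed, so a stolen encrypted device scores low while the same device unencrypted crosses the escalation line; that contrast is the kind of consistency a manual process tends to lose.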

For more insights, view the webinar and download your complimentary copy of the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.