2 HIPAA breaches show continuing weaknesses

Continuing reports of security breaches resulting in the loss of sensitive patient data show the weaknesses of some healthcare organizations, and some experts say criminals are targeting healthcare for cyber attacks.

In one particularly bad loss of data, a Utah Department of Technology Services computer server in Salt Lake City that stores Medicaid claims data was the target of a deliberate cyber attack. In addition to Medicaid clients, the breach also involved information from Children's Health Insurance Plan recipients. The Utah Department of Health reports that the hackers stole the Social Security numbers of an estimated 280,000 Medicaid beneficiaries and made off with less-sensitive personal information of an additional 500,000 individuals.

Howard University Hospital in Washington, DC, recently sent notification to 34,503 patients notifying them of a potential disclosure of their protected health information that occurred when a former contractor's personal laptop containing patient information was stolen. The data included Social Security numbers and financial information.

The laptop was stolen from the former contractor's vehicle, according to a hospital statement. The computer was password-protected, but the data was not encrypted, the hospital statement says. Downloading the data to the contractor's laptop was a violation of hospital policy.

The recent spate of healthcare security breaches shows that simply adhering to HIPAA regulations is not enough to protect sensitive information, says Neil Roiter, research director at Corero Network Security in Hudson, MA. Compliance should be the by-product of a comprehensive healthcare security program, rather than the program being assembled by checking that each of its components complies with government and industry standards, he says.

"The recent Utah healthcare records breach, in which hackers reportedly stole some 780,000 claims, is a wake-up call that simply complying with regulations that are not part of an overall security program can put the organization at serious risk," Roiter says. "The reported explanation on the part of the Utah officials that the stolen data wasn't encrypted — a basic security fundamental — because federal regulations don't require it, attests to this point."

Roiter says there are other aspects of the breach that appear to contradict officials' claims that they have a strong, multi-layered security program in place. In particular, he notes, the reports indicate that a single password controlled access to all the information on the compromised server. Organizations that hold health records must restrict access to only those people who need it to perform their jobs, enforced with strong, multifactor authentication, such as tokens or biometrics.

The constant reports of healthcare-related data breaches recently are causing growing alarm in the healthcare industry as well as the population in general, says Joe Santangelo, principal consultant with Axis Technology in Boston, which provides data security services. There have been more than 400 incidents affecting more than 19 million individuals since 2009, he says, and more than 20% of these have involved business associates.

"Breaches are now causing contractual issues when inking an IT business associate," he says. "Allocating liability for confidential information to which a service provider had access and any resulting data breaches is a major cause of concern."

Breaches are having a direct financial impact on healthcare providers, Santangelo says. He notes that Impairment Resources filed for bankruptcy in April 2012 after a break-in at its San Diego headquarters led to the loss of detailed medical information for roughly 14,000 people. Impairment Resources is a national company that reviewed medical records taken on workers' compensation and auto casualty claims for roughly 600 insurance companies and other customers. Also, the Minnesota attorney general brought the first formal enforcement action against a business associate, Accretive Health, a Chicago-based company that provides debt collection and other financial services to healthcare providers, for an alleged violation under the Health Insurance Portability and Accountability Act (HIPAA).

Minnesota Attorney General Lori Swanson, JD, is suing the company and alleging that Accretive Health debt collectors allowed themselves to be perceived as hospital employees in order to obtain access and protected health information from hospital patients. Swanson also accuses Accretive of "issuing emergency room employees 'scripts' for conversations with patients that 'can lead a patient or her family to believe the patient will not receive treatment until payment is made.'"

The biggest unknown is how much insider crime goes unreported, Santangelo says. "It's difficult to catch someone who uses legitimate authority to accomplish mischief that might be mistaken for normal activity under ordinary circumstances. No one has ventured to guess the cost of damage insiders really cause."

Santangelo says many organizations have not yet invested in risk assessments, even though the HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) requirements have been known for some time. Organizations' leaders believe that they have proper policies in place, but they have failed to test them, especially where business associates are concerned, he says. On top of this problem, the industry is entering a period of uncertainty as it adopts electronic health records more widely.

There are a number of steps that organizations need to take in order to ensure that data privacy is maintained and business viability is not impacted. Santangelo advises taking these steps:

• Monitor network traffic and event logs for unusual patterns.

• Perform a sensitive data analysis.

• Incorporate data de-identification techniques wherever least-use principles would apply, such as in test environments.

• Implement data leak detection and prevention products.

• Evaluate access management processes and procedures.

• Make use of encryption and data masking wherever sensitive data resides.

• Develop a data management and enterprise governance, risk, and compliance framework.
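As an added illustration of the de-identification, sensitive-data analysis and masking steps above (example code written for this page, not from the article, Axis Technology or Corero), the following Python script takes a handful of constructed claim records of the kind the Utah server held, strips the direct identifiers before the data goes to a test environment, replaces the Social Security number with a keyed token so records can still be joined, generalizes birth date and ZIP code, and then scans the serialized output for anything SSN-shaped. The record fields, the key name and the sample values are all assumptions made for the example; the key in particular stands in for a secret that would live in a key management service and never be handed to the test environment.

```python
import hashlib
import hmac
import json
import re

# Constructed sample claim records for the example; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "ssn": "123-45-6789", "dob": "1971-04-12",
     "zip": "84101", "claim_amount": 412.50, "diagnosis": "J06.9"},
    {"name": "Sam Sample", "ssn": "987-65-4321", "dob": "1958-11-30",
     "zip": "20059", "claim_amount": 1250.00, "diagnosis": "E11.9"},
    {"name": "Pat Example", "ssn": "123-45-6789", "dob": "1971-04-12",
     "zip": "84101", "claim_amount": 88.00, "diagnosis": "Z00.00"},
]

# Hypothetical placeholder key. In practice the key comes from a key management
# service, is never stored beside the data, and is never given to test users:
# whoever holds it can re-link tokens to the people behind them.
PSEUDONYM_KEY = b"placeholder-key-replace-with-managed-secret"

# Fields that must not appear in the de-identified data set at all.
DIRECT_IDENTIFIERS = ("name", "ssn", "dob", "zip")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonymize_ssn(ssn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the SSN digits. The same SSN always yields the same
    token, so claims for one patient still join together in test, but without
    the key the token cannot be reversed or brute-forced from the SSN space."""
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def mask_ssn(ssn: str) -> str:
    """Display masking for screens and reports where the last four digits suffice."""
    return "***-**-" + ssn[-4:]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year (input assumed as YYYY-MM-DD)."""
    return dob[:4]


def generalize_zip(zip_code: str) -> str:
    """Keep only the three-digit ZIP prefix."""
    return zip_code[:3] + "00"


def deidentify_record(rec: dict, key: bytes) -> dict:
    """Drop direct identifiers, add a join token and generalized fields."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = pseudonymize_ssn(rec["ssn"], key)
    out["birth_year"] = generalize_dob(rec["dob"])
    out["zip3"] = generalize_zip(rec["zip"])
    return out


def deidentify(records: list, key: bytes) -> list:
    return [deidentify_record(r, key) for r in records]


def find_raw_ssns(text: str) -> list:
    """Sensitive-data check: scan serialized output for SSN-shaped values."""
    return SSN_RE.findall(text)


def verify_deidentified(records: list) -> bool:
    """Gate before data leaves production: no raw SSNs and no identifier fields."""
    if find_raw_ssns(json.dumps(records)):
        return False
    return all(not any(k in r for k in DIRECT_IDENTIFIERS) for r in records)


if __name__ == "__main__":
    safe = deidentify(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print(json.dumps(safe, indent=2))
    print("raw SSNs found in production export:",
          find_raw_ssns(json.dumps(SAMPLE_RECORDS)))
    print("de-identified export passes check:", verify_deidentified(safe))
    print("masked for display:", mask_ssn(SAMPLE_RECORDS[0]["ssn"]))
```

The keyed token is the part worth dwelling on: a plain SHA-256 of an SSN is trivially reversible because the input space is small, so the HMAC key is what makes the tokens safe, and it has to be protected as carefully as the raw data it replaces. The verification function is the kind of check a "sensitive data analysis" step would run on every export to a test or business-associate environment before it leaves the production boundary.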

"If your organization does not have staff that is knowledgeable in these areas, consider hiring or employing firms that have experience in the financial industry where this has been a priority for some time," Santangelo says.

Roiter also makes the point that, in any industry, the commitment to data security must come from high within the organization. Security is not simply a tactical or operational task for IT personnel, he says.

"Management must make security a priority and mandate a risk-based program, supported by policies and enforced with strong controls," Roiter says. "Regulatory compliance will flow naturally from a sound security program, as opposed to a compliance-centric approach, which is not risk-based and may leave serious data protection gaps."


• Neil Roiter, Research Director, Corero Network Security, Hudson, MA. Telephone: (978) 212-1500. Email: Corero@schwartzmsl.com.

• Joe Santangelo, Principal Consultant, Axis Technology, New York City. Telephone: (646) 596-2670. Email: jsantangelo@axistechnologyllc.com.