Healthcare pros flag security concerns

Powered by SC Magazine

Experts warn risks aren't just "dumb mistakes".

In April, some 24,000 Medicaid patients in the US got word that they would have to check their credit and bank statements for fraudulent activity after hackers breached a Utah Department of Health (UDOH) server storing thousands of their records.

A couple of days later a still-continuing investigation uncovered that Children's Health Insurance Plan (CHIP) recipients also were affected.

The tally of client records removed by cyber criminals from the server currently stands at 780,000. Of those, some 280,000 patients have seen their Social Security numbers compromised.

Such breaches of health care data are now happening at an unprecedented frequency, and they often affect greater volumes of critical data.

Paul Contino, corporate chief technology officer (CTO) at New York City Health and Hospitals Corp. (HHC), said that three years ago only a handful of major health care data breaches were reported.

These commonly involved the simple loss or theft of laptops or backup tapes. But things have changed rapidly.

“In truth, health care has become a much softer target to a lot of hackers for a lot of reasons,” he said during an SC Magazine Health Care security roundtable. “Today we're seeing an escalation in the number of those breaches both in quantity and magnitude. Also, we're starting to see other types of theft. [Some are] internal to the organisations. We're starting to see hacking attempts where [cyber criminals] are successfully breaking into systems.”

“So the threat landscape is changing to where it's not just dumb mistakes [such as an unencrypted laptop getting left in a taxi or backup tapes falling off a delivery truck] anymore. There are more organised hacking attempts that are confronting health care now.”

Statistical data bears this trend out. The Office of Civil Rights for the US Department of Health and Human Services maintains a tally of breaches.

Not only is the office tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA), it also implements the additional data security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the economic stimulus package known as the American Recovery and Reinvestment Act of 2009.

Counting from the inception of HITECH and its data breach notification requirement, the civil rights office shows that a mere 50 incidents were reported from September to December 2009, affecting about 2.4 million individuals.

Come 2010, the number of breaches jumped to 259 with 5.4 million individuals exposed.

Last year, 147 incidents were reported, but the number of people affected ran well into the millions because a few organisations alone saw huge exposures: TRICARE with 4.9 million patients hit, Health Net with 1.9 million individuals affected and The Nemours Foundation with 1.2 million people compromised. This year, some 31 incidents have already been reported.

As the investigation is still underway, the UDOH breach hasn't made that list just yet. But some information has been released. The Utah Department of Technology Services (DTS) initially thought 24,000 claims were affected by the attack.

It turns out, however, that a single one of those claim files can contain claims on hundreds of individuals. The kinds of information often found in these include Social Security numbers, addresses, tax ID numbers, doctors' names and more.

The cyber criminals were believed to be based in Eastern Europe and used passwords to gain access to the server and then siphon off the claims. The latest findings, though, point to an improperly configured server, set up outside normal procedures, as the primary culprit.

“DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again,” according to a UDOH press release. “Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”

However, proper risk management protocols, such as regular risk assessments and external audits, could avert such brand-damaging breaches.

Far too few risk assessments are being undertaken, according to Contino. Yet such documented and objective risk barometers could help organisations keep their plans updated, as well as help them prioritise security needs.

According to a recent Health Care Information and Management Systems Society (HIMSS) survey of large health care organisations, 47 percent conduct annual risk assessments, despite the fact that these are a requirement of the original HIPAA security mandates.

One problem may be lingering budget issues, said Richard Kaplan, a senior security consultant with Open Sky. Money is needed to undertake activities such as these, but the C-suite often has other priorities. “The cost of security is a big issue, especially when money is tight,” he said.

However, organisational leaders must understand that security is just as big an issue, and that neglecting it could cost the organisation far more once it is victimised by hackers.

Risk assessments and external audits are far from mere cost centres. They actually help address worries about financial support for security improvements by pushing business units either to implement proper mechanisms – or to formally accept a certain amount of risk, Kaplan said.

“There is a little bit more talk about audit, but it's always internal audit rather than external audit, which I think is a lot different,” he said. “You must constantly pitch it. Security and privacy need to be C-level issues. Security is not just an IT issue, it's a business issue. We need to educate them on this.”

In addition to the changing threat landscape and the lack of attention still sometimes paid to security needs, Contino said persistent insider threats, mobile security problems and the use of cloud applications were reasons the number of health care breaches could increase.

“There's technology that we're starting to build out that is increasing security threats,” he said. “Mobile devices, both personal and corporate, are changing the landscape of how we need to address security. Then, of course, there are external factors. The exchange of data – it's no longer us sharing data within our four walls, but it's us sharing data with all kinds of community partners and other organisations, so that increases the risk.”

As institutions deploy new technologies to meet business needs, a certain amount of risk must be accepted.

One attendee, who wished to remain anonymous, noted that he and his team conduct a risk assessment for every corporate technology-related roll-out and then require the primary business unit to sign off on it.

In doing this, he documents that a particular business executive and the higher-ups are making the call to move forward even if some risk and security concerns are present.

While accepting a level of risk with a business deployment is common practice among health care entities, adhering to IT security best practices and implementing the necessary technologies – such as encryption, two-factor authentication and security information and event management (SIEM) solutions – still is not, for some organisations.

“The challenge I see is that we're going to need more and more security as we go forward,” said Contino. “Yet the conversations at the C-suite level tend to be about other priorities. So I guess the question is, ‘How do we elevate the security discussion so that [executives] realise [security] goes hand in hand with all the technologies being implemented?’ Without it, we're creating enormous risks for our institutions.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

