In April, some 24,000 Medicaid patients in the US got word they'd have to check their credit and bank statements for fraudulent activity after hackers breached a Utah Department of Health (UDOH) server storing thousands of their records.
A couple of days later a still-continuing investigation uncovered that Children's Health Insurance Plan (CHIP) recipients also were affected.
The tally of client records removed by cyber criminals from the server currently stands at 780,000. Of those, some 280,000 patients have seen their Social Security numbers compromised.
Such breaches of health care data are now happening at an unprecedented frequency, often affecting greater volumes of critical data.
Paul Contino, corporate chief technology officer (CTO) at New York City Health and Hospitals Corp. (HHC), said that three years ago there were only a handful of major health care data breaches reported.
These commonly involved the simple loss or theft of laptops or backup tapes. But things have rapidly changed.
“In truth, health care has become a much softer target to a lot of hackers for a lot of reasons,” he said during an SC Magazine Health Care security roundtable. “Today we're seeing an escalation in the number of those breaches both in quantity and magnitude. Also, we're starting to see other types of theft. [Some are] internal to the organisations. We're starting to see hacking attempts where [cyber criminals] are successfully breaking into systems.”
“So the threat landscape is changing to where it's not just dumb mistakes [such as an unencrypted laptop getting left in a taxi or backup tapes falling off a delivery truck] anymore. There are more organised hacking attempts that are confronting health care now.”
Statistical data bears this trend out. The Office for Civil Rights of the US Department of Health and Human Services maintains a tally of breaches.
Not only is the office tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA), it also implements the additional data security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the economic stimulus package known as the American Recovery and Reinvestment Act of 2009.
Counting from the inception of HITECH and its data breach notification requirement, the office's tally shows that a mere 50 incidents were reported from September to December 2009, affecting about 2.4 million individuals.
In 2010, the number of breaches jumped to 259, with 5.4 million individuals exposed.
Last year, 147 incidents were reported, but the number of people affected went well into the millions, since a few organisations alone saw huge exposures: TRICARE with 4.9 million patients hit, Health Net with 1.9 million individuals affected and The Nemours Foundation with 1.2 million people compromised. This year, some 31 incidents have already been reported.
As the investigation is still underway, the UDOH breach hasn't made that list just yet. But some information has been released. The Utah Department of Technology Services (DTS) initially thought 24,000 claims were affected by the attack.
It turns out, however, that a single one of those claim files can contain claims on hundreds of individuals. The kinds of information often found in these files include Social Security numbers, addresses, tax ID numbers, doctors' names and more.
The cyber criminals were believed to be based in Eastern Europe and used passwords to gain access to the server and then siphon off the claims. The latest findings, though, point to a server that was configured improperly, outside normal procedures, as the primary culprit.
“DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again,” according to a UDOH press release. “Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”
However, proper risk management practices, such as regular risk assessments and external audits, could avoid such brand-damaging breaches.
Far too few risk assessments are being undertaken, according to Contino. Yet such documented, objective measures of risk could help organisations keep their plans updated and prioritise their security needs.
According to a recent Health Care Information and Management Systems Society (HIMSS) survey of large health care organisations, 47 percent conduct annual risk assessments, despite the fact that these are required by the original HIPAA security mandates.
One problem may be lingering budget issues, said Richard Kaplan, a senior security consultant with Open Sky. Money is needed to undertake activities such as these, but the C-suite often has other priorities. “The cost of security is a big issue, especially when money is tight,” he said.
However, organisational leaders must understand that security is just as big an issue, and that neglecting it could cost the company far more once it is victimised by hackers.
Risk assessments and external audits are far from mere cost centres. They actually help address worries about financial support for security improvements by pushing business units to implement proper mechanisms – or to formally accept a certain amount of risk, Kaplan said.
“There is a little bit more talk about audit, but it's always internal audit rather than external audit, which I think is a lot different,” he said. “You must constantly pitch it. Security and privacy need to be C-level issues. Security is not just an IT issue, it's a business issue. We need to educate them on this.”
In addition to the changing threat landscape and the lack of attention still sometimes paid to security needs, Contino said persistent insider threats, mobile security problems and the use of cloud applications were reasons the number of health care breaches could increase.
“There's technology that we're starting to build out that is increasing security threats,” he said. “Mobile devices, both personal and corporate, are changing the landscape of how we need to address security. Then, of course, there are external factors. The exchange of data – it's no longer us sharing data within our four walls, but it's us sharing data with all kinds of community partners and other organisations, so that increases the risk.”
As institutions deploy new technologies to meet business needs, a certain amount of risk must be accepted.
One attendee, who wished to remain anonymous, noted that he and his team conduct a risk assessment for every corporate technology-related roll-out and then require the primary business unit to sign off on it.
In doing this, he documents that a particular business executive and the higher-ups are making the call to move forward even though some risk and security concerns are present.
While accepting a level of risk associated with a business deployment is a common practice among health care entities, adhering to IT security best practices and implementing the necessary technologies – such as encryption, two-factor authentication, security information and event management solutions and others – still is not, for some organisations.
“The challenge I see is that we're going to need more and more security as we go forward,” said Contino. “Yet the conversations at the C-suite level tend to be about other priorities. So I guess the question is, ‘How do we elevate the security discussion so that [executives] realise [security] goes hand in hand with all the technologies being implemented?’ Without it, we're creating enormous risks for our institutions.”