BreachExchange mailing list archives

CHS is the latest reminder that security breaches are a matter of 'when,' not 'if'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 Aug 2014 19:39:40 -0600

http://www.bizjournals.com/nashville/blog/health-care/2014/08/chs-is-the-latest-reminder-that-security-breaches.html

Personal information — social security numbers, birthdays and more — of more
than 4 million patients of doctors affiliated with Franklin-based Community
Health Systems looks to have found its way into the hands of a China-based
group of hackers.

But while the attack was severe, health IT experts say it isn't
particularly surprising.

"Particularly with a health system, with access to all this personal data,
all this health information, what we’re seeing with talking to the IT
departments … in health care and health care services, people are trying to
access their networks and their systems hundreds and a lot of times
thousands of times every day," said Blake Wiedman, a commercial insurance
advisor focused on IT security in health care with Nashville-based private
insurance agency Crichton Group.

"This is no longer an ‘if’ it’s going to happen, it’s a ‘when,’" Wiedman
said.

Still, Jeff Miller, an attorney with Harwell Howard Hyne Gabbert & Manner,
said this is the first breach of this magnitude and style he's aware of
concerning a health system. Most HIPAA breaches he sees stem from the loss
of portable electronic devices carrying patient information, or an
unencrypted hard drive or laptop.

Regardless of the source, the rising frequency of attempted attacks and a
higher threshold for fines following breaches has led the insurance
industry to up its offerings in recent years when it comes to insuring
companies against data losses and related costs, said Wiedman and Parker
Rains, vice president of Fisher Brown Bottrell Insurance.

"It’s not a coverage that you’ve talked about since the beginning of your
insurance," Rains said. "In recent years this cyber policy availability has
really kind of come into the mainstream."

And while most small-business owners aren't as protected as they need to
be, Rains said, a big company like CHS generally is. In its filing on the
breach, in fact, the company said it does not expect "a material adverse
effect on its business or financial results," despite the fact that "this
matter may result in remediation expenses, regulatory inquiries, litigation
and other liabilities."

"The company carries cyber/privacy liability insurance to protect it
against certain losses related to matters of this nature," the filing says.

Miller said CHS' biggest costs will most likely stem from Centers for
Medicare and Medicaid Services fines. Studies have shown that when data
breaches occur, if a company offers credit monitoring or other protection —
as CHS plans to do with identity theft protection — you're less likely to
get sued, Miller said. Even if a class action suit is filed, he added, it's
tough for the plaintiffs to prove they've been harmed.

And although there's likely to be a "pretty steep fine" for the Franklin
system when all is said and done, Miller said, the highest fees are usually
relegated to violators who don't cooperate with regulators, which is
unlikely to be the case here.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
