BreachExchange mailing list archives

Why cyber thieves love health care--and what you can do about it


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Dec 2014 18:59:35 -0700

http://www.propertycasualty360.com/2014/12/01/why-cyber-thieves-love-health-care--and-what-you-c?t=erm

Technology has left an indelible imprint on health care delivery, improving
the accuracy and accessibility of patient information, but what about the
risks? Consider the following scenarios:

A hospital nurse lost an iPad containing the names, social security
numbers, medical conditions and other protected health information for
25,000 patients vaccinated against the flu.

A physician group gave its billing company the names and health care
spending account numbers of 450 patients. The billing company accidentally
posted these files on its public website, where they remained until a
patient saw the information.

A physician office’s server, which contained unencrypted information on
2,500 patients, was hacked and its contents encrypted. The hackers demanded
$50,000 to decrypt the information and return control of the server.

Stories like these are a reminder that not all data breaches are created
equal. Health care organizations hold sensitive data regarding not only
patients’ finances but their health as well. Unfortunately, while health
care data breaches are more personal in nature, they’re also more common
than most people think.

The numbers paint a startling picture:

- Medical identity theft is more lucrative than credit card theft.
According to PhishLabs, a provider of cybercrime protection and
intelligence services, stolen health credentials are worth about 10 to 20
times that of a U.S. credit card number.
- Forty-three percent of all identity theft is caused by medical records
theft, according to a credit.com article, “Nearly Half of Identity Thefts
Involve Medical Data.”
- The cost of a health care data breach averages $316 per record, well
above the $201 per record for all industry segments combined, according to
the Ponemon Institute’s “2014 Cost of Data Breach Study.”

For patients whose medical identity is stolen, the costs range far beyond
the challenge of repairing medical records. Patients’ credit ratings can be
damaged. Their health insurance policies could potentially be cancelled or
their premiums increased. Worse yet, if the person who stole the medical
identity changes the existing medical information, an individual’s health
could be at risk.

For health care organizations responsible for safeguarding protected health
information, the costs of addressing a breach range from notification and
crisis management costs to potential legal action.

The HITECH Act (Health Information Technology for Economic & Clinical
Health Act of 2009) has dramatically strengthened information privacy and
security requirements for health care organizations. It has also heightened
enforcement of the rules.

For instance, the Health Insurance Portability and Accountability Act of
1996, or HIPAA, did not require notification of a breach of medical
information. Under HITECH, a breach is presumed and must be reported after
the impermissible use or disclosure of protected health information. The
only exception is if a documented risk assessment determines a low
probability of a breach.

In addition, although individuals cannot sue under HIPAA, state attorneys
general can now bring actions on behalf of their residents. HITECH also
increases potential fines and penalties for a breach; the price tag ranges
from $50,000 to $1.5 million per violation.

It’s not just health care organizations that are affected by HITECH.
“Business associates,” third parties with access to patients’ medical
data, are now also liable for data breaches.

Risk Mitigation: From the Top Down

The potential risks are significant, but the good news is that they can be
reduced. Effective risk mitigation begins at the top. If senior managers
make data security a priority, employees will likely do the same. Training
and awareness programs, required under HITECH, help build a culture of data
protection.

One critical, and constantly changing, element of a health care
organization’s risk profile is mobile technology. Tablets, smart phones and
other devices make it easy to access and record medical information on the
spot—but they also increase risk. A mobile device security policy
communicates how employees are expected to safeguard sensitive data. If
providers use their own devices on the job, a bring-your-own-device (BYOD)
policy should be included. Encryption, while sometimes overlooked, adds a
critical layer of protection for all devices.

Another way to mitigate risk is by reducing contractual liability. Health
care providers should develop written indemnification agreements with all
vendors and third party service providers and have them reviewed by outside
counsel. Third parties should have data breach security controls comparable
to those of the health care organization. These providers also should carry
data breach or cyber insurance.

In addition, a written network privacy and security incident response plan
has been proven to lower breach costs. Having an incident response plan
reduces the cost of a data breach by $17 per record, according to the
Ponemon Institute.

Given the frequency with which data breaches occur, cyber insurance from a
carrier that provides robust risk mitigation and risk management support is
also key. Look for a carrier that can provide referrals to qualified
vendors and outside counsel with expertise in health care, as well as
premium reimbursement for loss prevention services.

As long as a lucrative market for stolen health care information exists,
safeguarding that data will be a challenge. But by understanding the risks
and taking steps to address them, health care organizations can keep their
patient information safer.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 