As was required under the Health Information Technology for Clinical and Economic Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.

As noted by Healthcare IT News, “this coming May, HHS will also issue new proposed rules that will address additional privacy, security and enforcement requirements for HIPAA covered entities and their business associates that acquire and handle protected health information (PHI).

“The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records and health information exchange expands the number of organizations that may have access to personal data.

The proposed rule focuses on the liability of business associates of healthcare providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS has said.”

These rules will continue to expand what has become a daunting regulatory environment during 2010 for healthcare organizations to that must digest numerous requirements for securing the privacy of patient health records.

Given that healthcare organizations are now obligated to report all data breaches that affect over 500 individuals to the Office of Civil Rights at HHS for posting on their website, for the first time we will be able to get a window into the actual volume and nature of data breach incidents that are occurring in healthcare. At least this should be the case, once covered entities and their business associates develop sound processes and technologies for detecting data breach incidents as required under HITECH.

Given that data breach incidents in healthcare are moving in the wrong direction, they are on the rise, it behooves all organizations entrusted with PHI to have a comprehensive data breach incident response plan in place and to have business contracts with all organizations with whom they share this data that ensure compliance with privacy rules and determine who will bear the costs of data breach notification if/when such incidents do occur.

Symantec released their Global Internet Security Report for 2009 which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.

“In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. The majority of these were the result of a successful hacking attack on a single credit card payment processor.13 The hackers gained access to the company’s payment processing network using an SQL-injection attack. The attackers then installed malicious code designed to gather sensitive information from the network, which allowed them to easily access the network at their convenience. The attacks resulted in the theft of approximately 130 million credit card numbers. An investigation was undertaken when the company began receiving reports of fraudulent activity on credit cards that the company itself had processed. The attackers were eventually tracked down and charged by federal authorities. This type of targeted hacking attack is further evidence of the significant role that malicious code can play in data breaches. Although data breaches occur due to a number of causes, the covert nature of malicious code is an efficient and enticing means for attackers to remotely acquire sensitive information.”

The report also highlights trends in terms of countries that originate the majority  of cybercrime activity. Brazil and India show very rapid growth in malicious activity and are both now ranked in the top 10.

In the past, a significant percentage of data breach incidents have been attributed to carelessness.  The lost laptop is one of the most common data breach causes, especially given how few use encryption technology and how common it is for employees to have access of private data.

With the economic meltdown of 2009, and the subsequently high unemployment rates,  there is now emerging a growing trend of data breaches caused by disaffected or displaced employees.

Recently noted by San Francisco Chronicle writer Alejandro Martínez-Cabrera in his article titled “How some ex-employees turn to cybercrime“:

“Corporations across all industries have been dealing with a steadily growing number of internal data breaches since the financial meltdown. A Verizon data loss report noted that individuals with insider knowledge of organizations accounted for 20 percent of all breaches last year, and that number has been increasing as economic malaises drag on, said Chris Novak, managing principal of Verizon Business’ Global Investigative Response Team.”

“Stolen data can range from employees’ health care records or clients’ credit card numbers to merger and acquisition plans, confidential agreements or valuable source code, said Rick Kam, president and co-founder of data breach prevention firm ID Experts.

Thieves can easily sell the information to cyber-criminal rings or use it as a bargaining chip to get a job with their former employer’s competitors. According to the Ponemon Institute study, 67 percent of respondents said they would use “their former company’s confidential, sensitive or proprietary information to leverage a new job.”

‘The issue of identity theft is all about opportunity,’ Kam said. ‘And our first instinct is to protect ourselves.’

In one case handled by Kam’s company six months ago, a disgruntled man went as far as trying to extort his former employer, a large health care provider, by threatening to release thousands of sensitive patient records that would have triggered an avalanche of lawsuits.”

This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.

Titled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs“, the document is literally a “how to” guide to understanding and addressing the finanical implications of cyber risk.

Melissa Hathaway, President of Hathaway Global Strategies and fomer Acting Senior Director for Cyberspace for the National Security Council notes that this is “an excellent guide for organizations to manage the risk and exposure derived from digital dependence.”

This paper is must reading for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare due to the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.

The context and perspective of this paper is best summarized in the executive summary where it states:

“Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data….In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addresssed from a strategic, cross-departmental, and economic perspective. The CFO as opposed to the CIO or CSO, is the most logical person to lead this effort.”

If one were to ask the CFO at a Fortune 500 company to quantify their level of risk to cybercrime and associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.

If you are the CFO of an organization of any size and in any industry — healthcare, financial services, manufacturing, retail — or in the public sector or higher education, don’t wait to read this document.