<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Identity Theft and Data Breach News &#124; ID Experts Corporate Blog</title>
	<atom:link href="http://blog.idexpertscorp.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.idexpertscorp.com</link>
	<description>ID Experts Corporate Blog</description>
	<lastBuildDate>Wed, 21 Jul 2010 15:34:47 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>New RADAR tool for HITECH data breach risk assessments</title>
		<link>http://blog.idexpertscorp.com/2010/07/new-radar-tool-for-hitech-data-breach-risk-assessments/</link>
		<comments>http://blog.idexpertscorp.com/2010/07/new-radar-tool-for-hitech-data-breach-risk-assessments/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 15:34:47 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[hhs]]></category>
		<category><![CDATA[data breach notification]]></category>
		<category><![CDATA[healthcare privacy]]></category>
		<category><![CDATA[hipaa privacy]]></category>
		<category><![CDATA[hipaa security]]></category>
		<category><![CDATA[hitech]]></category>
		<category><![CDATA[HITECH privacy]]></category>
		<category><![CDATA[HITECH security]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=332</guid>
		<description><![CDATA[ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and [...]]]></description>
			<content:encoded><![CDATA[<p>ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements for complying with the HITECH Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.</p>
<p>Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010.  In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center.  And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive.  Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns of protecting patient privacy, PHI threats and medical identity theft.</p>
<p>Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:</p>
<p>“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’ new RADAR tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”</p>
<p>Following any security breach, RADAR will guide the privacy or security officer to analyze the incident and exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused.  The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the HITECH requirements enforced by the HHS, including determining if notification is required.</p>
<p>RADAR is currently in beta test with several leading US healthcare providers and will be generally available in August 2010. RADAR is available as software-as-a-service on a subscription basis with pricing starting at $1,500 per user per year.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/07/new-radar-tool-for-hitech-data-breach-risk-assessments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are You Ready for a Healthcare Data Breach?</title>
		<link>http://blog.idexpertscorp.com/2010/07/are-you-ready-for-a-healthcare-data-breach/</link>
		<comments>http://blog.idexpertscorp.com/2010/07/are-you-ready-for-a-healthcare-data-breach/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 22:59:05 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[health and human services]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=330</guid>
		<description><![CDATA[This article is reprinted from Healthcare IT News with the author&#8217;s permission.
The handling of data breach incidents has become a way of life for healthcare providers and other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to [...]]]></description>
			<content:encoded><![CDATA[<p>This article is reprinted from Healthcare IT News with the author&#8217;s permission.</p>
<p>The handling of data breach incidents has become a way of life for healthcare providers and other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals, has, for the first time, resulted in public records being kept for such incidents.</p>
<p>If you oversee privacy, compliance, or IT for a hospital system, a  group practice, a health insurance company, other covered entities, or  even one of their business associates, the HITECH Act and its privacy  and data breach provisions require your close attention. While many  people know that HITECH generally creates requirements for data breach  notification, there are at least four things you may not know about  HITECH that you really should:</p>
<ol>
<li>The requirement for a mandatory incident-specific risk assessment  for every incident</li>
<li>The fact that HITECH notification provisions do not pre-empt state  notification laws</li>
<li>Encryption of data does not necessarily alleviate the risk of data  breach</li>
<li>If your business associate exposes your protected health information  (PHI), you are responsible</li>
</ol>
<p><strong>1. Mandatory incident-specific risk assessment.</strong> When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement: that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident. The rules establish a &#8220;harm threshold&#8221; for notification but, unfortunately, do not themselves make the determination of risk and the potential for harm. It is essential to become well versed in these rules and be prepared to carry out a HITECH-compliant data breach incident risk assessment.</p>
<p><strong>2. HITECH doesn&#8217;t pre-empt state notification laws.</strong> While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws. And while the intent of these laws is similar &#8212; to make individuals aware that their PHI may have been improperly disclosed &#8212; the specific details in all of these laws can actually vary a great deal. But because HITECH is not &#8220;preemptive,&#8221; a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations and the regulations in every state where individuals are affected. This can be daunting, especially because HITECH and state laws conflict in some cases.</p>
<p><strong>3. Encryption not a silver bullet.</strong> There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents. The general argument is that if data is encrypted, data breaches will not occur. Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea. For instance, a common threat approach is for a criminal or organized crime entity to enlist an &#8220;insider&#8221; to assist in extracting PHI. An insider with valid access credentials will not find encryption to be an obstacle in any way. As a result, consider encryption one of many tools for information protection, not a silver bullet.</p>
<p><strong>4. You are responsible for your business associate.</strong> For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH. While this is a good thing, as a covered entity you should not consider this a &#8220;free pass&#8221; if one of your business associates exposes PHI that was provided by your organization. While you may be able to hold them financially accountable, if you&#8217;ve provided for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity. It is your responsibility to maintain the privacy of the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.</p>
<p>As you put processes and procedures in place to meet HITECH  obligations, consider also putting in place a comprehensive and current  data breach incident response plan.  This will prevent a lot of  headaches and last-minute scrambling, should you be faced with a data  breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/07/are-you-ready-for-a-healthcare-data-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Three Things to Know About HITECH Act</title>
		<link>http://blog.idexpertscorp.com/2010/06/three-things-to-know-about-hitech-act/</link>
		<comments>http://blog.idexpertscorp.com/2010/06/three-things-to-know-about-hitech-act/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 21:36:04 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[hhs]]></category>
		<category><![CDATA[ehr]]></category>
		<category><![CDATA[medical privacy]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=328</guid>
		<description><![CDATA[A recently published article in Healthcare IT News  highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.
Titled &#8220;Three things you may not know about the HITECH Act&#8230;but should&#8221;, the article homes in on aspects of the rulemaking from the US Department of Health and [...]]]></description>
			<content:encoded><![CDATA[<p>A recently published article in Healthcare IT News  highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.</p>
<p>Titled &#8220;<a href="http://www.healthcareitnews.com/blog/three-things-you-may-not-know-about-hitech-act-should" target="_blank">Three things you may not know about the HITECH Act&#8230;but should</a>&#8221;, the article homes in on aspects of the rulemaking from the US Department of Health and Human Services that healthcare organizations must follow in determining whether a privacy breach incident meets the requirements for notification.</p>
<p>HITECH is known primarily for the manner in which it motivates healthcare providers to implement electronic health records (EHR) systems. But as more and more of our medical information is going online, the Act also wisely enhanced the privacy and security provisions that are required of healthcare providers and added penalties and enforcement mechanisms for the breach of private healthcare information.</p>
<p>One of the three things you may not know, per this article, is that when your organization experiences a potential privacy incident, you are required to carry out a &#8220;risk assessment&#8221; in order to determine the nature of the protected health information (PHI) that was disclosed, and whether it poses a risk of harm to the affected patients. Based on the results of this risk assessment, your organization may or may not be obligated to notify the affected individuals, along with HHS and the media. So this assessment process is very important.</p>
<p>Unfortunately, the risk assessment process is not as well defined or straightforward as might be hoped. And this gets to the 2nd item that you may not know about in HITECH. In carrying out a risk assessment, the goal is to determine whether there is a risk of financial, reputational or other harm to the patients affected. And in this process, not all PHI is created equal, and in fact, you must consider the nature of the information disclosed in a manner that is situationally aware.</p>
<p>For instance, disclosure of a person&#8217;s name and their medical procedure may not be cause for any risk of harm if the procedure was having a bunion removed. However, if the procedure was for the diagnosis of AIDS, disclosure of this information could result in substantial harm. As a result, it is not just the data types that need to be considered, but the nature of the data and the environment of their release. Not at all straightforward.</p>
<p>And then the 3rd thing that you may not know about HITECH from this article is that its data breach notification provisions don&#8217;t &#8220;preempt&#8221; those of each of the states. In fact, if your organization experiences a data breach, you need to assess the requirement to notify, and how to notify, using not just the requirements of HITECH, but also the requirements stated in state data breach notification laws.</p>
<p>For example, you may find that, based on your risk assessment, HITECH requires notification. But you may also find that in some states, the timeframe for notification is shorter than the 60 days from discovery of the incident that is required by HITECH. In other words, you must look at your breach notification requirements both under HITECH and under each state law where you have patients that were affected by the incident.</p>
<p>Needless to say, this is a complex process and you would be well advised to document your processes and decisions very carefully. You really don&#8217;t want to be the target of one of those $1.5MM fines that are beginning to surface.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/06/three-things-to-know-about-hitech-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Health Insurers Experience Positive Returns on Anti-Fraud Investments</title>
		<link>http://blog.idexpertscorp.com/2010/06/health-insurers-experience-positive-returns-on-anti-fraud-investments/</link>
		<comments>http://blog.idexpertscorp.com/2010/06/health-insurers-experience-positive-returns-on-anti-fraud-investments/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 18:40:02 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[bcbsa]]></category>
		<category><![CDATA[blue cross blue shield]]></category>
		<category><![CDATA[healthcare fraud]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=325</guid>
		<description><![CDATA[
The Blue Cross Blue Shield Association recently released a report that highlights a 7-to-1 savings for every dollar spent on anti-fraud activities. In their announcement they note that this represents a 47% increase in fraud savings in 2009 compared to 2008.
With growing evidence of the expansion in medical identity theft crimes, the focus of private [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/06/bcbsa_logo.gif"><img class="alignleft size-full wp-image-326" title="bcbsa_logo" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/06/bcbsa_logo.gif" alt="" width="263" height="56" /></a></p>
<p>The Blue Cross Blue Shield Association recently released a report that highlights a 7-to-1 savings for every dollar spent on anti-fraud activities. In their <a href="http://www.bcbs.com/news/bcbsa/bcbs-companies-2009-anti-fraud-efforts.html" target="_blank">announcement</a> they note that this represents a 47% increase in fraud savings in 2009 compared to 2008.</p>
<p>With growing evidence of the expansion in medical identity theft crimes, the focus of private insurers on fraud reduction is most welcome. There is a direct correlation between eliminating fraud and the reduction in medical identity theft. Unfortunately, while their progress appears to be solid, there remains the fact that the incidence of medical identity theft is on the rise.</p>
<p>In a recent <a href="http://online.wsj.com/article/SB125944755514168145.html" target="_blank">Wall Street Journal article</a>, it was noted that:</p>
<p>&#8220;&#8216;Medical identity theft is the fast-growing form of identity theft,&#8217;  says Jim Quiggle, spokesman for the Coalition Against Insurance Fraud.  He says individuals often don&#8217;t know that they have been victimized  until the thief has distorted their medical records and run up medical  bills.&#8221;</p>
<p>While statistics on the actual number of victims and the level of financial harm in medical identity theft are hard to come by, the fact that the incidence of these events is increasing is not good news for patients.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/06/health-insurers-experience-positive-returns-on-anti-fraud-investments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title></title>
		<link>http://blog.idexpertscorp.com/2010/05/323/</link>
		<comments>http://blog.idexpertscorp.com/2010/05/323/#comments</comments>
		<pubDate>Tue, 25 May 2010 21:48:13 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[healthcare cios]]></category>
		<category><![CDATA[informationweek healthcare]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=323</guid>
		<description><![CDATA[It is terrific to see that a recent discussion forum of healthcare CIOs concluded that &#8220;human foibles&#8221; are likely to continue to contribute to data breach incidents in healthcare. The CIOs were on an e-health panel at the MIT Sloan CIO Symposium in Cambridge, Mass.
As noted by InformationWeek Healthcare:
&#8220;While advancements in security technology better  [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/05/Healthcare_header.gif"><img class="alignleft size-full wp-image-322" title="Healthcare_header" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/05/Healthcare_header.gif" alt="" width="320" height="62" /></a>It is terrific to see that a recent discussion forum of healthcare CIOs concluded that &#8220;human foibles&#8221; are likely to continue to contribute to data breach incidents in healthcare. The CIOs were on an e-health panel at the MIT Sloan CIO Symposium in Cambridge, Mass.</p>
<p>As noted by <a href="http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=224900435&amp;cid=RSSfeed_IWK_All" target="_blank">InformationWeek Healthcare</a>:</p>
<p>&#8220;While advancements in security technology better  protects patient data, and regulations like HIPAA aim to set rules for  information security and privacy, some breaches boil down to humans  making mistakes. &#8216;Everything in our environment is encrypted,&#8217;  said William Fandrich, senior VP and CIO at Blue Cross Blue Shield of  Massachusetts. However, despite solid attempts at security protection and other  precautions, healthcare organizations need to emphasize&#8211;and continue to  remind&#8211;employees about simple things they need to do to prevent  patient privacy breaches.&#8221;</p>
<p>We continue to find that organizations turn primarily to technology to solve the data breach &#8220;problem&#8221;. This is exemplified by the perspective that once all data is encrypted, data breach risks will be eliminated. It is great to see the thoughtfulness of healthcare CIOs at this conference, where there is a prominent recognition that human error (and of course, human fraud) is a weak link for data breach risks despite the best of technologies applied.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/05/323/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HITECH Data Breach Risk Assessment Webinar</title>
		<link>http://blog.idexpertscorp.com/2010/05/hitech-risk-assessment-overview-webinar/</link>
		<comments>http://blog.idexpertscorp.com/2010/05/hitech-risk-assessment-overview-webinar/#comments</comments>
		<pubDate>Mon, 17 May 2010 23:36:31 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[data breach notification]]></category>
		<category><![CDATA[data breach risk assessment]]></category>
		<category><![CDATA[hhs hitech rules]]></category>
		<category><![CDATA[id experts]]></category>
		<category><![CDATA[kirk nahra]]></category>
		<category><![CDATA[rick kam]]></category>
		<category><![CDATA[wiley rein]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=319</guid>
		<description><![CDATA[Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason is that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents and for failing to [...]]]></description>
			<content:encoded><![CDATA[<p>Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason is that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents and for failing to notify affected individuals of an incident within a specified period of time.</p>
<p>One of the keys to meeting the notification requirement is completing and documenting a data breach incident &#8220;risk assessment&#8221; for each and every incident that is detected. The &#8220;rules&#8221; for carrying out this mandated assessment are specified by the Department of Health and Human Services (HHS) in their rulemaking. This webinar will assist information security, compliance and privacy officers and professionals at hospitals, health insurers, and other covered entities in understanding what they need to do and how to go about doing it, when faced with a potential data breach incident.</p>
<p>A description of the webinar follows.</p>
<p>The HITECH Act requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation of potential harm, for every potential data breach incident. This risk assessment will assist organizations in deciding whether they are obligated to then notify affected individuals, the Department of Health and Human Services (HHS) and the media about data breach incidents.</p>
<p>Kirk Nahra, CIPP, a partner at the premier healthcare law firm Wiley Rein LLP, and Rick Kam, president and founder of ID Experts, will review and discuss the HHS rules for completing these mandated data breach incident risk assessments in order to ensure compliance and utilize evolving best practices.</p>
<p>Learn about considerations for HIPAA-covered entities in carrying out mandated HITECH data security breach incident risk assessments. To enroll to attend the webinar, <a href="https://www2.gotomeeting.com/register/666004955" target="_blank">click here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/05/hitech-risk-assessment-overview-webinar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More HITECH privacy rules for healthcare</title>
		<link>http://blog.idexpertscorp.com/2010/04/more-hitech-privacy-rules-for-healthcare/</link>
		<comments>http://blog.idexpertscorp.com/2010/04/more-hitech-privacy-rules-for-healthcare/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 15:24:37 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[Credit Monitoring]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[HHS Rules]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=315</guid>
		<description><![CDATA[
As was required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.
As noted by Healthcare IT News, &#8220;this coming May, HHS will also issue new proposed [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/hitech.jpg"><img class="alignleft size-full wp-image-317" title="hitech" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/hitech.jpg" alt="" width="118" height="63" /></a></p>
<p>As was required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.</p>
<p>As noted by <a href="http://www.healthcareitnews.com/news/hitech-privacy-rule-be-released-next-month" target="_blank">Healthcare IT News</a>, &#8220;this coming May, HHS will also issue new proposed rules that will address additional privacy, security and enforcement requirements for HIPAA covered entities and their business associates that acquire and handle protected health information (PHI).</p>
<p>&#8220;The rule also toughens related provisions in the Health Insurance  Portability and Accountability Act (HIPAA) as the adoption of electronic  health records and health information exchange expands the number of  organizations that may have access to personal data.</p>
<p>The proposed rule focuses on the liability of business associates of  healthcare providers and plans; new limitations on the sale of protected  health information; and stronger individual rights to access electronic  medical records and restrict the disclosure of certain information, HHS  has said.&#8221;</p>
<p>These rules will continue to expand what has become a daunting regulatory environment during 2010 for healthcare organizations that must digest numerous requirements for securing the privacy of patient health records.</p>
<p>Given that healthcare organizations are now obligated to report all data breaches that affect over 500 individuals to the Office of Civil Rights at HHS for posting on their website, for the first time we will be able to get a window into the actual volume and nature of data breach incidents that are occurring in healthcare. At least this should be the case, once covered entities and their business associates develop sound processes and technologies for detecting data breach incidents as required under HITECH.</p>
<p>Given that data breach incidents in healthcare are moving in the wrong direction (they are on the rise), it behooves all organizations entrusted with PHI to have a comprehensive data breach incident response plan in place, and to have business contracts with all organizations with whom they share this data that ensure compliance with privacy rules and determine who will bear the costs of data breach notification if and when such incidents do occur.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/04/more-hitech-privacy-rules-for-healthcare/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hacking is Cause of Exposure for Most Data Breach Records</title>
		<link>http://blog.idexpertscorp.com/2010/04/hacking-is-cause-of-exposure-for-most-data-breach-records/</link>
		<comments>http://blog.idexpertscorp.com/2010/04/hacking-is-cause-of-exposure-for-most-data-breach-records/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 19:29:15 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[symantec]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=311</guid>
		<description><![CDATA[
Symantec released their Global Internet Security Report for 2009 which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.
&#8220;In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/symantec.gif"><img class="alignleft size-full wp-image-312" title="symantec" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/symantec.gif" alt="" width="326" height="37" /></a></p>
<p>Symantec released their <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Global Internet Security Report</a> for 2009, which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.</p>
<p>&#8220;In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. The majority of these were the result of a successful hacking attack on a single credit card payment processor. The hackers gained access to the company’s payment processing network using an SQL-injection attack. The attackers then installed malicious code designed to gather sensitive information from the network, which allowed them to easily access the network at their convenience. The attacks resulted in the theft of approximately 130 million credit card numbers. An investigation was undertaken when the company began receiving reports of fraudulent activity on credit cards that the company itself had processed. The attackers were eventually tracked down and charged by federal authorities. This type of targeted hacking attack is further evidence of the significant role that malicious code can play in data breaches. Although data breaches occur due to a number of causes, the covert nature of malicious code is an efficient and enticing means for attackers to remotely acquire sensitive information.&#8221;</p>
<p>The report also highlights trends in terms of countries that originate the majority  of cybercrime activity. Brazil and India show very rapid growth in malicious activity and are both now ranked in the top 10.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/04/hacking-is-cause-of-exposure-for-most-data-breach-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>High Unemployment Increases Cybercrime</title>
		<link>http://blog.idexpertscorp.com/2010/04/high-unemployment-increases-cybercrime/</link>
		<comments>http://blog.idexpertscorp.com/2010/04/high-unemployment-increases-cybercrime/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 22:59:43 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[id experts]]></category>
		<category><![CDATA[unemployment]]></category>
		<category><![CDATA[verizon business]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=309</guid>
		<description><![CDATA[In the past, a significant percentage of data breach incidents have been attributed to carelessness.  The lost laptop is one of the most common data breach causes, especially given how few use encryption technology and how common it is for employees to have access to private data.
With the economic meltdown of 2009, and the subsequently [...]]]></description>
			<content:encoded><![CDATA[<p>In the past, a significant percentage of data breach incidents have been attributed to carelessness.  The lost laptop is one of the most common data breach causes, especially given how few use encryption technology and how common it is for employees to have access to private data.</p>
<p>With the economic meltdown of 2009 and the subsequent high unemployment rates, a growing trend is now emerging of data breaches caused by disaffected or displaced employees.</p>
<p>As San Francisco Chronicle writer Alejandro Martínez-Cabrera recently noted in his article titled &#8220;<a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/07/BUDB1CQ2E8.DTL" target="_blank">How some ex-employees turn to cybercrime</a>&#8221;:</p>
<p>&#8220;Corporations across all  industries have  been dealing with  a steadily growing number of  internal data breaches since the financial meltdown. A Verizon data loss report noted that individuals with insider  knowledge of organizations accounted for 20 percent of all breaches last  year, and that number has been increasing  as economic malaises drag  on, said Chris Novak, managing principal of Verizon Business&#8217; Global  Investigative Response Team.&#8221;</p>
<p>&#8220;Stolen data can range from employees&#8217; health care records or clients&#8217;  credit card numbers to merger and acquisition plans, confidential  agreements or valuable source code, said Rick Kam, president and  co-founder of data breach prevention firm ID Experts.</p>
<p>Thieves can easily sell the information to cyber-criminal rings or  use it as a bargaining chip to get a job with their former employer&#8217;s  competitors. According to the Ponemon Institute study, 67 percent of  respondents said they would use &#8220;their former company&#8217;s confidential,  sensitive or proprietary information to leverage a new job.&#8221;</p>
<p>&#8216;The issue of identity theft is all about opportunity,&#8217; Kam said. &#8216;And our first instinct is to protect ourselves.&#8217;</p>
<p>In one case handled by Kam&#8217;s company six months ago, a disgruntled  man  went as far as trying to extort his former employer, a large health  care provider, by threatening to release thousands of sensitive patient  records that would have triggered an avalanche of lawsuits.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/04/high-unemployment-increases-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Management of Cyber Risk</title>
		<link>http://blog.idexpertscorp.com/2010/04/financial-management-of-cyber-risk/</link>
		<comments>http://blog.idexpertscorp.com/2010/04/financial-management-of-cyber-risk/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 16:24:08 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[ansi]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[isa]]></category>
		<category><![CDATA[melissa hathaway]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=306</guid>
		<description><![CDATA[This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.
Titled &#8220;The Financial Management of Cyber Risk: An Implementation Framework for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/ISA-logo.gif"><img class="alignleft size-full wp-image-307" title="ISA-logo" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/04/ISA-logo.gif" alt="" width="100" height="116" /></a>This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.</p>
<p>Titled &#8220;<a href="http://webstore.ansi.org/cybersecurity.   " target="_blank">The Financial Management of Cyber Risk: An Implementation Framework for CFOs</a>&#8221;, the document is literally a &#8220;how to&#8221; guide to understanding and addressing the financial implications of cyber risk.</p>
<p>Melissa Hathaway, President of Hathaway Global Strategies and former Acting Senior Director for Cyberspace for the National Security Council, notes that this is &#8220;an excellent guide for organizations to manage the risk and exposure derived from digital dependence.&#8221;</p>
<p>This paper is must reading for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare due to the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.</p>
<p>The context and perspective of this paper are best summarized in the executive summary, where it states:</p>
<p>&#8220;Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data&#8230;.In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The CFO as opposed to the CIO or CSO, is the most logical person to lead this effort.&#8221;</p>
<p>If one were to ask the CFO at a Fortune 500 company to quantify their level of risk to cybercrime and associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.</p>
<p>If you are the CFO of an organization of any size and in any industry &#8212; healthcare, financial services, manufacturing, retail &#8212; or in the public sector or higher education, don&#8217;t wait to read this document.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/04/financial-management-of-cyber-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
