Posts Tagged ‘data security’


National Data Security and Notification Legislation Underway

Posted by: Doug Pollack | August 13th, 2010

In recent weeks, two bills have been introduced in Washington, D.C. that attempt to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use “reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”

This act would require organizations to use appropriate security technologies and processes to safeguard the personal information of consumers. It would also require them to periodically assess their risk profile and take corrective actions in addressing security weaknesses. It also would require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”

Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” a few weeks earlier. This bill focuses on entities such as financial institutions, retailers, and federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement to notify consumers when a data security breach occurs that poses a substantial risk of identity theft or account fraud to the consumer, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.

Today, there are data breach notification laws in 46 states, each with somewhat different and inconsistent provisions for notification of consumers. One of the intents of a national bill would be to eliminate these inconsistencies, ensuring that all consumers are treated fairly and consistently when affected by a data breach incident. This is likely to be controversial, however, in states such as California and Massachusetts, which have enacted stricter regulations than either of these two bills for the privacy protection of their consumers.

Additionally, these bills are likely to have some of the same issues that currently exist with the HITECH Act, which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the Department of Health and Human Services (specifically the Interim Final Rule) clarify that the provision for data breach notification applies only to cases where there is a “substantial risk of financial, reputational or other harm” to the affected consumers. While this may sound fairly logical, it has been met with resistance and disdain from consumer advocates.

The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details. First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm? Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measurable costs such as customer churn and reputational damage, which are just as real. Such costs really could make it difficult for the same individuals that caused the data breach to admit that it could cause harm to the affected people.

Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a risk assessment and determine whether financial, reputational or other harm exists, when these factors are so subjective and so open to interpretation and judgment. For example, if you were a patient at a hospital where you were admitted to have your appendix taken out, and the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less to be adverse to your reputation. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider the exposure of this information as having a very negative impact on your reputation. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others quite acute.

If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.

I’m sure we haven’t seen the end of new bills in Congress focused on providing a national approach to personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into the topic of how to assess whether a “data security incident” is in fact a “data security breach” for purposes of notification.

More HITECH privacy rules for healthcare

Posted by: Doug Pollack | April 29th, 2010

As was required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.

As noted by Healthcare IT News, “this coming May, HHS will also issue new proposed rules that will address additional privacy, security and enforcement requirements for HIPAA covered entities and their business associates that acquire and handle protected health information (PHI).

“The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records and health information exchange expands the number of organizations that may have access to personal data.

“The proposed rule focuses on the liability of business associates of healthcare providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS has said.”

These rules will continue to expand what has become a daunting regulatory environment during 2010 for healthcare organizations, which must digest numerous requirements for securing the privacy of patient health records.

Given that healthcare organizations are now obligated to report all data breaches that affect over 500 individuals to the Office of Civil Rights at HHS for posting on their website, for the first time we will be able to get a window into the actual volume and nature of data breach incidents that are occurring in healthcare. At least this should be the case, once covered entities and their business associates develop sound processes and technologies for detecting data breach incidents as required under HITECH.

Given that data breach incidents in healthcare are moving in the wrong direction (they are on the rise), it behooves all organizations entrusted with PHI to have a comprehensive data breach incident response plan in place, and to have business contracts with all organizations with whom they share this data that ensure compliance with privacy rules and determine who will bear the costs of data breach notification if and when such incidents do occur.

Insider Security Threat in Healthcare

Posted by: admin | June 5th, 2009

by Doug Pollack

Recent events have highlighted the issue of insider access to private information and associated security within healthcare organizations. The access to Octomom’s health records by numerous hospital employees illustrates a serious and broad problem. It also is notable in that it is the first case where California has assessed penalties for such behavior.

Kirk Nahra, Partner with Wiley Rein, a leading law firm in the privacy arena, notes that:

“…the Bellflower Hospital in California was fined $250,000 after 23 employees of the hospital and affiliated companies accessed these medical records without authorization. The government finding in the case indicated that the breaches extended beyond the specific hospital in question, to other hospitals in the same corporate family, and continued even after initial reports to the state regulators about the breach. The state regulators also found that the security efforts to protect patient privacy were insufficient.”

With the passage of the HITECH Act, such situations are likely to become all the more visible given the requirement to report any such data breach incidents to the US Department of Health and Human Services. Healthcare organizations must take a serious look at how and to whom they provide access to personal health information of their patients in order to avoid the up to $1.5MM penalties that are prescribed by HITECH for such incidents.

Organizations Aren’t Assessing Data Breach Risk

Posted by: admin | March 13th, 2009

by Doug Pollack

Amit Yoran, former National Cyber Security Czar, concluded during a recent address at a security conference in Boston reported by Information Security Magazine that the “traditional models used by organizations to calculate risk are fundamentally broken.”

Empirical evidence would support his claim. Despite growing investments in security technology, the incidence of data breach events is rising. For every Heartland Payment Systems that is in the news, there are thousands of other data breaches that go undiscovered or unreported.

Privacy professionals note that many of today’s organizations do not have accurate inventories of the personal identity and health information (PII/PHI) that they store, manipulate and access. Nor have many performed data breach risk assessments or put in place cross-functional data breach response plans. And fewer still have budgets for implementing technologies and procedures for reducing their risk of data breach, since it isn’t as prominent an industry “category” as, say, “intrusion detection” or “antivirus protection”.

“Yoran would like organizations to refocus their energy, and determine the impact of loss of data, rather than concentrate on system or infrastructure security. For too long, he said, security has focused on availability of service rather than focusing on the value of data and keeping it confidential.”

Seems like good advice.

Data Breaches in Health Care on the Rise

Posted by: admin | April 29th, 2008

by Doug Pollack

An article published by the Wall Street Journal titled “Are Your Medical Records at Risk; Amid Spate of Security Lapses, Health-Care Industry Weighs Privacy Against Quality Care” discusses the growing incidence of data breaches, and the contributing factors, within the health care world.

The article highlights the extent of this problem as follows:

“In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc.”

The premise here is that the health care industry is inclined to have a greater incidence of data breaches due to the broader access to private patient information by employees and health care workers. This was illustrated in recent weeks by the highly publicized access to the medical records of Britney Spears by workers at the UCLA medical center.

“Health care isn’t the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees — including billing staff, nurses, doctors, researchers and lab technicians — who have quick access to individuals’ private information.”

But there seem to be structural requirements for patient record access, dictated by the need to ensure high quality and emergency medical care, that will make it difficult to reduce the risks of data intrusion and breach.

“Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. ‘We have to be able to take care of patients, too,’ says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff’s access to medical data but doesn’t block it.”

Unfortunately, it would appear that we will be seeing more rather than fewer data breaches within the health care industry for the foreseeable future.