
Sutter Health Breach Update

This past week, Sutter Health released a statement saying that it is notifying 2,582 patients that their personal information was included in billing documents a former employee emailed to a personal account without authorization. For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included.

Although the incident occurred on April 23, 2013, the breach was only discovered “during a thorough review of the former employee’s email activity and computer access.” The internal investigation began on August 27, 2015, more than two years after the incident. What stands out in this instance is Sutter Health’s inability to discover, mitigate, and remediate the incident within a reasonable timeframe. When it comes to HIPAA, breaches must be reported to HHS and the individuals affected without unreasonable delay and in no case later than 60 days following discovery of a breach or when it reasonably should have been known that a breach occurred.

The last point is key and clearly indicates the need for tools that allow organizations to better understand when PHI or other types of sensitive data leave their network. The best option to track and stop data from leaving your network is a Data Loss Prevention (DLP) solution. In this incident, the third large data breach involving Sutter Health, the organization has found “no evidence that any of the patient information was used or disclosed to others.” Since the data was sent to a personal email account, it is unlikely, indeed truly impossible, that Sutter Health can determine with 100% certainty that the patient information was not disclosed inappropriately, and this is reflected in its offer of one year of free credit monitoring to affected individuals.

In some other breach cases, however, data is available to forensically determine with certainty what happened after a breach occurred, and sometimes long after a breach occurred. If this is the case, then the information existed when the breach actually occurred. The takeaway in those instances is that logs or other forensic data were not reviewed proactively to catch the breach sooner. In a digital information world with bigger and bigger data hurtling down the road faster and faster, no one seems to be watching the gauges for trouble!

With the many tools available and the ease with which an employee can move data outside of an organization, a DLP solution is a necessity. Not only would your organization be able to watch sensitive information flowing into, throughout, and out of your network without impacting performance, but you could also lock down many of those outlets for data leakage. In addition to performing a HIPAA Risk Analysis and publishing policies and procedures, DLP can help your organization maintain compliance with regulations such as HIPAA, Red Flags Rule, PCI, and other state and Federal privacy regulations. As the costs of remediating a breach rise, DLP becomes a more prudent decision that can offer real value as well as peace of mind.

If you are interested in learning more about DLP or other related services, contact RISC Management and Consulting, LLC at 800.648.4358 or visit




Breach Update

There have been multiple breaches in the news recently, headlined by the hack of the Office of Personnel Management (OPM) that exposed the information of potentially 18 million people at last tally. It was also recently announced that Blue Shield of California had experienced a minor breach that affected 843 individuals through a coding error on one of their secure web sites. Within the past month, other notorious events included breach alerts from password manager LastPass and the Houston Astros, a professional MLB club.

While the cause may be different (or still unknown) for each of these events, they can all serve one purpose for any organization: take security seriously. Potential risks exist internally and externally for any organization that maintains or processes important and valuable data such as electronic Protected Health Information (ePHI). With the black market value of health records on the rise, it is imperative for all organizations to make efforts to ensure the confidentiality, integrity, and appropriate availability of sensitive data.

Straightforward steps towards building or maintaining a successful security program always start with a Risk Analysis. Without quantifying the potential risks to your organization, it is difficult to make informed decisions, especially when trying to purchase the right tools or delegate your workforce efforts. The next step is generally to analyze your policies and procedures. These documents state your organization’s intent to comply with applicable regulations or frameworks. Maintaining up-to-date procedures is important for ensuring continuity in all of your regular processes and saves valuable time. Once each of the above has been addressed, it is then time to train your workforce. This accomplishes a number of goals, including increasing the effectiveness of security controls, improving workforce efficiency, and protecting the organization in the event of a breach or other security incident.

These are just the first steps towards building a security program; there are a number of other technical, administrative, and physical controls that must be implemented to avoid breaches and comply with the standards and regulations of your industry. However, without these building blocks for long-term success, it might not be farfetched to find your organization on the OCR’s Wall of Shame.

To find help with a third-party Risk Analysis, policies and procedures, training, or any other security controls, contact RISC Management & Consulting today!