Data Breach, News Events, Risk Analysis/Risk Management

Sutter Health Breach Update

This past week, Sutter Health released a statement stating that they are notifying 2,582 patients that personal information was included in billing documents a former employee emailed to their personal account without authorization. For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included.

Despite the incident occurring on April 23, 2013, the breach was only discovered “during a thorough review of the former employee’s email activity and computer access.” The internal investigation began on August 27, 2015, more than two years after the incident. What stands out in this instance was the inability for Sutter Health to discover, mitigate, and remediate this incident within a reasonable timeframe. When it comes to HIPAA, breaches must be reported to HHS and the individuals affected without unreasonable delay and in no case later than 60 days following discovery of a breach or when it reasonably should have been known that a breach occurred.

The last point is key and clearly indicates the need for tools that allow organizations to better understand when PHI or other types of sensitive data leave their network. The best option to track and stop data from leaving your network is a Data Loss Prevention (DLP) solution. In this incident, the third large data breach involving Sutter Health, they have found “no evidence that any of the patient information was used or disclosed to others.” Since the data was sent to a personal email account, it is unlikely, truly impossible, that Sutter Health can determine with 100% certainty that the patient information was not disclosed inappropriately and this is reflected in their offering affected individuals one year of free credit monitoring.

In some other breach cases, however, data is available to forensically determine with certainty what happened after a breach occurred, and sometimes long after a breach occurred. If this is the case, then the information existed when the breach actually occurred. The takeaway in those instances is that logs or other forensic data were not reviewed proactively to catch the breach sooner.  In a digital information world with bigger and bigger data hurtling down the road faster and faster, no one seems to be watching the gauges for trouble!

With the many tools available and the ease with which an employee can move data outside of an organization, a DLP solution is a necessity. Not only would your organization be able to watch sensitive information flowing into, throughout, and out of your network without impacting performance, you can lock down many of those outlets for data leakage. In addition to performing a HIPAA Risk Analysis and publishing policies and procedures, DLP can help your organization maintain compliance with regulations such as HIPAA, Red Flags Rule, PCI, and other state and Federal privacy regulations. As the costs for remediating a breach rise, DLP becomes a more prudent decision that can offer real value as well as peace of mind.

If you are interested in learning more about DLP or other related services, contact RISC Management and Consulting, LLC at 800.648.4358 or visit www.RISCsecurity.com.

 

References

http://news.sutterhealth.org/2015/09/11/sutter-health-informs-patients-of-unauthorized-document-handling-by-former-billing-unit-employee/

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

Advertisements
Business Continuity, Cyber Security, Data Breach, Education, HIPAA / HITECH Enforcement, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Data Loss Prevention Solutions

Critical to Enterprises With Sensitive or Confidential Information

Data Loss Prevention, often abbreviated DLP, is no longer an optional solution for organizations that:

  1. Are in possession or use of data that is regulated, confidential, sensitive, or otherwise limited from public access;
  2. Are large enough to have more than a single, structured data repository such as only one server and dumb terminals (hardly the case anymore);
  3. Need to be able to prove to management, auditors, or regulatory bodies that they know where their data is, and how it is being protected.

Business owners should consult with security professionals according to Siciliano (Entrepreneur, 2014), CEO of IDTheftSecurity.com, Inc. Siciliano reported the importance of installing data-loss prevention software and performing a risk assessment, “it’s possible to monitor the entire network’s activities to detect events that could lead to a data breach and detect trespassers before it occurs” (p. 3).

Part of the Guide to Privacy and Security of Health Information explains the HIPAA Security Rule requirement that a covered entity must conduct a Risk Analysis [§ 164.308(a) (1) (ii) (A)] to identify risks and vulnerabilities to electronic protected health information. Performing a “risk analysis is the first step in an organization’s Security Rule compliance efforts” (Office of the National Coordinator for Health Information Technology, 2014, p. 10) in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. In addition, organizations must perform an Application and Data Criticality Analysis [§ 164.308(a) (7) (ii) (E)] to, “Assess the relative criticality of specific applications and data…”

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it; authorized or unauthorized. Complete and accurate knowledge is necessary in order to understand what laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

Data Classification

Classifying your data into categories such as a Data Classification Matrix makes it easier to apply controls based upon the data type, rather than in a discretionary manner, or simply guessing. Most organizations know that they should protect credit card information differently than public marketing materials. But can they explain the differences in controls applied to ePHI versus Social Security Numbers? What are the requirements for this data? Who enforces them? How much trouble are we in if we have an unauthorized breach of this data?

Every organization should determine the classes that their data types fall into, not the data repositories. For example, classify your data as “Regulated” as opposed to “ePHI” or “Confidential” as opposed to “Payroll Records”. Remember, for data privacy and security regulations and industry requirements, the purpose of the data is irrelevant, it’s the existence of the data that matters.

An example of a data classification matrix that RISC has assisted its clients in successfully deploying is:

  1. Regulated
  2. Confidential
  3. Non-public
  4. Public

Once your data is classified, control mechanisms can be assigned to that classification as a whole, rather than piecemeal.

Roads

Now, your DLP solution is ready to find that data, and let you know where it is, at high speed, with pretty good accuracy. A DLP solution, or even a DLP assessment, can perform a year’s worth of human analysis in a week or two of close to pure automation!

RISC Management’s DLP solution

  • Can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization;
  • Will deliver Data Loss Prevention (DLP) solutions that protect regulated, sensitive, or confidential employee, customer, or company information and safeguard intellectual property across all electronic communications channels;
  • Can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Key Benefits

  1. Compliance with regulations such as HIPAA, Red Flags Rule, PCI, and state/federal privacy regulations
  2. Automated email encryption utilizing policy-driven healthcare data classification and filtering
  3. Unobtrusive enforcement of data loss prevention policies across all popular Internet communication channels
  4. Healthcare code sets (e.g. HCPCS, ICD-9, LOINC, and NDC) as built-in dictionaries
  5. Inclusive data logs of confidential data copied, sent, or downloaded

An important definition to understand is the term Vulnerability and Technical vulnerability. Vulnerability is defined in NIST (2012) Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems. The NIST (SP) 800-30 guide is a 95 page document published and developed by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA), Public Law 107-347.

Vulnerability Testing

Included in the risks that should be identified by an organization regularly are technical vulnerabilities. These vulnerabilities may include missing patches on computing devices, misconfigurations accidentally performed by staff members or consultants, or insecure network architecture. While the reasons are many, the result is the same, elevated risk to the confidentiality, integrity, and availability of your organization’s sensitive information.

RISC Management & Consulting can assist your organization in performing comprehensive technical vulnerability testing. The Security Engineers at RISC use numerous best in class tools to establish a thorough view of your security posture. The output of these tools is used in a number of ways including:

  •  Comparing security controls and system configuration to organizational policy.
  • Comparing the state of security to compliance requirements such as HIPAA, PCI-DSS, and ISO 27002.
  • Comparing the actual network architecture to the organization’s understanding of the network architecture.
  • Developing a technical vulnerability assessment report that provides a compliance, business, and technical review of the state of information security.

Contact RISC Management and Consulting today to discover how we can help you! www.RISCsecurity.com or 630-270-9336

References

Entrepreneur.(2014). 11 Ways to protect your business from cyber criminals. Retrieved from http://www.entrepreneur.com/article/238369

National Institute of Standards & Technology. (2012). Guide for conducting risk assessments: Information security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

 

 

Business Continuity, Data Breach, Disaster Recovery, Education, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Risk Analysis/Risk Management, Tip of the Week

Breaches Affecting 500 or More Individuals

Sylvia Matthew Burwell is the 22nd Secretary of Health and Human Services (HHS) and took office last June 9th, 2014. According to her Biography, “Secretary Burwell has called for the Department to operate under three guiding tenets: to deliver results on a wide range of complex issues; to strengthen the relationships that drive progress; and to build strong teams with the talent and focus needed to deliver impact for the American people”.

Included in her job description along with overseeing more than 77,000 employees is ensuring that data breaches of unsecured protected health information affecting 500 or more individuals are posted on the HHS website. The Secretary is required to do this by section 13402(e) (4) of the HITECH Act. The following unauthorized access/disclosure breaches have been reported to the Secretary between May 2014 and August 2014.

May to August 2014 breach of unauthorized access or disclosure

 

Brought to you by RISC Management and Consulting, LLC as part of  Privacy and Security Awareness Program

References

http://www.hhs.gov/ocr/privacy/

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf

Data Breach, HIPAA / HITECH Enforcement, News Events

An Employee Mistake Leads to a HIPAA Data Breach

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key in this breach was that the employee was authorized to work with PHI but in this case did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note in this situation is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is a prudent means of improving efficiency and confidence in your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Data Breach, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Information Security Operations Planning

One of the biggest threats for organizations today is the threat of the unknown. For many IT departments and Security Teams, it is a constant battle to know your enemy and protect the organization’s assets from being stolen or corrupted. Not long ago, installing a firewall for the network and anti-virus on workstations was adequate protection. Times have changed, and building a security program requires planning, specifically a good balance of Strategic, Tactical and Operational planning.

Strategic planning is all about allocating the right resources to satisfy long-term goals and protecting the data that helps make your organization valuable. As Darren Dannen explains, “Strategic planning is an organization’s process of defining its strategy or direction and making decisions about allocating its resources to pursue this strategy.” The decisions come mostly from management and are the guiding principles for everyday decisions made throughout the organization. Things to consider would include: What is important to protect? What needs to be monitored? How would you respond to threats? And how do you determine if you need outside assistance?

With these decisions made, the next step is to address Tactical planning, or the implementation of your organization’s strategy. The key here is building a security operations structure that is clear and effective in helping identify and stop attacks. One of the most important aspects of Tactical planning is clearly defining the proper roles within management and your security teams to define the structure of the organization. For healthcare organizations, that means stating who the Security Officer is and outlining Emergency Response Teams to react during a breach or security incident. The next step in Tactical planning is addressing training and techniques. This is when your organization establishes administrative, technological, operational, and analytical procedures to support both immediate and long-term goals.

In support of Strategic and Tactical planning is Operational planning. These activities revolve around protecting information assets through everyday tasks. According to Darren Dannen, there are five basic functions to plan for:

  1. Vulnerability management
  2. Device management
  3. Monitoring
  4. Threat Analysis
  5. Incident Response

Some key areas to address within these functions include patch management, vulnerability scanning, log, auditing, and risk mitigation. This planning process does not happen overnight and can require extra resources to get off the ground. If your organization needs assistance, contact RISC Management. Remember that the first step in establishing any security program is a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program