435 PHI breaches documented by HHS impacted 20,066,249 individual records.
Under Federal law requiring disclosure, the HHS reports on data breaches of over 500 records (these are the ones they know about, not the incidents never detected at healthcare provider organizations) – you can see that stats on patient privacy breaches here.
They’ve been doing this since 2009. That seems like a lot. We need to consider the potential damage of patient privacy breaches and the vulnerabilities that lead up to a breach.
Unlike a credit card breach where the card holder is insured, the damage when patient privacy is breached is not minimal.
Your data is brokered to potential employers and insurance companies. The privacy of you and your family doesn’t exist anymore – anyone can pay a darknet healthcare information broker a small sum of money and know your personal healthcare issues, deny you employment, raise your insurance premiums or blackmail you for financial gain.
Considering the increasing numbers of patient privacy breaches and potential damage to patients and families, the HHS numbers should be a strident wake-up call for the executive management of healthcare providers.
Why are healthcare systems vulnerable to patient privacy breaches?
A key vulnerability is system complexity. EHR systems store patient electronic health records and transported data insider healthcare organizations and between healthcare business units and in and out of HIEs. These systems are big and complex.
In addition, the HIE and EHR IT vendors are highly fragmented, competing in typical American free market economy fashion with no vendor-neutral standards for patient privacy enforcement.
Lack of vendor neutral standards leads to the implementation of proprietary interfaces between systems for electronic healthcare data transfer and exchange. Every interface developed by a healthcare systems integrator is potential attacker entry point.
For example – you have a machine in the nuclear medicine department that transfers data to the hospital PACS system. There’s an interface. If an attacker can tap into the network and listen to the PACS connection – he has unlimited access to PHI and the scans.
Are patient privacy breaches being stimulated by the US government?
EHR interconnected with HIE systems have a big threat surface, because of big, very complex software systems with a large number of attacker entry points. Healthcare system vulnerabilities are compounded since everyone is using the same technology from Microsoft and following the same HIPAA compliance checklists from HHS.
It follows that the threat surface of patient privacy is growing under the direct stimulus of the HITECH Act that encourage investment in EHR systems and HIE (health information exchanges). The more stimulus we get in this space, the worse the patient privacy situation will be.
As Rich Mogull noted on his Securosis blog back in 2008 Breach notification statistics don’t tell us anything, at all, about fraud or the real state of data breaches.
"The statistics we’re all using are culled from breach notifications- the public declarations made by organizations (or the press) after an incident occurs. All a notification says is that information was lost, stolen, or simply misplaced. Notifications are a tool to warn individuals that their information was exposed, and perhaps they should take some extra precautions to protect themselves. At least that’s what the regulations say, but the truth is they are mostly a tool to shame companies into following better security practices, while giving exposed customers an excuse to sue them."
But notifications don’t tell us a damn thing about how much fraud is out there, and which exposures result in which losses and which vulnerabilities were exploited by employees, hackers or criminals to get at patient records.
So you don’t have data on which vulnerabilities were exploited. Now what?
Not having data, and being a physicist by training, do what any sensible physicist does given a limited amount of time and resources and lack of hard data: build a hand-waving argument based on a simple-minded 3 parameter model.
My hand-waving argument shows that there must be a correlation between fraud, porn and data breach; i.e. an organization that has one type of violation will be likely to have other types of violations on satisfying 3 conditions:
- High porousness of the healthcare enterprise network: A porous healthcare provider network invites attackers in and trusted insiders to take good stuff out using pen drives, tablets, DropBox and Gmail.
- Low level of ethics of top executives: Executives should be taking leadership positions in security and HIPAA compliance as an example to the rest of the employees and as proof that they believe that good security is key to protecting customers. When a top executive doesn’t let internal risk management guidelines get in the way of his personal goals, it sets the stage for additional fraud at lower echelons and fosters an environment where it’s OK to take company documents, just as long as you don’t get caught.
- Minimal network monitoring: Organizations with minimal network monitoring are living a life of ignorance that is bliss. If there is a porous network and lack of security and compliance leadership, then even if there is a fraud event, violation of company policy in regards to fraud, online gambling or sexual harassment in the workplace; it will not be detected. Security and fraud violations that are not detected cannot be used for corrective action and future deterrence.
An organization, with strong values, management leadership, a well run network and will have more ethically behaved employees (less adult content at work) and less data loss incidents. Effective network monitoring will enable the management leadership to enforce their company’s values and protect patient assets.
Conversely, a healthcare provider organization has weak network security, executives that do not lead by example and minimal monitoring will be prone to almost every type of security, fraud and privacy violation and as a result stand a higher likelihood of fraud and data loss.
Cross-posted from PathCare