Massive health care data breaches in Atlanta, South Carolina and Utah show a need for securing mobile devices, increasing audits and using intrusion-protection software.
In a few weeks' time, massive health care breaches have been made public at Emory Healthcare in Atlanta, the South Carolina Department of Health and Human Services (SCDHHS) and the Utah Department of Health, showing a need for health care organizations to boost their security budgets, according to Judy Hanover, research director at IDC Health Insights.
"There's been a chronic underinvestment in breach protection and in securing our network and our data," Hanover told eWEEK.
Reporting requirements under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act mean health care companies need to go public with breaches and report them to the news media in addition to the U.S. Department of Health and Human Services (HHS), said Hanover.
"The reporting requirements are definitely making them more visible," she said. "You don't have to pop through HHS to find out about these breaches any longer." Breaches affecting more than 500 people must be reported to local media outlets, according to the federal notification rule.
Of the three recent breaches, the Utah breach was the most serious due to the surreptitious nature of the breach and the potential for fraudulent use of financial data as well as medical data, said Hanover.
On March 30, a weak password enabled an Eastern European cyber-attacker to hack into a server at the Utah Department of Technology Services. Of the compromised records, about 280,000 included Social Security numbers and about 500,000 included a name, date of birth and address.
The Utah case is also serious because it involved children's information, Hanover noted. Data about the beneficiaries of the Children's Health Insurance Program was stolen, and their cases remain in a high-fraud risk monitoring database until age 17, according to Hanover.
"Child identity theft is just a different animal because children aren't using their credit all the time and aren't accessing it," said Hanover. "And that kind of identity theft tends to go unnoticed, and so those children need to be placed in a high-risk fraud file and monitored longer."
Unlike the Utah case, the South Carolina breach is "fairly well-contained," said Hanover, noting that officials managed to seize some machines from which the data had been transferred.
In South Carolina, SCDHHS reported on April 19 that an employee in the Medicaid program moved personal information for 228,435 Medicaid beneficiaries to his personal email account. The department discovered the breach on April 10 and then reported it to the South Carolina Law Enforcement Division.
The illegally transferred data came from 17 spreadsheets dating back to Jan. 31. They included names, phone numbers, addresses, birth dates and Medicaid ID numbers, SCDHHS reported. The Medicaid ID numbers contain Social Security numbers and also matched up with beneficiaries' names in 22,604 cases.
Emory Healthcare in Atlanta announced on April 18 that it had misplaced 10 backup disks containing data on 315,000 patients. Social Security numbers were included on 228,000 of the patient files, and Emory Healthcare CEO John Fox's own health data may have been among the missing records. The health system stored the disks in an unlocked cabinet. They may have been missing for a long time and gone undetected, Hanover suggested.
A recent survey by HIMSS Analytics and Kroll highlighted a need for more proactive security policies by health care organizations. To avoid data breaches, health care companies can acquire software that performs data mining and intrusion protection, Hanover suggested. Vendors include FairWarning and Sensage. Products from these companies run data mining to detect whether intrusions have occurred, said Hanover.
Organizations should also conduct audits of security practices and vulnerabilities, performed either by an internal team or by an external firm, she said.
Health care organizations also need to adopt proper device management for mobile devices, particularly as companies join the "bring your own device" (BYOD) trend. In fact, 85 percent of hospital IT departments allow doctors and staff to employ personal devices on the job, according to a Feb. 21 survey by mobile networking vendor Aruba.
To secure mobile devices, health care facilities should adopt a "no client strategy" in which users don't store data on the units. The policy involves "keeping the data as tightly held in the data center as possible and really just providing access to the device but not storing the information," said Hanover.