Health Care Data Breaches Highlight Need for Security Investment

Massive health care data breaches in Atlanta, South Carolina and Utah show a need for securing mobile devices, increasing audits and using intrusion-protection software.

Within a few weeks' time, massive health care breaches have been made public at Emory Healthcare in Atlanta, the South Carolina Department of Health and Human Services (SCDHHS) and the Utah Department of Health, showing a need for health care organizations to boost their security budgets, according to Judy Hanover, research director at IDC Health Insights.

"There's been a chronic underinvestment in breach protection and in securing our network and our data," Hanover told eWEEK.

New requirements under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act mean health care companies need to go public with breaches and report them to the news media in addition to the U.S. Department of Health and Human Services (HHS), said Hanover.

"Increased reporting requirements are definitely making them more visible," she said. "You don't have to pop through HHS briefings to find out about these breaches any longer." Breaches affecting more than 500 people must be reported to local media outlets, according to the federal notification rule.

Of the three recent breaches, the Utah incident was the most serious because of its surreptitious nature and the potential for fraudulent use of both financial and medical data, said Hanover.

On March 30, a weak password enabled an Eastern European cyber-attacker to hack into a server at the Utah Department of Technology Services. Of the compromised records, about 280,000 included Social Security numbers and about 500,000 included a name, date of birth and address.

The Utah case is also serious because it involved children's information, Hanover noted. Data about the beneficiaries of the Children's Health Insurance Program was stolen, and their cases remain in a high-fraud risk monitoring database until age 17, according to Hanover.

"Child identity theft is just a different animal because children aren't using their credit all the time and aren't accessing it," said Hanover. "And that kind of identity theft tends to go unnoticed, and so those children need to be placed in a high-risk fraud file and monitored longer."

Unlike the Utah case, the South Carolina breach is "fairly well-contained," said Hanover, noting that officials managed to seize some machines from which the data had been transferred.

In South Carolina, SCDHHS reported on April 19 that an employee in the Medicaid program moved personal information for 228,435 Medicaid beneficiaries to his personal email account. The department discovered the breach on April 10 and then reported it to the South Carolina Law Enforcement Division.

The illegally transferred data came from 17 spreadsheets dating back to Jan. 31. They included names, phone numbers, addresses, birth dates and Medicaid ID numbers, SCDHHS reported. The Medicaid ID numbers contain Social Security numbers and also matched up with beneficiaries' names in 22,604 cases.

Meanwhile, Emory Healthcare in Atlanta announced on April 18 that it had misplaced 10 backup disks containing data on 315,000 patients. Social Security numbers were included on 228,000 of the patient files, and Emory Healthcare CEO John Fox's own health data may have been among the missing records. The health system stored the disks in an unlocked cabinet. They may have been missing for a long time and gone undetected, Hanover suggested.

A recent survey by HIMSS Analytics and Kroll highlighted a need for more proactive security policies by health care organizations. To avoid data breaches, health care companies can acquire software that performs data mining and intrusion protection, Hanover suggested. Vendors include FairWarning and Sensage. Products from these companies run data mining to detect if intrusions have occurred, said Hanover.

Companies should also conduct audits of security practices and vulnerabilities, either by an internal or external firm, she said.

Health care organizations also need to adopt proper device management for mobile devices, particularly as companies join the "bring your own device" (BYOD) trend. In fact, 85 percent of hospital IT departments allow doctors and staff to employ personal devices on the job, a Feb. 21 survey by mobile networking vendor Aruba Networks revealed.

For mobile devices, health care facilities should adopt a "no client strategy" in which users don't store data on the units. The policy involves "keeping the data as tightly held in the data center as possible and really just providing access to the device but not storing the information," said Hanover.