While these 10 breaches have been listed on the ‘Wall of Shame’ website, one common cause has been identified in all these breaches – theft/loss of unencrypted computing devices or storage media. It has been noted that lack of encryption has accounted for nearly half of all major breaches in the federal tally. Although the importance of encryption has been stressed by experts time and again, a considerable number of healthcare entities and their associates are yet to encrypt their data.

Security experts believe that while encryption is one of the fundamental steps to be taken by every healthcare organization, lack of encryption is not the only security deficiency that worries them. Unencrypted data is often just a sign of deeper security deficiencies that need to be addressed. Experts also believe that failing to encrypt is a bad management decision and not just a security mistake,such as not identifying where data resides or what security risks surround the data.

Several healthcare entities also fail to manage user access efficiently. All this points to the fact that these entities are not practicing security fundamentals, and that they are making fragmented efforts without formally integrating security essentials and aligning them with risk functions in the organization. The lack of an effective risk assessment process and frequent failure to identify internal and external threats and vulnerabilities can also be attributed to the absence of security fundamentals.

What have these security breaches taught us?

There are a few valuable lessons to learn from every information security breach that has been reported so far:

• Every breach is completely avoidable if basic security practices are in place
• Most breaches are not high-end sophisticated attacks but merely result from lapses of judgment and sound application of security measures
• Simple deviations from good security practices can have major consequences for the business
• Encryption of data is of primary importance, and can come a long way in mitigating risks to information
• Business associates have been responsible for some of the largest breach incidents, and are directly liable for HIPAA compliance just like all covered entities. Hence ensuring that data processed by business associates and subcontractors is well-protected, is critical.

What should healthcare entities do?

• Define security policies and standards clearly, and ensure they are being executed as intended
• Establish well-defined ownership and accountability for all security practices, improve poor practices and drive improvements where gaps are identified
• Train employees adequately and help them understand the need to protect the privacy of patients’ health information
• Adopt a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC that can considerably simplify security processes and compliance, while mitigating risks and adequately protecting health data.

The post Health Breach Tally Hits a New Milestone appeared first on Aegify.

Adding to the number, is a class action lawsuit filed against insurer Horizon Blue Cross Blue Shield of New Jersey, following a data breach which occurred late last year. This lawsuit will be one among the many breach-related suits in healthcare and other industries, to be filed this year.

Horizon had notified 840,000 members about the breach incident. The affected members, whose social security numbers may have been compromised, are being offered free credit monitoring and identity theft protection for one year, according to the company. However, the plaintiffs in the case, Karen Pakelney and Mark Meisel are suing the insurance company for failing to secure and safeguard sensitive, personally identifiable information adequately. They have alleged the insurer of acting negligently and of violating the Fair Credit Reporting Act and the New Jersey Consumer Fraud Act, and are seeking unspecified damages.

However, according to a Horizon Spokesperson, the lawsuit is without merit, and the company intends to defend itself vigorously. But one thing is for sure. This lawsuit opens the floodgates to many more such breach-related lawsuits, and it can be expected that settlements in such cases could be substantial.

David Navetta of the Information Law Group points out to the court ruling in 2011 in favor of the payment card breach victims who were affected by the 2007 breach involving Hannaford, a grocery chain in northwestern United States. He says that the ruling in this case meant that victims of the breach could sue for damages resulting from the costs of card replacement, theft, insurance and other reasonable mitigation efforts, and emphasizes that government enforcement actions related to breaches are heating up in healthcare.

According to Navetta, breaches such as the one involving Horizon and the recent complaint filed by the Federal Trade Commission against the medical testing firm LabMD, highlight the importance of data protection and prompt breach notification, and also bring the importance of cyber-insurance to the forefront. He points out that such cases could turn out to be very expensive to fight, and could potentially put small healthcare entities out of business. LabMD for example, had announced in January this year that its Atlanta-based medical testing lab would be winding down operations because of the cost of fighting the battle with the Federal Trade Commission over the breach case.

It does look very likely that 2014 will be the year of lawsuits for the healthcare sector as predicted by experts. However, the most important lesson for healthcare providers to take home is that data protection and breach prevention are to be taken with utmost seriousness. Providers have to adopt comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC in order to be able to identify vulnerabilities and detect threats in their systems and prevent breaches, rather than facing legal action and suffering dire consequences. The in-depth certification courses offered by 4Med could further strengthen your compliance understanding in remaining secure and compliant.

The post 2014 – The Year of Data & Privacy Lawsuits? appeared first on Aegify.

The ‘Wall of Shame’, to which the Department of Health and Human Services’ Office for Civil Rights adds breaches affecting more than 500 individuals, shows that as on December 20^th, more than 5.7 million individuals have been affected by over 130 health data breaches in 2013, as against 2.7 million affected by 160 breaches in 2012.

And what is noteworthy is that three large breaches are yet to be added to this federal tally. They include:

• The data breach reported by Horizon Blue Cross Blue Shield of New Jersey in November this year, where two unencrypted desktop computers were stolen from the company’s headquarters, affecting nearly 840,000 individuals.
• The malware breach reported by the University of Washington Medicine, affecting 90,000 individuals.
• The breach at Cottage Health System in California, which affected 32,500 patients who had their patient health information exposed on Google for 14 months because of a lapse in a business associate’s systems.

Out of the numbers included in the federal tally so far, more than 90 percent affected individuals have been victims of four large breaches including the July breach at an office of the Advocate Medical Group that affected 4 million individuals and resulted in a class action lawsuit; a breach in October at AHMC Healthcare, which involved two unencrypted laptop computers stolen from the administrative offices in California, affecting 729,000 individuals; a breach incident in May at Texas Health Harris Methodist Hospital Fort Worth, involving decades-old microfiche medical records, affecting 277,000 patients; and an incident reported in April at the Indiana Family and Social Services Administration, impacting 188,000 clients whose personal information was disclosed in mailings to other clients due to a programming error by a business associate.

It has been repeatedly noted that a large percentage of breaches involved business associates, and the most common cause for breaches has been loss/theft of unencrypted devices or media. Despite continued emphasis on the role of encryption in safeguarding patient data, most healthcare entities seem to be missing the point, and data breaches caused by lack of encryption continue to fill the ‘wall of shame’.

Moreover, with business associates becoming directly liable for HIPAA compliance, they are seen moving from a reactive to a proactive model for data security. It is only logical that with this shift, more data breach incidents will be identified and reported in the coming future.

How to Keep Breaches Away

By taking certain key steps, healthcare data breaches of all sizes can be prevented. Firstly, a thorough risk analysis is crucial to help identify security risks and threats looming over healthcare data. This can significantly help bringing down the possibility of a breach. Secondly, monitoring the practices of business associates and subcontractors can further improve the security posture of a healthcare entity. While modifying Business Associate agreements alone is not sufficient to prevent a breach, periodical review of their operations and ensuring their compliance with security standards are also essential to keep breaches at bay. And most importantly, data encryption is a crucial step in protecting healthcare data. Encrypting data can come a long way not only in avoiding breach incidents, but also in preventing legal action in the event of a breach.

This is where comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC prove extremely helpful. They address all security concerns with an in-built framework that follow all key steps necessary to safeguard healthcare information, thus eliminating the possibility of a breach incident.

The post Number of Data Breach Victims Doubled in 2013 appeared first on Aegify.

The Department of Health and Human Services confirmed that this major breach incident is the second largest health data breach reported so far in 2013. A noteworthy fact is that the three largest breach incidents in 2013 have involved thefts of unencrypted computers. This clearly reveals that lack of encryption remains one of the top reasons for data breaches.

A review led by forensic experts at Horizon Blue Cross Blue Shield confirmed that the stolen laptops may have contained files with varying levels of patient information, including names, addresses, identification numbers, dates-of-birth, some amount of clinical information, and in some cases, social security numbers too. However, it was not clear whether all of the information stored in these laptops is accessible. The company is notifying over 839,700 members about the breach, and those whose social security numbers may have been compromised will be offered free credit monitoring and identity theft protection for one year. The company is working with law enforcement to locate the stolen laptops, and is also strengthening encryption processes. Enhancing policies and procedures and educating staff about security of member information is also one of its immediate goals.

This incident is a clear warning bell that irrespective of the physical security measures, encrypting PHI stored on mobile/desktop computing devices is a crucial task. While physical safeguards are important too, unless data is encrypted, there will always be significant risks posed by insider threats, and others who have access to locked facilities.

Why Encrypt?

According to Adam Greene, a privacy attorney, there is no substitute for encryption or the use of a data loss protection technology that can ensure that data is kept centrally and does not end-up on the end-user device. Moreover, those entities that fail to encrypt PHI will find it hard to defend themselves during breach investigations and other such regulatory actions. And with the cost of encryption reducing significantly, the government has great expectations from entities for employing this method to secure PHI. So, physical safeguards will no longer suffice.

And not to forget, the penalty for non-compliance under the HIPAA Omnibus rule may go up to $1.5 million per violation. So entities are better-off paying for encryption and preventing a breach, rather than being subject to such high penalties. Solutions like Aegify Security Posture Management or Aegify SecureGRC could prove extremely useful in preventing data breaches from taking place. They address the need for encryption while also providing comprehensive security for PHI, making them ideal for healthcare providers, their business associates and subcontractors to ensure PHI is safeguarded throughout its lifecycle.

The post Lack of Encryption Causes Major Breach, Yet Again appeared first on Aegify.

What the Breaches Have Taught Us

Need for Encryption

Time and again, breach incidents bring the need for ‘encryption’ to the forefront. A majority of the beaches reported since September 2009 was caused by lost/stolen unencrypted devices, especially laptops. This fact further underscores the value of encryption as a breach preventer. Moreover, the Director of OCR, Leon Rodriguez, is also of the opinion that ‘encrypting’ data is the most risk-avoidant thing that healthcare entities can do, but often entities overestimate the cost and difficulty of encrypting data and consequently avoid encryption.

Need to Monitor Vendor Partners

It has been noted that some of the largest breaches have involved business associates. This accounted for nearly 22% of the total number of breach incidents, highlighting the need for covered entities to ensure that their vendor partners also implement effective security safeguards. This is of utmost relevance now that the HIPAA Omnibus Rule makes business associates and their subcontractors also directly liable for HIPAA compliance.

Need for Effective Security Policies and Practices

20% of the breaches in the last four years involved ‘unauthorized access’ to patient information. So healthcare entities have to direct attention towards how this can be prevented. Monitoring and managing access to health information should therefore be one of the top priorities for covered entities.

While these are some lessons learned from the breach incidents reported so far, the enforcement actions taken by OCR also offer a number of valuable insights.

Lessons to Learn from OCR’s Enforcement Actions

OCR’s enforcement actions have repeatedly highlighted the need for a thorough risk assessment to help uncover vulnerabilities and weaknesses in the system that could potentially lead to bigger issues and pose significant threats. According to Rodriguez, OCR investigations have repeatedly shown that the failure to do a thorough risk analysis has often been the cause behind the lack of encryption on devices that were stolen or lost, resulting in many large reportable breaches. Those entities that failed to do a risk analysis to assess where electronic PHI resides, and to determine vulnerabilities, also failed to do encryption.

The Value of Preventing a Breach

So far, federal investigations of some major breaches have resulted in significantly high monetary settlements such as the one with insurer Wellpoint, where the settlement amount was $1.7 million. In addition to this, the largest enforcement action taken by OCR was against Cignet Health where OCR levied a penalty of $4.3 million for failing to provide patients access to their health information and then failing to cooperate with OCR investigators.

Under HIPAA Omnibus, penalties for each violation can range up to $1.5 million, and according to Rodriguez, OCR is likely to leverage more penalties to fund its permanent audit program that is to begin next year. Taking this into consideration, the primary focus of healthcare entities should be on how to prevent a breach and avoid such expensive incidents.

What’s in store?

Although the number of breaches has shown a decline since the beginning of this year, it is expected that as a result of the HIPAA Omnibus rule, more major breaches will be reported in the coming months. This is because, the Omnibus rule has changed the standards for HIPAA breach notification from assessing whether an incident is likely to result in a significant risk of financial, reputational or other harm, to a more objective assumption that any incident should be reported unless there is a very low probability of data compromise.

Next Steps for Healthcare Entities

With the permanent audit program set to begin in 2014, all healthcare entities should draw a definite plan of action to comply with HIPAA Omnibus, if they are not already compliant, and prepare for the upcoming audits well in advance. Here are a few steps that entities can take to simplify the compliance process:

• Conduct a thorough risk assessment at the earliest
• Encrypt all devices containing electronic health records
• Adopt a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC and leverage its built-in HIPAA Omnibus compliance and security frameworks
• Revisit business associate agreements and ensure they are compliant with HIPAA Omnibus
• Document all security policies, practices, and compliance initiatives.

These steps can help entities steer clear of breach incidents and face HIPAA audits with confidence.

The post Lessons Learned From the ‘Wall of Shame’ appeared first on Aegify.