Tag: Anthem

Encrypt PHI and apply persistent security policies to stop healthcare data breaches

Today, nobody argues that the healthcare industry is a gold mine for the bad guys, and theft of protected health information is becoming a regular event. The “Verizon 2015 Protected Health Information Data Breach Report” indicated that 90 percent of industries in the medical and health care arena have experienced a PHI breach, and with all the reports in the media, it is clear to everyone that the situation has reached a critical point.

In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were just some of the bigger names making regular headlines last year, attacks were seen to reach even physicians’ offices. Just recently, Centene Corporation and IU Health Arnett lost hard drives, compromising the records of almost 1,000,000 people.

Every direction we look, there is significant use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Whether it is the physician’s office, hospitals, insurers, medical associations, laboratories, disease registries, or government agencies, everyone is gathering digital pieces of information on the health status, care details, and health care costs of Americans. Along with personally identifiable information (PII) like names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions.  In the event of a breach, unlike a credit card number, none of this information can be easily changed and the lifecycle of such information is very long – in some cases forever.

The Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems as a replacement for paper-based medical records systems. So, now data has been integrated in an effort to do away with siloed approaches within provider groups, health plans, or government offices.

While the industry and governance bodies talk compliance and claim protected health information is safe and secure, this is far from the truth, as evidenced by the constant data breaches that are disclosed. With all the time, effort and money spent on traditional security tools used to achieve compliance, thieves are still able to gain access to PHI for monetary gain.

The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:

  • Realize and accept your risk – Take note that the protected health data you possess is a target of criminals. Simply complying with HIPAA does not equate to properly securing and locking away PHI data from unauthorized use.
  • Identify where your PHI data is and who has access to it – Most often healthcare entities have false ideas on where sensitive data is stored and who has access to PHI. It often escapes people’s minds that their users copy sensitive data accessed from secure locations by localizing them or moving copies around. The result is security and control being lost and copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
  • Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while they completely miss a significant threat gap – “data in use”.
    • Label or classify data
    • Encrypt your data
    • Persistently protect data using policy-driven methods
    • Track and monitor usage
    • Dynamically adjust usage policies and access
  • Plan for breach response
    • Have means to render breached data useless
    • Have an Incident Response Plan
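As an added example (not code from the original post, and not Fasoo's product), the steps above as a minimal Python model: a file is labelled and encrypted under a per-file key that only a policy server holds, every open is a policy decision against the label, every attempt is logged, a user whose opens exceed a rate window is revoked, and destroying the key renders stolen copies useless. The HMAC-based cipher, roles, policy table and thresholds are constructed stand-ins; a real deployment would use AES-GCM and a directory-backed policy.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed policy: classification label -> action -> roles allowed to perform it.
POLICY = {"PHI": {"view": {"clinician", "billing"}, "edit": {"clinician"}, "print": set()}}
RATE_LIMIT = 3       # opens per user per window; the next attempt counts as excessive activity
WINDOW_SECONDS = 60

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher from HMAC-SHA256, standing in for AES-GCM in a real
    deployment (confidentiality only, no integrity). The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class PolicyServer:
    """Keys never travel with the file: a protected file is label + nonce + ciphertext,
    so a copy on a thumb drive or in email is useless without a fresh policy decision."""
    def __init__(self):
        self.keys, self.revoked_users, self.audit = {}, set(), []
        self.opens = defaultdict(deque)   # per-user timestamps of successful opens

    def protect(self, file_id: str, label: str, plaintext: bytes) -> dict:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        self.keys[file_id] = key
        return {"id": file_id, "label": label, "nonce": nonce,
                "ct": keystream_xor(key, nonce, plaintext)}

    def revoke_file(self, file_id: str) -> None:
        self.keys.pop(file_id, None)   # breach response: no key, no readable copies anywhere

    def request(self, user: str, role: str, action: str, f: dict, now: float):
        """Policy decision at time of use (caller supplies the clock): returns the
        plaintext or None, and records every attempt in the audit trail."""
        hist = self.opens[user]
        while hist and now - hist[0] > WINDOW_SECONDS:   # keep only the sliding window
            hist.popleft()
        if len(hist) >= RATE_LIMIT:                      # excessive activity: revoke the user
            self.revoked_users.add(user)
        allowed = (user not in self.revoked_users and f["id"] in self.keys
                   and role in POLICY.get(f["label"], {}).get(action, set()))
        self.audit.append((now, user, action, f["id"], allowed))
        if not allowed:
            return None
        hist.append(now)
        return keystream_xor(self.keys[f["id"]], f["nonce"], f["ct"])
```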

You can stop healthcare data breaches by putting in place data-centric, persistent security to avoid finding yourself scrambling around after the damage has been done to you and your patients.

Airlines and Schools, Data Breaches Are Going from Bad to Worse in 2015!

Will the bad news ever stop making the headlines? Evidence now indicates that hackers with connections to China were responsible for the recent data breaches at United Airlines, the Office of Personnel Management (OPM), and health insurer Anthem. In addition, on July 31, the University of Connecticut (UConn) announced that its engineering school servers were hit by a cyberattack originating from China.

United Airlines, the second-largest airline in the world, detected a cyberattack on its computer systems in May of this year after being warned by the FBI and federal investigators. The stolen information includes flight manifests, which contain names, dates of birth and travel information. United is one of the biggest contractors with the United States government among airlines and is a gold mine for data on the travel of government officials, military personnel and contractors.

As if this were not enough, on July 31 another headline reported a cyberattack on an unclassified email system in the Pentagon. The attack affected the unclassified email network of 4,000 military and civilian personnel working for the Joint Chiefs of Staff.

“This is a key moment in our Nation’s history,” said United States Chief Information Officer Tony Scott in his blog post. “As the number of threats continues to increase, affecting both the public and private sector, we must take aggressive and decisive steps to protect our networks and information. Our economy, and the credibility and viability of our most cherished and valuable institutions depend on a strong foundation of trust and the protection of critical assets and information.”

The question now is how do we defend against the threats? How do we close this “threat gap” that has been causing all of these data breaches?

A data-centric approach is the only way to protect against these threats and provide persistent data security for these organizations. Without this kind of continuous control of their data, organizations are extremely vulnerable and could be in grave danger of handing hackers the information they need to sell, use or pass sensitive information to the wrong people. As legislation and regulations are being put forward, it is important to be ahead of the game. With data-centric security, which includes strong encryption and permission control, none of these recent data breaches would have hit the headlines in a negative way. Instead, these organizations would have been commended for their proactive thinking prior to these attacks.

Photo credit by: Lars Steffens

Common Headline in 2015: Healthcare Data Breach

How many more data breaches can patients take? This could ultimately be the question based on last year and this year’s surge of healthcare data breaches. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.

What was the cause? An email was mistakenly sent to a “contracted provider”.

We are all too familiar with this kind of data breach. An insider who is not malicious but nevertheless accidentally sends sensitive data to the wrong person is one of the main causes of these data breaches. Back in March 2015, when the Anthem and Premera data breaches had just occurred, we wrote an article voicing the same worry. Four months have passed and the numbers are not slowing down.

In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main lesson of that report, and what healthcare organizations should have realized, is not that this industry has failed in the realm of data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and failing to abide by these laws to secure customers’ data will result not only in loss of customers, but in hefty fines.

Unfortunately, even at a time when legislation is pushing for laws to encrypt all data, there was a recent announcement by UCLA Health System, and that data breach has now affected over 4.5 million people. The stolen data was totally unencrypted, making the threat to the people whose data was in UCLA Health System’s computers more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.

How do we secure that data? Using a multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data, no matter where they are.

Here are some advantages from a previous blog that still apply to a data-centric security approach to protecting your sensitive information:

· Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation

· Secure files downloaded from health information systems

· Control who can View, Edit, Print and take a Screen Capture of protected documents

· Dynamically control who can access the file

· Trace and control user/file activities in real-time

· Scan files to identify PHI and apply security policies automatically

Protecting your patients’ information ensures you meet healthcare regulations and preserves patient confidentiality. Reduce the risk of HIPAA violations and PHI exposure at a time when healthcare data breaches alone are reaching record numbers in 2015.

Photo credit by: Purple Slog

New Trend: Healthcare

I don’t know how much more we can continue talking about healthcare data breaches. Once again we have had week after week of data breaches in the healthcare industry. Anthem Inc., then Premera Blue Cross, and then Advantage Dental all announced they had data breaches, but none said whether their data was encrypted.

How can 80 million, then 11 million, then finally 150,000 patient records all be exposed in a month or so? Have we become so sure that we will not be a target for hackers and insider threats? The question now is not if, but when, a data breach will happen. This is even more true in the healthcare industry.

The list of blogs we have written alone covers a lot about how we can help the healthcare industry protect PHI against exposure. This is not only against outside attacks, but also against malicious and accidental insider threats. What is the reason behind this? The reason is that we protect the data itself, no matter where it is.

In addition, many states are very close to imposing regulations and laws to protect patient health information. They will also penalize organizations that deal with this information and do not have the proper protection against such attacks.

It is also time to stop focusing on the perimeter as we have for the past couple of years; that perimeter can no longer be defined, because it has become so wide. Taking the proper steps to protect sensitive information of this nature must now be paramount for all healthcare organizations.

Make sure that data is DRM-protected, as this can prevent hackers from accessing the data even after it has been stolen.

Remember that your data is under attack, possibly at this very moment, given all the recent APT (Advanced Persistent Threat) attacks. Don’t ignore the threat; it has become very real and on a large scale.

Picture Credit: Adrian Clark

The Debate of Encrypting to Prevent Data Breaches

All the data breaches in the news these days have caused many to think about encrypting their data to prevent the losses a breach will bring. With one of the biggest private health care providers in the US falling victim to a massive data breach, we can learn from its experience.

Even though credit card information wasn’t exposed, other sensitive data was, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

So the question here is why no encryption? According to SC Magazine, the institution felt it had other security strategies. Unfortunately this is not the only incident of a data breach in the healthcare industry. Whether the cause is a stolen laptop containing sensitive patient information or a back door planted in a system, the abnormalities in usage behavior should be enough for IT administrators to notice and act upon.

The topic that needs to be discussed and agreed upon is a clear, understandable encryption standard for the US and globally. Other countries are pushing such standards and requiring further encryption details for companies to abide by.

Encryption can be tuned to limit the amount of data that even authorized users can view at one time. That makes it harder for an outsider to copy a whole stockpile of records. Everyone nowadays, especially health care providers, should expect their data to be encrypted from end to end.

Fasoo Enterprise DRM (Digital Rights Management) could have prevented the exposure in this situation, even though credentials were stolen and used to access the data. If Fasoo had monitored this situation, it would have noticed the excessive activity and access to this data would have been revoked. Even if the information had been stolen, it would be inaccessible to unauthorized users.

Photo Credit: Yuri Samollov

It’s a Bad Week for the Healthcare Industry

It definitely has been one of the worst weeks for data breaches in the healthcare industry. We went from big news from Worcester, MA, with UMASS Memorial Medical Group (UMMG) reporting an insider data breach of the health information of about 14,000 patients, to probably not just the biggest healthcare data breach but potentially the biggest breach of the year, with up to 80 million patient personal records on the line. The recent breaches have sparked debate over whether federal law should be changed so that healthcare companies would be required to encrypt the sensitive data they hold. The FBI last year also warned healthcare companies industry-wide that their data security practices needed to be strengthened amid the growing threat of cyberattacks.

Although Anthem Inc. was commended for detecting the breach only weeks after it apparently began, unlike the UMMG breach, it still tells patients who entrust their sensitive information to these organizations that these breaches will continue to occur. However, with big names like Anthem making the headlines, there is great hope that these organizations are coming along and understanding the need to protect their data. Healthcare data has a much longer shelf life than a stolen credit card, which is why that data is becoming increasingly popular with cyber criminals. That type of information can be used to open credit accounts and to commit identity theft, medical billing fraud, and insurance fraud.

Although security awareness and training are valuable and helpful, the time to make sure that the data itself is secure is now. Making sure that the data is encrypted and that permissions to that data are controlled mitigates the risk of exposure even after the data is stolen. Whether the theft is by outside hackers or insiders, the data itself must be persistently secure.

Fasoo Enterprise DRM (Digital Rights Management) provides organizations such as the two mentioned above, and many more in many different industries, with the ability to protect, control and trace sensitive data containing intellectual property, patient health information (PHI), personally identifiable information (PII) and more. It maintains file protection and prevents unintended information disclosure no matter where the data is.

Having your data DRM-protected with Fasoo will mitigate the risk and ensure that you won’t make the news for the same reasons UMMG and Anthem Inc. did. Doesn’t that sound like a plan?

Photo Credit: Perspecsys Photos
