January 2019

HIPAA Challenges: Data Breaches: Insights Into a Pervasive Problem
By Keith Fricke, MBA, CISSP, PMP, and Susan Lucci, RHIA, CHPS, CHDS, AHDI-F
For The Record
Vol. 31 No. 1 P. 6

The health care industry has increasingly become a target of intent by criminals who seek to monetize unauthorized access to and acquisition of patient information. These health care data can be used for identity theft, medical identity theft, and other fraudulent activities. Unlike compromised credit cards, a person's medical record cannot be cancelled and replaced.

Metrics published from 2009 through September 30, 2018, at the Health and Human Services site commonly referred to as the Wall of Shame identify 2,428 breaches affecting nearly 183 million patients. Each reported breach involved more than 500 patients.

Theft tops the list of breach types, accounting for 35% of the total incidents, with unauthorized access placing second at 28% of total incidents. Interestingly, hacking accounts for only 21% of reported breaches in this same period. However, breaches due to hacking affected nearly 137 million patients, a whopping 75% of all patients affected by reported incidents. Hacking generally tends to provide access to a larger number of records as compared with a stolen device exposing unprotected patient information.

Over this nine-year period, business associates were responsible for 16% of reported breaches. On a year-to-year basis, the range is usually somewhere between 14% and 24%. An examination of 2018 breach metrics between January 1 and September 30 reveal that 255 breaches were reported to the Office for Civil Rights, 64 of which involved a business associate. Drilling down one step deeper, 12 breaches involved 100,000 patients or more. Four of those breaches were caused by business associates.

Although it appears to make sense to blame business associates for most breaches, the majority (and certainly the large breaches) continue to occur at health care organizations.

The theft or loss of patient information, along with unauthorized access, erode the confidentiality of patient information. The following usual suspects continue to contribute to the growing number of exposed patient records:

• Phishing attacks trick e-mail users into opening attachments or clicking on website links that harbor malicious software. Such malware often provides unauthorized remote access into hospital networks or computer systems. Other malware may capture and forward keystrokes containing login credentials or exfiltrate data via covert communication channels out to the internet.

• Lost or stolen mobile devices missing necessary security controls can expose stored patient information. A lack of encryption, a password/PIN, or remote management (including remotely wiping the device) play a role in fueling these breach metrics.

• Misconfigured access controls are frequently cited as the root cause of breaches. A failure to enable account lockouts after a number of failed login attempts permits attackers to use brute force access attempts. Adding weak passwords to the mix becomes a recipe for failure to protect sensitive information.

• Failing to maintain security patches that fix vulnerabilities in operating systems and application software leaves the door unlocked, waiting for a bad actor to discover it and enter.

Financial Repercussions
The impact on patients is only part of the story—breach costs must also be considered.

The obvious costs are the fines levied against health care organizations or business associates by the Office for Civil Rights or state attorneys general offices. However, resolution agreements are the tip of the iceberg.

Incident response costs quickly escalate, primarily for two reasons. First, criminals have unauthorized access to an organization's network with a median of 75.5 days, according to Mandiant's 2018 M-Trend report. That is down from 99 days in 2017; in previous years the median hovered around 204 days.

This long dwell time to detection means incident investigators must spend more time getting their arms around the scope of the breach. Insufficient retention of electronic activity logs makes it difficult or impossible to piece together what happened.

The steady decrease in the amount of time it takes to detect unauthorized access is encouraging, a result of better awareness of what bad actors are doing and leadership driving investments that improve security. However, 75 days is still too long for unwanted visitors prowling the network in search of sensitive data before being discovered.

Second, the complexities of today's technology infrastructure and the volume of stored data add time to the incident response process. Costs can soar when highly skilled but expensive forensic talent is brought in to triage, diagnose, and remedy data breaches. Once analysis is completed to the extent possible, efforts shift to containment, eradication, and recovery. Each phase has associated costs, including labor.

There are other costs that also can impact the bottom line of breached health care organizations. For example, notification letters to affected patients must be issued. Call centers may be activated to handle inquiries from patients receiving these letters or hearing about the incident via news broadcasts, on the internet, in print, or by word of mouth.

In addition, credit monitoring may be offered. Affected parties may pursue litigation, generating legal costs. Managing overall public relations also increases the financial burden. Third parties may be brought in to review security and privacy programs, perform risk analyses, and address the gaps in detective and protective controls.

If compromised patient records are used for medical identity theft, the resulting billing errors must be corrected and medical records must be amended.

All these costs are quantifiable, tangible expenses. On the other hand, reputation damage and the subsequent loss of customers is difficult to quantify. All told, the combination of direct, indirect, and opportunity costs can significantly impact a health care organization's financial state.

The "2018 Cost of a Data Breach Study: Global Overview," sponsored by IBM Security and conducted by the Ponemon Institute, notes that the price of health care data breaches outpaces all other industries. The cost per individual record lost or stolen is tagged at $408, nearly three times higher than the cross-industry average of $148.

The same collaborative partnership published the "2018 Data Breach Study: Impact of Business Continuity Management" in October, an extension of a July 2018 report that includes expanded survey results and commentary on the value of a business continuity management plan. Data breaches can cause business interruption, especially if parts of the technology infrastructure must be taken offline as part of the forensic response.

These study findings validate that business continuity management plans can help save organizations time and money related to breach resolution.

Organization Awareness
When considering the aspects of health care breach metrics and costs, every organization must be consistently vigilant in making their workforces aware of security concerns. Workforce awareness training and security risk analyses must be done properly and updated regularly.

The evidence is clear that insider errors and external threats can cause serious and costly breach events. Consider education and training that zeros in on the current cyberattack methods of choice such as phishing and ransomware. Addressing the "usual suspects" must become part of any effort to improve the maturity of security and privacy programs.

Business Associate Agreements
In essence, business associates are an extension of a health care organization's workforce and operations. Therefore, it is essential that organizations work closely with their partners to help support compliance efforts. For example, they should share successful strategies and look beyond having them simply sign a business associate agreement. Take the time to assess their compliance levels and security practices. After all, business associates are equally responsible to protect health information.

An effective business associate agreement must clearly spell out responsibilities and accountabilities. It should address organization-specific policies, not basic templates downloaded from the internet that may miss the mark. Policies tailored specifically to the organization are more likely to be followed. Any business associate agreement should also include tight timelines for security incident reporting, breach mitigation, and financial responsibility.

Build a security-focused relationship throughout the organization—from the executive level on down—to ensure a culture of privacy that becomes part of everyone's routine. Extend that privacy culture to business associates to hopefully influence their mindset as well.

— Keith Fricke, MBA, CISSP, PMP, is a partner and principal consultant with tw-Security.

— Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, is a senior privacy/security consultant with tw-Security.