Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation

Transcription

1 WHITE PAPER Global Digital Security: The Human Element March 2014 Written by: Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation

2 TABLE OF CONTENTS Introduction... 3 Health Care Vulnerability & Financial Impact... 4 Prevention, Preparation & Response... 5 The Front Line Against Data Breaches is the Front Desk... 5 Security Strategy, Training & Enforcement... 6 Conclusion... 7 About inventiv Health... 8 References

3 INTRODUCTION Massive data breaches have dominated global headlines in recent months, and security experts predict we will see more this year. Personal data, financial credentials and health care records are targets of an evolving breed of cloaked malware wielded by increasingly sophisticated thieves. With each new level of security around digital data, we create a new target. As a result, building thicker walls and more sophisticated security systems, while important, will never be enough to thwart data breaches. Security experts insist that every organization is vulnerable and, for a variety of reasons, health care organizations are among the most vulnerable. The question is not whether you will suffer a data breach, but when, and how serious the consequences will be for your business. Consequences include both legal and financial repercussions, but data breaches and the publicity that follows also can do incalculable harm to your reputation that are long-lasting and difficult to overcome. 3

4 HEALTH CARE VULNERABILITY & FINANCIAL IMPACT The health care industry will be among the most susceptible industries to publicly disclosed and widely scrutinized data breaches, according to Experian s 2014 Data Breach Industry Forecast. 1 The increasing volume of digital health data creates a particularly attractive target for identity thieves seeking valuable forms of personal information. In addition to providing a gateway to the usual forms of financial fraud, health data also can be used to commit medical and insurance fraud. In the U.K., health record security breaches by the National Health Service were up 20 percent last year, according to an investigation by Pulse magazine. Data from 55 hospitals indicated that breaches included records dumped in public places, records being given to the wrong patient, and patient data given to relatives without permission. 2 Kaiser Permanente suffered two breaches of patient data last fall. In the first incident, 670 patients learned that a document with their information was sent to a recipient outside the Kaiser network. The second breach involved 49,000 patients at Anaheim Medical Center whose information was on an unencrypted USB flash drive that went missing. 3 Privacy and disclosure laws vary around the world, but nearly everywhere, the stakes for such data breaches are higher than ever. In the wake of recent breaches, a legislative rallying cry has gone up in the U.S., the European Union and Japan, seeking to require businesses to issue prompt and informative notifications to affected consumers. On Jan. 23, the State of California sued Kaiser Foundation Health Plan, alleging that the company violated the state's breach notification law. In 2011, Kaiser discovered that a hard drive including employees' personal data was sold at a thrift store, but it did not notify affected individuals until March In Japan, the fine for not disclosing a breach has been increased from 500 yen to 10,000 yen per record breached. This translates into a potential fine of about $7.5 billion for a breach of 100 million records. 4 Every organization, regardless of location, needs a comprehensive strategy for protecting private data and for responding to attacks. And every employee, agent, customer, vendor and patient must be involved. There is no foolproof way to physically protect digital records that are frequently accessed, altered and shared, sometimes internationally. But you can up the ante for hackers and malware by focusing on how you handle this data in the first place. Every organization, regardless of location, needs a comprehensive strategy for protecting private data and for responding to attacks. And every employee, agent, customer, vendor and patient must be involved in understanding and implementing the strategy. The days of ad-hoc data privacy, if they ever existed, are at an end. 4

5 PREVENTION, PREPARATION & RESPONSE If your organization is responsible for personal health information, there are five minimum requirements. You need a Cyber Defense Office to oversee a preparedness strategy, solid and regular employee training, enforcement of security protocols, a data breach response plan and the best technology available, applied correctly. The recent, well-publicized breach of 110 million personal financial records of Target customers is a good example of the necessity of training employees in a sound and thorough security policy. While the Target breach involved sophisticated malware, the network was accessed with credentials that Target gave a maintenance vendor for the purpose of monitoring. Because the access was not segmented, the thieves were able to access not only the maintenance information, but the company s payment systems, where the malware was loaded and the personal data was stolen. 5 In Korea's worst data breach, citizens recently learned that sensitive financial information for more than 20 million people was leaked by their credit card companies. The breach, which affected virtually all of Korea's economically active citizens, was blamed on lax data security by the credit card firms. 6 If your organization is responsible for personal health information, you need: 1. A Cyber Defense Office to oversee a preparedness strategy 2. Regular employee training 3. Security protocol enforcement 4. A data breach response plan 5. The best technology available A recent study by Rand Secure Data discovered that 44 percent of companies surveyed have no formal data governance policy, and 22 percent of them have no plans to implement one. 7 Global organizations have particularly high demands in the arena of data protection, as they must understand and comply with regulations in each country where they do business. With more data moving to the cloud and seamlessly across borders, the risk of complex international breaches increases. Response plans will be essential this year as new regulations are enacted and enforced. In the European Union, for example, regulations are being enforced based on where the customer lives, not where the data resides. THE FRONT LINE AGAINST DATA BREACHES IS THE FRONT DESK Meanwhile, even if you implement recommended security measures for your health care information, such as encryption, unique access codes, and firewalls, these efforts can be undermined by anyone in your organization with access to the records. A single records clerk in a doctor s office can undo the work of a dozen IT employees by mishandling data or ignoring security protocols. Whether or not they realize it, every employee who handles personal data is in the data management business. As the cost and harm from these breaches increases, they also are in the data security business. 5

6 Many data breaches begin not with a hacker, but with a lost laptop, failure to shred paper records, the thoughtless transfer of sensitive information to personal devices, the use of non-secure data files or systems or sloppy password practices. An advantage of electronic records is that they provide an audit trail of who has accessed them. Encryption of all internal and traveling data is labor-intensive and expensive, but in light of the risks, it is worthwhile. Encryption of computers and mobile devices should be mandatory. SECURITY STRATEGY, TRAINING & ENFORCEMENT A Cyber Defense Office begins by developing a comprehensive security plan, followed up with rigorous employee training, surveillance, enforcement and counter-attack measures. The office should not only work to protect your organization s data, but should embed decoys and distraction devices into surveillance tactics that enable your organization to respond effectively, rather than simply reacting to a breach. Employees must understand just how serious you are about maintaining the integrity data and patient privacy. It s not enough to merely explain the policies. Employees should receive regular reminders of the policies and the serious consequences of non-compliance. When a breach does occur, planning can make the difference between a mere problem and a full-scale disaster with catastrophic costs. Development and distribution of a preparedness plan will not only augment your organization s regular security training and help increase employee awareness of the risks, but it can help you act quickly if a breach occurs. Acting quickly can minimize further data loss, significant fines and costly customer backlash. HIPAA enforcement has improved since it was moved from Medicare Operations to the Office of Civil Rights under the HHS. HIPAA-covered entities and individuals who fail to protect patient information could face up to $1.5 million in annual fines. In 2009, OCR initiated audits that have increased HIPAA awareness. Yet your organization s management team may still be more inclined to allocate budget to a new MRI machine than data security. It is time to educate management on the increased threats around data security so that spending priorities start to recognize that patient care also mean protecting patient privacy and sensitive health data

7 CONCLUSION Data breaches are a reality of doing business. How you incorporate this reality into your security, training and preparedness programs will determine how well you are protected and how well you can respond to a security breach. The best approach for health care organizations is: Create a Cyber Defense Office with responsibility for planning, surveillance, enforcement and counter attack. Raise the visibility of security executives, giving them the responsibility and authority to keep the organization s data secure. Conduct a comprehensive assessment of your security systems and policies and determine how well they are understood and practiced. Invest in the necessary technology. Update software and systems where necessary and make regular adjustments to policies to address the increasing threat levels. Develop rigorous training and maintenance programs to ensure that everyone in the organization not only understands your security policies, but is complying with them and understands the consequences of non-compliance. Develop a Data Breach Response Plan. Train employees and assign responsibilities so you can respond quickly and appropriately in the event of a breach. Follow up regularly, at least quarterly, reviewing programs created against the rise of new threats. 7

8 ABOUT INVENTIV HEALTH inventiv Health, Inc. is a leading global provider of best-in-class clinical, commercial and consulting services to the life sciences industry. inventiv offers convergent services that accelerate the performance of companies working to improve human life. In 40 countries around the world, inventiv s 12,000 employees work with more than 550 pharmaceutical, biotech and device companies, as well as companies that see health as a central part of their mission. inventiv Health, Inc. is privately owned by inventiv Group Holdings, Inc., an organization sponsored by affiliates of Thomas H. Lee Partners, L.P., Liberty Lane Partners and members of the inventiv management team. inventiv Health helps clients transform promising ideas into commercial reality. For more information, visit REFERENCES 1. Health Care Data Breaches to Surge in 2014, InformationWeek, Dec. 26, Surge in NHS Security Breaches, Daily Express, July 10, Kaiser Reports Second Fall Data Breach, Health Care IT, Nov. 26, International Data Breach Laws Are All Over the Map, The Wall Street Journal, Nov. 26, Target Breach Happened Because of a Basic Network Segmentation Error, Computerworld, February 06, Korea's Disastrous Data Breach, The Korea Herald, Jan. 22, Data Governance Plans: Many Companies Don't Have One, Information Week, Feb. 3, HIPAA Healthcare Data Breach Fines Climb with Enforcement Boost, CRN, Jan. 8,