White Paper. Data Breach Mitigation in the Healthcare Industry




White Paper
Data Breach Mitigation in the Healthcare Industry
Thursday, October 08, 2015

Table of contents

1 Executive Summary
2 Personally Identifiable Information & Protected Health Information
  2.1 Medical Identity Theft and the Cost to Remediate
3 The Data Breach Problem
4 The PII, Data Storage, Usage and Access Problem
  4.1 Personally Identifiable Information in BI and Operations
  4.2 How PII Data is Stored
  4.3 Data Usage and Access
5 Clarity's Approach
  5.1 Strategy & In Depth Analysis Methodology
  5.2 Architectural Considerations & Designs
  5.3 Legacy Data Stores
6 Outcomes
7 About the Author
8 About Clarity Solution Group

Proprietary - 2015 Clarity Solution Group, LLC

1 Executive Summary

For the healthcare industry, the risk of being the target of a malicious data breach is higher than ever before. Since the U.S. Department of Health and Human Services started tracking unauthorized data breaches of Personally Identifiable Information (PII) and Protected Health Information (PHI) in 2009, there have been over 1200 major data breaches, with over 135,000,000 individual records or health records lost or stolen. [1] In a recent poll, more than 90% of healthcare organizations responding to a survey claim they have been part of a data breach that exposed patient data within the past two years. [2]

The healthcare industry as a whole lags far behind the retail and financial industries when it comes to cyber security. Even with the industry spending billions of dollars to catch up to the more advanced industries, the approaches and mitigation attempts to secure data from outside intruders may not be enough to avoid loss of these records.

This paper outlines the technical designs that the healthcare industry as a whole and individual organizations must accept and drive toward in order to properly and safely secure the data of their patients, and to ensure that the medical identity of these patients remains out of the hands of cyber criminals and those who would use this information for nefarious means. Keeping criminals from obtaining the data is the best-case scenario, but securing, masking, normalizing and encrypting the data internally, and keeping it so that all the data does not exist in one place for all users, can ensure that those with malicious intent cannot tell a story with the data they obtain illegally.

[1] Breaches Affecting 500 or More Individuals, HHS.gov.
[2] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.

2 Personally Identifiable Information & Protected Health Information

In U.S. privacy laws and related language, Personally Identifiable Information (PII) is any information that can be used on its own or in combination with other information to identify, contact or locate a single person. Similar to PII, Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to an individual, as defined by the HIPAA Privacy Rule. The major differences between PII and PHI are that PII is a legal definition of any information that can be used to uniquely identify an individual, and PHI identifiers are a subset of PII that can be used to identify an individual related to a medical record.

Within the classifications of what is considered PHI/PII, there are certain attributes which, either standing alone or combined with a minimal number of other identifiers, can be used to identify an individual or give one the means to tell a story about that individual. These are sometimes referred to as Major Identifiers. Some of the major identifiers used in the health care industry with regard to PII/PHI include:

- First Name
- Last Name
- Social Security Number
- Home Address
- Date of Birth

The Value of Health Records and the Cost of Identity Theft

According to a recent study, data breaches in the healthcare industry as a whole are costing healthcare providers and insurers up to 6 billion dollars per year. The average cost of being part of a data breach is over 2.1 million dollars per healthcare organization. [3] The average cost of a healthcare breach worldwide is $363 per exposed record, in contrast with an average cost of $398 per record in the U.S. alone. For comparison purposes, the average cost per record stolen in other industries comes in at $154. It should come as no surprise that a data breach in the healthcare industry would come in at double the average cost of other industries.

Black market prices for medical records and health history can be worth ten times the value of PII from data breaches in other verticals. Whereas a stolen credit card number is worth roughly a dollar on the black market, a medical record is worth, on average, between ten and fifty dollars, with some specific records being valued at thousands of dollars. Why would a criminal care about a medical record when they can make actual purchases with a pilfered credit card?

[3] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.

2.1 Medical Identity Theft and the Cost to Remediate

Aside from the first and last name, billing address, and potential billing information that may be obtained within a medical record, the record also contains policy and account numbers, birth date, insurance and policy numbers, social security numbers and diagnosis codes that are related to the patient/member. So while this information can be used for traditional identity theft to make purchases, it is even more valuable when used to conduct medical fraud. This fraud can be extremely profitable and harder to detect. Medical identity theft often goes undetected for years by a patient, insurer or provider.

Criminals use these medical records to buy medical equipment or prescription drugs, which are then resold, or they combine insurance information with false or stolen provider numbers and file false claims with healthcare payers. In some cases, fraudsters create fake credentials based on stolen records and obtain expensive healthcare, which is then billed to the real member. The financial identity theft can lead to overages in medical expenses and denial of services or claims due to the medical procedures that were procured under a false identity.

Not only does this bring the hassle of having to clear up financial obligations and burdens, but there is a life-threatening risk that the member's health record is contaminated with someone else's medical history and diagnoses. If this false data is not properly identified by the patient or medical care professional, there can be life-threatening consequences caused by incorrect biometric data, prescription information or allergies.

There is also the looming threat of having one's personal health information available. There can be negative stigmas associated with certain diagnoses or procedures. Unlike financial identity theft, there is no canceling or reissuing of cards that will clear this information from being out there. If the data is breached and the medical history leaked, it is out there forever.

Insurers and providers lag behind other industries in identifying and fixing health records and helping identity theft victims manage the consequences of identity theft. As of 2014, many medical identity theft victims reported that they spent on average $13,500 to restore their credit, reimburse and clear up healthcare claims, and correct inaccuracies in their health care records. [4]

[4] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.

3 The Data Breach Problem

The healthcare industry and its organizations are being targeted by cyber criminals like never before. With the large number of records taken in the Premera Blue Cross and Anthem Health cyberattacks in 2015, cyberattacks and intentional criminal activity have officially surpassed employee or insider negligence as the number one cause of data breach in healthcare organizations. Medical records are often more easily obtained than records held by traditional bank, financial services and retail operations, as these entities have been stepping up their online security for many years to stay ahead of hackers.

With all of the major attacks occurring and the healthcare industry being a top target for criminals and internal breachers, half of all healthcare organizations have little to no confidence that they can identify whether or not they have had patient/member data taken. Even with billions spent on preventing cyberattacks and unwanted external exposure, as well as on remedies in the case of a malicious breach, the industry and all the patients it serves are still at risk from exposure and identity theft. Only 50% of organizations have procedures and policies in place to effectively prevent and detect unauthorized access. [5]

Cyberattacks may make up the majority of data breaches, but cybersecurity alone will not fully protect patients and members from identity theft. Lost or stolen computing devices containing identifying information and medical records, and employee mistakes such as lost printouts or PHI being improperly disposed of, make up nearly the same percentage of data breach reasons as malicious attacks. In fact, healthcare organizations are almost twice as likely to respond that they have concerns with employee negligence being a cause for breach as they are with cyber attackers.

Besides negligence, cyber hacks, and phishing scams to steal employee passwords, healthcare organizations have to deal with malicious insiders who have access to the data (in some cases whether they need access or not). Internal technical security initiatives can help prevent some of these causes of breach and help log who accessed what data, but they cannot 100% safeguard PII/PHI data by themselves. How else can an organization protect its members from identity theft in the inevitable case that someone gets access to personal health records?

[5] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.

4 The PII, Data Storage, Usage and Access Problem

4.1 Personally Identifiable Information in BI and Operations

Healthcare payers and providers rely on personally identifiable information not only for reporting, but also to match customers internally throughout time and externally, in order to match up the same patient/member as they relate to third party services. Most of the current and legacy reporting and operational systems in place in healthcare organizations today were built around personally identifiable information. Major Identifiers such as Social Security numbers, names, and date of birth are used to tie a member's history together. While these identifiers were never intended by the SSA to be used to identify an individual, they change so slowly that they were natural candidates to be used to identify a person across a multitude of systems within one organization.

Unfortunately, the systems that utilized these major identifiers for matching and identification are now the systems that are most at risk and are easy targets for hackers. Due to the propagation of these major identifiers throughout host systems, and the fact that these systems were built around PII in many cases, it is extremely hard for stewards of these systems to reengineer them to remove or replace these identifiers without a major impact to the performance and stability of legacy operating and BI systems.

At this point in time, many healthcare organizations have implemented tokenization by assigning an arbitrary internal identifier to an individual in order to track this person's activity in an easier way. Tokens such as patient number and healthcare ID are widely used internally within organizations across systems. While this way to track a member over time could be applied in data security, in many instances it is only a supplement to the current structures for ease of use. The underlying major identifiers that are tied to these surrogate numbers are often still exposed in the same structures where the unique identifier resides. Furthermore, many systems are designed so that patients may not have continuity across their tokens if there is ever a break in coverage or a change in information, making reporting on BI difficult and therefore forcing the identity matching to be performed using the major identifiers noted earlier.

4.2 How PII Data is Stored

Throughout the healthcare industry's landscape, much of this PII and PHI data is located in multiple marts and stored in almost every single operational system, and potentially in multiple tables per system, wherever membership or patient data exists. Given the current landscape and the emphasis on protecting sensitive data, many organizations are trying to get away from this propagation of PII. However, because for years this data was not considered a risk, many of these organizations are in no position to identify where all of the data resides, let alone address how the data should be stored to enable security and performance.

4.3 Data Usage and Access

As stated earlier, employee negligence is the greatest concern for healthcare organizations; however, many organizations have reporting and operational environments where all PII data is exposed to all users of that data. Even without malicious intentions being factored in, allowing all employees to have access to all data, whether they need that data to perform their work tasks or not, allows for more risk of exposure in the event of a data breach. A user having a password stolen via a phishing scam, or simply neglecting best practices on data security, such as leaving a laptop open or downloading data to an unencrypted machine, means that a user who had no need for that data in the first place can be the reason for a healthcare organization to end up on the Health & Human Services "Wall of Shame".

The same approach for data access to users can apply to operational applications and BI reporting data stores. In many cases the underlying tables contain all of the data about all of the members/patients, even if that data is not actually necessary to complete the function of the operational system, or if the data mart that feeds a certain user group has no need for member birth date or social security number. Once again, in the event of a data breach, having all of these identifying attributes in one place, easily accessible under one login, allows fraudsters to tell a story with someone else's data, leading to identity theft and, in some cases, irreparable harm.

5 Clarity's Approach

5.1 Strategy & In Depth Analysis Methodology

A full assessment would first be performed of all pertinent data sources and all systems where personal identifiers and PHI exist. This would allow for a high-level overview of the health organization's IT architecture as a whole, and will serve as the foundation for the strategy to identify and prioritize where the most information lives and to assess which systems are at greatest risk of a data breach. A risk assessment will be performed to determine which identifying attributes are of the greatest risk in the event of a breach. Combinations and locations of these major identifiers will be documented, and a strategic decision will have to be reached on how best to remove or better secure these identifiers.

Once a strategic approach is agreed upon and mapped out, a more tactical method will be applied to each of the IT systems where identifying information exists. Full profiling of each of these sources will be performed in order to better understand and fully document where all PII exists. Impact analysis will follow to determine all extracts, stored procedures, ETL jobs, reports, etc., and to identify the downstream impacts of modifying the data architecture. A strategy to modify these impacted jobs will then have to be developed. Interviews with the business community and consumers of any and all data affected will have to be performed. A partnership with the teams in charge of data security and access should be forged so that any enterprise-wide initiatives around security or data security are accounted for in any designs and releases.

5.2 Architectural Considerations & Designs

The architectural designs to protect PII and PHI have to take into account the ability to minimize and secure data, while still ensuring that data continues to be readily available for reasonable business needs and analytical purposes.
In the case of highly de-normalized data structures with multiple identifiers available, segmentation of this data may be applied. Certain identifiers can be removed from underlying tables and replaced with a token that allows for the tracking of a member throughout time to establish continuity, if desired. In the case that tokenization and unique identification are not established at an organization, a program to implement this should be considered, not only for security purposes but also for accuracy in tracking membership over time and through any changes to customer data. Once this unique identifier is established and validated, the identifying information can be removed as desired and replaced with this meaningless token. Aggregated analytics can be performed as before, but with secure data.

Data that can be used to identify individuals but is also useful for reporting can be altered to still allow analytics, but with better security measures in place. An example of this is birth date. Birth date may be useful to an analytics team trying to group members by age; however, having the birth date readily available can also be a cause for concern, as birth date is commonly used as a validation question to confirm identity. The member Date of Birth could be transformed during ETL to be age banded, or to keep only the birth year if that is useful for analytics. This is just one example of how attributes can be altered to be secure but still be readily available for business purposes.

In the case where more detailed information containing PII or PHI is necessary, encryption and decryption views can be applied with appropriate security measures taken into account. Examples of this could include extracts that need Social Security numbers, or specific birthdates coupled with first and last name.

5.3 Legacy Data Stores

Another consideration around data security concerns legacy data stores and IT systems. Identifying information lives throughout many legacy systems, and in some cases these legacy systems are not utilized or are used for only a minor amount of reporting/operations. Patching and security processes are not properly applied in some cases and the data is considered "out of sight, out of mind", but the tables in these systems contain the same PII as modern systems, and it can be used maliciously if it falls into the wrong hands.

An approach should be developed at the enterprise level on how to decommission, archive and encrypt legacy data stores so that identifying information is not set to open security and is not unencrypted in the instance of a data breach. This data can be secured and removed from data access, but still retained in a secure manner in order to meet legal obligations for data retention. In the special instance where this data needs to be accessed for any purpose, the data can be temporarily restored and decrypted and put into a temporary space, with special security granted to the users who need to access this data. The data should then once again be decommissioned, archived, and re-encrypted, and the special security stripped from the users, once the special case analysis has been completed.
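The tokenization and date-of-birth banding that section 5.2 describes, as an added example (not code from Clarity or from the original paper): an ETL step that moves the major identifiers into a separate identity store and passes only a meaningless token and an age band to the analytics table. The names `TokenVault`, `age_band` and `to_analytics_row`, the SSN-keyed lookup, the ten-year bands with a single "90+" band, and the sample claims are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# The paper's "major identifiers"; none of these may reach an analytics table.
MAJOR_IDENTIFIERS = ("first_name", "last_name", "ssn", "home_address", "dob")


class TokenVault:
    """Identity store kept apart from BI data (hypothetical design): maps a
    member to a random token, looked up by a keyed hash of the SSN so that a
    name or address change does not break token continuity."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_by_fingerprint = {}
        self._identity_by_token = {}

    def _fingerprint(self, ssn: str) -> str:
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if len(digits) != 9:
            raise ValueError("SSN must contain nine digits")
        return hmac.new(self._lookup_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, record: dict) -> str:
        fingerprint = self._fingerprint(record["ssn"])
        token = self._token_by_fingerprint.get(fingerprint)
        if token is None:
            token = "M" + secrets.token_hex(8)  # random: reveals nothing about the member
            self._token_by_fingerprint[fingerprint] = token
        # The latest identifiers are kept only here, never in the analytics row.
        self._identity_by_token[token] = {k: record[k] for k in MAJOR_IDENTIFIERS}
        return token

    def reidentify(self, token: str, authorized: bool) -> dict:
        """Detail lookup for the rare extract that needs real identifiers."""
        if not authorized:
            raise PermissionError("caller is not cleared for PII/PHI detail")
        return dict(self._identity_by_token[token])


def age_band(dob: date, as_of: date, width: int = 10) -> str:
    """Replace a birth date with a coarse age band."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age < 0:
        raise ValueError("date of birth is after the as-of date")
    if age >= 90:  # assumption: one top band, as HIPAA Safe Harbor does for ages over 89
        return "90+"
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def to_analytics_row(record: dict, vault: TokenVault, as_of: date) -> dict:
    """ETL step: keep only what aggregated reporting needs."""
    return {
        "member_token": vault.tokenize(record),
        "age_band": age_band(record["dob"], as_of),
        "diagnosis_code": record["diagnosis_code"],
        "claim_amount": record["claim_amount"],
    }


# Constructed sample claims; the SSNs use the never-issued 000 area number.
SAMPLE_CLAIMS = [
    {"first_name": "Ana", "last_name": "Reyes", "ssn": "000-12-3456",
     "home_address": "1 Example St", "dob": date(1980, 3, 14),
     "diagnosis_code": "E11.9", "claim_amount": 240.00},
    {"first_name": "Ana", "last_name": "Reyes-Cole", "ssn": "000123456",
     "home_address": "9 Sample Ave", "dob": date(1980, 3, 14),
     "diagnosis_code": "I10", "claim_amount": 95.50},
    {"first_name": "Sam", "last_name": "Ito", "ssn": "000-65-4321",
     "home_address": "4 Test Rd", "dob": date(1921, 12, 1),
     "diagnosis_code": "I10", "claim_amount": 410.25},
]


def run_example():
    """Return the vault and the analytics rows built from the sample claims."""
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    rows = [to_analytics_row(c, vault, date(2015, 10, 8)) for c in SAMPLE_CLAIMS]
    return vault, rows
```

The first two sample claims belong to the same member under a changed surname and address, so `run_example()` returns rows that share one token while carrying no name, SSN, address or birth date.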

6 Outcomes

Clarity's extensive background in the Healthcare & Life Sciences industry, coupled with its exclusive focus on data and analytics, led to the current approach we leverage to assess and mitigate any of the data storage design and user access faults that can lead to problems in the event of a breach. Healthcare organizations should begin to look at their own internal IT systems, evaluate data risk, and consider how they can better protect their members and patients. Clarity's implementation experience has led us to believe that a clearly defined strategy, approach and implementation allows for performance while leveraging techniques to better secure data.

To learn more about Clarity's approach to data breach risk mitigation, please contact us at info@clarity-us.com.

7 About the Author

Kevin Knoll
Senior Consultant at Clarity Solution Group

Kevin Knoll brings years of experience delivering reporting and analytics solutions, with a specialization in Healthcare and Life Sciences. Kevin has been key in delivering data strategies and full lifecycle implementation for healthcare payers and major players within the pharmaceutical industry. Before joining Clarity Solution Group, Kevin worked in finance with a background in healthcare and manufacturing, later becoming a consultant in the financial consolidation space with a heavy background in government, pharmaceuticals, manufacturing and non-profit organizations.

8 About Clarity Solution Group

Clarity Solution Group is the largest on-shore consulting company in the US whose sole focus is data and analytics. Clarity delivers enterprise-scale solutions with boutique focus, helping Fortune 1000 clients leverage data to drive superior business outcomes. For more information, visit www.claritysolutiongroup.com