The 2014 Bitglass Healthcare Breach Report



Similar documents
HIPAA Compliance, PHI and BYOD

The Pros and Cons of Cloud Services

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Executive s Guide to Cloud Access Security Brokers

PCI Compliance for Healthcare

Internet threats: steps to security for your small business

Anatomy of a Healthcare Data Breach

Medical Information Breaches: Are Your Records Safe?

How-To Guide: Cyber Security. Content Provided by

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

National Cyber Security Month 2015: Daily Security Awareness Tips

Cybersecurity: Safeguarding Your Business in the Digital Age

Finding a Cure for Medical Identity Theft

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

Protecting Your Data On The Network, Cloud And Virtual Servers

White Paper. Data Security. The Top Threat Facing Enterprises Today

Document Imaging Solutions. The secure exchange of protected health information.

Cover your SaaS! It s time to get serious about cloud security

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Security Breaches. There are unscrupulous individuals, like identity thieves, who want your information to commit fraud.

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Network Security & Privacy Landscape

Why Encryption is Essential to the Safety of Your Business

White Paper. Data Breach Mitigation in the Healthcare Industry

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Safeguard Your Hospital. Six Proactive Best Practices to Improve Healthcare Data Security

Patrick Gray Principal Security Strategist DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

THE COST OF A DATA BREACH FOR HEALTHCARE ORGANIZATIONS

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Protecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11

HIPAA Compliance: Efficient Tools to Follow the Rules

NATIONAL CYBER SECURITY AWARENESS MONTH

Cyber Security An Exercise in Predicting the Future

Compromises in Healthcare Privacy due to Data Breaches

Securing Corporate on Personal Mobile Devices

CLOUD ACCESS SECURITY BROKERS

Five keys to a more secure data environment

WHITE PAPER AUGUST 2014

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Workspace-as-a-Service Defining Security and Mobility for Healthcare. vertiscale.com

Kaspersky Security for Mobile

Top 5 Reasons to Choose User-Friendly Strong Authentication

Neoscope

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

10 Quick Tips to Mobile Security

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

10 Smart Ideas for. Keeping Data Safe. From Hackers

HIPAA: Bigger and More Annoying

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

DSHS CA Security For Providers

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

The Cloud App Visibility Blindspot

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

7 Myths of Healthcare Cloud Security Debunked

Introduction to Computer Security

ITAR Compliance Best Practices Guide

KEEPING UNSTRUCTURED DATA SECURE IN AN UNSTRUCTURED WORLD

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

10 Hidden IT Risks That Threaten Your Practice

Data Breach and Senior Living Communities May 29, 2015

Teradata and Protegrity High-Value Protection for High-Value Data

Are your people playing an effective role in your cyber resilience?

Meeting the Information Security Management Challenge in the Cyber-Age

How to Justify Your Security Assessment Budget

Information Security Addressing Your Advanced Threats

Encryption Buyers Guide

Computer Security at Columbia College. Barak Zahavy April 2010

CONNECTED HEALTHCARE. Trends, Challenges & Solutions

10 Hidden IT Risks That Might Threaten Your Business

Why Secure Communication Software is Critical for HIPAA Compliance

SECURE FILE SHARING AND COLLABORATION: THE PATH TO INCREASED PRODUCTIVITY AND REDUCED RISK

2H 2015 SHADOW DATA REPORT

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Advanced Biometric Technology

Plan of Attack 5 Step Plan

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

HIPAA Training Part III. Health Insurance Portability and Accountability Act

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

Have you ever accessed

Information Security. Annual Education Information Security Mission Health System, Inc.

Small businesses: What you need to know about cyber security

Introduction to HIPAA Privacy

Office 365 Adoption & Risk Report

I D C V E N D O R S P O T L I G H T. S e c u r i n g Cloud and Mobile W h i le Keeping E m p l o ye e s H a ppy

What s Hot and What s Not in the World of Cyber Security and Cyber Crime

4 Steps to Effective Mobile Application Security

Understanding Professional Liability Insurance

Don't Be The Next Data Loss Story

The Business Value of a Comprehensive All-in-One Data Protection Solution for Your Organization

SAFELY ENABLING MICROSOFT OFFICE 365: THREE MUST-DO BEST PRACTICES

From Data Breaches and Information Hacks, to Unsecure Computing - Know Your Defense

Healthcare Utilizing Trusted Identity Credentials

Mobile Security: Controlling Growing Threats with Mobile Device Management

Research Information Security Guideline

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

REGULATIONS AND COMPLIANCE FOR ENTERPRISE MOBILE HEALTH APPLICATIONS

BYOD AND ME. How cell phone hacking effects your business.! Richard Rigby CEO Wraith Intelligence

Protecting Yourself from Identity Theft

Transcription:

The 2014 Bitglass Healthcare Breach Report Is Your Data Security Due For a Physical? BITGLASS REPORT

Executive Summary When hackers break into U.S. hospital health records to steal patient data, it s a big story. When a laptop is stolen from the local hospital not so much. But, according to Bitglass analysis, hacking only accounts for 23% of healthcare data breaches. Leaving us all to ask, will the real offenders please stand up? Loss or theft of employee mobile devices with information on them accounts for 68% of all breaches since 2010. As part of the Health Insurance Portability and Accountability Act (HIPAA), health organizations must report data breaches that affect more than 500 people. HHS recently made that data available for analysis via its website which it calls The Wall of Shame, www.hhs.gov. In this report, we take a close look at reported healthcare data breaches over the past three years, and discuss what it means for consumers, healthcare organizations, and the future of digital healthcare records. 23% 68% What s really important when it comes to securing health records? Read on and learn the steps healthcare organizations can take now to protect consumers. Data breaches due to hacking Breaches due to lost or stolen devices 2

The Bitter Truth: You re More Likely to be Robbed than Hacked Healthcare data breaches affect all sizes and types of healthcare entities, but the overwhelming majority have one thing in common: inadequate security around devices (or paper) containing PHI. According to data from Department of Health and Human Services breach records, A whopping 68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking. 48% of breaches involved a laptop, desktop, or mobile device. 4% of breaches accounted for 80% of total records compromised. Of these 100k record and above megabreaches, an above-average 78% of compromised records were the result of loss or theft. What are these facts teaching us? THIS: Beware of hackers but pay even closer attention to that employee packing up for the weekend, or taking his/her laptop out the door to his/her car. If healthcare organizations don t start securing the protected health information (PHI) that resides on laptops, desktops, and mobile devices, now then they re bound to lose the data security fight, no matter how hard they fight to protect their data. What s the Big Deal about Healthcare Data? HIPAA was passed in 1996 for a very good reason: Medical identity theft can have terrible financial and medical consequences. A report by the Ponemon Institute calculates the average out-of-pocket loss per victim of medical identity theft at $18,660. For healthcare data breach victims, bad credit, lost insurance coverage, mixed-up records, higher premiums, and the stress of dealing with it are just the beginning. If an identity thief changes patient medical information and a physician diagnoses a problem incorrectly, serious medical harm or even death can result. In many ways, healthcare data breaches make credit card theft look like child s play. If someone steals your credit card and charges a sky-diving spree, your bank will probably be the first to let you know (and will most likely cancel the charges). Yes, you may be slightly inconvenienced, but rarely does this type of theft result in personal loss. With PHI breaches, consumers have no such protections. Healthcare organizations, by and large, are not set up to identify illicit records activity and put a stop to it. Healthy patients may not learn about a breach until they have reason to get treatment probably the worst time to have to deal with such a problem. 3

But how big an issue is medical identity theft, really? According to HHS, the total number of breaches per year has remained fairly constant for the past three years averaging about 200 breaches per year. About 6x as many credit card numbers as medical records are stolen each year. Is PHI theft a growing problem, or is HIPAA doing its job, just as it has been for the past 18 years? In comparison to other industries, healthcare accounts for a whopping 44% of data breaches! HIPAA may be having some impact, but it certainly isn t keeping your local hospital chain from becoming a poster child for stolen personal information. TARGET: ANATOMY OF A BREACH Community Health Services, a Fortune 500 group of 206 hospitals in the U.S. TIME: April - June 2014 EXPLOIT: IMPACT: COST: Heartbleed vulnerability used to steal user credentials and gain network access. 5.4 Million patient names, addresses, phone numbers, and social security numbers. Estimated at $75-$150M in fines, security upgrades and related costs. 4

4 Reasons why we believe healthcare consumers and providers should be on the alert: 1. Electronic health records have 50 times the black market value of a credit card. According to a 2013 EMC report, stolen credit card numbers sell for $1 on the black market, while even a small piece of someone s electronic health record goes for $50. Why? Because you can cancel a credit card not so with your date of birth, medical diagnosis, or other PHI. Thieves use medical data in many different kinds of fraud and CREDIT CARD NUMBERS GO FOR $1 HEALTH RECORDS GO FOR $50 identity theft, and can continue using or selling the information even after the victim knows it s been compromised. 2. Healthcare data is increasingly pervasive. If you think all your health data is locked up in a hospital database, think again. Today, you can download an iphone app that can tell if you re depressed. Would you share that information intentionally? Smart devices, such as glucose meters and heart rate monitors, go with you everywhere, uploading your vital details to the cloud in real time. It doesn t take a criminal mind to imagine the implications of such data getting into the wrong hands. 3. Cloud-based email is on the rise among healthcare organizations. According to Bitglass 2014 Cloud Adoption Report, 13% of healthcare organizations now use cloud-based email services, such as Gmail or Microsoft Office 365. While cloud providers generally excel at protecting their infrastructure against attacks, they have no control over what happens to email once it leaves their servers. 13% OF HEALTHCARE ORGANIZATIONS USE CLOUD EMAIL Is your doctor s assistant sending PHI to her mobile phone? Do employees at your insurance company routinely re-use the same password for all their online applications? 4. 90% of healthcare professionals use personal smart phones for work. Bring-your-own-device (BYOD) is a growing phenomenon, and the healthcare community participates as much as anyone. If a doctor has affiliations with multiple providers, existing solutions, such as Mobile 90% OF HEALTHCARE WORKERS USE PERSONAL PHONES Device Management are out of the question because they require the user to cede control over all applications and data to one organization. As these factors converge and grow, the threats to healthcare consumers will become increasingly apparent, and with consumer risk comes increased risk for the healthcare organizations that serve them. 5

The Cost of Data Loss for Healthcare Organizations Because data breaches are a big deal for healthcare consumers, the cost of breaking the rules is steep: Up to $50,000 per HIPAA violation, or up to $1,500,000 per $50K PER HIPAA VIOLATION OR UP TO $1.5M PER IDENTICAL VIOLATION calendar year per identical violation. In one notable case, an employee of Mass General Hospital absent-mindedly left a file folder on the subway a mistake that cost Mass General $1 million dollars in fines, since the folder contained the PHI of 192 patients! Lawsuits can be even more expensive, although U.S. judges tend to insist that plaintiffs demonstrate evidence of compensable harm, in addition to increased risk of identity theft. In 2014, most of a $4.9 billion class-action lawsuit involving the U.S. Department of Defense and its TRICARE health insurance program was dismissed for that reason. The ding on an organization s reputation, is a tough one to recover from one s that trust has been lost. Patients trust healthcare organizations with their most personal and private information, and they expect that information to remain confidential, not end up in the hands of a cyber criminal. 6

The 5 Essentials For Healthcare Data Security Solutions Fortunately, healthcare providers have some powerful tools, when it comes to protecting PHI. Today, emerging security technologies, like Cloud Access Security Brokers (CASBs), allow organizations to take a data-centric approach to cloud and mobile security. When you put these solutions into place, you can take device loss or theft out of the equation, and offer true PHI security: 1 2 Establish comprehensive IT visibility and control over data transactions. Emerging technologies known as CASBs, proxy traffic to and from corporate cloud applications and mobile devices, and are essential for any healthcare organization concerned about regulatory compliance and audits. They reverse proxy services are completely transparent to users, and do the heavy lifting of inspecting and securing data, logging activities as they occur, and alerting IT immediately to unusual or unauthorized behavior. Saving IT the headache and man hours. Control the flow of information. A $500 device can easily contain $1,000,000 (or more) of company data so take the focus off the devices themselves, and focus on securing the actual data. Today, it s possible to block sensitive information from being downloaded to certain devices, through a set of rules that syntactically and contextually recognize PHI. To maintain HIPAA compliance, your solution must dynamically detect and redact PHI as data flows to BYOD clients. 7

3 5 Track and protect sensitive data anywhere it goes. With today s technology, you can place a digital watermark on all sensitive information, allowing you to track the information, see who downloaded it and see what they do with it. When staff members leave the organization, you can selectively wipe corporate data from their personal devices without disturbing any personal data or invading their privacy. Something MDM solutions can t do. Make data security easy to deploy and use. No IT organization has money to burn healthcare organizations least of all. Cloud applications and mobile devices are ultimately designed to save time and money, so the process of securing them needs to make financial and administrative sense, as well. Any security solution should deploy and scale easily, and with minimal administrative overhead. 4 Deploy a Single Sign-On (SSO) solution throughout your organization. Know any busy doctors who take pride in their ability to remember 10 or 15 different passwords? Unlikely. SSO solutions deter hackers who may take advantage of common password habits, such as using the same password for different services, or keeping a sticky note underneath the keyboard. They automatically redirect staff to a company login page on the way to accessing any company application. One login one password. So healthcare workers can focus on saving lives, rather than on logging into the system. In addition, security solutions should always be either invisible to users or built seamlessly into their workflow. Any solution that slows busy healthcare workers down or invades their personal privacy is bound to attract workarounds that defeat security policies. In this business, seconds can mean the difference between saving a life and losing one. 8

Conclusion If you look at the HHS Wall of Shame and see your own organization, you re certainly not alone. Even if your name isn t listed for all to see, the likelihood that it could be may be high enough to make you lose sleep at night. But true security for your customers PHI is not an overly complicated and expensive undertaking. If you lead an organizations that has avoided the cloud and forbidden BYOD for reasons we ve outlined above, it may be time to consider BYOD, now that security technologies have caught up with mobility advancements. We ve reached a point where responsible healthcare leaders no longer have to sacrifice staff productivity and morale for the sake of PHI security. LEARN MORE ABOUT BITGLASS SECURITY SOLUTIONS FOR HEALTHCARE ORGANIZATIONS. About Bitglass In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, since they were developed to secure the corporate network perimeter. The Bitglass Cloud Access Security Broker solution transcends the network perimeter to deliver total data protection for the enterprise in the cloud, on mobile devices and anywhere on the Internet. For more information, visit www.bitglass.com Phone: (408) 337-0190 Email: info@bitglass.com 9

[Watermark Notice] Watermarked by Bitglass: Uploaded 2015-01-20 17:25 GMT by chines@bitglass.com from 209.36.5.194, Transaction VL6PdX8AAQEAAHj0WDcAAABW.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information