DATA BREACHES IN
HEALTHCARE
BY CHUCK EASTTOM
WWW.CHUCKEASTTOM.COM
CHUCK@CHUCKEASTTOM.COM
ABOUT THE SPEAKER
• 18 books (#19 in progress)
• 29 industry certifications
• 2 Masters degrees (#3 in progress)
• 5 Computer patents
• Over 20 years experience, over 15 years
teaching/training
• Worked on EMR/EHR and medical billing software
• Frequent consultant/expert witness
www.chuckeasttom.com
chuck@chuckeasttom.com
GENERAL FACTS
•
•
•
•
•
As required by section 13402(e)(4) of the HITECH Act, the
Secretary must post a list of breaches of unsecured protected
health information affecting 500 or more individuals. Since federal
reporting requirements U.S. Department of Health and Human
Services' database of major breach reports
944 incidents affecting personal information from about 30.1
million people.
Smaller breaches are also at issue. In 2012, there where 21,194
reports of smaller breaches affecting 165,135 patients.
Health care data has seemingly become increasingly targeted.
According to some sources, it accounts for 43 percent of major
data breaches reported in 2013.
In April 2014, the FBI warned healthcare providers many that their
cybersecurity systems are lagging behind systems used in other
industries, making the healthcare industry more vulnerable to
cyber attacks
LARGE BREACHES
• Breaches involving 500,000 records or more are
uncommon, but not unheard of.
• In 2014 Chinese Hackers stole information
regarding 4.5 million patient records. The attack
was on Community Health Systems and reportedly
included patient social security numbers.
STATISTICS AS OF NOVEMBER 2014
• More than 146 of the 1,135 of major HITECH breaches
reported as of as of Oct. 17 , were ongoing and not
attributed to one-time events, ranging from one day to
2,891 days.
SMALLER DATA BREACHES
•
•
•
•
Laptops Stolen from New York Podiatrist's Office Contained 6,475
Patients' Information-Poughkeepsie, N.Y.-based Sims and
Associates Podiatry notified patients of a data breach that
occurred when its office was burglarized and three laptops
containing patients' personal and health information were stolen.
Laptop Containing Patient Information Stolen From Coordinated
Health Bethlehem, Pa.- Coordinated Health notified patients of a
data breach that occurred when a laptop containing patient
information was stolen from an employee's vehicle.
The Kaiser Permanente Northern California Division of Research
in Oakland, Calif., notified patients their personal and health
information was compromised when its research server was
infiltrated by malware.
Decatur, Ala.-based PracMan, a billing company utilized by many
Alabama physicians, announced a subcontractor caused a data
breach that exposed the personal and health information of 3,100
patients.
TOP THREATS
• Physical theft
• Insider mis-use
• Accidental disclosure/Unintentional
actions
SPECIFIC ISSUES/THREATS
The following have been reported as part of known
breaches:
Employees and contractors leaving media containing ePHI in
vehicles which were broken into.
Physical burglary of servers with data.
USB devices with PHI left unsecure.
MAJOR SECURITY ISSUES
This list is compiled from several sources:
•
EHRs are still new to many health care providers, so they lack experience
securing electronic patient data
•
Lack of detection controls -- Health care providers may have adequate
perimeter security but not intrusion detection and forensics.
•
Other financial priorities/budgetary issues.
•
Insufficient information sharing.
•
Lack of a ‘security attitude’
SOME GOOD NEWS
• More attention to this issue
• As evidenced by this symposium
• The IEEE is giving more attention to medical devices and their
security
• More training available for staff
• Better technology is available