DATA BREACHES IN HEALTHCARE
BY CHUCK EASTTOM
WWW.CHUCKEASTTOM.COM
CHUCK@CHUCKEASTTOM.COM

ABOUT THE SPEAKER
• 18 books (#19 in progress)
• 29 industry certifications
• 2 Master's degrees (#3 in progress)
• 5 computer patents
• Over 20 years experience, over 15 years teaching/training
• Worked on EMR/EHR and medical billing software
• Frequent consultant/expert witness
www.chuckeasttom.com
chuck@chuckeasttom.com

GENERAL FACTS
• As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
• Since federal reporting requirements took effect, the U.S. Department of Health and Human Services' database of major breach reports lists 944 incidents affecting personal information from about 30.1 million people.
• Smaller breaches are also at issue. In 2012, there were 21,194 reports of smaller breaches affecting 165,135 patients.
• Health care data has seemingly become increasingly targeted. According to some sources, it accounts for 43 percent of major data breaches reported in 2013.
• In April 2014, the FBI warned many healthcare providers that their cybersecurity systems are lagging behind systems used in other industries, making the healthcare industry more vulnerable to cyber attacks.

LARGE BREACHES
• Breaches involving 500,000 records or more are uncommon, but not unheard of.
• In 2014 Chinese hackers stole information regarding 4.5 million patient records. The attack was on Community Health Systems and reportedly included patient social security numbers.

STATISTICS AS OF NOVEMBER 2014
• More than 146 of the 1,135 major HITECH breaches reported as of Oct. 17 were ongoing and not attributed to one-time events, ranging from one day to 2,891 days.
SMALLER DATA BREACHES
• Laptops Stolen from New York Podiatrist's Office Contained 6,475 Patients' Information: Poughkeepsie, N.Y.-based Sims and Associates Podiatry notified patients of a data breach that occurred when its office was burglarized and three laptops containing patients' personal and health information were stolen.
• Laptop Containing Patient Information Stolen From Coordinated Health: Bethlehem, Pa.-based Coordinated Health notified patients of a data breach that occurred when a laptop containing patient information was stolen from an employee's vehicle.
• The Kaiser Permanente Northern California Division of Research in Oakland, Calif., notified patients their personal and health information was compromised when its research server was infiltrated by malware.
• Decatur, Ala.-based PracMan, a billing company used by many Alabama physicians, announced that a subcontractor caused a data breach that exposed the personal and health information of 3,100 patients.

TOP THREATS
• Physical theft
• Insider misuse
• Accidental disclosure/unintentional actions

SPECIFIC ISSUES/THREATS
The following have been reported as part of known breaches:
• Employees and contractors leaving media containing ePHI in vehicles which were broken into.
• Physical burglary of servers with data.
• USB devices with PHI left unsecured.

MAJOR SECURITY ISSUES
This list is compiled from several sources:
• EHRs are still new to many health care providers, so they lack experience securing electronic patient data.
• Lack of detection controls: health care providers may have adequate perimeter security but not intrusion detection and forensics.
• Other financial priorities/budgetary issues.
• Insufficient information sharing.
• Lack of a 'security attitude'.

SOME GOOD NEWS
• More attention to this issue, as evidenced by this symposium
• The IEEE is giving more attention to medical devices and their security
• More training available for staff
• Better technology is available