Category Archives: Electronic Health Records

PC World: Self-Encrypted Drives Set to Become Standard Fare

Although they have been out now for a few years, it is only recently that manufacturers have decided to mass market self-encrypting hard drives, i.e., drives that have integrated keys within their chip set.  According to standards experts quoted in a recent PC World article, in a few years, companies will be relying on self-encrypting drives “and you won’t even realize it-because it will be so pervasive. The encryption just works, it doesn’t impact you.”

Companies looking to better navigate notification breach safe harbors and any recently enacted security standards should take an immediate hard look at deploying laptops, desktops, and storage devices using this relatively painless way of encrypting sensitive data.  That hard look should especially be taken by firms looking to comply with state laws such as the Massachusetts Data Protection Law or steer clear of possible penalties available under the HITECH Act.

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

IW: CIOs See Smartphones As Data Breach Time Bomb

As recently reported by InformationWeek, a study conducted by market researcher Ovum and the European Association for e-Identity and Security found that eight out of 10 CIOs believe using smartphones in the workplace increases their firm’s vulnerability to attack.  Although these CIOs rank data breaches as their top related security concern, half of the organizations acknowledge that they fail to provide some basic security measures for the use of smartphones.

This report should be of major concern to doctors and lawyers — two groups of professionals that rely heavily on the use of smartphones to manage their workloads.    At the very least, an easily applied security precaution for smartphones should be the use of a strong password that is changed every 60 days or sooner.  Two-factor authentication is preferable.   Users should back up data regularly and not have it remain solely on a mobile device – unfortunately, default settings can have the communications emanating from your mobile device remain resident solely on a mobile network.  Make sure your mobile device is equipped with anti-virus protection and if you receive an e-mail from a company or person that you’re not familiar with, do what you do on your work computer – just delete it.   Use your idle timer feature to lock down your smartphone as you would your laptop.  

If you have an IT support team (in-house or outsourced), make sure it keeps your operating system and server patches up to date and strictly enforces what applications can be used and what connections can be accessed.   What OS is even used may impact security.   For example, researchers have recently discovered flaws in the WebOS smartphone platform that could let an attacker build a mobile botnet or execute other remote attacks.  More advanced security features include the use of remote wiping applications, encryption and data loss/leak prevention tools.  

Notwithstanding the fact it can also place a call, the key to improving your security posture is to respect the fact your mobile smartphone is now no different from any other computer you use at work.  Act accordingly.

CA Hospital Appeals Fine of $250,000 for Failure to Report a Laptop Theft

Lucile Packard Children’s Hospital (LPCH) at Stanford is appealing a California Department of Public Health (CDPH) penalty issued on April 23, 2010.  The fine of $250,000 was levied as a result of a late reporting of a security incident.  According to a September 9, 2010 press release issued by the hospital, the incident was related to “the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.”  The press release further states:

The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
 
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.   Theft charges have been filed against the former employee.

The LPCH data breach is generally considered the most common form of breach, namely one that involves a stolen or lost laptop.  No matter how much training you provide or how many times you emphasize there is zero tolerance for mishandling laptops, there will always be negligent or reckless conduct involving laptops.    On top of all the hard forensics and notification costs associated with such events, California hospitals also now have to deal with significant regulatory penalties for these mistakes.  Thankfully, incidents have been slightly decreasing due to better practices and there exist low-cost insurance solutions that pick up breach expenses/fines on those occasions when an incident is not avoided.

HITECH Public Data Breaches: Majority Caused by Theft

Last month, the Health Information Trust Alliance published an analysis of the 108 breaches reported to HHS from Sept. 23, 2009 (when reporting first started under the HITECH Act) to mid-July.  This review illustrates the major impact of theft on healthcare providers.   Of 108 total reported breaches, 68 were the result of theft.  Indeed, the only type of breach experienced by every healthcare industry sector was theft.   The most common thefts involved laptops and removable data drives and devices.   The majority of the data found on these devices remains unencrypted.  This lack of encryption is significant given that, as with the breach notification laws in most states, there is a notification safe harbor under the HITECH Act implementation regulations whenever the stolen data is encrypted. 

This review of HHS reported breaches highlights what risk managers have likely known for some time now, namely that it is important to better train employees regarding the use and maintenance of laptops/memory devices.  Although not nearly as “top of mind” as better training, risk managers are now understanding the value in deploying system-wide encryption solutions.  There is obviously much less likelihood of the breach turning into a major financial incident when there is no notification.  In other words, whether the added expense of encryption — both financial and time-driven — is worth it to a healthcare provider gets answered each day there is another publicly noticed breach.

AON Disclosure Impacts 22,000 Retirees

According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted social security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State.  The RFP information was posted by AON to the procurement section of the Delaware website for five days before it was discovered and removed.  This is not the first data breach for Aon Consulting.  In May 2008, an AON laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.

Moreover, it is not the first time a global broker has compromised client data.  On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers.  The lost data includes social security numbers and dates of birth.   And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report to their clients

These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach.  Indeed, Marsh, AON and Willis are the three largest brokers in the world and have built over the years very sophisticated risk management practices to assist clients address their exposures.   Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when  managing data risk.  In other words, if a breach can hit these folks, it can hit just about anyone.

Healthcare Industry Hit Hard with Data Breaches

According to the ID Theft Resource Center, 97 of the 341 organizations that sustained a significant data breach in the first half of 2010 were in the healthcare industry.  By comparison, only 38 breaches were reported at banking and other financial institutions.   As shown by the breach sustained by BCBS Tennessee, the direct costs for breaches can exceed $10 million.  And, the repercussions for these breaches are not even limited to direct mitigation or liability expense.  For example, the California Department of Health has fined five hospitals a total of $675,000 for repeatedly failing to provide adequate security for patient data. 

Given the HITECH Act’s desire to increase usage of EHRs, healthcare providers are now scrambling with new software systems that leave them quite vulnerable until full tested.  Moreover, the public may be losing patience with healthcare providers given more and more breaches are now being reported.  This can only lead to an emboldened plaintiffs’ bar. 

What’s a healthcare provider to do? 

It can be argued that there is not much a healthcare provider can do to avoid a breach other than improve security and continue to train its staff.   After all, how can you stop an employee from going around security protocols and stealing data?   As for lost or stolen laptops, that will likely never abate — as illustrated by recent laptop thefts in Texas and Oregon.  Having a robust vendor management program in place is helpful but can never fully prevent rogue contractors from losing or stealing data.  In other words, the risk can be mitigated against (somewhat) but never fully removed so long as healthcare data remains valuable, healthcare providers stay in the healthcare business (and not data security business), and workers continue to make mistakes.  There is a risk management approach, however, that should be seriously evaluated by every participant in the healthcare industry. 

In the same manner medical malpractice insurance is standard in the healthcare industry, network security and privacy insurance should be seriously considered as a risk transfer tool.  Depending on the size, sophistication, and needs of an organization, the terms can be very affordable and flexible.  For example, a hospital with $30 million in revenue can now obtain a comprehensive policy that will safeguard against a breach impacting 250,000 patients for under $15,000.   The bad news is that most insurance professionals or brokers are unaware of the correct pricing or terms for such coverage.  Accordingly, they rely on wholesale brokers who are inundated with submissions and have a tough time qualifying leads (given they do not interact directly with  insureds) — which, in turn, prevents some organizations from getting the attention they deserve.  Thankfully, there are risk professionals out there with the right background to help cash-strapped healthcare organizations obtain the right protection at the right price.  At the very least, healthcare providers and plans should reach out to these risk professionals to obtain a “ballpark” quote. 

Armed with a ballpark quote,  organizations are at least able to determine whether it makes sense to pursue coverage.  Getting a ballpark quote requires minimal effort.  In order to obtain a ballpark, please simply provide your revenue.  We will get back to you within several days with a ballpark insurance quote for network security and privacy insurance.

Hospital Data Continues to be at Serious Risk with Third-Party Vendors

According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk.  And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain.  The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.

One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program.  Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts  actually now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data.  There are certainly enough incidents to justify the attention.  For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company.  It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.

Lost or stolen laptops used by the contractors of business associates litter the data breach landscape.  Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan is fairly common.  The Plan members were hit with a breach not arising out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan; but instead, from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest.  A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen.  Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted.  It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.

There are two basic risk management suggestions to be gleaned from these incidents.   Not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals need to require business associates vet  subcontractors to ensure they also have proper security controls in place.   In fact, this is actually dictated by the recent statutory changes referenced above.  And, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents.  Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches.   NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.

Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.

NSAP Insurance Full Policy Limits Must Cover First Party Data Breach Costs

A recently disclosed $10 million data breach expense bill raises an issue that has been percolating the network security and privacy (NSAP) insurance marketplace for several years now.  The publicly disclosed expenses involve BlueCross BlueShield of Tennesee (BCBST).

According to BCBST, in October 2009, “57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a [BCBST] call center.”  And, as of June 11, 2010, the total number of current and former compromised BCBST members is 998,936.  Although there has been no documented incident of identity theft or credit fraud of BCBST members as a result of this theft, BCBST has incurred to date $10 million in costs.  These expenses are driven by its retention of Kroll to investigate the theft, e.g., determine which members were impacted, Equifax credit monitoring, LifeLock services, notification costs, and call center expense. 

The key takeaway from incidents such as this one turns on the fact there is no lawsuit to defend – and no NSAP liability policy trigger to set in motion.  The only trigger is first-party driven, namely the internal expenses incurred to deal with a data breach incident. 

As with most NSAP insurance buyers, the growing number of Blues who have actually purchased NSAP insurance have agreed to sub-limits on their first-party expenses that are usually a fraction of the full liability limit.   This is unacceptable given victims such as BCBST are often forced to expend millions of dollars without seeing a single lawsuit or regulatory complaint.  In fact, the goal of spending so much on the front end is to avoid litigation. 

The good news is that there are a few NSAP insurers who are willing to offer full limits for first-party expenses incurred as a result of a data breach.   These insurers should be evaluated when looking at NSAP insurance for the first time.  And, upon renewal, if your current insurer does not provide the limits you need for the expenses you are most likely to incur, either have your current broker evaluate other insurers or turn to a new broker who can help locate better options.

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.   Specifically, the press announcement states: 

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks there will be much analysis given to these proposed Rules but when it is all sorted out, it is anticipated that the above-listed three changes will be deemed to be among the more significant.  Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague circular definition will throw a monkey wrench to just about any entity looking to comply with HIPAA.  These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.