Data Protection Remains Shaky

Data remains exposed in significant numbers in the healthcare industry. The monthly Protenus Breach Barometer shows that the trend of at least one breach per day is continuing. To be specific, Protenus showed 37 breaches being disclosed for the first time in May. The number is significant, demonstrating the ongoing challenge for the healthcare industry. The not-so-old adage that it is not a matter of if you get breached, but when, is only proving to be more and more accurate.

A couple of findings from the report stand out. First, three breaches were not reported for over 1000 days from the date of discovery. This is a substantial period of time during which a breach remained unreported. Why did it take so long for these organizations to report? What breakdown in auditing and monitoring of systems occurred? The delay in reporting could be attributed to the high number of insider breaches reported in May. A common concern about insider breaches is the difficulty of detecting them. An insider can slowly leak data out of a system or otherwise mask activity. Additionally, despite widespread reports that insiders are a top threat, outside issues such as ransomware garner many of the headlines and the spotlight. Drawing attention away from insiders is dangerous, though. As noted, insiders understand a system, have approved access to data, and have many opportunities to extract data. No organization should feel safe. It is not a matter of a lack of trust so much as recognizing reality.

The concern about insider threats leads to the second standout item from the May report, namely that insiders caused 15 of the 37 breaches reported. As reported by Protenus, 10 of the insider breaches were the result of an error. While not good, there is a silver lining in that errors should be one-time events without malicious intent. The other five insider breaches were the result of malicious conduct. Such conduct includes obtaining information for personal gain, selling information to known criminals, and other conduct in the same vein. The common theme of the malicious-intent breaches is the desire to profit or personally gain from taking the information. If an individual has a strong desire to create a personal benefit, it will be difficult to stop ahead of time. However, organizations can do a better job of rooting out internal bad actors. Organizations should be routinely auditing and monitoring systems, records and other aspects of protected health information. Further, automated systems can be deployed to enhance what individuals can do on their own. Using a combination of tools can speed up the time to discovery, which in turn can enhance mitigation efforts.

As can be seen, the Breach Barometer should be mandatory monthly reading for many entities. Until security efforts can be improved, it is instructive to learn lessons from the monthly summary of breach reports. Optimistically, it is hoped that those lessons come from others and not from within one's own organization.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Compliance, Health IT, HIPAA, Regulations.
