Guest post by George Bailey, senior advisor, health IT/security, Purdue Healthcare Advisors.
The recent large-scale data security breaches experienced by major retailers Target Corp. and Neiman Marcus provide opportunities for learning across industries. These data breaches are painful for the companies, shareholders and, certainly, for the consumers victimized by subsequent fraudulent transactions on their financial accounts.
But once the dust settles, will these 110 million consumers suffer long-term damage to their privacy and financial security? I would argue no. Surprised? I say this because most of the attributes compromised in the Target and Neiman Marcus data breaches are short-lived items. By “short-lived,” I mean bits of information that can be changed or replaced by the consumer.
For instance, charge card numbers can be changed and accounts closed; debit card PINs can (and should) be changed; lost funds can be reimbursed; and credit scores reinstated. Now I don’t want to imply that this cleanup is easy, quick or inexpensive to do. It’s not. But looking three to five years into the future, these data breaches—just as the T.J. Maxx breach in 2007—will have little-to-no lasting effect on those compromised.
For the healthcare industry, a data breach is quite different. A patient’s social security number (which appears many times within healthcare records), medical history, psychiatric notes and sexual preference are not considered “short-lived” attributes. While a social security number can be changed, it’s a difficult and time-consuming process. The other data contained in a healthcare record is very sensitive and private, and it cannot be re-written, as it is there to guide physicians in providing optimum care. Once sensitive electronic patient health information (ePHI) is lost, stolen or leaked to the Internet, it can spread faster than the best Facebook gossip and be cached, indexed and copied to a seemingly endless number of devices.
The Target data breach provides three lessons that can help healthcare organizations improve data security.
Push for updated security technology
Retailers are required to protect payment card data by complying with the payment card industry’s data security standard (PCI-DSS), which has been aggressively updated several times in the last 10 years. By contrast, other than breach notification requirements and the expansion of security responsibilities to business associates, there have been no significant changes to the HIPAA security rules since 2003.
The current PCI-DSS 3.0 version is significantly more advanced than the HIPAA security rules required to protect ePHI. Being compliant with a 10-year-old security standard such as HIPAA should be considered a starting place and not a reason for celebration. Healthcare organizations should review these recent incidents, assess the risks to their technology assets, and make the appropriate security updates and adjustments where necessary.
Communicate the problem
Healthcare organizations have, for the most part, 60 days to notify patients of a data breach per HIPAA/HITECH breach notification requirements. However, 46 states have data breach notification laws that may reduce the response time significantly. It is highly recommended that organizations have a documented IT security response plan so that detection, investigation, response and patient notification can be expedited without delay. Even though breach notification requirements allow 60 days to notify patients, it’s in everybody’s best interest to do it as soon as possible. The goal should be to notify patients in less than 30 days.
Be ready to respond to your patients
Healthcare organizations have a more intimate relationship with their patients than the typical retail organization, so it is important to have a crisis communications plan in place for responding to patient concerns should a breach occur. Healthcare organizations have a responsibility to maintain a record of disclosures for every transaction in which a patient’s data has been accessed, viewed or acquired in an unauthorized manner. Requests for this record generally come after an organization experiences a publicized data loss. Producing it is no easy task unless the organization is already tracking and auditing access to all patient data. Having a process in place to respond to patients’ requests before a breach occurs is essential to maintaining a high level of trust with patients.
George Bailey, MS, CISSP, GCIH, CHP, is an information technology security professional with more than 17 years of experience in network security, remote access, wireless security and incident response. Bailey serves as Senior Advisor – Security Services at Purdue Healthcare Advisors, where he oversees and implements security solutions for the healthcare industry. He has presented at many security-related conferences and is routinely published in academic journals. Bailey holds a Certified Information Systems Security Professional (CISSP) credential and is pursuing his doctorate at Purdue University.