04-22-13 | Blog Post

2013 HCCA: The Defining Moments of a Data Breach

Blog Posts

Online Tech is exhibiting HIPAA hosting solutions at booth #919 at the Health Care Compliance Association (HCCA)’s 17th Annual Compliance Institute Conference April 21-24 in National Harbor, MD. The conference draws in healthcare compliance professionals, risk managers, privacy officers, healthcare CFOs and CEOs, and more.

The Defining Moments of a Data Breach
Speakers: John Ford, Principal, Sienna Group LLC
Kurt Long, CEO, Founder, FairWarning Inc.

Kurt and John have teamed up several times to give this presentation and the following presentation was a dialogue between both Kurt and John on dealing with healthcare data breaches.

Kurt – Data breaches with a healthcare organization take on many forms. Research shows that most organizations are not well prepared to detect and combat data breaches.

John – Fraud is a huge issue. In many of the fraud scenarios, it pertains mainly to patient data. Healthcare fraud in the U.S. costs the industry $80 billion to $225 per year. The key to lowering the number is to catch the criminal behavior at the point of origin.

Kurt – Organization today are dealing with much more heightened issues pertaining to a data breach. There are several types of “follow-up” crimes that can come out of a data breach of patient information. Kurt highlighted the following:

  • IRS tax fraud
  • Identifying theft – creating false financial information is very common with deceased patients.
  • Racketeering
  • Mail fraud
  • Immigration fraud
  • Creation of “shell” businesses for the purpose of money laundering

Organized criminals have noticed that health care providers have incredibly critical information pertaining to an individuals’ financial information and their systems often have major privacy and security vulnerabilities.

John – Most people are not prepared for data breach that occurs through organized crime. Those types of organizations typically receive a call from law enforcement (considered an external notification) and in those cases, everything comes to a grinding halt for about 48 hours while executive and operational teams are deployed to investigate the source of the breach.

The general theme at that point in time is to develop a breach response plan. Most people do not have an adequate plan that they test prior to any sort of breach and are scrambling to put one in place.

Organizations need to have a plan already in place because time is not your organization’s time in a situation that big. Upon notification of the breach, the organization will be pressed for an explanation from everyone; from the media to patients and providers.

John listed the key issues to address at that time of a breach:

  • Learning how the internal breach occurred
  • Figuring out why the breach was not detected to begin with
  • Understanding the scope of fraud as a result of the breach
  • Steps patients and providers should be taking as a result of the breach
  • What the organization is doing as a result of the breach

Having a well-crafted plan in place for a data breach will be imperative for your organization. The plan must include a method for active user activity monitoring and thorough log correlation and analysis.

Kurt – By using constructive knowledge leading up to a data breach and proactively taking the correct steps trying to implement the correct processes, you may be immune to civil penalties.

John – Modern strategies out there to impede fraud and future strategies will strive to stop the fraud at the point of origin.

Encryption and authentication are not going to help after a breach. The organization has to go out and find the answers and track down the user logs, essentially shutting the businesses down for 105 days while they try to figure out where the breach came from.

Take-away points from the presentation:

  • Healthcare organizations have unique vulnerabilities to data breaches and fraud given the type of sensitive data the record contain and the wide-spread access to the care-providing functions
  • Criminal organizations are maturing and beginning to target the vulnerabilities of healthcare organizations with the intent to commit fraud
  • The current model of backtracking to figure out where a breach came from is inefficient  and does very little to actually pinpoint the issue
  • Healthcare organizations need to do a better job at monitoring user activity to detect abuse of the system and more efficiently find information in the event of a breach. Learn more daily log review and file integrity monitoring (FIM) and how these technical services can help your organization prevent or remediate effectively after a data breach.

Related Articles:
2013 HCCA: Hidden Liabilities in the EHR
2013 HCCA: Cyber Compliance
2013 State of HIPAA Encryption & Authentication for Healthcare

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved