06-16-14 | Blog Post

Friend or foe? Cybersecurity risks for shared data and a few precautions

Blog Posts

Mom always said to choose your friends wisely. Maybe she was trying to protect you from a data breach.

AT&T learned that lesson the hard way. From a statement released by the company :

“We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.”

This breach was less nefarious than the recent credit card data theft at P.F. Changs, Target and other retailers. While the employees of the vendor had access to sensitive data (such as Social Security numbers), their intent reportedly was to find codes used to unlock mobile phones in the secondary market.

As Washington Post technology writer Brian Fung noted, the heavy restrictions mobile carriers place on unlocking your phone likely motivated the breach: “It’s clear there are people out there who will compromise our most sensitive information just to make it easier to recycle used devices.”

Regardless of the intent or the result, there’s one key sentence in the letter AT&T sent to affected customers: “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization.”

This isn’t the only breach in the news recently that harkens back to Mom’s advice mentioned above. In May, New York Presbyterian Hospital and Columbia University agreed to pay the Department of Health and Human Services $4.8 million to settle an alleged violation of the HIPAA Privacy and Security Rules. It’s the largest payment in history.

Tatiana Melnik, an attorney who focuses on data privacy and security issues, offered her thoughts on the case involving the affiliated, but separate, entities that operate a shared data network:

This settlement is a good reminder that covered entities, business associates, and subcontractors must choose their partners carefully. As more organizations implement data sharing agreements, form strategic healthcare IT partnerships (e.g., those involving big data, analytics, etc.), and otherwise store their data with vendors, data breach issues are inevitable. Healthcare providers and vendors must carefully review their agreements to ensure that each party bears the appropriate amount of risk. Provisions related to indemnification, limitation of liability, damages caps, and insurance requirements should be reviewed with special attention.

A lack of trust between business associates isn’t unusual when it comes to data breaches. A recent Ponemon Institute study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement.

The good news: An iHT2 report presents data that indicates business associates are paying greater attention to data security. From 2009 to 2012, business associates were involved in 56 percent of large-scale data breaches of 500 records or more. In 2013, that number was reduced to just 10 percent of breaches.

What can you do to make sure your IT friends are an alliance for good in the battle to protect sensitive data?

  1. When did the business associate last perform a comprehensive risk assessment? If it’s been more than a year, move on.
  2. Ask for a copy of their audit report – and actually read it. A business associate that invests in a culture of compliance and security is comfortable and confident in sharing details of their controls. In addition to sleeping better at night, you’ll also save a lot of time and money by being able to provide this documentation during your own audits.
  3. Visit your business associates in person. If you have sensitive data, it’s worth whatever airfare and time it takes to visit them face-to-face. You’ll know a lot about the reality of their attitude towards their clients and security from experiencing it yourself.
  4. Consult with references. Don’t just take your associate’s word for it – ask their clients. If they keep their clients happy, this list will be readily available.
  5. Do they have insurance against data breaches to help with remediation costs and understand what’s at stake in terms of timeliness and thoroughness of a response and investigation into any suspicious activity?
  6. How would they know if a data breach happened? Is there enough monitoring in place, and detailed logging, to know if something is amiss and have the information to assess damage and risk?

OCR reminds covered entities to choose friends carefully
AT&T confirms data breach as hackers hunted for codes to unlock phones
Washington Post: Carriers’ tight grip on cellphone unlocking seems to have resulted in a cyberattack
IHT2’s 10 Steps to Maintaining Data Privacy in a Changing Mobile World
Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security

Download Mobile Security White PaperRELATED
Mobile Security white paper
iHT2 recommendations for HIPAA-compliant cloud business associates
What to look for in a HIPAA cloud provider
Top 5 healthcare cloud security guides

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved