Tag Archives: HIPAA

Ashley Madison Writes Rx for Doctors About Safe Sex(curity) and HIPAA

Rx for Doctors

There are many lessons that the Medical Community– Covered Entities, Business Associates and their subcontractors – can learn from the Ashley Madison hack.  Please forgive me if I omit the prurient details and/or any “holier than thou” statements about the AM business, except to say that it was a site that needed security, dealt with highly sensitive and personal matters, and the very people who sought to obtain a “full delete” of their personal information, are the ones who apparently were caught “flapping in the wind” – please forgive the pun.

  1. How could a subscriber/patient/doctor or medical provider (CE, BA or Sub) have known that the information they retained made them a prime target?In the case of Ashley Madison, assuming itdid not possess the native intelligence to realize that we live in an age of website breaches, the WSJ.com actually warned/predicted that Friend Finder networks (a website with similar appeal to individuals seeking extracurricular activities) was hacked, and that Avid Life Media (owner of AM), which was seeking to raise $200 million in an IPO,warned that   “investors will have to think of hack attacks as a risk factor.”  In the case of CEs BAs and their subcontractors, and in addition to HIPAA, HITECH and the Omnibus Rule, the internet is replete with stories of both medical and nonmedical private information being hacked.
  1. How could the information have been safeguarded? In the case of AM, prepaid credit cards, anonymous browsing and encryption would or could have mitigated or eliminated the risk.  On the Medical side, awareness and compliance with the regulatory requirements (which incidentally, includes encryption as a safe harbor) would similarly substantially mitigate the risk and the amount of damage a breach may cause.  Starting with a risk analysis, proper security and privacy protocols, management oversight, and adequate resources devoted to regulatory compliance would go a long way.

The basic problem is that the NIMBY (not in my back yard) type of denying reality has a way of catching up and exploiting vulnerabilities.  The new reality is that with every passing day, more private information is being entrusted to others. Cyber security is playing a cat and mouse game with hackers and ignoring the realities of the digital age can lead to embarrassment, financial loss (or ruin) and governmental scrutiny and fines.

What do you think?

Please like & share:

How Much Does a Data Breach Cost in Dollars and Cents?

Online Security

In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement. ( “The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See” , “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions” , “The Seven Most Likely Causes of Major HIPAA Breaches” , “The Five Most Likely Types of Major HIPAA Breaches” ) A basic question though is how much does a data breach cost in dollars and cents?

I am reasonably certain that as with all statistical matters, depending on how you skew the numbers, there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015, which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) which I believe is both timely and highly informative.

Some of the key findings of this report indicate that there has been a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report represents 2014).

The simple study of 350 companies dealt with data breaches. The average cost of a breach increased from $3.52 to $3.79 million during a one year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive level involvement is necessary to achieve an effective incident response to a data breach and 70% believe that board level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 19 identifiers relating to HIPAA.)

Malicious or criminal attacks were 47% of the root causes as opposed to 42% a year earlier, and similarly the report shows an increased cost from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach the greater the likelihood, and apparently, the higher the cost per record.

Costs relating to detection increased as well from $0.76 million to $0.99 million. The costs included forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

The cost of the data breach ranges by industry, and while the average is $154, the average cost for a healthcare organization is $363.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (Not in my backyard) seems to be a common mindset with small to medium Covered Entities (CEs) and/or Business Associates (BAs) – this only happens to the other guy. The threat of a data breach is real.

In communication I had with the FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset (even absent the significant regulatory issues) is misguided.

 

Please like & share: