The value of ePHI (electronic Protected Health Information)

On Wednesday I blogged about how hospitals are the highest risk for data breaches. Some have emailed me asking why criminals would even care about Protected Health Information (PHI). Sure, it's private information, but what use is it to a criminal? The Digital Health Conference last year discussed this question, and a panel of cyber security specialists estimated that a single PHI record is worth about $50 on the black market. This is the same value given by Pam Dixon, executive director of the World Privacy Forum, in a 2007 interview. So what makes these records worth $50, more than a Social Security number or a credit card number? Criminals can use a health record to file fraudulent medical claims, obtain prescriptions, or receive treatment under a false name. Since medical information cannot be "canceled" the way a credit card number can, criminals have a much larger window in which to exploit it.

For these reasons, PHI records are a tempting target for criminals, especially with the rising cost of health care. So, yes, you should be concerned about the disclosure of your medical records, because it presents a real threat to patients. This is why it is so important for organizations that handle PHI, whether clinics, medical billing companies, insurance providers, or other business associates, to have adequate security controls in place. Adhering to HIPAA helps, but being compliant does not necessarily mean you are secure.

What the changes in HIPAA Omnibus mean for you

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013. It is designed to give patients additional rights over their health information and to increase penalties for organizations that fail to protect Protected Health Information (PHI). The rule takes effect on March 26, 2013, with a compliance date of September 23, 2013, and it includes changes to the data breach response requirements.

Before Omnibus, HIPAA (through the HITECH breach notification rule) required covered entities to conduct a risk assessment when an impermissible use or disclosure of PHI occurred. That assessment determined whether the incident posed a significant risk of harm to the individual; if the risk was judged low, the covered entity did not need to notify the affected individuals or the Office for Civil Rights (OCR). According to HITECH Answers, the HIPAA Omnibus rule reverses that presumption: an impermissible use or disclosure is now presumed to be a reportable breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on a risk assessment that considers at least four factors (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated). The entity must retain documentation of that assessment so it can be produced to OCR if a decision not to notify is called into question; in other words, the burden of proof is on the entity. If OCR finds that the burden was not met, it may find the entity negligent and fine it accordingly or require corrective action.

Also of interest for HIPAA data breaches is the revised language that broadens the definition of business associates to include subcontractors and other downstream providers that create, receive, maintain, or transmit PHI on a covered entity's behalf. This increases the number of companies that must adhere to the HIPAA Privacy and Security Rules directly, and it makes them directly liable for violations. These companies have until the September 23, 2013 compliance date to meet the requirements, but many may not even be aware that they will soon be subject to HIPAA.

HHS begins fining for lower impact data breaches

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA). The primary violation was the loss of an unencrypted laptop containing Protected Health Information (PHI) for 441 patients, but the settlement also covered non-compliance such as the hospice's failure to perform a risk analysis and its lack of mobile device security policies and procedures. This is the first HIPAA fine issued for a breach of PHI affecting fewer than 500 patients.

HHS Office for Civil Rights Director Leon Rodriguez made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size: "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."

This comes as shocking news to some who assumed that HHS would not take action on smaller breaches, which make up the majority of health care breaches. According to the December 2012 U.S. Healthcare Data Breach Trends report, only about 500 breaches involving more than 500 patients have been reported to HHS over the last 3 years, but the same period saw roughly 57,000 breaches involving fewer than 500 patients. These businesses should be prepared not only for the cost of notification, lost customers, breach response, and remediation, but also for HHS fines in the years ahead.

Data: If you don’t need it, delete it

Organizations are accumulating data at a pace that would cause a hoarder to blush. Just like that old bicycle seat stored in the attic, data is often kept "just in case it may be needed someday." This practice, however, comes at a cost.

Some organizations think that storing data is inexpensive, especially with the steady decline in hard drive prices. The fact is, however, that data is expensive to keep. Organizations spend a significant portion of their time managing, archiving, and securing it. Data is housed on servers, each of which must be maintained. It is also archived regularly according to the organization's backup schedule, and it is audited and secured against loss. Each of these activities consumes the time (i.e., increases the cost) of those in information management.

Excessive data retention also poses a risk to an organization with regard to compliance and electronic discovery requirements. Personally identifiable information that is lost could result in significant fines. In addition, old document drafts that provide no organizational value could still damage the organization if disclosed. Data related to litigation is costly to obtain, organize, and produce, and searching through an organization's legacy data adds further complexity and cost.

For the above stated reasons, it is important to remove unnecessary data.  A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization.  Structure can be accomplished through a data retention policy.   A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.


At a minimum, a data retention policy should contain a scope section that outlines the types of data covered. Examples would be tax records, personal information, business records, and legal documents. In addition, the policy will need to spell out how long and in what form each type of document will be retained. Some policies may include guidelines on removal of data, or this may be left to a separate data destruction policy.

Retention Term

One of the most difficult parts of defining a data retention policy is specifying the length of time to retain each type of document. Compliance requirements may set a minimum or maximum, while business requirements may stipulate other terms; both must be considered in defining the duration. The following are some regulatory minimums that can be used as a starting point when forming a data retention policy:

  • Audit documentation and associated financial documents must be kept for at least 7 years if there is a SOX requirement (Section 802 sets the 7-year period for audit workpapers). The IRS requires that employment tax records be retained for at least 4 years after the date the tax became due or was paid, whichever is later.
  • The list of hazardous chemicals published by OSHA contains many substances common in the workplace, and data retention policies should define how long documentation of hazardous chemical exposure will be kept. OSHA requires that employee exposure records be retained for 30 years.
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts, policies, and other such covered documents be retained for at least 6 years from the date of creation or the date they were last in effect, whichever is later, or 2 years following the patient's death.
  • Exceptions to these recommendations are required when pending litigation or an audit calls for an information freeze or legal hold on specific data. In these instances, organizations will need to show that they made reasonable efforts to prevent the destruction of discoverable information.
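As an added illustration (example code, not part of the original post), here is one way to encode the schedule above so that disposal decisions are made mechanically and consistently, including the legal-hold exception. The record-type names, the "last effective" date field, and the legal-hold tags are this example's own assumptions; the year counts are the minimums listed above and are no substitute for the organization's own legal review.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Minimum retention periods from the schedule above, in years.
# The record-type names are assumptions for this example; map them to your
# own document classes. Anything not listed is "unclassified" and is neither
# kept nor deleted automatically (see disposition()).
SCHEDULE_YEARS = {
    "sox_audit_workpapers": 7,   # SOX: audit documentation and related financial records
    "irs_employment_tax": 4,     # IRS: from the later of the due date or the payment date
    "osha_exposure_record": 30,  # OSHA: employee exposure records
    "hipaa_policy_document": 6,  # HIPAA: from creation or the date last in effect, whichever is later
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    last_effective: Optional[date] = None           # last transaction / date last in effect
    tags: Set[str] = field(default_factory=set)     # e.g. litigation matter identifiers


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expires(record: Record) -> date:
    """Earliest date on which the record may be disposed of under the schedule."""
    years = SCHEDULE_YEARS[record.record_type]
    # The clock starts at the later of creation and last-effective date, which
    # covers both the HIPAA "creation or last in effect" rule and the IRS "due or paid" rule.
    start = max(record.created, record.last_effective or record.created)
    return add_years(start, years)


def disposition(record: Record, today: date, legal_holds: Set[str]) -> str:
    """Return 'hold', 'classify', 'retain' or 'dispose'. A legal hold always wins."""
    if record.tags & legal_holds:
        return "hold"          # litigation/audit freeze: never dispose, whatever the schedule says
    if record.record_type not in SCHEDULE_YEARS:
        return "classify"      # unclassified data gets a human decision, not a default
    return "dispose" if today >= retention_expires(record) else "retain"


def sweep(records, today: date, legal_holds: Set[str]) -> dict:
    """Group record ids by disposition so the 'dispose' list can go to the destruction process."""
    result = {"hold": [], "classify": [], "retain": [], "dispose": []}
    for r in records:
        result[disposition(r, today, legal_holds)].append(r.record_id)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real records.
    inventory = [
        Record("wp-2005", "sox_audit_workpapers", date(2005, 3, 31)),
        Record("tax-2008", "irs_employment_tax", date(2008, 1, 31), date(2008, 4, 15)),
        Record("exp-1990", "osha_exposure_record", date(1990, 6, 1)),
        Record("baa-2006", "hipaa_policy_document", date(2006, 1, 1), date(2009, 12, 31), {"matter-42"}),
        Record("misc-001", "old_drafts", date(2001, 1, 1)),
    ]
    print(sweep(inventory, date(2013, 3, 1), legal_holds={"matter-42"}))
```

Two design points matter more than the arithmetic: a legal hold is checked before the schedule so a freeze can never be undone by a routine sweep, and data of unknown type is routed to a "classify" bucket rather than being silently kept or deleted, which is how hoards survive in practice.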

This article discussed the need for data retention policies and outlined some regulatory requirements that should be included in business retention requirements.   An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk.  However, defining the policy will not be enough.  Employees will need to be aware of the policy and motivated to follow it.



HIPAA compliance primer

This is the first entry in a set of three blogs that deal with information compliance. We wish to provide corporations a guide that outlines which laws they are subject to and how to follow them properly.  In this particular blog I will discuss the Health Insurance Portability and Accountability Act (HIPAA).  A brief overview of the act will be included, as well as a discussion of where HIPAA applies and some of the requirements.

HIPAA is a federal regulation intended to ensure that covered entities and their business associates protect Protected Health Information (PHI), including its electronic form (ePHI). The U.S. Department of Health and Human Services (HHS) spells out who HIPAA applies to in its definition of a covered entity: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a standard transaction. In addition to the covered entities shown in the diagram below, HIPAA applies to business associates, meaning companies that create, receive, maintain, or transmit PHI on a covered entity's behalf, such as billing vendors or outsourced IT providers.


Now that I know who this applies to, I can discuss the basics of HIPAA compliance. The primary goal of the Security Rule is to protect ePHI, which is individually identifiable health information that is created, received, stored, or transmitted electronically. The identifiers that make information individually identifiable include name, dates (birth, admission, discharge, death), telephone number, SSN, photographs, address, and so on. Companies under this regulation need to implement technical and procedural controls to protect this information and to perform a risk analysis of the risks to, and vulnerabilities of, the confidentiality, integrity, and availability of ePHI. Technical controls include such things as encryption, authentication, password complexity, access auditing, and network segmentation; procedural controls include such things as password policies, incident response plans, contingency plans, and audit procedures.

HIPAA also requires companies to provide patients with a notice of their privacy practices, and they must record the patient's acknowledgement that the notice was received. You have most likely experienced this at the doctor's office.

The covered entity or business associate must provide a plan outlining how the company will follow the act and designate someone who is responsible for creating and implementing policies to support the plan.  If a company outsources certain business processes then the company must make sure that the third party is also in compliance with HIPAA standards.

This article is too short to go into detail on the controls necessary for an organization, but each system that houses or transmits ePHI will need adequate controls, and each person who works with ePHI will have to follow procedures intended to protect this private information. The scope of HIPAA compliance can be quite broad. Included under this wide umbrella are doctor's offices and other medical providers, for the protection of patients. Certain businesses are also included. Employers are not covered entities merely because they offer health benefits, but an employer-sponsored group health plan is a covered entity, so the plan (and the employer staff who administer it) must follow the Privacy Rule as well as the transaction and code set standards. HIPAA defines a covered health care provider as any provider of medical or health services that transmits health information in electronic form in connection with a HIPAA standard transaction, such as a claim.

This first installment in a series of blogs about information security compliance dealt with the medically related HIPAA or Health Insurance Portability and Accountability Act of 1996.  We defined it and included a summarization of the applications of HIPAA.  Finally, I included an overview of which companies should be concerned with the application and therefore the implementation of HIPAA.

How to determine if you are in a regulated security space

This entry is part of a series of information security compliance articles. In subsequent articles I will discuss the specific regulations and their precise applications, at length. These regulations include HIPAA or the Health Insurance Portability and Accountability Act, The Sarbanes Oxley Act, Federal Information Security Management Act of 2002 (FISMA), Family Educational Rights and Privacy Act (FERPA), Payment Card Industry Data Security Standard (PCI-DSS), and the Gramm Leach Bliley Act (GLBA) among other acts and regulations.

Information security is often feared as an amorphous issue that only the IT department has to deal with. The reality is that companies need to be concerned with complying with information security from top to bottom. Regulations are in place that can help a company improve information security while non-compliance can result in severe fines. It may be difficult for a company to understand which laws apply and which ones do not because many different sets of laws can apply to one company and not another.

Many major companies within the United States are subject to some type of security regulation.  Regulations that contain information security requirements are intended to improve the information security level of organizations within that industry and many organizations would welcome such information.  The difficulty comes in determining which regulations apply and in interpreting the requirements of the regulation.  The regulations are not written in a way that is easily understood by the average business person so many times a security professional is needed to understand the requirements and how to best implement them.  Professionals have experience implementing systems, policies, and procedures to satisfy the requirements of the regulation and enhance the security of your organization and some have obtained credentials such as the HISP (Holistic Information Security Practitioner) that signify their understanding of the regulations.  Often the requirements are given in general terms leaving the company to determine how to best satisfy the requirements.

First, companies need to assess which of the laws and acts apply to them. Then they need to organize their information security to address the boundaries put in place by the acts. This requires a set plan that outlines a consistent and effective way of alerting and dealing with threats.

But how do I assess which laws apply to which company?

Talking about the particular bills and which companies they apply to is slightly vague, so take your local hospital as an example. This hospital is publicly traded and not a federal agency, so it is not subject to FISMA. However, since it treats patients, it is subject to HIPAA. It must now look carefully at what protections it owes patients and put safeguards in effect to prevent a breach. At the ground level, it cannot use or disclose patient information except as the Privacy Rule permits (for treatment, payment, and health care operations, for example) or with the patient's written authorization. From a more technological perspective, the hospital cannot allow any system that handles patient information to be compromised. This means that controls need to be in place for those systems and for the equipment that allows access to them. Policies and procedures need to govern the activities of the people who interact with the systems, and training needs to take place so that users perform their duties properly and do not intentionally or unintentionally misuse the system.

Some companies may have to comply with multiple regulations.  In such cases it is best to outline all the regulations that impact the company first and then a determination can be made for which security controls to implement that satisfy the requirements of all the regulations they need to comply with.  This process can reduce the amount of money the organization spends on compliance efforts because it reduces duplication of effort and the likelihood that competing systems would be put in place to satisfy the same regulatory requirement.

The table below lists each regulation, what it regulates, and which organizations fall within its scope.

Regulation: HIPAA (Health Insurance Portability and Accountability Act)
What it regulates: A two-part act. Title I protects health insurance coverage for workers who change or lose their jobs. Title II (Administrative Simplification) standardizes electronic health care transactions and, through its Privacy and Security Rules, protects the privacy and security of individual patients' health information.
Company affected: Any organization that handles health care data as a covered entity or business associate. That includes but is not limited to doctor's offices, insurance companies, and employers that sponsor group health plans.

Regulation: Sarbanes-Oxley Act (SOX)
What it regulates: Requires public companies to maintain accurate financial records and internal controls, with audit records retained for seven years (Section 802). It was enacted to prevent another Enron-style accounting scandal.
Company affected: Boards and management of U.S. public companies, and public accounting firms.

Regulation: Federal Information Security Management Act of 2002 (FISMA)
What it regulates: Recognizes information security as a matter of national security and requires every federal agency to develop, document, and implement an agency-wide program to protect its information systems.
Company affected: All federal agencies, and contractors that operate systems on their behalf.

Regulation: Gramm-Leach-Bliley Act (GLBA)
What it regulates: Allowed insurance companies, commercial banks, and investment banks to be combined within the same company. On the security side, its Safeguards and Privacy Rules require financial institutions to protect the nonpublic personal information of clients and customers.
Company affected: "Financial institutions," which the FTC describes as "…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."

Regulation: Family Educational Rights and Privacy Act (FERPA)
What it regulates: Protects the privacy of student education records and gives parents and eligible students the right to inspect them and to control their disclosure.
Company affected: Any educational institution or agency that receives funds under a U.S. Department of Education program, including postsecondary institutions such as universities, academies, colleges, seminaries, technical schools, and vocational schools.

Regulation: Payment Card Industry Data Security Standard (PCI-DSS)
What it regulates: Not a law but a contractual standard set by the card brands: twelve requirements designed to reduce fraud and protect cardholder data.
Company affected: Any organization that stores, processes, or transmits credit card (cardholder) data.

There is an abundance of laws and bills on the books designed to protect information. However, it is not always clear to the average business decision maker which regulations apply to their company. That is where a security professional can greatly help a business make sense of such an area that grows more complex with each new regulation.  Compliance is critical and it begins by understanding which regulations affect your company and then outlining the steps to bring you into compliance.

For more information:

Seven Steps to Information Security Compliance

Data retention policies reduce the risk of data breach

What if I told you that you could reduce risk and costs at the same time? Skeptical? I would be. It sounds like some cheesy marketing ploy chock full of hidden costs, or high upfront costs with low ROI. No, I am not pitching a product or trying to sell you a solution. I am, however, trying to get your attention. I am talking about data minimization.

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured. There is a general fear of removing data lest it be needed some day but this practice is quickly becoming a problem that creates privacy and compliance risk. Some call it “data hoarding” and I am here to help you clean your closet of unnecessary bits and bytes.


Risk and Costs

The news is full of examples of companies losing data. These companies incur significant cost to shore up their information security and their reputations. In a study by the Ponemon Institute, the estimated cost per record for a data breach in 2009 was $204. Based on this, losing 100,000 records would cost a company over twenty million dollars. It is no wonder that companies are concerned. Those that are not in the news are spending a great deal of money to protect the information they collect.

So why are we collecting this information in the first place? Like abstinence campaigns, the surest way to avoid a data breach is not to store the data at all. This is where data minimization steps in to reduce risk. As part of the data minimization effort, organizations need to ask themselves three questions:


  1. Do I really need to keep this data?
  2. Would a part of the data be as useful as the whole for my purposes?
  3. Could less sensitive data be used in place of this data?


Do I really need to keep this data?

The first data minimization question to ask is: do I really need to keep this data? Some data is transient in nature. It is needed in the moment but not in the long term. Transient data should not be stored or archived; it can simply be discarded as soon as the transaction is complete. Optimally, this data should never be written to disk at all, but rather be kept in memory while processing the transaction and then cleared, to avoid storing it where an unauthorized party could later obtain it.

Other information such as buying preferences or survey data is collected to be used in aggregation and reporting. The individual responses may not be needed once the data has been aggregated so it should be purged. When analyzing business workflows, it is worth considering implementing a purge process following the aggregation and reporting process.

Effort should be made to periodically remove any records that are no longer relevant. After all, information has a shelf life, an expiration date if you will. The plain fact is that information that is no longer useful to the organization should be removed. This removes the privacy, compliance, eDiscovery or other risk associated with the data and allows organizational resources to be spent elsewhere.

Another instance where you should ask if you really need to keep data is when you have a copy of the data elsewhere. In this case, you do not need to keep the data because it is a duplicate. I understand the need for redundancy but build that into a centralized database system. In this way you can protect a single area but still provide high availability. If you absolutely need distributed systems, consider segmenting the database so that distributed systems only contain the portion of the data you need.


Would a part of the data be as useful as the whole for my purposes?

The second data minimization question to ask is: would a part of the data be as useful as the whole for my purposes? Sometimes it can be. Take a Social Security Number (SSN) for example. Storing only the last four digits may be as useful as storing the entire number, and the damage from disclosing just those digits is smaller than from disclosing the full SSN (though not zero: the last four digits are widely used as an authenticator, so they should still be treated as sensitive). Similarly, a company can store a truncated credit card number rather than the whole thing; PCI DSS permits at most the first six and last four digits of a card number to be kept in truncated form.

This area of data minimization is extremely important when working with credit cards and PCI compliance as places where numbers are stored need to be in full compliance with the regulation. This is a risk that compliance officers are eager to mitigate.


Could less sensitive data be used in place of this data?

The third data minimization question you should ask is: could less sensitive data be used in place of this data? Instead of storing a value that is global in nature, like a driver's license number or SSN, consider storing a customer ID that is only used by your company. This allows you to identify the customer without storing personal information, and it greatly reduces the cost of securing regulated data such as Protected Health Information (PHI) under HIPAA or cardholder data under PCI-DSS.

Another option is to store the answer to a security question, such as place of birth or mother's maiden name, instead of a password, although such answers are themselves personal data, are often guessable or discoverable, and should be stored hashed like any other secret. If passwords must be stored, store them as a salted hash produced by a deliberately slow function (bcrypt, scrypt, or PBKDF2) rather than as plain text or a bare MD5/SHA-1 digest. Passwords should never be stored as plain text.
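To show the three questions applied in code, here is an added example (not from the original post) that minimizes a constructed customer intake record: it keeps only the last four digits of the SSN, truncates the card number to the first six and last four digits as PCI DSS allows, replaces the global identifier with an opaque customer ID, and stores the password and the security-question answer as salted PBKDF2 hashes. The field names, the "cust_" prefix, and the choice of PBKDF2-HMAC-SHA256 (bcrypt, scrypt, or Argon2 would serve equally well) are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of a card number (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def ssn_last4(ssn: str) -> str:
    """Keep only the last four digits of an SSN; the full number is never stored."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a plausible SSN")
    return digits[-4:]


def new_customer_id() -> str:
    """Opaque surrogate identifier, meaningful only inside this system (assumed format)."""
    return "cust_" + secrets.token_hex(16)   # 128 random bits, no embedded personal data


PBKDF2_ROUNDS = 600_000   # deliberately slow; raise over time as hardware gets faster


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the same routine serves passwords and security-question answers."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and round count; compare in constant time."""
    alg, rounds, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def normalize_answer(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively, then hashed."""
    return " ".join(answer.lower().split())


def minimize(intake: dict) -> dict:
    """Apply the three questions to an intake record: keep nothing we do not need,
    keep a part instead of the whole, and keep a surrogate instead of a global identifier."""
    return {
        "customer_id": new_customer_id(),                        # replaces SSN / driver's license as the key
        "ssn_last4": ssn_last4(intake["ssn"]),                   # part instead of whole
        "card_truncated": truncate_pan(intake["card_number"]),   # PCI truncation; never CVV or track data
        "password_hash": hash_secret(intake["password"]),
        "question_hash": hash_secret(normalize_answer(intake["security_answer"])),
        "email": intake["email"],                                # needed to contact the customer, so kept
    }   # driver's license and survey free text are dropped entirely


if __name__ == "__main__":
    sample = {   # constructed sample, not real data
        "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111",
        "password": "correct horse battery staple", "security_answer": "  Springfield ",
        "email": "alice@example.com", "drivers_license": "D1234567",
        "survey_free_text": "no comment",
    }
    out = minimize(sample)
    print(out)
    print(verify_secret("correct horse battery staple", out["password_hash"]))
```

The hash string carries its own algorithm, round count, and salt, so the round count can be raised later and old records re-hashed on next login; the constant-time comparison in verify_secret avoids leaking how many leading bytes of a guess matched.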

To sum it all up, data minimization can reduce the amount of data you need to protect and store, reducing IT costs and information security costs and risk. Three questions can aid in determining what data to prune. Ask yourself (1) Do I really need to keep this data? (2) Would a part of the data be as useful as the whole for my purposes? And (3) Could less sensitive data be used in place of this data?

For further reading

Time for a Data Diet? Deciding What Customer Information to Keep — and What to Toss

Ponemon Study Shows the Cost of a Data Breach Continues to Increase

Security special report: The internal threat

Less Data, More Security