Sunday, November 6, 2016

2nd Proposal

Question: The initial question we asked was “What kinds of healthcare data breaches have happened?”. As we have learned more, this has evolved into the following two questions. First, what are the underlying causes of healthcare data breaches and HIPAA violations? Second, how does the cost of these breaches impact the industry as a whole? We will use specific case studies and aggregate data to learn about the underlying causes of data breaches and HIPAA violations. We will use the knowledge gained from answering our first question, along with any additional information we can collect, to answer our second question.


Research method:
As described in the first draft of our research proposal, we plan to use a combination of case studies and data breach statistics. Case studies will be used to learn about the types of situations in which breaches occur and how each breach was handled by the organization. This will also allow us to see what kinds of implicit and explicit consequences resulted from the breach.
In addition, under the HITECH Act, a list must be published of data breaches affecting more than 500 individuals. The list includes a summary of each breach and some specifics: the type of data compromised, the method of the breach, the location of the data (laptop, desktop, server, etc.), and the actions taken following the breach.

Resources:
    • List provided by the US Department of Health and Human Services of health data breaches. This site is updated regularly and includes data from 2009 to today. This will allow us to analyze a larger amount of data than articles and case studies alone would provide. The website allows for an Excel export, which we can then use to find similarities or frequencies within the breaches.
    • A collection of articles provided by the Ponemon Institute that cover a range of security-focused topics. The source contains articles dating back to January 2012. The main benefit of this source is that the articles are detailed. However, the main drawback is that Ponemon is not updated regularly, or even once a month. That said, there are still 47 articles currently available.


Sunday, October 23, 2016

Group Project - Initial Research

While we feel that our original project proposal covered our project adequately, we have decided to begin investigating breaches and associated consequences. Below are a few sources we have looked into and we will continue to further our research and gather information for a recommendation as the weeks progress.


Data Encryption in Healthcare
This article briefly explains the concern healthcare IT professionals have about hacking, but points out that many still do not encrypt data. One of the surveys discussed in the article states that over 80% of those surveyed have made cybersecurity a higher priority in 2016. However, the data also show that 41% still do not encrypt data in transit and 36% fail to encrypt data in storage. When it comes to cybersecurity, encryption of data should be a ‘no-brainer’ and a standard practice at all times. By not encrypting data, these organizations are not safeguarding patient information and are an easy target for medical identity theft. In one episode of the hit cybersecurity drama-thriller Mr. Robot, the protagonist points out the inadequate state of a hospital’s security systems. Sadly, there is some real-life truth to this point: 55% of survey respondents cited a lack of financial resources, and 59% cited a struggle to find “appropriate cybersecurity personnel”, as barriers to their ability to mitigate cybersecurity risks.

How Healthcare Records are Being Exposed
This article provides a breakdown of all major security breaches that have been listed on the OCR Breach Portal by midyear 2016. The sheer number of breaches and potentially leaked files by only midyear shows just how widespread the cybersecurity problem in the healthcare industry really is. Data follows.
  • 48 data breaches were reported as unauthorized access
  • 43 data breaches were attributed to hacking or network server incidents
  • 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper disposal of records
In terms of the records that were stolen or exposed:

  • 60% were due to hacking (2,703,961 records)
  • 78% were due to loss/theft (1,342,125 records)
  • 6% were the result of unauthorized access or disclosure (342,748 records)
  • 63% were the result of improper disposal (118,594 records)
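The resources entry above proposes exporting the HHS breach list to a spreadsheet and counting similarities or frequencies, and the breakdown just given is the kind of result that produces. The script below is an added example (not code from this blog or from HHS) of that aggregation done in Python: it reads breach-portal-style rows, maps the portal's breach categories onto the four buckets used in the breakdown (hacking, loss/theft, unauthorized access, improper disposal), and reports both incident counts and record shares per bucket, because a category can be the most frequent by incident count while another dominates the number of records exposed. The column names and all sample rows are constructed assumptions modelled on the portal's export, not its guaranteed schema. The `shares_from_totals` helper recomputes percentage shares from a set of record totals, which is the consistency check to run on figures like the ones quoted above.

```python
"""Aggregate breach-portal-style records by breach type and location.

Added example; column names are assumptions modelled on the HHS/OCR
breach report export, and every row below is constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows: entity names, counts and dates are invented.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,OH,Healthcare Provider,5000,01/15/2016,Hacking/IT Incident,Network Server
Example Clinic B,TX,Healthcare Provider,1200,02/03/2016,Theft,Laptop
Example Plan C,CA,Health Plan,800,02/20/2016,Unauthorized Access/Disclosure,Email
Example Clinic D,NY,Healthcare Provider,20000,03/11/2016,Hacking/IT Incident,Network Server
Example Clinic E,FL,Healthcare Provider,300,03/29/2016,Improper Disposal,Paper/Films
Example Clinic F,WA,Healthcare Provider,2500,04/05/2016,Loss,Other Portable Electronic Device
Example Clinic G,IL,Healthcare Provider,400,04/22/2016,Theft,Desktop Computer
"""

# Map the portal's finer-grained categories (assumed names) onto the four
# buckets used in the breakdown above.
BUCKETS = {
    "Hacking/IT Incident": "hacking",
    "Theft": "loss/theft",
    "Loss": "loss/theft",
    "Unauthorized Access/Disclosure": "unauthorized access",
    "Improper Disposal": "improper disposal",
}


def parse_rows(text):
    """Parse CSV text into dicts with a bucket, an affected count and a location."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        try:
            affected = int(r["Individuals Affected"].replace(",", ""))
        except (ValueError, KeyError):
            continue  # skip rows without a usable count
        rows.append({
            "bucket": BUCKETS.get(r["Type of Breach"], "other"),
            "affected": affected,
            "location": r["Location of Breached Information"],
        })
    return rows


def shares_from_totals(totals):
    """Percentage share of records per category, rounded to one decimal."""
    grand = sum(totals.values())
    if grand == 0:
        return {k: 0.0 for k in totals}
    return {k: round(100 * v / grand, 1) for k, v in totals.items()}


def summarize(rows):
    """Incident count, record total and record share for each bucket."""
    incidents = defaultdict(int)
    records = defaultdict(int)
    for r in rows:
        incidents[r["bucket"]] += 1
        records[r["bucket"]] += r["affected"]
    shares = shares_from_totals(dict(records))
    return {
        b: {"incidents": incidents[b], "records": records[b], "share_pct": shares[b]}
        for b in incidents
    }


def location_counts(rows):
    """How many incidents involved each storage location."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["location"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for bucket, stats in sorted(summarize(rows).items(), key=lambda kv: -kv[1]["records"]):
        print(f"{bucket:22s} incidents={stats['incidents']:2d} "
              f"records={stats['records']:7d} share={stats['share_pct']:5.1f}%")
    print(location_counts(rows))
```

On the constructed sample, loss/theft is the most frequent bucket by incident count (three incidents) while hacking accounts for most of the exposed records, which is the distinction the two lists above are drawing; a real export would be passed to `parse_rows` the same way after saving the portal's spreadsheet as CSV.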

HIPAA Settlement
This article describes what extreme costs can be associated with a HIPAA breach or violation. Triple-S Management Corp was fined $3.5 million after they had repeatedly left beneficiary PHI vulnerable. They failed to maintain appropriate safeguards, failed to implement security measures, and failed to perform risk analysis in order to comply with HIPAA.

Keystroke Logger Breach
Computers in a Kentucky hospital had been infected with a keystroke logger that might have been capturing patient information since 2012. Although there is no evidence that the information was used inappropriately, the hospital still conducted extensive research to resolve the issue. As a consolation to any patients who might have been affected, the hospital offered a year of identity protection services.

BCBS Cyber Attack
This cyber attack led to the capture of 10.5 million individuals’ social security numbers and other PHI, making it the third largest HIPAA breach ever. The insurance company offers its customers two years of identity protection. The CEO explained that the large number of systems within the company makes it difficult to maintain security.

Tuesday, October 4, 2016

Group Project Proposal - Security Breaches

Objective:

(2) Enhance the patient care experience (including quality, access, and reliability)

Problem:
Healthcare data can include a variety of extremely personal information. Confidential patient information regarding diagnoses, procedures, medication, and medical history is kept electronically by various healthcare institutions and providers. HIPAA was put in place to protect the patient data and to maintain confidentiality. We are interested in researching how detailed patient information is kept secure and what measures are in place to ensure the health information is not inappropriately shared. If the security measures fail and a breach occurs, we want to research how the error is managed and what consequences occur. Since a security breach could be a potential HIPAA violation, we want to know how that is handled and what implicit and explicit costs are included.

Data Collection:
In order to complete our research, we will use case studies of previous security breaches to see how the situation was controlled. We can also search for statistics on how often breaches occur and what type of healthcare data was released. Research and news articles can also be used to provide information about specific security breach incidents. By becoming more familiar with HIPAA regulations, we will be able to identify the associated breach consequences and what data security standards exist that must be met to comply with HIPAA.

Hardware/Software:
Unfortunately, there is no simple hardware or software recommendation that can be made to address the problem proposed above. Let’s get one thing straight: everything is hackable. With enough time and resources, every security system can be breached. The only thing that can be done is to make it as difficult as possible for hackers to break in. The amount of money a company is willing to spend on its security systems determines the range of solutions available to it. Multiple third-party services are available, such as anti-virus and anti-malware software like Sophos or Windows Defender. Attacks can come in a variety of forms, ranging from system breaches to denial of service. The problem above is multifaceted, and as such there are numerous hardware or software steps that can be taken to address it. One facet of this problem can be addressed through DDoS protection services.

Controversy:
The main controversy regarding healthcare data security is whether companies are doing “enough” to protect customers’ data. At the end of the day, there are always more or better things that can be done to protect a customer’s data. However, everything has a trade-off. This is where companies must make a cost-benefit analysis of the potential options available to them and consider the social, ethical, financial, and legal implications of their choices.

Tuesday, September 13, 2016

Assignment 2: HIT Security Breaches Research Proposal

Healthcare companies hold a large amount of a customer's private information, from social security numbers and bank information to medical records. As such, we as customers would hope that these companies are protecting our information. However, there is always a risk that data breaches will occur. When discussing data breaches in the healthcare industry, there are three main points to consider: what caused the data breach, what the breach cost, and what can be done to prevent the breach from happening again. As someone who cares about who has access to my information, I find each of those three points important. If a data breach were to occur, I want to know what information was possibly exposed, how it was exposed, and what is being done to correct it and prevent it from happening again. I also care about the cost of the security breach, because that cost will eventually come down on the customers in one way or another.

You might be thinking: why would a hacker go after my healthcare data rather than my bank information or my identity? Isn't it money they're after? You might be surprised to learn that 1 in 3 Americans were victims of a healthcare data breach, according to the Bitglass 2016 Healthcare Breach Report. This statistic was surprising to me because it illustrated just how many people were affected by healthcare data breaches. During my research, I learned that data breaches can occur in any number of ways. Data can be exposed for any reason, from hackers to patient files falling from a vehicle transporting the files to be incinerated. Another fact I found particularly intriguing was the average cost per file for healthcare security breaches. Globally, the average cost of healthcare data breaches is $355 per record. From the initial research I have done into this topic, it is clear that healthcare data breaches are extremely common, costly, and happening at an increasing rate.

Through further research, I would like to learn more about what is being done to prevent data breaches from occurring. I would like to learn more about the specific types of data breaches that affect healthcare companies. This includes the smaller data breaches that don't make it into healthcare IT news. In my opinion, it seems as if healthcare companies are not doing enough to protect customers' information. It can appear this way because of just how many healthcare records are exposed on average per month, and because healthcare data breaches are happening more frequently. For the most part, this is not even due to healthcare companies' greatest asset and liability: their employees.

The majority of data breaches are the result of hacks. As such, healthcare companies' network security is one of my biggest concerns. If an employee's company account is breached, that counts as a security breach. It is important that companies make a reasonable effort to prevent this and other such data breaches from occurring. Another area I would like to research further is the cost of these preventative measures. The biggest cost of a security breach is loss of business. However, is the cost of a particular preventative measure higher than the cost of the security breach? If so, are companies choosing profit over the security of my information?