Sunday, October 23, 2016

Group Project - Initial Research

While we feel that our original project proposal covered our project adequately, we have decided to begin investigating breaches and their associated consequences. Below are a few sources we have looked into, and we will continue to further our research and gather information for a recommendation as the weeks progress.


Data Encryption in Healthcare
This article briefly explains the concern healthcare IT professionals have regarding hacking, but points out that many still do not encrypt data. One of the surveys discussed in the article states that over 80% of those surveyed made cybersecurity a higher priority in 2016. However, the data also shows that 41% still do not encrypt data in transit and 36% fail to encrypt data in storage. When it comes to cybersecurity, encrypting data should be a ‘no-brainer’ and a standard practice at all times. By not encrypting data, these organizations are not safeguarding patient information and are an easy target for medical identity theft. In one episode of the hit cybersecurity drama-thriller Mr. Robot, the protagonist points out the inadequate state of a hospital’s security systems. Sadly, there is some real-life truth to this point: 55% of survey respondents cited a lack of financial resources, and 59% cited a struggle to find “appropriate cybersecurity personnel”, as barriers to their ability to mitigate their cybersecurity risks.

How Healthcare Records are Being Exposed
This article provides a breakdown of all major security breaches listed on the OCR Breach Portal by midyear 2016. The sheer number of breaches and potentially leaked files by only midyear shows just how widespread the cybersecurity problem in the healthcare industry really is. The breakdown by cause is as follows:
  • 48 data breaches were reported as unauthorized access
  • 43 data breaches were attributed to hacking or network server incidents
  • 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper disposal of records
In terms of the records that were stolen or exposed:
  • 60% were due to hacking (2,703,961 records)
  • 78% were due to loss/theft (1,342,125 records)
  • 6% were the result of unauthorized access or disclosure (342,748 records)
  • 63% were the result of improper disposal (118,594 records)

HIPAA Settlement
This article describes the extreme costs that can be associated with a HIPAA breach or violation. Triple-S Management Corp was fined $3.5 million after repeatedly leaving beneficiary PHI vulnerable. It failed to maintain appropriate safeguards, failed to implement security measures, and failed to perform risk analysis as required to comply with HIPAA.

Keystroke Logger Breach
Computers in a Kentucky hospital had been infected with a keystroke logger that might have been capturing patient information since 2012. Although there is no evidence that the information was used inappropriately, the hospital still conducted an extensive investigation to resolve the issue. As a consolation to any patients who might have been affected, the hospital offered a year of identity protection services.

BCBS Cyber Attack
This cyber attack led to the capture of 10.5 million individuals’ social security numbers and other PHI, making it the third largest HIPAA breach ever. The insurance company offers its customers two years of identity protection. The CEO explained that the large number of systems within the company makes it difficult to maintain security.

Tuesday, October 4, 2016

Group Project Proposal - Security Breaches

Objective:

(2) Enhance the patient care experience (including quality, access, and reliability)

Problem:
Healthcare data can include a variety of extremely personal information. Confidential patient information regarding diagnoses, procedures, medication, and medical history is kept electronically by various healthcare institutions and providers. HIPAA was put in place to protect the patient data and to maintain confidentiality. We are interested in researching how detailed patient information is kept secure and what measures are in place to ensure the health information is not inappropriately shared. If the security measures fail and a breach occurs, we want to research how the error is managed and what consequences occur. Since a security breach could be a potential HIPAA violation, we want to know how that is handled and what implicit and explicit costs are included.

Data Collection:
In order to complete our research, we will use case studies of previous security breaches to see how the situation was controlled. We can also search for statistics on how often breaches occur and what type of healthcare data was released. Research and news articles can also be used to provide information about specific security breach incidents. By becoming more familiar with HIPAA regulations, we will be able to identify the associated breach consequences and what data security standards exist that must be met to comply with HIPAA.

Hardware/Software:
Unfortunately, there is no simple hardware or software recommendation that can be made to address the problem proposed above. Let’s get one thing straight: everything is hackable. With enough time and resources, every security system can be breached. The only thing that can be done is to make it as difficult as possible for hackers to break in. The amount of money a company is willing to spend on its security systems determines the range of solutions available to it. Multiple third-party services are available, such as anti-virus and anti-malware software like Sophos or Windows Defender. Attacks can come in a variety of forms, ranging anywhere from system breaches to denials of service. The problem above is multifaceted, so there are numerous hardware or software steps that can be taken to address it. One facet of this problem can be addressed through DDoS protection services.

Controversy:
The main controversy regarding healthcare data security is whether companies are doing “enough” to protect customers’ data. At the end of the day, there are always more or better things that can be done to protect a customer’s data. However, everything has a trade-off. This is where companies must make a cost-benefit analysis of the potential options available to them and consider the social, ethical, financial, and legal implications of their choices.