
Mitigating Data Theft in the Healthcare Environment

Bill Piwonka, for HealthLeaders News, September 4, 2007
September 2006 was a bad month for healthcare data privacy. On September 15 of that year, the Mercy Medical Center in Merced, CA, inadvertently compromised sensitive data (including the names, social security numbers and medical records for 295 of its patients) when a USB flash drive containing the information was found by a local citizen at the County Fairgrounds near the hospital’s information booth. The next day in Detroit, MI, the Michigan Department of Community Health reported that it had a flash drive missing. That particular memory device contained the names, addresses, dates of birth and social security numbers for 4,000 Michigan residents. Exactly one week later, the Erlanger Health Center in Chattanooga, TN, lost 4,150 records on current and former employees, including their social security numbers, when a USB flash drive was stolen from a hospital office.

The healthcare industry is up to its eyeballs in sensitive and privileged patient data, and awash with regulations that make it a state or federal offense to fail to keep that data private. Yet this situation will only grow worse in the coming months and years, as organizations steadily adopt electronic health records and other initiatives that greatly increase both the amount of electronic data and the risks of data loss or theft. Let’s face it--it’s not easy to steal a file cabinet. But it is easy to steal or lose the equivalent of dozens of file cabinets on a flash drive the size of a pen.

According to the Privacy Rights Clearinghouse, 155,160,842 individual records have been stolen from organizations to date. If the examples above aren’t enough to illustrate the point, here’s another: a recent data breach at Pfizer exposed more than 17,000 current and former employee records, including such sensitive data as social security numbers, when records were stolen from an employee laptop.

A modern, portable storage device, such as a USB stick or even an iPod or PDA, can copy this amount of data almost instantly. Conversely, these devices are also increasingly becoming a vector for delivery of computer viruses and related security breaches. In one of the more brazen security threats over the past year, Trojan-infected USB flash drives were scattered in a London parking lot in hopes that they would be picked up and used by an unsuspecting public. This points to another important consideration: data loss most often involves employees--usually without any malicious intent--and their use of these ubiquitous and inexpensive devices.

And while these devices are cheap, the cost of data theft to an organization is extremely high. A combination of state and federal regulations, industry watchdog groups and corporate governance requirements will dictate that the loss be publicly announced, which immediately impacts consumer confidence. The damage control and investigation costs then begin to mount. Additionally, if there was a failure to follow regulatory guidelines dictated in the Health Insurance Portability and Accountability Act (HIPAA) or similar statutes, then fines and other criminal penalties may come into play. Therefore, even the loss of a small amount of data can have tremendous financial implications for a business. According to Forrester Research, the current cost per individual stolen record is believed to be $90, with Ponemon Institute pushing the number to $182. To put that in perspective, that means the aforementioned Michigan Department of Community Health stands to lose between $360,000 and $728,000, and that’s before any HIPAA or other regulatory penalties.

Yet in a recent report on data loss and endpoint security by industry research firm Aberdeen Group--which identified compliance with internal security policies and outside regulations as the two main drivers for an IT focus on data protection--another interesting fact was uncovered. While most organizations readily identify endpoint security and data theft as a top IT issue, few have taken action to mitigate the threat.

Often this is simply because healthcare IT organizations are not entirely certain how to best go about protecting against data loss via portable devices. The answer, fortunately, is relatively straightforward: (1) develop an Acceptable Use Policy, (2) educate and train employees regarding proper use and restrictions on portable devices in the workplace and (3) adopt the tools necessary to enforce that policy and protect data by controlling and monitoring endpoint security.

Developing an Acceptable Use Policy for portable devices first means that you need to understand your acceptable risk. Oftentimes there are legitimate uses for these devices in the workplace, and completely banning or blocking them from the organization would have an unacceptably detrimental impact on overall efficiency. Thus, understanding current usage in your environment is the first step toward control. The next step is to fix the big holes; for example, with only a few exceptions employees should not need to connect an iPod in the workplace. However, a word of caution here--many organizations aim for too much granularity too quickly; a layered approach where you continuously implement/monitor/assess is much more likely to result in steady improvement while avoiding major disruption. By avoiding unnecessary complexity, it is also more likely that the policy will be successfully adopted without being costly to manage.

Beyond the adoption and training around an AUP, the most critical step is adopting the right tools to monitor and control endpoint security. These tools can allow the organization to monitor device connection (useful in determining/fine-tuning the AUP), block or control the connection of specific devices and ports, encrypt data on the move (to protect information even if devices are lost), and audit file transfer for security forensics. The best tools include all of the above capabilities as well as customizable user-based black-lists and white-lists identifying acceptable devices and protection for a wide array of devices and ports (including USB, FireWire, LPT, COM, Internal/External CD/DVD, Wi-Fi and Bluetooth), and they offer a variety of temporary access privileges to allow for the inevitable exceptions in every work environment.
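The policy logic described in the two paragraphs above (restricted device classes, user-based white-lists, temporary access privileges, and a monitor-only phase before enforcement) can be sketched as follows. This is an added example, not code from the article or from any endpoint security product; the class, device-class names, users and serial numbers are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class DevicePolicy:
    restricted: set                 # device classes denied unless explicitly approved
    allow: dict                     # user -> set of approved device serial numbers
    temporary: dict = field(default_factory=dict)  # (user, serial) -> expiry time
    enforce: bool = False           # False: monitor only, to tune the AUP first

    def decide(self, event):
        """Return (verdict, reason) for one (user, serial, class, time) event."""
        user, serial, dev_class, when = event
        if dev_class not in self.restricted:
            return "allow", "class not restricted"
        if serial in self.allow.get(user, set()):
            return "allow", "user allow-list"
        expiry = self.temporary.get((user, serial))
        if expiry is not None and when <= expiry:
            return "allow", "temporary exception"
        reason = "temporary exception expired" if expiry else "not on allow-list"
        return ("block" if self.enforce else "audit"), reason

def assess(policy, events):
    """Count decisions per (verdict, reason) for the monitor/assess cycle."""
    tally = {}
    for event in events:
        key = policy.decide(event)
        tally[key] = tally.get(key, 0) + 1
    return tally

# Constructed sample data: users, serials and timestamps are invented.
POLICY = DevicePolicy(
    restricted={"usb-storage", "media-player"},
    allow={"nurse1": {"SN-A100"}},
    temporary={("clerk2", "SN-B200"): datetime(2007, 9, 3, 17, 0)},
)
EVENTS = [
    ("nurse1", "SN-A100", "usb-storage", datetime(2007, 9, 3, 9, 0)),
    ("clerk2", "SN-B200", "usb-storage", datetime(2007, 9, 3, 10, 0)),
    ("clerk2", "SN-B200", "usb-storage", datetime(2007, 9, 4, 8, 30)),
    ("clerk2", "SN-C300", "media-player", datetime(2007, 9, 4, 12, 0)),
    ("nurse1", "SN-K001", "keyboard", datetime(2007, 9, 4, 12, 5)),
]

if __name__ == "__main__":
    for (verdict, reason), count in sorted(assess(POLICY, EVENTS).items()):
        print(f"{verdict:5} {reason:28} {count}")
```

Running it in monitor mode shows which connections would be refused and why; the tally is what feeds the implement/monitor/assess cycle before `enforce` is switched on.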

Data privacy--and theft--is a significant challenge in the healthcare industry. However, it can be an entirely manageable challenge if the organization simply takes the appropriate steps. And the impact of adequately protecting data can be substantial; just think of how much easier life would have been for the IT groups at any of the healthcare organizations highlighted at the start of this article if they could simply state that loss was prevented because the data was encrypted or the devices were blocked. Now that is mitigating data theft in the healthcare environment.

Bill Piwonka is vice president of Product Management at Centennial Software. He can be reached at bpiwonka@centennial-software.com.