In recent years, many hospitals and health systems have been affected by a data breach. According to a study by the Ponemon Institute, 94 percent of organizations surveyed experienced at least one data breach in the previous two years. Forty-five percent of organizations experienced more than five data breaches in the past two years.
Part of this increase is due to emerging technology. While innovative, they create new vulnerabilities and challenge the industry to create new security and privacy protocols. Unfortunately, the vulnerabilities revealed by new technology will continue to haunt organizations that have yet to evolve their policies and procedures. In addition, healthcare organizations stand to face cyber issues beyond emerging technology, according to the "2013 Cyber Security Forecast" by Kroll Advisory Solutions.
Here, Alan Brill, senior managing director of Kroll Advisory Solutions, discusses four cyber issues that hospitals and health systems should pay attention to in 2013.
1. Vampire data. "Vampire data" is data that a hospital does not know exists and comes back to bite the organization later, says Mr. Brill. If an organization is not aware of data, it is hard to protect it from being breached. Examples include decades-old backup tapes and archives that should have been deleted, emails that should have been destroyed after 90 days but still exist indefinitely on employees' desktops, and material that was copied to portable or cloud storage without the organization's consent or knowledge.
"While it may not be a sanctioned copy of data, it may still be a discoverable one, and it can certainly be stolen or lost, causing a data breach," says Mr. Brill. "Data exists in myriad locations and in a multitude of formats within an organization, and we've seen too many instances where clients just didn't know the data existed until they experienced an attack."
What organizations can do
According to Mr. Brill, organizations need to take inventory of data, classify it by confidentiality or sensitivity level and handle it accordingly. Organizations should only allow users to access the data they need and provide employees with regular data handling training to avoid unnecessary data dissemination or transmission, says Mr. Brill.
"If you can find it, you can manage it. If you have the tools that can go out across your network and look for unusual files, that will be a good start," says Mr. Brill. "It is really a matter of taking the time and the effort to know where information is collected, stored and used. You cannot make an assumption that everything is okay. If you don't look, you are not going to see it."
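An added example, not from the article or from Kroll, of the kind of inventory tool Mr. Brill describes: it walks a file tree, assigns each file a retention class, flags copies that have outlived a constructed retention policy (such as the 90-day email rule above) and notes crude sensitivity markers. The retention limits, the marker patterns and the sample files are assumptions for illustration; a real deployment would plug in the organization's own classification rules.

```python
import os
import re
import tempfile
import time

# Constructed retention policy: maximum age in days per file class (assumption, not the article's).
RETENTION_DAYS = {"email": 90, "backup": 365 * 7, "other": 365}

# Hypothetical sensitivity markers; a crude stand-in for a real classification engine.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,}\b", re.IGNORECASE),
}

def classify_kind(path):
    """Map a file to a retention class by extension."""
    ext = os.path.splitext(path)[1].lower()
    if ext in (".eml", ".msg", ".pst"):
        return "email"
    if ext in (".bak", ".tar", ".tgz"):
        return "backup"
    return "other"

def scan(root, now=None):
    """Walk root; report files that exceed retention or contain sensitive markers."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = classify_kind(path)
            age_days = int((now - os.path.getmtime(path)) // 86400)
            with open(path, "rb") as fh:
                head = fh.read(65536).decode("utf-8", "replace")  # only inspect the first 64 KiB
            markers = sorted(k for k, pat in SENSITIVE_PATTERNS.items() if pat.search(head))
            stale = age_days > RETENTION_DAYS[kind]
            if stale or markers:
                findings.append({"path": path, "kind": kind, "age_days": age_days,
                                 "markers": markers, "stale": stale})
    return findings

def build_sample_tree():
    """Constructed sample: a 400-day-old mailbox export holding identifiers, plus a fresh note."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "inbox_2009.eml")
    with open(old, "w") as fh:
        fh.write("Patient SSN 123-45-6789, MRN: 00012345\n")
    os.utime(old, (0, time.time() - 400 * 86400))  # backdate mtime by 400 days
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("cafeteria menu\n")
    return root
```

Running `scan(build_sample_tree())` reports only the stale mailbox export, with both markers, while the fresh note is ignored.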
2. Forensic investigations. As organizations come to understand the reputational and financial importance of forensics investigations following data breaches, the healthcare industry will see more efficiency in breach responses, says Mr. Brill. Currently, many organizations do not log or document their information technology activities properly and this can throw an investigation of a data breach off track.
"Like any applied science, forensics requires certain real-world tools and applications in order to be successful. During a forensics investigation, we sometimes have limited resources at our disposal because organizations aren't properly logging or documenting their activities," says Mr. Brill. "As a result, organizations will spend more money to discover whether the breach occurred and what was lost, and may wind up sending notifications based on reasonable assumption rather than concrete evidence of exposure."
For instance, Mr. Brill was part of a situation where a computer was stolen from a hospital's emergency room. The staff was distraught over the theft because the computer held half a million records. However, when Mr. Brill and his team investigated the hospital's network logs, they found that the computer was stolen before any patient records were transferred to the computer.
"While everyone was convinced that the records had been transferred and a data breach had occurred, the objective records forensically showed that a breach did not occur. Such a breach could have been extremely expensive, but with a short investigation, we discovered that a breach hadn't occurred and a response was not necessary," says Mr. Brill.
What organizations can do
Hospitals should turn on logs and make sure they are retained long enough to be useful, says Mr. Brill. It is also helpful to perform a security assessment and train key employees in the basics of immediate breach response.
"The employees who are most likely to be first responders in a breach should know how to respond without wiping out vital evidence needed to understand the incident, or if applicable, meet the requirements set by the cyber insurance policy carrier," says Mr. Brill.
3. Malicious hackers. It used to be that insider attacks were generally perceived as the most malicious — if a breach was perpetrated by a malicious insider, the results could be pretty nasty. According to Mr. Brill, the latest batch of cyber attackers are delving deeper into the cyber warfare and cyber terrorism space — they are coming to destroy the secure network, erase pertinent data and wreak havoc with physical equipment.
"Kroll Advisory Solutions worked on a handful of very large engagements in 2012 that involved this type of attack, and in each case, the company was hit by an attack that destroyed data on a large number of machines throughout the enterprise," says Mr. Brill.
Malicious hackers may seem like a problem strictly for large hospitals and health systems, but these types of attacks have occurred at organizations of all sizes, according to Mr. Brill.
What organizations can do
Hospitals need to have a backup plan that addresses both software and hardware. Don't assume that backup data files equal a plan for restoration.
"Just because you have backup data it does not mean you will always have the ability to read it or use it. It would be like if old family photos were on a disk drive. Computers do not have disk drives anymore. It would be hard to access those photos on modern computers," says Mr. Brill.
4. Nondisclosure. According to Mr. Brill, the healthcare industry has already seen an increase in the number of breaches where patients have been notified that their sensitive data was lost, and he expects to see that trend accelerate in 2013.
"The debate on nondisclosure may continue, but we will start to see more and more organizations speaking up — even when the loss is not personally identifiable or concerning protected health information. In some cases, nondisclosure will simply not be an option," says Mr. Brill. "For instance, if a hospital experiences a data attack, everyone will know once its systems are down. In other instances, the threat will be too insurmountable without help from security consultants and government entities."
What organizations can do
It is becoming more important for hospitals to contract with outside resources, such as an investigation and forensics partner, a privacy law firm and/or a breach notification partner.
"When a security incident occurs, having providers in place to assist with the investigation, advise on current legal requirements and prepare a response will save time and expense for the hospital," says Mr. Brill.