Analysis: Security Blunders at Government Health Agencies

Recent Breaches Spotlight Challenges Similar to Those in Private Sector
Recent data breaches in Washington state and Florida illustrate that government health agencies can be just as vulnerable to security incidents involving sloppy breach prevention or detection practices as healthcare organizations in the private sector.
The Washington incident involved the theft of an unencrypted, personally owned mobile device containing personal information. The Florida incident, meanwhile, involved a failure to detect a breach until a third party provided notification.
A number of factors contribute to the struggles that state and federal agencies face in preventing and detecting breaches.
"Protecting health data is challenging in every setting," says Dan Berger, CEO of security consulting firm Redspin. "Ultimately, it comes down to reducing risk - and that can only be achieved by investing in expertise - either internal hires or outside consultants - technology and training. Government health agencies are typically even more budget-constrained than private health organizations when it comes to IT security."
The U.S. House Committee on Oversight and Government Reform recently spotlighted an incident involving stolen unencrypted mobile devices in Washington state in a letter to Department of Health and Human Services Secretary Sylvia Mathews Burwell.
The committee said it was seeking details of the Feb. 8 theft of a personally owned laptop and two hard drives from an Olympia, Wash.-based employee of the Administration for Children and Families, a unit of HHS.
The Associated Press has reported that the incident potentially affects millions of individuals.
"The laptop was used to conduct Office of Child Support Enforcement audits. Your staff acknowledged that the use of personal equipment is a clear violation of HHS privacy and security policy," the letter states. The committee learned of the incident on March 25 from an HHS representative who informed legislators that HHS was making a notification under the Federal Information Security Modernization Act.
The letter asks Burwell why HHS "waited nearly two months ... to provide Congress with notification under FISMA, which requires notification 'not later than seven days after the date on which there is a reasonable basis to conclude that [a] major incident has occurred.'"
The committee is also demanding that HHS describe the number of individuals potentially impacted; the type of information potentially compromised; and any HHS databases affected.
A spokesperson for the House committee tells ISMG that the committee is working on setting a date for a briefing with HHS about the incident.
As of April 12, approximately 30 percent of the 1,520 incidents listed on the HHS "wall of shame" website, which lists major health breaches affecting 500 or more individuals, involved lost or stolen devices. The recent Washington incident is not yet listed on the federal breach tally.
The Florida Department of Health in Palm Beach County, in an April 11 statement, said it recently learned from federal law enforcement officials that the PHI of some of its health center clients had been compromised by "unauthorized disclosure and/or use."
A Florida health department spokesman tells ISMG that approximately 1,000 individuals have been affected by the breach. "The Justice Department gave us a list [of breached individuals] - we verified it was clients and notified them."
Data compromised by the breach includes names, dates of birth, Social Security numbers, Medicaid numbers, phone numbers and medical record numbers.
The Florida health department is "offering advice on where to obtain free credit check[s]," he says. As for steps the department is taking to bolster security, he says, "We also revamped computer systems and information captured over the past two years."
In recent months, some private sector healthcare organizations - including Florida-based 21st Century Oncology - have also first learned from law enforcement of breaches involving patient data at their organizations.
While many organizations in the public and private sectors often struggle with security, government agencies - especially federal ones - generally also have more requirements to meet that should help bolster security, says Mac McMillan, CEO of security consulting firm CynergisTek.
"FISMA is more demanding than HIPAA. It's based on the NIST Cybersecurity Framework and is, therefore, more complete," he says. "Any organization just following HIPAA would arguably be more at risk than someone following FISMA. The majority of private sector health organizations have selected NIST as their framework" as a way to strengthen their efforts, he notes.
Bob Chaput, CEO of security consulting firm Clearwater Compliance, adds: "HIPAA security regulations detail the 'what': administrative, physical and technical security safeguards that are required to be put into place. FISMA details the 'how': how to develop, document and implement an agencywide information security program as specifically defined by NIST. Ostensibly, FISMA is more demanding because it requires these agencies to follow the NIST approach to information risk management, whereas HIPAA does not require organizations to follow NIST."
Health data security incidents at government agencies aren't rare. In fact, the HHS wall of shame features a number of such incidents.
Some of those breaches have attracted significant scrutiny from government watchdog agencies.
For instance, data security at Utah's Department of Health was the subject of a critical report in February by HHS' Office of Inspector General. In OIG's comprehensive review of security, conducted in the aftermath of two data breaches at the department, including a major hacker attack in 2012 affecting 780,000 individuals, the government watchdog agency said it found 39 "high-impact" weaknesses.
McMillan says all healthcare-related organizations are faced with similar security challenges. "At the end of the day, it's still a network, systems, applications, data and users. In the world of information security, when it comes to the basics, we are generally all equal."
Still, the recent breaches involving government entities shine a spotlight on some fundamental security governance problems that put health data at risk as cyber threats grow, Chaput says.
"It takes time, money and resources to establish a strong information security and cyber risk management program," Chaput says. "Because health information is so much more valuable than financial information, I would expect going forward that we will see more hacking of government agencies, like the one that attacked the Office of Personnel Management. As we see over and over again, and in the OPM case, organizations are simply not starting with the basic foundational step to build any information security program in any industry: risk assessment."