A Breach Prevention Checklist
In an interview (transcript below), Hourihan outlines key steps, including:
- Conducting a detailed risk analysis;
- Encrypting mobile devices and media as well as desktop computers;
- Working with business associates to ensure they take adequate security steps;
- Educating staff about security procedures and the reasons behind them;
- Investigating whether to limit the amount of patient information stored on mobile and desktop devices;
- Requiring vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies;
- Guarding against data loss, such as by banning file sharing programs on computers.
At HITRUST, Hourihan leads the ongoing development of the Common Security Framework. The framework helps organizations demonstrate security and comply with various regulations, including the HITECH Act and HIPAA.
Hourihan recently conducted a detailed analysis of breach statistics.
Before joining HITRUST, he worked at PricewaterhouseCoopers' security advisory practice, focusing on healthcare.
ANDERSON: You recently conducted an analysis of the breaches affecting 500 or more individuals that have been reported so far to the HHS Office for Civil Rights. You estimate that the organizations that have reported breaches so far may have to spend nearly $1 billion to deal with the incidents. Please explain a little bit about how you came up with that figure.
HOURIHAN: There is a lot of information out there about the cost of a breach, both from a notification perspective as well as the general effect on an organization, such as loss of customers. I used the Ponemon Institute's cost analysis of a breach. They look at a number of different things involved with a breach, and they're not just focused on healthcare, but they value the direct and indirect costs associated with a breach on a per-record basis. Those direct and indirect costs include things like detection, escalation, response, containment, the notification, and then any post-breach activities, such as legal defense and also credit monitoring.
They came up with $204 per record as being the total cost an organization can expect for a breach, and that breaks down to about $144 in indirect costs and then $60 in direct costs. So I used that $204 in evaluating about $1 billion in costs the industry has experienced since this notification has been made public. There is probably some give and take there in terms of what the real cost is, but that's probably one of the more accurate assumptions one can make.
Then there is also an analysis from the HHS Office for Civil Rights, which is responsible for the enforcement of HIPAA. They have done their own analysis of what the cost of notification is, so taking away any of those indirect costs and also the costs of forensics analysis and response to a breach, and just looking at the notification, they cite about $5.89 per record.
ANDERSON: So what are some of the major expenses involved in dealing with a healthcare information breach? What are usually the big ticket items?
HOURIHAN: Again, going back to what the Ponemon Institute has provided, the indirect costs are significantly higher than the direct costs. Again, they make up about $144 of the $204 per record there. That includes the loss of existing customers and the loss of new customers, or what they call the churn rate. Actually they have noted that of all industries, healthcare actually experiences one of the higher churn rates, at about 6 percent, after a breach is experienced. Looking at the direct cost, that will contain things like your detection, your containment, your notification, and then your post-breach response, and of that, the investigations or forensics make up about 10 percent. Any consulting services tend to make up about 10 percent and then legal defense makes up about 15 percent.
ANDERSON: As a result of your research, what would you say are the most important strategies for preventing breaches and avoiding all these expenses you've been describing? For example, so many incidents have involved the theft or loss of portable computers and media. So should those devices be encrypted to prevent the breaches in the first place?
HOURIHAN: Looking at just the data provided by HHS on these breaches, encryption is definitely at the forefront of controls and strategies to reduce the risk of a breach -- not just of laptops, but also looking at your mobile media, like your USB drives or your CDs and even desktop computers. There have been a pretty significant number of breaches at hospitals and physician practices where a desktop device was actually taken from the facility.... So it's not just people leaving laptops unattended at the airport or in their cars and they get lost or stolen that way.
I can't advocate enough building the awareness of security among your users -- and not just on what are good practices, but why these practices are needed specifically in healthcare. As the industry transitions to a more electronic infrastructure where the protected health information is no longer sitting on paper records, but on a database or a laptop or a CD, the importance of security needs to be communicated to everyone. That way, they can take responsibility in their own hands and they are willing to go the extra mile to create a secure password or not share their password or user name with their friends or a physician with the nurses.
It's important to be able to communicate why this is important in their terms, how a lack of security and a lack of privacy can actually affect the patients that come into a hospital or a physician practice and could actually affect their safety. If patients don't trust the records are secure and don't turn over certain information because it won't be maintained, secured, and private, it could affect the care that they are provided with. And if someone who is unauthorized gets into the system, they could steal a lot of information or they could negatively affect the system to where it can't operate and it can't be relied upon for providing care again.
General risk management is something that actually is one of the fundamental controls and requirements of the HIPAA security rule, but you must be able to evaluate your high risk areas and then act based on where your gaps are, what controls you do and do not have in place. This really gets down to being able to focus your limited budget and your limited resources on the highest risk areas....
ANDERSON: Should healthcare organizations consider whether it's prudent to store any health information on mobile devices? And would you advise organizations to store information primarily on network drives rather than on any type of local device, even a desktop PC?
HOURIHAN: It's definitely difficult for organizations to completely lock down a device to the point where no information can be stored on there. But I definitely would advocate setting up network drives, some sort of cloud storage. It can be centrally managed, it can be protected under a number of layers of controls and defense, and then if a device is lost or stolen, it's no big deal -- it's only the cost of replacing the device, because there are no records stored on there.
Obviously, if you can't achieve that, then you have to go and fall back to the next best thing, which is encrypting the device so that if the device is lost or stolen the information on there cannot be accessed.
ANDERSON: How should organizations be working with their business associates to make sure they have taken adequate security steps? What kinds of questions should healthcare organizations be asking their business partners?
HOURIHAN: Unfortunately, the way organizations have been acting up to this point is they have been relying pretty much solely on contracts, on business associate agreements, for enabling security with their third parties. This is just grossly inadequate in my opinion. About 20 percent of the breaches that HHS posted involved a business partner, and a number of other data sources out there point to about the same percentage -- about a fifth of all breaches involve a third party. What I would advise organizations to do is some sort of due diligence around your business associates. This may vary from relying on contracts where little to no information is shared to doing full on-site third-party reviews of their security program to understand what controls they have and have not in place, and then developing some sort of corrective action plan based on that. There is also an area in between there, so either sending out a questionnaire or reviewing documents, interviewing people and getting an understanding that way.
Again, fall back on a good risk management strategy to define what the appropriate level of review is. If the perceived risk involved is low, you can rely on a contract or a questionnaire. If the risk is high, you may ask for a full onsite review by a third party. And with the changes that are coming with HITECH and HIPAA, business associates are now directly subject to the security rules. So they have to be doing these risk assessments themselves, and then they should be able to provide those results.
So in theory, this shouldn't be more burdensome on business associates.... In practice, business associates probably haven't been doing these risk assessments, so there will be growing pains in getting up to speed. But getting more insight beyond just a contract is definitely needed.
ANDERSON: Any other advice we haven't covered yet on breach prevention strategies that hospitals and clinics and other covered entities should consider?
HOURIHAN: The other big area of focus is obviously this concept of data leakage or data loss. Information is getting out in ways that you may not be aware of through the end points or through actual transmissions. When people set up a file sharing aspect on their machines or use P-to-P software, that is difficult to manage in these somewhat open environments of a hospital and the physician practice....
Again, make sure people are aware of the risks that they're bringing into the organization by downloading something from a website or setting up some sort of file sharing tool on their system. Dealing with the risk requires a combination of people, processes and technology. One technology solution can't solve it, and you just can't rely on education and awareness either.
ANDERSON: Finally, some organizations adopting their first electronic health record systems may be considering using a remotely hosted system using the cloud computing model. What security questions should be posed to those vendors in those cases?
HOURIHAN: Really they should be the same questions and the same processes that you would use for any of the other business associates. First and foremost, look at the level of control that this cloud hosting provider has over the system. Is the vendor just providing infrastructure, or is it on the other end of the spectrum, where the cloud provider is managing pretty much everything and all you're doing is uploading the data?
Whatever that relationship is dictates the level of control that you or your third-party outsourcer may have -- and the level of due diligence you should conduct. If the cloud provider is managing the system completely and handling the security functions, then get a risk assessment back from them so you can understand what security controls are in place. You can get some comfort that they're not going to experience a breach and your data is not going to get out there.
I guess the key areas that you would want to evaluate would be things like access control, hashing management, vulnerability management, and are they scanning, monitoring and logging to make sure that suspicious activity isn't being conducted on your systems with your data.