Prevention vs. Cure: Facing the Worst-Case Scenario
by ID Experts
There’s an old saying: “There’s no such thing as bad PR.” Well, it’s not true, at least where healthcare is concerned. While starlets and bloggers may thrive on scandal and controversy, consumers look to their healthcare providers for reliable, quality care and privacy. Imagine if a privacy-related data breach in your organization led to identity theft that compromised a patient’s medical records. Imagine if the compromised record caused medical mistreatment or even death, with subsequent lawsuits and national media attention. How long would it take to recover from that kind of PR. Yet recent studies show that the majority of healthcare organizations are not ready to prevent or quickly detect data breaches involving protected health information (PHI), leaving the door open to worst-case scenarios that are life-threatening to patients and to the financial health of the healthcare provider.
According to the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, released in December 2012, 94 percent of healthcare organizations in the study had had at least one data breach in the past two years, and 45 percent reported that they had more than five incidents in the same time period. The costs of dealing with these breaches ranged from $10,000 to more than $1 million. Yet, only 27 percent of organizations said they had sufficient resources and 34 percent said they had a sufficient security budget to prevent or quickly detect unauthorized patient data access.
Most of the breaches reported in the Ponemon study were “everyday scenarios,” not worst-case scenarios, but consider how bad the worst case can be and the potential cost. For example:
A hard drive failure in a server at a major New York City hospital left over 845,000 patient records inaccessible. The IT manager followed procedures to restore the database from the hospital’s magnetic backup tapes, but the backup tapes were blank. Permanent loss of the database records would put the hospital in clear violation of HIPAA data retention and availability requirements, so the IT manager contracted with a local third-party data recovery service provider. The hospital had no documented policy or procedure to evaluate the security compliance of such service providers, so the IT manager selected a company based on its 48-hour turnaround time and shipped it the damaged hard drives.
The data recovery was a complete success. Within two days, the recovered data was returned to the IT support manager, the database of patient records was restored, and the tape backup system was fully functional again. The IT manager made a note in his files to use this data recovery service provider again. But several months later, the hospital discovered a PHI breach. While creating an image of all the data on the drives, a data recovery engineer had made himself a copy of the patient records database. He found the records of a female patient with a description closely matching that of his ailing wife and altered them to fit his wife’s description perfectly, removing reference to the female’s blood type and life-threatening allergy to insulin. His wife used the fraudulent identity to receive surgical treatments for cancerous tumors in her lungs. The engineer used the credit card data from other patient records to pay his wife’s medical bills.
Soon several of the hospital’s patients began reporting unauthorized purchases on their credit cards. The cause of the security breach was not discovered until the woman whose record was altered received emergency surgery after a car crash. Unconscious when she arrived at the hospital, she died from anaphylactic shock during a simple surgical procedure—an allergic reaction to the insulin she was administered during the operation. The deceased woman’s husband was convinced that his wife’s allergy to insulin was well documented in her health record. An investigation revealed the tampering with her PHI, and the changes were traced back to the NYC hospital’s database. The hospital’s forensic team traced the breach to the third-party data recovery service provider and the data recovery engineer, who, it turned out, had not been subjected to a background check before he was hired and who had a criminal history of identity theft.
Reports of the breach, the altered medical records, and the woman’s death were picked up by the media. The hospital posted a public notice of the PHI breach, sent notification letters to all impacted patients, and offered them two years of credit monitoring and fraud resolution services, plus credit and identity theft restoration if needed. However, the larger threat to patients was misuse of the PHI, which went unmonitored, and the hospital’s reputation was damaged severely. An internal study at the hospital resulted in new protocols for hiring and working with third-party data recovery vendors. The hospital’s risk management process was updated, and the CISO and the IT support manager were fired.
The healthcare industry is in transition, and budgets are tight, but no organization can afford a scenario like this. According to the Ponemon study, the average cost of PHI-related data breaches to healthcare organizations is $2.4 million. Prevention costs a fraction of this figure, yet only 49 percent of healthcare organizations vet and monitor third parties, including business associates. Annual security risk assessments are done by only 48 percent of organizations, and even fewer conduct periodic privacy risk assessments, which are considered one of the most effective measures to reduce the frequency of data breaches unintentionally caused by employees or third parties, the most common cause of breach incidents.
Let’s imagine a happier scenario than the one above.
A pregnant woman has just been to her last ultrasound and is due to deliver in two weeks. A week later, the medical card, from her previously stolen wallet, is used at the same hospital ER by a drug-overdose victim who had bought the pregnant woman’s identity on the street. The hospital admitting staff asks for a driver license, checks the photo, and refuses service when the license doesn’t match the medical ID card. They call the pregnant patient to let her know what has happened, the patient’s medical record is not compromised, and a week later she gives birth and experiences a problem-free delivery. If the hospital had not had basic security procedures and policies in place, the drug addict would have been able to receive treatment using the stolen medical identity, compromising the patient’s medical records. At “best,” the patient’s records would have suggested a drug addict, and her children could have been taken from her. At worst, complications during delivery could have been misdiagnosed and mistreated, leading to serious injury or death.
No one wants to be a part of these realities: not the patients whose well-being or, worst case, lives are at risk; not the doctors and security professionals who will live with the personal and professional consequences; and not the healthcare organizations who stand to lose millions in reparations, breach mitigation, and regulatory costs and more due to a damaged reputation and lost business. ID Experts recommends that healthcare organizations:
- Carry out and document annual privacy and security risk assessments
- Encrypt PHI.
- Update policies, processes (including incident assessment and response processes), and procedures
- Ensure the Incident Response Plan (IRP) covers third parties,
including business associates, partners, cyber insurance
There is such a thing as bad PR, and for a healthcare organization, a good reputation is priceless. The cost of an ounce of prevention truly is worthwhile because, once lives or reputations are lost, there is no cure.
_____________________
Robert Gregg, CEO of ID Experts, and a CPA by trade, has an extensive career as an executive. As CEO of ID Experts, he is committed to protect consumers from identity theft resulting from privacy data breaches, particularly in healthcare. ID Experts provides the absolute best hands on service to prevent and remediate data breaches, and take great care of the victims of a breach.