Healthcare Data Security FAQ

Patients – and the law – demand that you protect highly sensitive information from every possible threat. But in-house security options just can’t keep pace with rapidly growing risks. After all, anti-virus software won’t stop someone from taking medical records. A firewall can’t help retrieve a stolen laptop.

ID theft expert Brian Lapidus, senior vice president of Kroll Fraud Solutions, answers some of the top security questions healthcare organizations should be asking. Lapidus oversees a highly skilled team that includes veteran licensed investigators specializing in supporting breach victims and restoring individuals' identities to pre-theft status. He is particularly knowledgeable about the many security gaps - physical, procedural and electronic - common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used.


Q: Why are healthcare organizations particularly vulnerable to data breaches?

A: Sensitivity of data - The healthcare industry is responsible for maintaining its patients’ most sensitive Personal Health Information. PHI is a treasure-trove for identity thieves.

Immense data flow (masses of data flowing in and out) - A primary reason healthcare data security breaches occur is that facilities do not know where all instances of their patients’ sensitive or confidential information reside within the network. Moreover, the danger does not stop at the hospital perimeter, but includes vendors that share or receive the data, as well as employees’ and contractors’ laptop computers and other portable storage devices.

Portability/usage of EPHI (Electronic Protected Health Information) storage devices - Improvements in technology and the portability of patient data come at a cost to security. Devices used to store and access PHI include laptops; home-based personal computers; Personal Digital Assistants (PDAs) and smartphones; USB flash drives and memory cards; floppy disks; CDs; DVDs; backup media; email; smart cards; and remote access; not to mention hotel, library or other public workstations and Wireless Access Points (WAPs).


Q: Who/what is at risk should a data breach occur? Are children, in particular, at risk? Why?

A: The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, if the Personal Identifying Information (PII) of a minor is at risk, it is impossible to place a “fraud alert” on his or her credit file to monitor and help protect the child from identity abuse. Many victims do not realize that their information was used until they apply for credit as an adult.

There are two different ways that an identity thief can use a minor’s information. The first is “Minor ID Cloning” where a thief uses the minor’s name and social in combination with a fraudulent address and date of birth to apply for credit. Once the credit bureau receives an application for credit, that begins the minor’s credit history and the child “becomes” the age of whatever information the thief supplied on the application for credit.

The second form of minor identity theft is “Minor ID Combining” where a thief uses the minor’s social security number in combination with the thief’s name and date of birth.

The detection and repair of minor identity theft is a time-consuming and difficult process.


Q: What should healthcare organizations be doing to better protect the personal information of children and all patients?

A: Awareness of data-breach methods and ways to thwart an attack is key to reducing exposure. Following are some simple steps to elevate awareness and establish a better defense:

  • Educate employees about appropriate handling and protection of sensitive data. Have sanctions in place for employees found not following proper guidelines. Both are HIPAA requirements.
  • Consistently enforce policies and procedures, physical safeguards, and IT security. All three are required by HIPAA.
  • Review and revise physical security practices as needed in both brick-and-mortar and virtual operations. Address all the critical areas, such as who can leave the office with patients’ PHI, where sensitive data is stored and destroyed, who has access to sensitive data, and whether employees are required to surrender keys and badges upon leaving the company’s employ.

Q: What are the top three things healthcare organizations can do to protect themselves pre-breach? Post-breach?

A: Pre-Breach

  1. Designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices as required by the HIPAA Privacy Rule at 45 C.F.R. § 164.530(a).

  2. Covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule. Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.

  3. Partner with a corporate breach and data security expert to map a breach response strategy and plan. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule at 45 C.F.R. § 164.530(f).

Post-Breach

  1. Have a relationship with a corporate breach and HIPAA data security expert so that any investigation can begin immediately and affected individuals will be notified in a timely manner. Collaborating with a company that can investigate, notify, and assist breached individuals goes a long way to avoid loss of brand integrity.

  2. Detail who is in charge of any internal investigation, and who will speak to the police and media. Notify your corporate breach and data security expert partner there is a security issue.

  3. Maintain a good relationship with local, state, and federal law enforcement throughout the investigation. A positive report about a healthcare provider’s cooperation with law enforcement goes a long way toward maintaining brand integrity.

Q: Describe a client in this industry who benefited from your service.

A: A healthcare provider lost backup tapes and disks which contained personal information of 365,000 patients. The personal information exposed included patients’ names, physicians’ names, addresses, dates of birth, patient financial information, insurance data, diagnoses, prescriptions, and in some instances, lab results. The tapes also contained personal information of deceased individuals and minors who had received treatment at their facility. Kroll was hired to notify these individuals of the loss of information and to provide licensed investigators to respond and educate disturbed callers on how they could protect their personal information as well as that of minors and deceased loved ones. In addition to consultative services, the investigators provided assistance to individuals who had fallen victim to identity theft as a result of this incident, and helped these individuals regain their pre-theft identity status.


Q: What are the latest trends in security breaches at healthcare organizations?

A: Healthcare Payer
A large commercial healthcare insurance company experienced a data breach as a result of a laptop being stolen from an employee’s car. The employee did not follow the corporate policies for protecting member data, which resulted in exposing Personally Identifiable Information (PII) for 38,000 plan members. The information compromised included names, addresses, Social Security numbers and health-related data. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.

Healthcare Provider
A hospital, while expanding its IT system, discovered there had been unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of patients, and of the parents or guardians who were listed as the main policy holders with the health insurance carrier. This personal information included names, addresses, Social Security numbers and patients’ (minors’) birth dates.

The second database contained personal financial information, including unencrypted bank account and routing numbers, pertaining to individuals who had donated to the hospital. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.
