[ISN] Do no harm: HIPAA's role in preventing ID theft

From: InfoSec News (isnat_private)
Date: Mon Jun 16 2003 - 02:13:42 PDT


    http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,82051,00.html
    
    By Marne Gordan
    JUNE 12, 2003
    Computerworld 
    
    With the Health Insurance Portability and Accountability Act (HIPAA)  
    privacy deadline recently passed, most health care providers and plan
    companies are preparing to implement the final rule for security.  
    While many of these organizations are focused on the lack of budgetary
    and staff resources necessary to fulfill another unfunded federal
    mandate, most have lost sight of why this level of protection is
    necessary.
    
    As organizations (known in the legal jargon as "covered entities")  
    begin their risk assessments and risk management planning, it's
    important to remember one of the key principles of the regulations,
    and that is patient protection. The standard clearly states that the
    organization must ensure the confidentiality, integrity and
    availability of protected health information (PHI) and safeguard it
    from threats, hazards and unauthorized disclosure, but the act
    neglects to underscore why it's important to do so.
    
    PHI consists of the patient's most personal information: the health
    records and data files that typically include name, address, Social
    Security number and a combination of the following:
    
    * Insurance information
    
    * Payment information
    
    * Past and present medical condition(s)
    
    * Past and present treatments
    
    * A variety of other individually identifiable health or personal
      information
    
    Although not expressly stated in the privacy or security rules, HIPAA
    establishes that PHI is primarily the patient's personal property and
    not a corporate asset of the regulated organizations. Corporations are
    therefore required by law to take precautions to protect the privacy
    of patient information whenever it's used, from back-office
    transactions to personal patient interactions.
    
    
    Where's the harm?
    
    Previously, industry experts have focused on harm at the individual
    level, in other words, the PHI of a single patient being compromised
    and made public to the specific detriment of that person.
    
    For example, in 1998, an Atlanta truck driver lost his job after his
    employer learned from his insurance company that he had sought
    treatment for a drinking problem. In another example, an employee was
    automatically enrolled in a mandatory "depression program" by her
    employer, Motorola Inc., after her prescription drugs management
    company reported that she was taking antidepressants. These cases tend
    to generate sympathy from the general public, but it's frequently an
    uphill battle for a victim of such exposure to prove substantial harm
    in the courts and trace the source of that exposure directly back to
    the health care organization.
    
    Harm to the individual can range from simple embarrassment all the way
    to financial hardship. The primary source of harm to the individual
    actually exists at the aggregate level, in databases that contain the
    files of hundreds or thousands of patients. These databases are
    commonly held by hospitals, midsize and large health plans, billing
    organizations, data warehouses, records storage facilities and even
    some application service providers.
    
    Although some industry experts tend to disagree, these covered
    entities are appealing targets for identity theft, the fastest growing
    crime in the U.S. today. While not as obvious or attractive a target
    as financial services or e-commerce companies, these covered entities
    represent a significant opportunity for enterprising thieves, by
    virtue of the data that they process and store.
    
    For example, if a large biller's database were hacked and the PHI
    stolen, criminals could have access to insurance information, credit
    card information and the Rosetta stone for identity thieves, Social
    Security numbers. If such a case were to come to court, a plaintiff's
    attorney could easily prove to a judge and jury that substantial harm
    was inflicted upon the individuals whose identities were stolen, and
    the organization's security controls at the time of the breach would
    definitely be called into question.
    
    Others find covered entities equally attractive, but for different
    reasons. Unlike identity thieves, whose motive is financial gain, some
    hackers see the HIPAA privacy and security standards as a challenge,
    and that alone makes the health care industry a target. These are the
    "altruistic" independent hackers and hacker groups, such as Deceptive
    Duo, S4t4n1c_S0uls and The Bugz, who feel it's their sacred duty to
    exploit and publicly expose weaknesses in the infrastructure of
    various industries, or deficiencies in federal security mandates.
    
    This was precisely the nature of the hack at the University of
    Washington Medical Center in Seattle in December 2000 (see story). A
    hacker going by the name "Kane" allegedly gained access to the medical
    center's network through the affiliated university network and was
    able to steal 4,000 patient records containing PHI including patients'
    dates of birth, Social Security numbers, height and weight and recent
    medical procedures. Kane turned these records over to online
    journalist Kevin Poulsen because he wanted to perform a public service
    by exposing the security risks at the medical center. Kane denied
    intent to sell or otherwise misuse any of the data that he had
    captured.
    
    In their zeal to "improve security" by exposing corporate weakness,
    these hackers disregard any damage that may be done to an individual
    whose personal information is made public. Once information is posted
    to a Web site, there is virtually no way to retrieve it; it then
    becomes open season on the patients and their data. Understanding the
    potential threat of attack may assist some covered entities in
    refining their risk assessments and risk management plans.
    
    
    Implementation: some rules of thumb
    
    When selecting controls for HIPAA security requirements, organizations
    need to understand that the most expensive controls aren't always the
    best for the job, and the most affordable control measures aren't
    always the weakest. Often, a series of layered security controls,
    working together synergistically, may provide maximum protection
    without breaking the organization's budget.
    
    In securing the data center, for example, rather than implementing a
    single biometric control (retinal scan, palm-print reader, etc.), the
    organization may realize more benefit from implementing a key-card
    scheme that logs ingress and egress, supplemented with security
    cameras at the data center doors. These two less costly measures
    complement each other, and the organization isn't relying on a single
    point of failure as a security control.
    
    In addition, whether selecting individual control measures, writing
    policies or reviewing standard operating procedures, the members of a
    company's HIPAA implementation team should step back and imagine that
    their own PHI resides within the environment. It's a simple exercise,
    but it often puts cost/benefit issues into perspective. Treating the
    PHI as if it were their own may also ease the temptation to cut
    corners for the sake of the IT budget and ensure that the organization
    selects control measures that will provide the most suitable
    protection to their systems, services and data.
    
    
    Marne Gordan is director of regulatory affairs at TruSecure Corp. in
    Herndon, Va., and an expert on security regulatory and compliance
    issues, including HIPAA and the Gramm-Leach-Bliley Act. She can be
    reached at mgordanat_private
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 04:17:36 PDT