Friday, June 19, 2009

Oregon Health & Science University Data Breach: Avoidable?

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

There are many incidents of healthcare data breaches from atypical healthcare organizations (e.g. pharmacies, medical schools, etc.). What makes these interesting is their status. Does a medical school or pharmacy take the same steps that a hospital or medical group takes to safeguard protected health information (PHI) or electronic PHI (ePHI)? Maybe…maybe not!

A report about a June 2009 data breach from Oregon Health & Science University stuck out at me…but then the details of it made me think…was this avoidable? The limited information available about the incident reveals that approximately 1,000 patients’ records were stolen when “a physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer.” The questions that popped into my head are: Why are these records saved on a mobile computer? What type of identification or authentication is used to log in to the laptop? Does the organization encrypt the data ‘at rest’? Are there backup copies of the 1,000 records? But my ultimate question has two parts...Why is a physician taking these records home? And, more importantly, why didn’t he or she take the laptop inside the house and physically safeguard it?

Security management has many tenets, but one of the primary ones is risk management. How do organizations, their employees, their managers, and ultimately their customers (i.e. patients) manage the risks associated with PHI and ePHI security and privacy? If a comprehensive approach is implemented, the answer is that they use a Layered Security (commonly called Defense in Depth) approach. What this means is that there is no single layer (point of failure) for safeguarding the confidentiality, integrity, and availability of PHI or ePHI. Another tenet of risk management is that the organization, or its respective decision makers, has the authority and responsibility to ‘accept certain risks’. I provide the following analysis (based on what is publicly available) by pairing the concept of risk management with the Oregon Health & Science University data breach.

It appears that either Oregon Health & Science University does not have policies, procedures, and training (PPT), or does not have enough enforceability (adequate PPT), to implement a ‘culture of security’ that would influence the respective physician to think about the security of the physical laptop and the associated data stored on it. According to the Federal Trade Commission (FTC), the most effective step one can take to avoid a data breach is having a well-trained workforce. I am going to give the University the benefit of the doubt on its safeguard of ‘user access’ to the laptop and presume that a strong identification or authentication scheme is implemented, and that the data stored on the laptop is protected by a strong encryption algorithm. I do not know this, but I am more hoping this is the case than anything else. However, I do have my doubts about why the respective physician left such a sensitive laptop in his or her vehicle. Physically safeguarding the laptop in the residence provides at least one more layer of security that a nefarious individual has to overcome to gain access to the laptop and the protected data. This is not the first data breach resulting from a stolen laptop, and I am confident it won’t be the last. As computers become smaller, faster, and more mobile, and as physicians and organizations are pushed to become compliant with electronic medical record regulations, the privacy and security of the most sensitive data an individual has is increasingly at risk.
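The layered-security argument above can be made concrete with a small model. The following Python script is an added example, not code from the post, from Cmac, or from the University: it models which of confidentiality, integrity, and availability of ePHI on a laptop remain protected after the device is stolen, depending on which control layers (strong login authentication, encryption at rest, an off-device backup, or simply not storing PHI on the laptop) were actually in place. The layer catalogue, the mapping of each layer to the properties it covers, and the dependency between login authentication and disk encryption are constructed modelling assumptions.

```python
"""Defense-in-depth (layered security) model for a stolen-laptop scenario.

Added example: which of confidentiality (C), integrity (I) and availability (A)
of ePHI on a laptop remain protected once the device is stolen, given the
control layers that were in place. The catalogue below and its CIA mapping are
constructed modelling assumptions, not statements from the post or from OHSU.
"""
from dataclasses import dataclass

C, I, A = "confidentiality", "integrity", "availability"
CIA = frozenset({C, I, A})


@dataclass(frozen=True)
class Layer:
    name: str
    protects: frozenset      # CIA properties this layer still covers after theft
    depends_on: tuple = ()   # layers that must also be effective for this one to hold


# Constructed catalogue of the layers discussed in the post (plus data
# minimisation). Which property each covers is an assumption of this model.
LAYERS = {
    # A login prompt on its own is bypassed by reading the disk offline, so it
    # protects nothing by itself; its value is in gating the encryption key.
    "strong_auth": Layer("strong login authentication", frozenset()),
    # Encryption at rest only holds if the key is unlocked by a strong credential.
    "disk_encryption": Layer("encryption of data at rest", frozenset({C}), ("strong_auth",)),
    # A current off-device copy lets the organisation restore the records and
    # compare them against a known-good version.
    "backup": Layer("off-device backup copy", frozenset({I, A})),
    # If PHI is never copied to the laptop, its theft exposes no PHI at all.
    "no_phi_on_device": Layer("records kept off the mobile device", CIA),
}


def is_effective(name, controls, _chain=()):
    """A layer is effective if it is in place and every layer it depends on is too."""
    if name not in controls or name in _chain:
        return False
    return all(is_effective(dep, controls, _chain + (name,))
               for dep in LAYERS[name].depends_on)


def protected_after_theft(controls):
    """CIA properties still protected once the laptop is gone, given the controls in place."""
    protected = set()
    for name in controls:
        if is_effective(name, controls):
            protected |= LAYERS[name].protects
    return protected


def exposure(controls):
    """CIA properties that the theft actually compromises."""
    return set(CIA) - protected_after_theft(controls)


# Constructed scenarios for the laptop-left-in-a-car case described in the post.
SCENARIOS = {
    "login password only": {"strong_auth"},
    "encrypted disk, weak login": {"disk_encryption"},
    "login + encrypted disk": {"strong_auth", "disk_encryption"},
    "login + encrypted disk + backup": {"strong_auth", "disk_encryption", "backup"},
    "PHI never stored on laptop": {"no_phi_on_device"},
}

if __name__ == "__main__":
    for label, controls in SCENARIOS.items():
        lost = sorted(exposure(controls))
        print(f"{label:32} exposed: {lost or 'nothing'}")
```

Running the script shows the point of the paragraph: a login password alone leaves all three properties exposed, encryption at rest covers confidentiality only when a strong credential unlocks it, and a backup is what addresses availability and integrity. No single layer covers everything, which is why the physical safeguard of taking the laptop indoors matters as one more layer in front of the rest.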

Was this avoidable…you decide!

For further information please visit www.cooperativemac.com

References:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

http://datalossdb.org/incidents/2113-patient-names-treatment-dates-treatment-summaries-and-medical-record-numbers-of-1-000-on-stolen-laptop

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf

Thursday, June 4, 2009

Analysis of Virginia’s Prescription Drug Database Breach

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

After I heard about the Virginia Prescription Drug Database breach, I was very curious about what was going on. What is happening?

Several quotes and statistics in news reports stuck out like a sore thumb, and confirmed what I have known for a while but most in healthcare may not know. It then occurred to me that I needed to share this information and provide a little analysis of what this data breach means to the healthcare industry, and to the healthcare information assurance field.

So first of all…what happened? Based on news reports, it appears that the Virginia database that holds millions of prescription records was compromised, records were stolen, and the web page was defaced with a ransom demand posted. According to Virginia Gov. Timothy M. Kaine (D), “It’s difficult to foil every criminal that may want to do something to you.” Emily Wingfield, chief deputy director of the Department of Health Professionals, said “the database contains 31.3 million prescription records and 1 million records are added monthly”. Both of these quotes say a lot about the state of healthcare and healthcare security. They indicate that as the government and industry push forward with electronic health records, the risk to and vulnerability of these records (our records, which are in the care, custody, and control of others) are increasing.

Nefarious people and organizations target specific records (e.g. celebrity records being compromised), groups of records (e.g. the Virginia database), or organizations (e.g. the Commonwealth of Virginia) for various reasons, including extortion. If you want to know what we need to do about it, we first need to answer: Is it worth the risk to have the most sensitive of information in electronic format and on the web? Then we have to ask: what do the custodians of these records have to do to protect the privacy and security of the records? The answer to the first question is a political issue, and constituents need to voice their opinion to their elected officials. The answer to the second is to take a comprehensive view and assessment of the environment containing these records.

How did this occur? Until the authorities publicize their findings and investigation results we will never know. But we can read between the lines. Patricia Paquette, DHP's technology director, stated “the DHP's computer system -- which includes firewalls and backups -- is one of the most secure in state government”. Really????? Then why did this happen? I would suggest that the devil is in the details and that Ms. Paquette, a technologist, is not looking at the non-technology issues when trying to explain what happened. Security is a people problem…not a technology problem. Is this a money problem? Possibly. A technology problem? Maybe. What about a zero-day exploit (a vulnerability that attackers know about but the security industry does not yet)? That is possible too.

According to Virginia Gov. Tim Kaine (D), the breach indicates that the state needs to “create more sophisticated security.” Maybe Gov. Kaine is aware of something that is not being released, but I would suggest a comprehensive look at the DHP information assurance program before making a definitive recommendation on what needs to be corrected. Information assurance is holistic, and looks at training, policies, procedures, and technology, as well as environmental issues, when assessing whether data (e.g. health data) is ‘secure’. The point I am trying to make is summarized well by Del. L. Scott Lingamfelter (R-Prince William), who stated, “I have some question as to whether there is a comprehensive approach to cyber security in the commonwealth.”

My advice to the Governor and the Commonwealth leadership is to look at information security from a holistic and comprehensive viewpoint, and to hire a qualified, independent, third-party information assurance assessor based on the Federal Trade Commission (FTC) requirements for similar assessments. You may be shocked to see what you find!

For further information please visit www.cooperativemac.com

References:

San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2009/05/12/financial/f150940D35.DTL

Washingtonpost.com. http://www.washingtonpost.com/wp-dyn/content/article/2009/05/07/AR2009050702515.html

Washingtonpost.com. http://www.washingtonpost.com/wp-dyn/content/article/2009/05/12/AR2009051201934.html