By Neil Versel
Feb. 19, 2008 | Recent laptop thefts from Fallon Community Health Plan in Worcester, Mass., and from Horizon Blue Cross and Blue Shield of New Jersey have focused attention anew on the issue of data security in health care.
In this age of identity theft, “I’ve actually heard health care systems referred to as one-stop shopping,” says John Carmichael, a security trainer at Security Innovation, Wilmington, Mass. Health records often contain individuals’ names, addresses, phone numbers, Social Security numbers, and payment information — exactly the kinds of data criminals want.
Both Fallon and Horizon say they are not aware of any records being compromised from the incidents, and an e-mailed statement from Horizon indicates that a security feature on the stolen laptop automatically destroyed all of the computer’s data on Jan. 23, 18 days after the theft.
Still, it has been costly. Horizon is offering a year of free credit monitoring for the 300,000 members whose information was on the pilfered machine and Fallon is doing the same thing for the 30,000 Medicare Advantage and Summit ElderCare enrollees affected.
“One thing is clear: When [security breaches] happen, it’s a bad thing for the organization, in terms of bad publicity and in terms of cost,” says John Petze, president and chief executive of Charlottesville, Va.-based biometric device and software-maker Privaris. “It’s clear that it’s going to cost a lot of money even if none of the data is ever compromised.”
Audits, contacting people whose information may have been stolen, credit monitoring, and sometimes legal defense efforts all factor into the cost, according to Petze. According to a 2007 study from Ponemon Institute (Traverse City, Mich.), the average cost of a data breach to the affected company is $197 per customer record — with an average total cost of $6.3 million among the 35 U.S. companies reporting an incident. The majority of the cost was in the form of lost opportunities and brand damage.
About 40 percent of reported incidents originated with contractors, consultants, or other external entities—up from 29 percent a year earlier. Breaches by third parties were more costly than internal data loss, at $231 per record, vs. $171.
“There’s just a panoply of different things that can happen,” from the bad press to loss of customers to extra expenses, not to mention the threat of lawsuits, says Rich Temple, vice president of information technology and chief information officer for Saint Clare’s Health System, a three-hospital organization in Denville, N.J.
That state has had two well-publicized incidents of late. In addition to the Horizon laptop theft, several dozen employees of Palisades Medical Center in North Bergen, N.J., were suspended after allegedly taking unauthorized peeks at the electronic medical records of actor George Clooney, who was treated there following a motorcycle accident last fall. “I thought that was an appropriate response,” Temple says of the suspensions.
In Fallon’s case, the stolen machine belonged to an outside consultant. “It’s our understanding that it did not have any protection on it, which is against our policy,” according to Jeannette Frey, privacy officer for Fallon Community Health Plan.
Not surprisingly, and critics say too slowly, health care organizations nationwide are taking a closer look at their security plans and making efforts to plug potential security holes.
Right now, Saint Clare’s is taking bids on hard-drive encryption. “We’re going to have that in a matter of weeks,” reports Temple, who adds that the IT department is contemplating blocking certain types of files from being copied to USB drives to prevent sensitive data from leaving the premises.
Those in the security community recommend taking multiple precautions against data loss, but opinions vary widely on which technologies are most effective. Some love biometrics, others think encrypted hard drives are the way to go, and there is a healthy debate over whether to protect computers at the hardware or software level.
Remember in the mid-1990s when cell-phone users had to enter a PIN to place a call as a precaution against phone hacking?
“The software security solution has failed,” contends Steven Sprague, CEO of Wave Systems, a Lee, Mass.-based maker of hardware security devices. “It failed in the cable [TV] industry, it failed in the cell-phone industry, and it’s failed in the PC industry,” Sprague says.
“The reasons we like our cell phones and BlackBerrys are that there is hardware security.” He says PC makers are moving that way too.
With software security, “You’re basically strapping the armor on after you bought the car,” Sprague argues. It also takes a lot of time to encrypt a drive with software, and smaller organizations may feel a productivity hit.
Seagate Technology is the first major manufacturer to offer encrypted hard drives, with a hardware-based platform called DriveTrust that adds about $60 to $140 to the cost of a new computer. “It’s by far the easiest solution to the ‘I lost my laptop’ problem,” Sprague says.
“Anyone in health care who’s looking at a laptop or, later this year, a desktop PC, should ask for an encrypted hard drive,” Sprague says. It requires a password or a fingerprint to unlock the drive. “If you don’t have the right password, it’s a brick.”
Privaris is more bullish about identity verification at the point of access, with “personal biometrics,” in the form of portable fingerprint readers. Individuals carry the reading device with them — usually a key fob — so it doesn’t have to be wired into a wall or built into a keyboard. It attaches to a computer with a USB plug or wirelessly via Bluetooth.
“Only I can make it work,” Petze says. “I’ve eliminated one of the greatest risks. The insider threat is one of the greatest risks, and the mode is sharing.” He says it also eliminates the need for users to remember multiple passwords.
For his part, Carmichael much prefers hard-drive encryption to biometric authentication. The security trainer says many commercially available fingerprint readers fail the “gummi bear test”: Thieves can press a gummi bear against the reader to lift a user’s fingerprint, and typical readers are not accurate enough to distinguish between the lifted print and the real thing, leading to a serious conundrum for an IT department.
“If my credentials are compromised, you have to revoke the credentials,” he says. Passwords are easy to change. “I can’t change my fingerprints.”
Of course, there is also the perpetual threat of laziness. “Flip over mouse pads and keyboards,” Carmichael says. “How many passwords will you find?”
Evanston-Northwestern Healthcare, a three-hospital system based in Evanston, Ill., prohibits users from writing their passwords near workstations. “We check physical workstations and look for that from time to time,” says CIO Thomas Smith.
Indeed, Carmichael and others believe staff training must be part of any strong security program. “Not everyone is going to realize the sensitivity of the data,” Carmichael says. IT departments need to make sure all users understand organizational policies and procedures, including HIPAA requirements.
“It’s worth being paranoid about,” Temple adds. “A little bit of investment can go a long way later.”