In 2012, there were 1,502 documented incidents resulting in the loss of personally identifiable information, almost a 40% increase over the previous year’s count of 1,088. In the last three years, 21 million patients in the United States have had their medical records exposed in data breaches.

Data leaks are becoming a common occurrence, exposing personal details such as email addresses, passwords (both encrypted and in clear text), and even national ID numbers. The IBM X-Force 2012 Annual Trend and Risk Report calls for tighter security controls and policies in the healthcare industry.

With healthcare providers and payers alike trying to retain customers through better quality of care while complying with an ever-increasing body of regulations, patient records are the currency in trade, and as such must be protected with all due care. Moving to electronic health records (EHR) is a must for organizations that need to share data between providers (even competing facilities), insurance companies, and the patients themselves. Creating a record once and enriching it over the lifespan of the patient, by every caregiver and payer involved, holds the promise of reducing costs and improving outcomes. In addition, the U.S. government provides financial incentives for the meaningful use of EHR through the HITECH provisions of the American Recovery and Reinvestment Act (ARRA).

Yet converting records to electronic format makes them convenient to steal en masse if they are not properly protected. The outcomes of EHR theft include damage to brand reputation in a competitive market and financial penalties for non-compliance.

Here are some of the fundamental security controls healthcare organizations must undertake in order to safeguard patient data:

  • Discover all EHR and personally identifiable information (PII)
  • Encrypt or mask EHR and PII at rest and in transit
  • Impose and manage role-based access, coupled with central and/or federated authentication, to EHR and PII
  • Contract with Business Associates (BA) who have access to EHR and PII to ensure they are held to the same data protection standards, and audit them regularly
  • Protect the infrastructure housing EHR and PII using standard technical controls such as firewalls (perimeter and enclave), VPNs, network and host IPS, and endpoint protection
  • Monitor all system and network activities, optimally with automated detection of suspicious activity, particularly as it affects systems containing EHR and PII
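The first two controls on the list, discovering PII and masking it, are the ones most often left to a manual inventory. The script below is an added example (it is not from the original post and is not an IBM or X-Force tool) of what an automated pass over patient records looks like: it flags every field whose value matches a PII pattern, then produces a copy in which direct identifiers are replaced by keyed pseudonyms and identifiers hiding in free text are redacted. The sample records, field names, regular expressions (the national-ID pattern uses the U.S. SSN shape) and the HMAC key are all constructed for illustration; a real deployment would fetch the key from an HSM or KMS and read records from the EHR store. Encryption at rest and in transit is not shown here and remains a platform control (disk, database and TLS).

```python
"""Discover PII in patient records and produce a masked, tokenized copy.

Added example, not code from the original post. Records, patterns and the
key below are constructed for illustration only.
"""
import hashlib
import hmac
import re

# Constructed sample records: structured fields plus a free-text note, where
# identifiers tend to hide.
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "email": "alice@example.org",
     "ssn": "123-45-6789", "dob": "1980-04-12",
     "note": "Follow-up call; reach at alice@example.org or 555-0100."},
    {"patient_id": "P-1002", "name": "Bob Example", "email": "bob@example.net",
     "ssn": "987654321", "dob": "1975-11-02",
     "note": "Patient states SSN 987-65-4321 on intake form."},
]

# Constructed demo key (assumption). Production keys live in an HSM/KMS.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# PII classes named in the post (email, national ID numbers) plus date of birth.
# The national-ID pattern assumes the U.S. SSN shape, with or without dashes.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "national_id": re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),
    "dob": re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b"),
}

# Fields known to hold direct identifiers; tokenized wholesale rather than scanned.
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "ssn", "dob"}


def discover_pii(record):
    """Return (field, pii_class) pairs for every string field matching a PII pattern."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for cls, pattern in PII_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, cls))
    return findings


def tokenize(value, key):
    """Keyed pseudonym via HMAC-SHA256: the same identifier maps to the same token
    for every party holding the key, so records can still be linked across
    providers, while the token alone reveals nothing about the identifier."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_record(record, key):
    """Return a copy with direct identifiers tokenized and PII in other text fields redacted."""
    out = dict(record)
    for field in DIRECT_IDENTIFIER_FIELDS.intersection(out):
        out[field] = tokenize(str(out[field]), key)
    for field, value in list(out.items()):
        if field in DIRECT_IDENTIFIER_FIELDS or not isinstance(value, str):
            continue
        for cls, pattern in PII_PATTERNS.items():
            value = pattern.sub("[%s-REDACTED]" % cls.upper(), value)
        out[field] = value
    return out


def scan_and_mask(records, key):
    """Run discovery over every record and return (findings_per_record, masked_records)."""
    findings = [discover_pii(r) for r in records]
    masked = [mask_record(r, key) for r in records]
    return findings, masked


if __name__ == "__main__":
    found, cleaned = scan_and_mask(SAMPLE_RECORDS, DEMO_KEY)
    for rec, hits, clean in zip(SAMPLE_RECORDS, found, cleaned):
        print(rec["patient_id"], "PII found in:", hits)
        print("  masked:", clean)
```

Tokenizing the date of birth keeps the example simple; in practice a date is usually generalized (year only, or an age band) rather than pseudonymized, because clinicians need it and a token destroys that utility. The discovery pass should be rerun on the masked output, as the test does, to catch identifiers the field inventory missed.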

Exposure of sensitive data is but one of the salient observations in the IBM X-Force 2012 Annual Trend and Risk Report. Download it now and get the full picture of how 2012 shaped up in terms of threats and gain intelligence into what to expect in 2013.


Author: IBM Security Intelligence (Analysis and Insight for Information Security Professionals)
