An Unhealthy Trend

It is hard to ignore breach events when they happen to major retailers, or when there are service attacks against financial institutions, or when disgruntled federal workers choose to vent their disagreements using stolen confidential data.  When we read and watch the coverage, it seems that these areas are likely the most endangered and the most vulnerable to abuse.

When David Kennedy of TrustedSec spoke before Congress (and to the media) about concerns with the Affordable Care Act website, it got me thinking about the sheer volume of information that would be available to attackers through that site, were it ever breached. Beyond that, it got me thinking about the overall breach posture of healthcare providers in general. Many of us in the security industry are familiar with the breach discussed in the class action lawsuit of Gaffney vs Tricare, and with the litigation around the Advocate Health Care breach, but there really has not been a ton of noise around the issue of data breaches at healthcare firms. There certainly has not been a public awareness campaign in the way that identity theft and financial fraud have been brought to the mainstream population. It raised the question: “Does the lack of public awareness mean that there is less of a breach issue with healthcare providers, or is it simply a matter of numbers, that great big breaches, with millions of records lost, grab headlines?”

I figured it would be worth taking a look at the numbers to see what the reality was. Based on information that I gathered from the Privacy Rights Clearinghouse and from the US Department of Health and Human Services, it seems that the lack of uproar around healthcare breaches is not because there aren’t events, but because the events themselves lack the big numbers needed to become big stories. Take a look at the trend diagram below, developed with my colleague Igor Radosavljevic in a project for Dr. Kholekile Gwebu at UNH:


As you can see, it is pretty clear that the number of healthcare breaches is increasing rapidly, particularly compared to the other industries noted.  Below, an aggregated average trend line for those other industries makes it even clearer:



Since looking at the data this way, I’ve been thinking about the possible reasons why this is the case. I think that the reasons can be found in healthcare’s evolution along the same three drivers that have always led to breaches: awareness, new technology, and monetization.

  • Awareness: The healthcare field has historically had its foundation in reams and reams of paper records. Most doctors’ offices have substantial amounts of their precious space set aside for records management, at least for the records associated with patient activity from years prior to the enactment of HIPAA, the arrival of pervasive internet connectivity, and the HIPAA Privacy Rule. As a result, healthcare workers have had a much shorter time in which to become focused on the security of computer-based records. This lack of awareness is one of the factors that leads to the number of device thefts and losses that predominate in the healthcare breach numbers.
  • Technology: Healthcare and healthcare communications have only begun leveraging technology in the fairly recent past. At the same time, healthcare consumers, partners, and providers have all begun to make serious demands of the technical infrastructure. In efforts to satisfy client and business needs, there has been a real rush to implement portals, integrated billing, telemedicine, and more efficient back offices. As a result, healthcare now shows the same types of mismatched controls and architectures that have led to breaches in other industries. They are perhaps exacerbated in healthcare because it lacks the consistent technical growth and best-practices development that have typified the more unified adoption of technology in areas like finance, retail, or government.
  • Monetization: Last year a colleague in law enforcement, now leading an effort to locate the financial endpoints of identity theft, told me that the average stolen healthcare insurance card record was worth 100 times the value of a stolen platinum-level credit card. The reason was that there was very little fraud detection capability at healthcare outlets and that there was a rapidly growing need for healthcare services among the unemployed and undocumented communities. As a result, the value of the private data stolen in many of these cases is far greater than in the other, more typical, breaches.


Impact from HITECH?

When new regulations or new penalties enter a market, it is natural to expect that the regulation will increase the behavior it is intended to motivate, in this case breach reporting. The Health Information Technology for Economic and Clinical Health (HITECH) Act is a very important piece of legislation in this space, and recognizing that, the data analyzed begins in 2009, which corresponds to the enactment of HITECH and the publication, in August of that year, of the HITECH Breach Notification Interim Final Rule. Starting there should minimize, though not eliminate, the amplifying effect of the additional reporting pressure resulting from HITECH.

Recommendations for Healthcare Providers

Of all the markets that I deal with frequently, I think that healthcare may have one of the best natural affinities for fixing these issues. In my understanding of and interaction with doctors and hospitals, they excel at diagnosis. Treatment is also extremely important, but the real magic, for me, happens in the diagnosis of complex illnesses, complex relations between symptoms, and the identification of causative factors from the symptoms and illnesses that present.

This diagnosis will start with understanding interactions: interactions between data, systems, and partners. The data itself, its provenance and the privileges granted over it, needs to be factored in as well. Once these are comprehensively mapped and understood, healthcare providers can begin to apply the same style of requirements definition and solutions mapping that has moved other organizations forward. The movement of data, particularly to the more mobile and more easily stolen systems, has to be examined for necessity and utility.
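To make that diagnosis concrete, here is an added example (not from the original post, and not any provider's actual inventory) of the kind of data-flow and privilege map the paragraph describes, with three checks run over it: PHI landing on a portable, unencrypted device (the device-loss pattern behind most of the healthcare breach numbers), data leaving to a partner with no documented purpose, and privileges granted beyond a role's baseline. The systems, flows, principals, and the role baseline are all constructed sample data.

```python
# Added example: a small data-flow and privilege inventory for a hypothetical
# healthcare provider, with the checks the "diagnosis" step calls for.
# Every system, flow, principal and role baseline below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    portable: bool            # laptop, tablet, USB drive: easily lost or stolen
    encrypted_at_rest: bool   # full-disk or container encryption present
    owner: str                # "provider" or the name of an outside partner


@dataclass(frozen=True)
class Flow:
    source: str               # System.name the data comes from
    dest: str                 # System.name the data goes to
    data: str                 # classification, e.g. "PHI", "billing", "schedule"
    purpose: str              # documented necessity; empty string if undocumented


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    privileges: frozenset


# Least-privilege baseline per role (constructed for the example).
ROLE_BASELINE = {
    "clinician":  frozenset({"read_phi", "write_phi", "read_schedule"}),
    "billing":    frozenset({"read_billing", "write_billing"}),
    "front_desk": frozenset({"read_schedule", "write_schedule"}),
}


def phi_on_unprotected_portables(systems, flows):
    """Names of portable systems receiving PHI with no encryption at rest."""
    by_name = {s.name: s for s in systems}
    return sorted(
        f.dest for f in flows
        if f.data == "PHI"
        and by_name[f.dest].portable
        and not by_name[f.dest].encrypted_at_rest
    )


def undocumented_partner_flows(systems, flows):
    """(destination, data class) pairs leaving the provider with no stated purpose."""
    by_name = {s.name: s for s in systems}
    return sorted(
        (f.dest, f.data) for f in flows
        if by_name[f.dest].owner != "provider" and not f.purpose.strip()
    )


def excess_privileges(grants):
    """Privileges held beyond the role baseline, keyed by principal."""
    findings = {}
    for g in grants:
        extra = g.privileges - ROLE_BASELINE.get(g.role, frozenset())
        if extra:
            findings[g.principal] = sorted(extra)
    return findings


def assess(systems, flows, grants):
    """Run all three checks and return their findings by name."""
    return {
        "phi_on_unprotected_portables": phi_on_unprotected_portables(systems, flows),
        "undocumented_partner_flows": undocumented_partner_flows(systems, flows),
        "excess_privileges": excess_privileges(grants),
    }


# Constructed sample inventory for a hypothetical practice.
SYSTEMS = [
    System("ehr-server", portable=False, encrypted_at_rest=True, owner="provider"),
    System("dr-lee-laptop", portable=True, encrypted_at_rest=False, owner="provider"),
    System("backup-usb", portable=True, encrypted_at_rest=True, owner="provider"),
    System("claims-clearinghouse", portable=False, encrypted_at_rest=True, owner="ClearCo"),
    System("analytics-vendor", portable=False, encrypted_at_rest=True, owner="StatCo"),
]
FLOWS = [
    Flow("ehr-server", "dr-lee-laptop", "PHI", "chart review on rounds"),
    Flow("ehr-server", "backup-usb", "PHI", "nightly offsite backup"),
    Flow("ehr-server", "claims-clearinghouse", "billing", "claims submission"),
    Flow("ehr-server", "analytics-vendor", "PHI", ""),
]
GRANTS = [
    Grant("dr.lee", "clinician", frozenset({"read_phi", "write_phi", "read_schedule"})),
    Grant("sam.frontdesk", "front_desk", frozenset({"read_schedule", "write_schedule", "read_phi"})),
]

if __name__ == "__main__":
    for check, result in assess(SYSTEMS, FLOWS, GRANTS).items():
        print(f"{check}: {result}")
```

On this sample the laptop is flagged because PHI reaches a portable device with no encryption at rest, the analytics vendor is flagged because PHI leaves the provider with no documented purpose, and the front-desk account is flagged for holding read_phi outside its role baseline. The encrypted backup drive and the clearinghouse flow pass, which is the point of the exercise: the map separates data movement that is necessary and protected from movement that is neither.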

There are also excellent lessons to be learned from other industries that are currently faring better. The first, and probably most important, will be for healthcare providers to better understand the scope and scale of the investment that better-protected organizations are making. Clearly, adopting new technology is an expensive change to go through in the first place, but there must be a corresponding investment in ensuring that the services and care rendered through these new systems remain as sacrosanct as the doctor’s office has always been.

The network, the systems, portals, and telemedicine are all potentially major improvements in the speed, universality, and comprehensiveness of care. As we proceed with this evolution, though, healthcare providers must adopt technology with an eye toward an oath first taken in the 5th century BC and, at the very least, ensure that they do no harm.