Tuesday, December 13, 2011

The Health Information Breach Problem Seems To Be Getting A Lot Of Coverage. Australia Needs To Take a Serious Stance On the Issue and Soon!

Last week I ran a blog on some material on Health Information Security.
This is found here:
Just after this we have had ongoing reports about the situation in the US.
First here:

Health data breaches cost $6.5B annually

December 1, 2011 — 5:43pm ET | By Ken Terry
The number of reported data security breaches in healthcare organizations increased 32 percent from 2010 to 2011, and, on average, there were four breaches per healthcare provider this year, according to the Ponemon Institute's second annual survey on the topic.
The mean cost of these breaches to healthcare organizations was $2.2 million, up 10 percent from last year. In addition, respondents reported that security breaches reduced productivity, caused a loss of goodwill, and contributed to patient churn. Twenty-nine percent of providers said that data breaches had resulted in medical identity theft.
Based on the survey responses, Ponemon estimates that data security breaches cost the U.S. healthcare industry about $6.5 billion a year.
To learn more:
- read the Ponemon Institute press release
- see the Healthcare IT News
More here:
This was followed up by a long interview here:

Q&A: How a health 'data spill' could be more damaging than what BP did to the Gulf

By Tom Sullivan, Editor
Created 2011-12-05 11:12
The street value of health information is 50 times greater than that of other data types. Even worse, the healthcare industry is among the weakest at protecting such information. With organized criminals trying to steal medical IDs, sloppy mistakes becoming more commonplace, mobile devices serving as single sign-on gateways to records and even bioterrorism now a factor, healthcare is ripe for a wake-up call – one that just might come in the form of a damaging "data spill."
Government Health IT Editor Tom Sullivan spoke with Larry Ponemon, chairman and founder of the Ponemon Institute, and Rick Kam, president of ID Experts (pictured below), which sponsored Ponemon's second annual Benchmark Study on Patient Privacy and Data Security. He asked about that data spill assertion, why healthcare lags other industries in privacy and security, and how the $6.5 billion spent on responding to data breaches could be better invested.
Q: The study finds that breaches are up 26 percent. Are things as bad as they seem to be?
Larry Ponemon: Data loss and data breaches happen all the time. And one of the possible reasons for increase in frequency for the data breach events can be due to the fact that organizations are more cognizant of it and are mandated by law to report it. In other words, it’s the old adage, 'If a tree falls in the middle of the forest and we don’t hear it, did it actually fall?' Well, organizations have a heightened sense of awareness, hopefully, about these laws and therefore the frequency is increasing because of that.
There is a second more nefarious possibility that data loss occurs because there’s just more criminal enterprise around data theft. And there’s evidence that, not just in healthcare, but generally that number seems to be on the increase as well.
So it’s a combination of factors, but the results of our research on a matched sample basis suggest that number certainly isn’t going down. Instead of getting better, it seems to be on the increase.
Q: What, specifically, are those factors?
Rick Kam: One of the interesting things within privacy circles is growing concern about the strategic nature of the data. For example the TRICARE information that was breached, there’s concern about the data including the vaccination and health information of our fighting forces being released or perhaps picked up by a nation-state like China or North Korea or others that would look at a bioterrorism strategy against our country in some respect. It might seem a little out there in terms of concern, but just as there’s nefarious for criminal or financial gain, there’s also nefarious for other types of issues where health information can be very useful.
Q: So, an enemy could potentially find out weaknesses in terms of vaccinations, and deduce the best way to attack our troops?
RK: Exactly. To use a bioterrorism agent that weakens the fighting forces of the U.S., knowing what they are vaccinated against and what they are not would be an important detail.
Q: Beyond the military, is the healthcare industry at large vulnerable to some sort of big data heist?
RK: Like when BP had their massive oil spill, there’s the potential for something like this to occur in the data security/privacy within healthcare – which would be a wake-up call for the industry. To put this into context, healthcare information compared to financial data or even oil is something that cannot be put back in the box. You can get a new Social Security number or a new credit card from a financial or identity theft. If you have an issue with the theft from TJX or one of those types of situations or even Sony with the email addresses and account numbers, but losing even a handful of hundreds of pieces of patient data that might surround a stigmatized illness or some variation on that theme, that information cannot be put back into the box. Once it’s out there, it’s out there forever. There are a couple of issues around that. One is that the information is worth 50 times what Social Security numbers are worth based on some of the things I’ve seen in various pieces of research, some of which Larry has done. So a Social Security number is worth, say, $1 on the street while a health insurance number and/or health information is worth $50 on the street, which points to the value of that information for other uses, whether it’s getting access to prescription drugs illegally, or health services.
So I do think there’s going to be a giant data spill of health information and that might be tens of thousands or even millions of records that create that impact. Since you’re Government Health IT, I love this example: Imagine if the health information of the U.S. Congress was compromised ... or of the GOP candidates … or some variation on that theme.
Q: The study found that sloppy mistakes are among the most prevalent causes of data breaches. What are the most common examples?
LP: Basically, it’s hard to say what the sloppiest is, or the worst example, but I think we see billing information, administrative applications like scheduling apps, definitely clinicians that are not paying attention to detail that unfortunately might lose a device like a handheld that contains patient information. Part of the whole ecosystem of healthcare is about collecting information. You have to do it. That’s why you’re in a hospital, right, to recover from an illness or for diagnostic purposes. There’s information that has to be collected about you, but there’s the handling of that between clinicians, administration, billing, and others including third-parties that creates kind of a perfect storm for data loss. There’s also the culture. I’m just going to jump in here – and this might sound pretty negative and damning to clinicians – but culturally we’re dealing with people who measure their efficiency in seconds. There’s pressure on healthcare organizations to be more efficient than they’ve previously been. There’s efficiency in terms of time, the time it takes to get something done. So if it takes a little bit of time to secure your handheld device with a password, that doesn’t get done. That goes back to the culture of healthcare where we push people to work very, very efficiently but they may not have the resources to go a little slower to be more mindful of their privacy and security responsibilities. This might also be true in other industries but based on the research we’ve done over the years healthcare seems to be one of the worst in terms of balancing the need for security with the mission of more efficiency.
Q: So why is healthcare among the worst?
LP: Well, I think there are financial challenges for many healthcare providers, so as a result of that it’s hard to get enough funding to have the right technology and the right people, the right governance processes in place to deal with these regulatory and real requirements, more than just regulatory. So that has a lot to do with it and as I said culturally the main vision in healthcare is to heal people. It’s not about protecting data. Some industries like financial services learned a long time ago that data protection is core to customer trust.
That concept does not seem to pervade the healthcare organizations that participated in our study and, interestingly enough, patients, people who are the victims of data loss, if a healthcare provider loses their data, they’re going to lose trust pretty quickly and say ‘Why do I want to go to a hospital that can’t manage my data? How can they manage my illness?’ ‘How can they manage a laboratory test if I can’t trust them to manage my billing order?’ Those kinds of issues are pervasive in healthcare. Other industries experience some of these, it’s not uniquely a healthcare problem – but it does seem that healthcare has more of these challenges than other industries.
RK: Widespread use of mobile devices is one of the culprits. It’s not unique to healthcare but they are causing problems.
Lots more here (really worth a browse):
And concern also made it to the Australian press. See here:

Data breaches common in US health system

NINETY-six per cent of US healthcare organisations have reported at least one data breach in the past two years, the Ponemon Institute reports in its second annual Patient Privacy and Data Security benchmark survey.
The independent privacy researcher found that organisations suffered an average of four data breaches during the period, at an average cost of $US2.2 million per incident.
Ponemon chairman Larry Ponemon described medical information handling practices as "sloppy", and "a disturbing reality check for patients".
"Data breach risks are high, identity theft and medical identity theft are on the rise, and patients’ privacy is affected," Dr Ponemon said.
Employee negligence was the primary culprit for the 32 per cent rise in the number of breaches during the 2010-11 financial year over the previous period, with 41 per cent of respondents blaming "sloppy mistakes" involving protected health information.
Forty-nine per cent of respondents cited lost or stolen computing devices, while 46 per cent reported "snafus" by third-parties or business associates.
Technical glitches played a part in one-third of the breaches, while criminal attacks were involved in 30 per cent of cases.
The average number of lost records was 2575, up from 1769 a year earlier.
The widespread use of mobile devices was a significant risk, with 81 per cent of respondents collecting, storing and transmitting some personal health information wirelessly – 49 per cent admitted their organisations did nothing to protect these devices.
In Australia, there is no compulsion for healthcare organisations to report data breaches, so the scale of the problem here is unknown.
More here:
The most telling here is the last paragraph - pointing out we don’t have a clue what is happening in Australia.
On the local front we have NEHTA with its work on a Security and access framework and NASH.
See here:

Nehta releases security framework

The National E-health Transition Authority (Nehta) has released the security and access framework that sets out how health information should be collected, stored and accessed – a critical step in its bid to win consumer support for the personally controlled electronic health records which Australians can sign up for starting mid-2012.
Details of the National eHealth Security and Access Framework (NESAF) which was unveiled today by Nehta are currently only available to vendors registered with the Nehta website.

The heart of the framework however is understood to be descriptions of the standards and protocols organisations should use when writing e-health systems, which have been compiled as a toolkit to help organisations design and develop health related computer systems.
Lots more here:
I would tell you more about the document but it seems I can’t.
From Page ii.
The content of this document is confidential. The information contained herein must only be used for the purpose for which it is supplied and must not be disclosed other than explicitly agreed in writing with NEHTA.
I can however point out that the NESAF aims to deliver a risk based management process framework that is to be used by any organisation that is receiving or sending information to the public e-Health infrastructure (PCEHR, IHI etc. one assumes) and that compliance mechanisms are still a bit of a work in progress and may be addressed in Version 4 of the NESAF which is due in March 2012.
Just who funds what, how compliance is to be audited and who needs to apply the framework will almost certainly become clear over time. The cost and complexity of some of what seems to be being proposed to a solo GP practice may be an issue I suspect.
In passing I note we have this available describing NASH - which works with the NESAF.

National Authentication Service for Health

The National Authentication Service for Health (NASH) is a key foundational component for eHealth in Australia. It is essential that the identity of people and organisations involved in each eHealth transaction can be assured, and this requires high quality digital credentials. The NASH, Australia’s first nationwide secure and authenticated service for healthcare delivery organisations and personnel to exchange sensitive eHealth information, will provide this.
In March 2011 the contract to design and build NASH was awarded to IBM, and NEHTA began working with stakeholders to develop its Concept of Operations and solution design.
The service will issue digital credentials, including digital certificates managed through the Public Key Infrastructure and secured by tokens such as smartcards. These credentials will validate identity when used to access eHealth systems that are enabled to use NASH authentication.
Specifically, NASH will:
  • provide a governance approach that would allow health sector participation in the operational policies and services NASH develops
  • establish the standards framework for national tokens/smartcards in healthcare delivery
  • establish a national supply of digital credentials available to all healthcare delivery entities in the health sector, allowing the traceability of eHealth transactions to trusted identities
  • allow healthcare communities to issue and manage authentication credentials locally, supported by national infrastructure
  • support software vendors in transitioning their products to use nationally recognised digital credentials
Found here (December 9, 2011).
Any close reading of this makes what I said last week seem optimistic. Implementation of NASH is going to take years and years and the costs are going to be more than considerable - both in initial implementation and ongoing maintenance.
Just how this fits with the PCEHR time-table I leave for resolution by the reader!


KH said...

A couple of points in relation to this post:

1. Although NEHTA's security and access framework is accessed via the vendor portal, anyone is able to register as a "vendor". Registration is simple and anyone with a genuine and serious interest in e-health seems to be quite welcome to have a look.

2. I hope you are being overly pessimistic in estimating that the implementation of NASH will take "years and years". NASH deals with a small number of well-defined transaction types. One would hope that implementation should not take too long. More worrying is the fact that according to NEHTA's Specification Roadmap the specs for NASH will not be finalized until late February 2012. Even if implementation proceeds quickly, for a service which is at the heart of e-health security there must be a period of intensive testing before it is put into use. It's hard to imagine that this could occur earlier than some time in 2013, maybe later. Until then virtually any ehealth services which are introduced will have to rely on some interim security/authentication arrangements - is that not so?

Dr David More MB PhD FACHI said...

On your points:

1. Yes the document is easy to get but marked confidential for some reason.

2. The NEHTA Blueprint V2.0 (Sep, 2011) says implementation of NASH is 2012 to 2017 as I read it. See earlier blog. The hold up will be issuing and paying for all those tokens!

3. Yes NASH progress will mean something else is needed for a few years.