Health care providers have become a ripe target for computer criminals in recent times which is making it difficult for the providers to manage their response to security incidents. That not only makes it difficult to protect patient data, but it puts providers at risk of financial sanctions from government regulators.
"Far too often health care incident management plans are not sufficient to deal with complex disclosure requirements causing delays in development of a complete crisis communication plan," explained Anthony Harris, chief technologist with Booz Allen Hamilton.
He added that delays in those plans can lead to missed disclosure deadlines, insufficient artifact collection, and confusion addressing individual state notification requirements.
Those were among the considerations taken into account by
Seattle Children's Hospital when it decided to deploy Radar, a cloud-based security incident management solution by ID Experts. "I have three systems to track all our incidents -- whether it be a privacy incident, security incident or IT incident," said Seattle Children's CISO Cris Ewell. "I use Radar as the source of truth for all HIPAA incidents." HIPAA, or the Health Insurance Portability and Accountability Act, is the federal law that, among other things, governs the security of health care electronic information.
Two features in Radar attracted Seattle Children's to the solution -- its ability to perform risk analysis of incidents, which creates consistency in managing the incidents, and its handling of government regulations. "Radar gives me a place where I can put all the incidents related to HIPAA and see them at a glance," Ewell said, "and I know that I'm tracking them in the exact same way. That consistency is very important."
When regulators audit a health care provider, they look for consistent handling of security incidents. An incident is considered a breach unless you can demonstrate otherwise. Consistent application of risk analysis can be used in such demonstrations.
"Eighty percent of organizations don't have a consistent process," said Mahmood Sher-Jan, vice president and general manager of ID Expert. "Radar brings that consistency to the process."
Regulatory requirements on health care providers are an added challenge to incident management schemes. "Notification and disclosure requirements for state and government authorities differ significantly based on number of individuals impacted and type of record data," explained Booze's Harris.
For example, if lost or exposed records include Medicaid or Medicare data, the regional account manager for the Centers for Medicare and Medicaid Services must be informed within two days.
If the healthcare breach involved more than 500 individual records, the U.S. Department of Health and Human Services must be informed within 60 days. If less than 500, the breach can be logged in an annual report.
On top of the federal rules, many states have different reporting methods with which the health care organization must comply.
The burden of navigating that regulatory morass is easy for Radar, which lives in the cloud. "We were tracking 20 changes in state laws this year alone," ID Expert's Sher-Jan said. "That's something that's very difficult for an organization of any size to do."
"That's part of the reason we implemented Radar in the cloud," he added. "We sometimes have to put out multiple releases of the program in a week."
In addition, Radar permits local customization on a very granular level, which also appealed to Ewell at Seattle Children's because there can be subtle differences in the treatment of the same kind of incident under federal and state law. "Radar is nuanced enough to give me the kind of granularity I need to determine the risk level of an incident," Ewell said.
Customization is important to the effectiveness of the workflow management tools in these kinds of systems, Booze's Harris noted. "These workflow management tools have a huge potential to help organizations improve incident tracking, reporting and compliance when they are properly customized with the organizations incident management processes since they make customizing a plan for an particular type of incident as easy as using a tax program," he said.
"However," he added, "the effectiveness of the organizations ability to respond and mitigate an incident will still be reliant on a well-designed and regularly exercised incident management plan."
Greg Michaels, an associate managing director at Kroll Advisory Solutions, agreed. "These systems can make detection easier," he said, "but there's a planning component that's necessary. You need to know what you're going to do when something happens."
Problems arise, he continued, when information produced by the systems are ignored. "Sometimes these solutions are in place and if they're not monitored or followed up on, it's the same as not having any system at all," he said.
Both large and small organizations can benefit from an incident management system, but smaller organizations often can't afford one. "Larger institutions have the resources to manage security incidents, but for smaller physician practices, long-term care facilities and other entities strapped for resources, it tends to be a problem," explained Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society.
"Smaller entities tend to suffer because they don't have as much to invest in these systems as larger entities," she added.
With security incidents on the rise, Radar and systems like it are becoming an important part of a health care providers cyber defenses. In the last four years alone, data thievery on health care systems has increased 100 percent, according to a study released in the spring by the Ponemon Institute. Those breaches exposed health care information for about 10 percent of the population, estimates Gartner analyst Jack Santos. What's more, those affected by breaches continue to climb after a precipitous drop in 2012. Data breaches impacted nearly eight million individuals in 2013, almost four times the 2.2 million affected the previous year.
Although the average two-year cost of a breach has mostly declined in recent years to $2 million in 2013 from an average of $2.2 million during the previous three years, Ponemon believes the potential cost to the health care industry to be as much as $5.6 billion annually.
"This isn't a problem that's going to go away," Seattle Children's Ewell said. "With diligence, we can minimize the number of incidents, but the number is never going to go down to zero. We're always going to have incidents we have to investigate. We're always going to have threat actors and adversaries that want to compromise our data."