Community Health Systems, Inc. experienced the largest healthcare data breach of the year, when it announced toward the end of the summer that Chinese cybercriminals hacked into its computer network with malware between April and June 2014. The hackers compromised 4.5 million patients' data, including names, addresses, birth dates, telephone numbers and Social Security numbers. Mandiant stated that they were looking for the usual intellectual property.
In healthcare, breaches climbed 138 percent. Take 29.3 million, for instance, the number of patient health records compromised in HIPAA data breaches since 2009, or 138 percent, the jump in the number of health records breached since 2012 alone.
Lisa Gallagher, senior director of privacy and security for HIMSS, speaking at the 2012 Boston Privacy and Security Forum, said that somewhere between 40 million and 45 million patient records have actually been compromised. The number can't be confirmed, as the data isn't all there, she adds, but it's a more accurate figure based on healthcare organizations' reporting. Moreover, of the 90,000 complaints HHS' Office for Civil Rights (OCR) received in 2013, some 5,447 went unresolved. Although the office boasts a 94 percent success rate for resolving cases, some 53,000 of those cases may have been closed because OCR lacked jurisdiction, or because the complaint was untimely or withdrawn, not because a HIPAA violation did not occur.
Many of these breaches, officials say, can be easily avoided through regular risk analysis and updating company policies. "By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment," Redspin officials wrote in the report. "From there you can implement a remediation plan that significantly lowers your risk of breach."
We regularly perform HIPAA and multiple business-sector IT audits and risk assessments. I was also a chief security risk officer, and throughout my career, whether as a consultant or a cyber-risk manager, I keep seeing the same things over and over.
First, the CEO is often unaware of the risk of doing business online. Homeland Security has created an excellent list of five questions for CEOs. I have actually worked for companies as a risk manager reporting to IT and was unable to share this list with the CEO, as doing so would have caused a direct confrontation with IT.
Having Security & Compliance report to the IT Department is one of the biggest issues I have seen; it often prevents cyber risk management from taking place. It's the fox guarding the chickens.
ISACA and KPMG have weighed in on this, and it's clearly an issue. ISACA states: "Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization's response to them." "To achieve effectiveness and sustainability in today's complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department." (Information Security Governance, 2nd edition)