Health Care Breaches: Top Sources of Dark Medical Data

May 29, 2013

One of the goals of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was to spur adoption of electronic record keeping in what has been a paper-intensive sector of the economy. Realizing that the transition to digital data could lead to larger and more serious breach incidents, regulators at Health and Human Services (HHS) came up with the Breach Notification Rule: healthcare organizations and their business associates are required to notify HHS when there is an exposure of unencrypted health data involving more than 500 individuals.

This breach data is also publicly available, so I decided to take a peek. It is clear from the stats that the healthcare industry, although relatively new to computerized record-keeping, is already experiencing significant breaches involving its human-generated unstructured content, or dark data.

Since about 2010, HHS has received over 600 breach notifications for almost 22.1 million health records. I mined this data to create a simple chart based on the top five sources of this breached data, which accounts for about 85% of all records taken. The breach categories, by the way, come from the self-reported descriptions and other incident notes—not always clearly stated, so some judgement calls were made.

Keep in mind that for a medical breach to be reportable, the data has to be unencrypted protected health information, or PHI: essentially, personally identifiable information such as names, social security numbers and medical insurance numbers. If we exclude the Backup and Other categories, we can be fairly sure that the remaining nine million exposed records contained dark data. Downloaded in clear-text form from centralized medical information databases, this dark medical data typically finds a home in loosely permissioned folders. From there it is either directly hacked or accidentally exposed, or it is transferred to laptops and other portable devices such as USB drives that are ultimately lost or stolen.

Another source of breached data has been misplaced backup tapes or CDs, which seem to be a significant problem for healthcare data processors. There is even one incident, accounting for most of the Other category, in which a physical server drive containing 1.9 million patient records was stolen. In all these cases the data taken was structured, i.e., formatted records. But since the PHI was not encrypted, it would not take much work for a hacker to zero in on and parse out account numbers, names, addresses, and other identifiers.

Bottom line: as far as determined medical data thieves are concerned, it is better to think of even this structured PHI data as simply badly formatted but target-rich spreadsheets.


The Healthcare Market Opportunity

August 31, 2012

Over the past 6 months there have been a number of data breaches within the healthcare market. Data security breaches cost the U.S. healthcare industry about $6.5 billion a year [1], and even with these breaches widely recognized, 50% of respondents to a survey by RedSpin (an IT security audit firm) say nothing is being done to protect data [2]. The healthcare market therefore represents a huge opportunity for managed service providers to provide cloud backup and recovery services that address this growing issue.

Market Opportunity Abound

With the size and frequency of data breaches alarming the health care industry, now is the time to capitalize on these unfortunate security concerns by stressing the benefits that cloud backup services offer in terms of keeping records secure as well as ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. With more than 19 million individuals affected by major healthcare information breaches since September 2009, and data breaches from unencrypted devices having increased 525% in 2011, this represents a huge market opportunity for managed service providers already selling into the healthcare market, or those looking to sell to it. Not every managed service provider can effectively ensure adequate data protection for a healthcare clinic or hospital, so make sure you can speak their vernacular and understand all the compliance and regulatory requirements involved. As a managed service provider offering, or looking to offer, cloud backup services to the healthcare market, you need to have a HIPAA-compliant cloud backup platform in place, with FIPS 140-2 certification being a huge bonus.

Why Healthcare Clinics/Hospitals Should Invest in Cloud Backup Services from Managed Service Providers to Protect Patient Privacy?

Investing in cloud backup services ensures a secure backup system for healthcare clinics/hospitals where BYOD is prevalent (as well as those where it is not), since not every backup product can protect endpoint devices such as laptops, tablets and smart phones. Investing in newer technologies improves the reliability and speed of recovery for patient data should there be a disaster, and minimizes the risk of data theft or loss by using the strongest encryption available, ensuring that data is encrypted in flight and at rest and that only the healthcare clinic/hospital has the ability to decrypt it. It also eliminates the shortcomings of tape backup, which include high cost, vulnerability to obsolescence, and the potential inability to recover data because a tape failed or was lost or stolen while being transported off-site.

If you’re interested in learning more about how to invest in cloud backup services, please visit www.c24.co.uk


Is your data secure in the cloud?

November 25, 2011

One of the main concerns from end users about cloud storage is its security. “I am legally obliged to keep my data inside the country’s boundaries; where would you store it?” “How do I know it’s safe?” “How do I know I’m the only one that can access it?” These are all questions that cloud computing vendors and resellers have been striving to answer, and reassure their customers about since this service delivery model was first introduced.

However, today there is a variety of ways in which cloud solution providers, i.e., vendors, resellers and Managed Service Providers (MSPs), can near-guarantee data security, and the most sophisticated of these is encryption. This is a simple yet effective process that will put many customers' minds at rest, and is therefore a powerful tool for the channel.

Before data leaves the end user's datacentre it is encrypted at the source, and it stays encrypted while it is transmitted to the cloud and after it arrives there. In other words, the data is encrypted both in flight and at rest. Anyone trying to intercept this data while it is being transferred would therefore only capture encrypted files; access to the confidential content is hence not possible.

In order to access data in its unencrypted form, it needs to be unlocked, and the only key resides with the customer, ensuring that the stored version of the data is as safe and secure in the MSP's datacentre as if it were in-house. Depending on the required level of security, keys can have between eight and 32 digits. So far, so secure.

Safeguards can be applied at various levels to ensure the security of customers' data from cradle to grave, including an encryption key escrow management capability. This allows an additional security provision to be put in place should a customer lose or forget their encryption key. Measures of security (or the lack thereof) will often be a deal breaker, so any reseller or cloud service provider looking for that extra element of differentiation should certainly look into having as many of these security measures as possible in their portfolio. Amongst the most important factors is to ensure that the underlying technology vendor has a third-party certification of the encryption elements in its products, such as one from a governmental body. It is not enough that a vendor claims their product is secure and incorporates some form of cryptography. The real question is whether anyone has actually verified that the encryption was implemented properly so that it cannot be defeated. This is the comfort level that a recognised third-party certification provides.

In the cloud data centre itself, the security of the data is protected even from datacentre operations staff due to its encrypted format. Cloud operations personnel do not have unauthorised access to the decryption key, meaning that customers should feel safe in the knowledge that their data is visible only to them. Building a level of trust such as this is “key” (excuse the pun) when establishing channel relationships, as trusted resellers are the ones to whom happy customers will return, and will be recommended to others.

It is details such as this that give good relationships the advantage; in order to provide the best possible service it is necessary to understand the technology being utilised and leverage it to each customer’s advantage. Thus, fears about the security of data in the cloud should be greatly reduced. Customers who feel happy with the level of security, support and flexibility provided are the ones with whom relationships will flourish.


C24 release datastore24 solution

August 11, 2011

C24 have just released datastore24, a powerful back-up solution powered by Asigra. We have invested significantly in the underlying infrastructure so as to offer the best possible solution for clients.

For those of you who worry about your data being stored in the cloud or on premise:

datastore24 is backed by the Asigra Encryption Advantage. Asigra encrypts the data in flight and at rest, from cradle to grave.

You can choose from encryption options that range from DES 56-bit with an 8-character key, to AES 256-bit with a 32-character key. Asigra maintains backward compatibility of its software so that even now, using the current release of Asigra, users can still access and retrieve data encrypted with DES 56-bit encryption years ago.

Asigra Security Track Record

  • Zero breaches or compromised systems in over 20 years of operation
  • IANA-registered ports
  • Data stored in compressed and encrypted format
  • Digital signature for every file and block of data
  • Data on disk in self-describing format
  • Background Autonomic Healing and System Admin
  • Restorability Validation Process (digital signature check)
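The scheme these two posts describe (encrypt at the source with a key only the customer holds, keep the data encrypted in flight and at rest, sign every block, and check that signature before a restore) can be shown end to end in a few dozen lines. The Go program below is an added illustration written for this page; it is not Asigra's or C24's code, and the type names, the block layout and the choice of AES-256-GCM with Ed25519 signatures are assumptions. The sample patient record is constructed. It uses the 32-byte AES-256 option rather than the DES-56 one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// CustomerKeys never leave the customer's site (assumed layout, not a vendor API).
// Enc is a 32-byte AES-256 key; Sign is an Ed25519 key that signs every block.
type CustomerKeys struct {
	Enc  []byte
	Sign ed25519.PrivateKey
}

// SealedBlock is all the provider ever stores: no plaintext, no keys.
type SealedBlock struct {
	ID         uint64
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// NewCustomerKeys generates fresh random keys at the customer's site.
func NewCustomerKeys() (CustomerKeys, error) {
	enc := make([]byte, 32)
	if _, err := rand.Read(enc); err != nil {
		return CustomerKeys{}, err
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return CustomerKeys{Enc: enc, Sign: priv}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedBytes is what the per-block signature covers: id, nonce and ciphertext.
func signedBytes(sb SealedBlock) []byte {
	buf := make([]byte, 8, 8+len(sb.Nonce)+len(sb.Ciphertext))
	binary.BigEndian.PutUint64(buf, sb.ID)
	return append(append(buf, sb.Nonce...), sb.Ciphertext...)
}

// SealBlock encrypts one block at the source with AES-256-GCM and signs it.
func SealBlock(keys CustomerKeys, id uint64, plaintext []byte) (SealedBlock, error) {
	gcm, err := newGCM(keys.Enc)
	if err != nil {
		return SealedBlock{}, err
	}
	sb := SealedBlock{ID: id, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(sb.Nonce); err != nil {
		return SealedBlock{}, err
	}
	sb.Ciphertext = gcm.Seal(nil, sb.Nonce, plaintext, nil)
	sb.Signature = ed25519.Sign(keys.Sign, signedBytes(sb))
	return sb, nil
}

// ValidateBlock is the restorability check; it needs only the public key, not Enc.
func ValidateBlock(pub ed25519.PublicKey, sb SealedBlock) bool {
	return ed25519.Verify(pub, signedBytes(sb), sb.Signature)
}

// OpenBlock validates, then decrypts; tampered or corrupted data never yields plaintext.
func OpenBlock(keys CustomerKeys, sb SealedBlock) ([]byte, error) {
	if !ValidateBlock(keys.Sign.Public().(ed25519.PublicKey), sb) {
		return nil, errors.New("restorability validation failed: bad signature")
	}
	gcm, err := newGCM(keys.Enc)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sb.Nonce, sb.Ciphertext, nil)
}

func main() {
	keys, err := NewCustomerKeys()
	if err != nil {
		panic(err)
	}
	record := []byte("MRN=000123;name=Sample Patient;plan=SAMPLE") // constructed sample
	sb, err := SealBlock(keys, 1, record)
	if err != nil {
		panic(err)
	}
	pub := keys.Sign.Public().(ed25519.PublicKey)
	fmt.Println("provider-side validation of intact block:", ValidateBlock(pub, sb))
	sb.Ciphertext[0] ^= 0x01 // simulate corruption in transit or on disk
	_, err = OpenBlock(keys, sb)
	fmt.Println("restore of corrupted block:", err)
}
```

The point of splitting the two keys is that the provider can run ValidateBlock over every stored block with nothing but the customer's public key, which is the "digital signature check" kind of restorability validation, while decryption needs the AES key that stays with the customer. The signature also covers the block id, so a block cannot be passed off as a different one at restore time.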

Password Management and Password Rotation. You can align your customer’s existing security policies and procedures with your data protection policies. Asigra Cloud Backup includes a feature that gives you the option to automatically generate passwords and change them at random for specific backup user accounts, so that no one can access the account or the data.

Asigra Compliance Advantage. Asigra Cloud Backup can help your business with a variety of compliance issues:

  • Disk-based, automated solution that runs quietly in the background with no manual intervention – tape backups require manual intervention and thus are not compliant with regulations like Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and others. Contact us for the full list of compliance requirements.
  • All backup data is aggregated, allowing for immediate recovery - traditional backup solutions are not centralized and lead to difficulties in obtaining and providing records to auditors in a timely manner.
  • Backup data is automatically & securely transferred offsite using FIPS 140-2 certified encryption technology via private or public cloud – traditional backup architecture requires additional 3rd party products or manual involvement when transferring data offsite on disk or tape and is thus not secure or reliable.
