ISO/IEC 27040, published January 5, 2015, defines a data breach, also known as a data leak or data spill, as: the ‘compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.’
In a world of technology, cyber-hacking headlines are common occurrences. We are repeatedly confronted with the fact that our private, confidential information may not be as safe as we’ve been led to believe. From the largest corporations to the smallest healthcare practice, we assume our private information is secure. After all, why would hackers want to gather information from a small-town urgent care, for instance?
Cyber-hacking on a global scale
In the last twenty-four months, approximately 50% of businesses and government entities around the world have either been hacked, or attempts have been made to gain access to their data. These faceless hackers can be part of a group, or an individual working out of their mother’s basement. They can be anyone and anywhere. They are not endemic to any country, color, political group, or religion. They hack for profit, to gather specific information, or to see if they can break a system’s defenses. Their reasons may be complex or simple.
Whoever the hacker or hackers may be, the consequences of their actions have far-reaching implications. Your data has been compromised. Your business could be at risk, and you have lost your clients’ trust, as well as your reputation. This could have potentially devastating consequences for any company. After all, no business, no matter its size, wants to be in a position whereby its clients’ personal information – whether health-related, financial, or otherwise – is leaked to unknown third parties.
Inside threats
Most large businesses expect cyber-attacks, and to this end, have intricate firewalls in place and employ the services of IT specialists to protect their information. Many attacks are simple and easily handled, but there are some that are of a more sophisticated and complex nature.
What’s scary, however, is the number of breaches that take place from within companies. These are the result of employees who either deliberately or inadvertently leak information.
Those who leak information intentionally may do so for financial gain, because they feel threatened, or to ‘get back’ at someone. Whatever their reason, they have breached our confidentiality as well as that of the company they work for.
Those who inadvertently leak information, on the other hand, could do so in a number of ways. Just accidentally sending an e-mail to the wrong recipient could open a whole can of worms.
Human error
The majority of employees, especially in healthcare, handle confidential information daily. As ‘familiarity breeds contempt,’ they can become lax with privacy policies and procedures, and this is usually when mistakes are made. It is estimated that over 95% of data breaches are due to human error by employees. Within the healthcare industry alone, it is estimated to be 80% for 2015, based on known incidents so far.
Simple mistakes may include forgetting to turn on the firewall, falling victim to malware, or losing a laptop containing encryption keys. The Department of Health and Human Services has indicated that up to 50% of data breaches are due to unencrypted computing or storage devices that have been either lost or stolen. More often than not, this is due to simple carelessness on the part of employees.
Risks
The healthcare industry, as it stands, is at particular risk of cyber-attacks, and will have to pay particular attention to this threat. This includes hospitals, clinics, and imaging centers, as well as outsourced IT and cloud-based service providers.
This industry has access to a wealth of sensitive data, such as medical records and information pertaining to individuals’ identities, location, insurance, finances, etc. It could potentially be targeted by large outside groups, perhaps even linked to foreign countries, who want access to this information, as it could be used for identity theft, or even extortion, as well as other nefarious purposes.
Healthcare can be deemed a ‘soft target’ because it has so many interconnected devices that all carry patients’ personal information, hence all of the recent buzz around the Internet of Things. These devices are usually easily accessible to a hacker who is worth his salt. Healthcare employees may not even know exactly where all their information is stored, as their networks are large and convoluted, not to mention complicated.
Not all breaches are equal
There are different categories attached to cyber-hacking, information leaks, or any other means by which personal information is obtained by third parties. They are classified as either an event, a security incident, or a data breach.
An event, as defined by the National Institute of Standards and Technology (NIST), is ‘any observable occurrence in a system or network,’ and goes on to say that adverse events are those that have a ‘negative consequence, such as…unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.’
Security incidents, according to Bloomberg Business, are ‘sophisticated data attacks,’ and include the loss of any sensitive information, including that which is due to human error such as the loss or misappropriation of paper files.
Any privacy or security incident is deemed a data breach when it meets the legal definitions set out in federal or state law. Although only a relatively small percentage of these incidents are classified as data breaches, their identification is a regulatory obligation, and a risk assessment needs to be made. To this end, it is always advisable to treat each such incident as a potential breach, and to take steps to combat and contain it.
Accountability
The onus is on the affected company to document such incidents and to take steps to investigate the matter. Failure to do so can lead to penalties and appropriate action being taken against them.
Whether a hospital or a private practitioner, it is the responsibility of the owner(s)/board members to ensure that all information is dealt with professionally and that these ethics are carried on down the line. This may often involve extensive security and privacy training. This should be done on a regular basis to ensure that it stays fresh in mind and adheres to the most current best practices for data security.
When encountering a data breach or leak
Federal law clearly states that all data breaches, regardless of the business sector involved or the gravity of the situation, need to be assessed to determine whether they require reporting to the relevant stakeholders or authorities. Studies have indicated that not all organizations have these incident response processes in place. This is particularly disturbing in light of the amount of personal information the healthcare industry has access to.
All data breaches need to be reported to stakeholders, whether they are the company shareholders, owners, clients, or any other parties that have a stake in the business, no matter the capacity.
According to Rick Kam, the co-founder of ID Experts, “A breach is a breach, no matter how small.” He goes on to say, “How many more individuals could be at risk due to unreported data breaches?” The number of unreported data breaches, both within the health industry and others, is staggering, and can’t be ignored. Accountability is a key issue and those responsible for planning for and preventing these incidents should make every effort possible to contain them, if and when they should happen.
Society today has changed from that of fifty – or even just twenty – years ago. We put all our information on the internet, and trust everyone, from large health insurance companies to our local doctor, with our private information. We take it for granted that these people have our best interests at heart, and will do everything within their power to keep our personal and private information safe. But do we ever think globally? That certain individuals of unknown origin make it their life’s work to actively find out everything they can about us? That they are interested in our personal lives, no matter how inconsequential we may think we are in the bigger scheme of things? Or that the local doctor’s bookkeeper has had a falling out with her boss and wants to get him into trouble by leaking confidential information? The answer, if you are the average guy on the street, is probably a resounding ‘No!’ Yet these breaches take place all the time, whether deliberately or due to simple human error.