The data leak at Tacoma-based Franciscan Health System that left some 8,300 patients’ information compromised has been well-publicized since the company announced it earlier this month.
Indeed, Franciscan — and its parent company, Colorado’s Catholic Health Initiatives, whose subsidiaries were targeted nationwide — has been busy circling the wagons, both publicly and internally, since the breach itself occurred in January. Speedy communication, in particular, was key, since the scam involved employees responding with login names and passwords to a bogus email disguised as a request from CHI.
“We needed to quickly get information to our staff so they knew what to do,” said Mary Getchell, Franciscan’s director of strategic communications, at an April forum hosted by the South Sound PRSA. Getchell and her team of six were among the first of Franciscan’s wide stable of personnel to react, immediately working on an integrated communications plan to give all staff members answers.
A forensic computer company, hired by CHI to probe the breach, continues to investigate the case. The root IP address of the emails has been announced as based at a small California college; the specific school, however, remains undisclosed.
A formal re-education program on data security and email phishing scams for Franciscan employees was announced at the beginning of April by both media relations manager Scott Thompson and regional privacy officer Betty Doyle. That program, per Thompson, has yet to begin, though it is expected to kick off within the coming weeks.
Attacks on the rise
Unfortunately for Franciscan and other large health systems, it seems that attacks on the databanks of the health care sector are steadily on the rise.
That much was forecast last year by national firm Experian, best known as one of the country’s main credit bureaus, but whose services also include helping companies recover from data breaches. Michael Bruemmer, vice president of Experian Data Breach Resolution, authored a report in December predicting that the health care sector, “by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”
The prediction only follows a startling trend over the past couple of years. In January alone, more than 70 incidents were added to the online list of health data breaches affecting 500 or more people that is curated by the Department of Health and Human Services. Of that tally, about half occurred in 2012, and some 35 happened in 2013. And health IT firm Redspin came out in February with its “Report on the State of Health Care IT Security,” citing a 138 percent increase in protected health information breaches between 2012 and 2013.
“Breaches in health care are growing even faster than in the data card industry and in some other industries we’re looking in,” added Kennet Westby, CEO and founder of Seattle IT audit and compliance firm Coalfire, which works with a variety of public and private South Sound clients. “I think you’ll see that trend continue in 2014 and into 2015. It’s definitely the fastest growing part of our practice.”
Recent numbers only validate those observations.
“Last year, out of the 2,300 incidents that we serviced, about 46 percent were in health care,” said Bruemmer. “This year, through the first quarter, that number will probably be closer to 50 percent.
“There’s two reasons for making the prediction I made back in December,” Bruemmer continued. “One, because there’s so much distributed personal identity information or protected health information that’s out in networks of providers, processors and payers.
“The second reason is because the value of a full identity string that includes insurance and/or health care information is about five times more than just a regular identity string that just has Social (Security Number), address, name and day of birth. It’s simply following the money, and it’s the fact that these large health care companies have so much data that, in many cases, they don’t know where all that protected health information rests on their network.”
“I think, overall, your risk environment in health care is one that’s been managed with more of a lax approach,” Westby added. “The awareness has been there for a long time. But the real environment — whether it’s hospitals, (insurance) plan providers, technology platforms and vendors — the actual maturity of those markets is still very low as far as security risk management controls.”
That’s despite the existence of HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) since 1996 and 2009, respectively, and comprehensive changes to the implementation of those regulations last year.
“We (Experian) did a study with (privacy research organization) The Ponemon Institute, and in the general population of organizations, about 39 percent say they don’t have a data breach response plan,” said Bruemmer. “About 17 percent of health care organizations said they don’t have a response plan. Although that’s lower than the general population, that’s still high because HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act) require you not only to have risk assessment, but also a response plan in place. There are people who don’t have it despite the more stringent laws for health care.”
The result is a national landscape where a breach that affects some 8,000 people, like the one at Franciscan — or even the CHI-wide compromise that affected some 12,000 — is viewed as a small-scale incursion.
“Nationwide, you’d see a breach in the 10,000-records-or-less range, I want to say, weekly now,” estimated Westby. “It’s that frequent. Something in the 8,300 range, I’d classify that as small compared to what we’ve seen.”
Compare that, for example, to the largest of the 2013 incidents added to the online HHS list in January: the November theft of two unencrypted desktop computers from the headquarters of Horizon Blue Cross Blue Shield of New Jersey, which impacted nearly 840,000 individuals. Even within the region, the largest breach involved University of Washington Medicine last October, in which some 76,000 patients’ information was leaked.
The general public, for one, seems to have taken note of health care’s vulnerability to cyberattacks.
“Fifty-eight percent of people said in a recent e-health survey that we did that, when they access their medical records online, they put their privacy and security at the greatest risk,” Bruemmer said. “That’s versus just using social media, email or making payments otherwise. It’s a real concern, and these are savvy Internet users who were part of the survey.”
A common attack
Neither Bruemmer nor Westby elected to comment specifically on the attack on Franciscan, but the health care giant’s response to the phishing scam seems to fall within the experts’ do’s and don’ts.
“Washington is one of now 47 states that do have state notification laws to alert those affected by a data breach,” Bruemmer said. State regulations specifically indicate that such disclosure “shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement,” per Title 42 of the Revised Code of Washington.
Franciscan sent letters informing affected patients of the Jan. 27 breach on March 28, Thompson said earlier this month. Franciscan’s forensic IT investigators took almost two months to identify all the patients whose information was affected, Thompson said, because the “bits and pieces of information” that the scammers were able to steal often didn’t include all the information necessary to identify individual patients.
Franciscan’s rapid engagement of a forensic computer company was key to an appropriate response, according to Bruemmer and Westby.
“We always recommend the first thing you do is contact outside privacy counsel,” said Bruemmer, “because data breach response in the health care space has very specific federal and state notification laws, whether it’s timeliness or specifics on the implementation of that notification. Generally, inside counsel for the organization usually doesn’t have that level of expertise.
“The second thing is to make sure you select, as required, that good forensics firm so you can shut down the intrusion, determine the particulars of how it happened, and begin chasing it down, so to speak. The counsel and the forensics are always the first two pieces.”
That the breach was tracked to a small college was not unusual, Westby explained.
“That’s where you’d expect to see it come from,” he said. “Universities are one of the biggest targets for systems that are compromised, and then they’re used as the basis to execute these types of attacks. They’ll use an email or an SMTP server in a university that’s, frankly, a somewhat easy target for compromise and has high bandwidth and availability … They’ll have a system where they’ll use the university as a front for their spam server to send out their (emails).”
On the legal side, things have been quiet for Franciscan, but Westby said that, depending on the circumstances, there are openings for litigation.
“Post-breach, we’re seeing more and more civil and criminal legal exposure for organizations,” he said. “Civil is more focused around identifying and proving negligence: Is this a reasonable risk that this organization should have been aware of? Did they have appropriate controls?
“The criminal (side) is, was there more of a gross negligence? Is there a situation where appropriate controls were knowingly not taken or the organization was knowingly exposed to risk? You’re seeing more and more litigation on both sides there. More people are trying to prove those things when data breaches happen.”
Even before the legal risk, Westby said, the cost of a breach can be massive, from the hard costs of providing identity protection to those affected and updating the systems that were targeted by cyberattackers. Indeed, a February study by global IT firm EMC estimated that data breaches cost health care providers more than $1.6 billion a year.
“The biggest real cost to the company, though, is probably the one that’s most intangible in terms of putting real dollars around,” Westby said. “That’s the impact of the damage to the brand. In health care, in a competitive market, that could be huge.”
While there has been blowback to be sure, Franciscan, so far, seems to have escaped major public outcry. According to Thompson, the health system is committed to addressing such publicity constructively.
“We’ve gotten some negative publicity, but for us, we can learn from it,” Thompson said. “We can implement better safeguards and hopefully, grow stronger in the long run.”