Thursday Mar 10, 2011

Hospital fined $1m for Patient Data Breach


As an illustration of the potential cost of accidental breaches, the US Dept of Health and Human Services recently fined a hospital $1m for losing documents relating to some of its patients. Allegedly, the documents were left on the subway by a hospital employee.

For incidents in the UK, several local government bodies have been fined between £60k and £100k. Evidently, the watchdogs are taking an increasingly firm position.


Tuesday Sep 07, 2010

Data loss, encryption & security in health care - is your medical data safe?

Over the past few months I've been spending more time with customers in the health care industry. Globally we are seeing an increase in security breaches of patient data; just look at the following examples of data loss in the last month alone...


These are alarming numbers! As more and more medical and health care organizations are being mandated to move to electronic systems for storing your confidential medical information, these incidents are only going to rise. The modern world is full of new technology designed to make sharing information easier, networks are getting faster, storage devices bigger and threats to your data are increasing at the same rate. A recent study found that attempted attacks on health care organizations increased from an average of 6,500 per health care client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009. As the UK's Liberal Democrat Robert Brown said: "These are frightening figures. Central government, local councils, NHS boards and the police hold a great deal of information on all of us. Our data is in their hands and we need to know they are taking this responsibility seriously... Liberal Democrats called for an urgent review into data loss in January. I want to know what the government have done since then and why the situation has not improved."

Not improved? I'd like to know why it seems to be getting worse... This increase in activity is taking place in parallel with new laws trying to protect your information. Recent changes to legal acts, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, define that health information must be secured, and typically the key word is encryption. As an article on recent HIPAA changes in SC magazine mentions: "In the past, companies offered hard drives that used strong encryption. However, analysis showed that strong encryption was used but only to protect the password and not the data that was stored on the devices. The actual data stored on the hard drive was encrypted with an encryption algorithm developed by the company, which proved to be anything but strong. This illustrates the potential pitfalls of choosing any type of encryption package -- a lack of strong, secure encryption. Obviously, some encryption programs do a better job of protecting data than others, but how can a company choose the right one?"

"The government is not in control of the situation. They need to get a grip on this right now."
Robert Brown MSP, Spokesperson on Justice

Encryption is a key method of securing information, so much so that the HIPAA regulations say if your patient information is encrypted, you avoid fines and requirements to publicly notify government of any breach of data. So how do you choose the right way to use encryption? Start by looking at the way data is lost; it falls into a few common areas. Firstly, there is the loss or theft of devices on which the information is stored: DVDs lost in the post, stolen laptops and mislaid USB data devices seem to dominate the news. Then every so often someone accidentally emails patient data to the wrong recipient or posts files online insecurely. Secondly, look at the type of format the lost information is stored in:

  • Database exports/backups
  • Unstructured documents such as spreadsheets, PDFs, or emails

So many incidents involve the loss of laptops and storage devices that contain database backups or documents and emails that have either inadequate encryption or none at all.

Are there no decent technologies to address these problems?

Quite the opposite: now more than ever there are many products designed to address these issues by implementing encryption and access controls. Let's look at some of the solutions from Oracle which could significantly improve the security of patient information and massively reduce the risk of health care organizations being fined and publicly embarrassed.



Before I go into any detail, look at the diagram above, which highlights that patient information typically lives in three places: the database, the application or a document. To ensure we use encryption and security effectively, we need to put solutions in place in all three areas. I'm only going to cover specific Oracle encryption technologies in the rest of this article. It is common sense that the following should be part of a complete medical data security solution that also uses identity & access management solutions, browser to application server network encryption (HTTP over SSL, i.e. HTTPS) and other well known methods of information security.


Encrypting data at rest

Hard disk encryption is often touted as the answer to protecting data at rest. However, in practice this addresses only a small area of the problem. When it comes to databases, performance is key, so encrypting the disks on which the medical databases reside can significantly impact system performance. Performance is everything in health care; timely access to patient data can be a matter of life and death. However, with the Oracle database, encryption can be used within the database platform itself, and here we can really reduce the impact on performance. Transparent Data Encryption (TDE) applied at the tablespace level (the files which store information) has a minimal impact on performance and, more importantly, does not affect the ability to compress the data. The last thing you want is to start encrypting your database information only to find that your previously effective compression is now useless, resulting in a doubling of the database storage requirements.
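A sketch of tablespace-level TDE as described above, added here as an example and not taken from the original post or from Oracle's own material. It uses Oracle Database 11g-era syntax; the tablespace, schema, table, index and path names, and the column-name patterns in the audit query, are hypothetical.

```sql
-- Prerequisite in sqlnet.ora on the database server (directory is a placeholder):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /path/to/wallet)))

-- 1. Create the TDE master key. This also creates and opens the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";

-- 2. Confirm the wallet is open before creating anything encrypted.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 3. Create a tablespace whose datafile blocks are encrypted on disk.
CREATE TABLESPACE phi_secure
  DATAFILE '/path/to/oradata/phi_secure01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. In 11g an existing tablespace cannot be encrypted in place, so existing
--    patient tables are moved in. MOVE leaves the table's indexes UNUSABLE,
--    so rebuild them (here also into the encrypted tablespace).
--    The blocks of the old segment are freed, not wiped: treat the old
--    datafile and any backups of it as still containing clear text.
ALTER TABLE clinic.patient_records MOVE TABLESPACE phi_secure;
ALTER INDEX clinic.patient_records_pk REBUILD TABLESPACE phi_secure;

-- 5. Audit: tables with patient-looking columns that still live in an
--    unencrypted tablespace. Partitioned tables have a NULL tablespace_name
--    in DBA_TABLES and need the same check against DBA_TAB_PARTITIONS.
SELECT t.owner, t.table_name, t.tablespace_name
FROM   dba_tables t
JOIN   dba_tablespaces ts
       ON ts.tablespace_name = t.tablespace_name
WHERE  ts.encrypted = 'NO'
AND    t.owner NOT IN ('SYS', 'SYSTEM')
AND    EXISTS (
         SELECT 1
         FROM   dba_tab_columns c
         WHERE  c.owner = t.owner
         AND    c.table_name = t.table_name
         AND   (c.column_name LIKE '%PATIENT%'
             OR c.column_name LIKE '%SSN%'
             OR c.column_name LIKE '%NHS%'
             OR c.column_name LIKE '%DOB%'))
ORDER  BY t.owner, t.table_name;
```

An empty result from the last query only shows that nothing matching those name patterns is outside an encrypted tablespace; exports and backups of the same tables need their own encryption.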


But encrypting the data in the database doesn't help when physicians are downloading spreadsheets of patient data from health applications and storing them on USB devices and laptops which are easily lost or stolen. Of course this is where Information Rights Management (IRM) comes into play. Using IRM to encrypt and control access to patient data at the file level means no matter where the file is stored, it is always protected.


Encrypting data in transit

In transit usually means when information is being transferred across a network. Encrypting database backups on DVDs and using IRM to protect files stored on USB keys falls under data at rest requirements. The same set of technologies in the Oracle database that protect information whilst it resides on the disks can also be applied as the database transmits information to the application over the network. Configuring the encryption of information on the network in the Oracle database is easy and requires no change to the application! Protecting patient information couldn't be easier.
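The network encryption described above is switched on in the server's `sqlnet.ora`, and the result can be checked from SQL. The following is an added example, not from the original post; the parameter values shown are one 11g-era choice, and the session query is an assumption about how a site might audit its connections.

```sql
-- sqlnet.ora on the database server. No application change is needed.
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)   -- later releases add SHA256
--
-- The default for ENCRYPTION_SERVER is ACCEPTED: traffic is encrypted only
-- if the client asks for it, so a default client and a default server talk
-- in clear text. REQUIRED refuses connections that cannot encrypt.

-- 1. Check the current session. An encrypted session shows a banner row
--    naming the cipher, for example "AES256 encryption service adapter".
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- 2. List user sessions that have no encryption adapter loaded.
--    Local (bequeath) sessions never cross the network and will also
--    appear here; filter them by machine or program as appropriate.
SELECT s.sid, s.username, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    s.username IS NOT NULL
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info i
         WHERE  i.sid = s.sid
         AND    LOWER(i.network_service_banner)
                  LIKE '%encryption service adapter%')
ORDER  BY s.username, s.machine;
```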


Does IRM fit into securing data in transit? Of course, if the file is encrypted with IRM it doesn't matter how it is transferred over the network, it is always encrypted. As an attachment to an email, accidentally hosted on a public website or even stored in the database, IRM protected files are always secured no matter where they live or how they are transferred.


Encrypting data in use

Rarely do we see anyone discuss data in use. What do I mean by "in use"? It is when you access the health care application and look at a patient record, or when you have a spreadsheet or PDF open and are printing it or copying and pasting it into other documents. This is a massive area of data loss and one that very few technologies can address. Mostly we see solutions that protect information as it moves from the health systems to the users, ensuring that encryption and access controls provide security as it resides on storage devices and moves across networks. Yet this leaves a gaping hole: how do you ensure people are allowed to use patient data in a secure manner?


Two technologies really help in this regard. Data loss prevention (DLP) technologies are a great way to detect the movement of patient information as it crosses application, network and storage boundaries. I might want to copy my patient records to a USB key or email the information to my home computer. DLP does a great job of detecting this activity, yet it is limited to only blocking and preventing it from taking place. In health care this is a serious problem, stopping people getting access to and using patient information can prevent the physician from delivering care. The last thing you want to stop is a surgeon being able to access critical information when someone's life depends on it.

Again IRM steps in to provide a solution. IRM combined with DLP can both detect and secure the use of patient data. IRM delivers some functionality that significantly improves the ability to protect patient data.

  • IRM documents are never decrypted back to their original form. Unlike document security technologies such as PGP, IRM controls access to the document at all times and the files are never decrypted to disk.
  • The clipboard is under total control, so patient data remains inside the document and cannot be copied into social networks, other documents or applications.
  • Screen shots are prevented with IRM technology, so images of patient data cannot easily be copied or reproduced insecurely.
  • Printing is also controlled. So many incidents of patient data loss have been from physical, paper copies of the information. IRM can prevent documents from being printed and therefore this exposure is prevented.


Monday Dec 14, 2009

Privacy watchdog warns about unacceptable level of data loss, highlighting the NHS


The Information Commissioner's Office (ICO) is continuing to raise awareness of data loss and highlights that in 2010 companies need to do more to protect customer and patient information. In a recent report they state:

"Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."

The warning from the office comes with news that the worst offenders are in the health care industry. "We have investigated organisations, including several NHS bodies, that have failed to adequately secure their premises and hardware, which has left people's personal details at risk," said Mick Gorrill, the assistant commissioner with responsibility for investigations.

In the same month the ICO also released an excellent and much needed plain English guide to data protection.

Looking at the results of current research and also at the findings of risk assessments, Information Rights Management is a technology well designed to provide a fast solution to the loss of data in environments where security is hard to enforce. How do you control access to content that is lost by someone you've sent it to at another location outside your firewall? Oracle IRM provides the ability to secure and track that information no matter where it resides.

Loss of data in 2010 is to get more expensive as new laws allow the ICO to implement fines. David Smith, Deputy Information Commissioner, says: "Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation. Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010. We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at Board level."

If you want to learn more about Oracle IRM, have a look at some of the videos on our YouTube channel and please contact us if you want to undertake a free evaluation.

Monday Feb 09, 2009

Kaiser Permanente becomes another healthcare data loss casualty

A news report in the San Francisco bay area has brought attention to Kaiser warning nearly 30,000 employees of a data breach involving their names, addresses and social security numbers. In fact, a handful of employees have already reported incidents of identity theft.

The report states, "The theft came to light after the arrest of San Ramon resident Mia Garza, 28, on Dec. 23 on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data, said San Ramon police Cpl. Rich Persson."

So it seems that a computer was stolen from Kaiser and contained the information about the employees. A classic case of data loss that would've been prevented had the document in question been secured using Oracle IRM. Not only that, but attempts to open the file would've created an audit trail for the police to use as part of the investigation.

Kaiser is helping its employees by providing "one year of free credit monitoring to help affected employees protect their accounts." This can't be cheap for 30,000 odd employees. I wonder if the cost of an IRM solution would have been cheaper?

Friday Feb 06, 2009

Is your private health information safe anymore?

It seems that information about your health care activities just isn't safe any more. The news is being inundated with example after example of sensitive patient information being lost and stolen. Just today, in one day, I've been made aware of three incidents.


Patients’ files stolen from car at Royal Hospital

The Liverpool Echo, England, has reported that "personal details of 354 patients [of Royal Liverpool University Hospital] waiting for kidney transplants were stolen from the back of a car... It contained names, addresses, dates of birth and contact details as well as tissue and blood types." Another example of a good reason to employ a technology such as IRM to control the ability to print documents containing sensitive information.


One dialysis patient whose details were lost told the ECHO: “Obviously I was amazed that our details were going around on a paper copy. They should have been on an encrypted laptop." Actually, even storing the document on an encrypted laptop (hard disk, OS, device) wouldn't have prevented them from printing the copy.

Hospital bosses said it was essential transplant team members carried the information, which I agree with. But you should never have to forfeit this usability for security. Oracle IRM can provide both, ensuring that doctors can travel with the IRM protected content so that they can open the information whilst on the move and without access to the network, whilst still retaining control of the information if the laptop or storage device is lost.

MOST importantly, DON'T let them print this sensitive information in the first place!


Information Commissioner hits another NHS Trust after data breaches

Days after the information commissioner launched an initiative called the Personal Information Promise, they have hit Brent Teaching Primary Care Trust with enforcement action requiring that they will encrypt all data in future and improve security in line with the Data Protection Act.


This is after "... two laptops were stolen containing the personal information of 389 patients. The laptops were stored in a locked office, but were left out on a desk in breach of the PCT’s own security procedures. What's more, the laptops were not encrypted and contained sensitive information, including health details relating to some patients."

Mick Gorrill, assistant commissioner at the ICO goes on to say; "I am increasingly concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted. Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are processed securely.”

I bet millions of NHS patients also share your concern Mick :)


Catskill Regional Medical Center says worker peeked at patient files

A Catskill Regional Medical Center employee was fired Thursday for looking at the files of 431 patients without authorization. reports that, "The 10-year employee was working in medical records at the time of the violations and had ready access to the files, but a routine audit determined she was looking at files she had no reason to be in, including those of acquaintances and neighbors, said hospital CEO Steve Ruwoldt. "I think she was just curious," he said. "She was nosy."

Well, it is good news that the medical center was able to audit and gain evidence of this breach. Not good news for the employee of course! I'm not aware what format the patient data was stored in, but Oracle IRM would have helped both the center, in ensuring any documents containing such data could be secured from illegitimate access, and this particular employee, by stopping her from having a "quick nose" at the information, and it may well have saved her job.

People are curious and if the controls are not there to protect the information, it's human nature to take a "sneaky peek". I'm sure she is regretting her actions and this raises an interesting point about using IRM. There is real benefit to the end user. If the organisation can correctly protect the content then they can be safe in the knowledge that they can only open content they should legitimately get access to, even if moments of weakness do occur.

Friday Jan 30, 2009

Lost laptops plague health care organizations

2009 has not been kind to health care organizations. Already in the first month we have seen 2 incidents of lost/stolen laptops which contain patient information.

And then today in the news a report of the Department of Veterans Affairs announcing they have agreed to pay $20 million to current and former military personnel to settle a class action lawsuit on behalf of the men and women whose personal data was on a laptop computer stolen during a burglary. That is a big price to pay for the loss of one laptop and could have been avoided with the use of a technology such as Information Rights Management at a much smaller cost.


Wednesday Oct 01, 2008

More personal data lost in health care

It seems to be happening every week: sensitive information is being lost from health care organizations. This time email is the culprit.

BlueCross & BlueShield of Louisiana have had to publicly announce details of an incident where a document was accidentally attached to an email sent to a group of about 1,700 brokers. The document contained social security numbers, phone numbers and addresses. Fortunately the information was about the same group of people the email was sent to, no customer information was involved. This demonstrates how easily mistakes like this can happen and how BlueCross & BlueShield are required, by law, to make this information public knowledge. Fines for such incidents can be incurred although no details of a fine have been reported in this case.

Louisiana Blue Cross confirms data breach


Oracle IRM can prevent such incidents in many ways. Firstly, if this document had been classified and protected using IRM and the recipients had not been given rights to the classification, then the document would never have been accessible by this group of brokers. This is often the most valuable aspect of using an IRM technology: having a classification which only allows those within your organization to access confidential information, so that if the document or email is accidentally lost, attached and forwarded via email or stolen, it is unusable for anyone outside your organization.

However, what if the document had been protected incorrectly, to a classification to which the brokers did have access? Unlike many other similar technologies, Oracle IRM separates the rights to content from the documents and stores all this information on the centralized Oracle IRM server. In this case, once the mistake has been realized or reported, the BlueCross & BlueShield classification manager could simply deny access to this document, or to many documents, even after they have been distributed. When the brokers then attempt to access the document in the email, they are denied. Even those who were able to access the documents before the organization knew of the error would be denied access once their rights have been centrally changed. They may, however, still have access to other content in the same classification. Such is the flexibility of the Oracle IRM classification model.

Wednesday Sep 17, 2008

Protecting confidential patient data


A recent article in the Teesdale Mercury reports, unfortunately, another instance of patient data falling into the wrong hands. The press is constantly reporting issues of confidential patient information being hacked, lost, stolen or misused. This highlights a common problem within the healthcare industry: the requirement to share sensitive information about patients and practices of the organization whilst trying to comply with regulations which require that process and technology be in place to secure such information. Unfortunately incidents like this are all too common. The Data Loss DB also makes it very easy to look across the healthcare vertical and see who has been losing information, how much was lost, when and how.


Worse still, the healthcare sector is full of regulation. One of the most important in the U.S.A. is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed.

Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.

IRM is an excellent technology to solve the problem of securing any content covered by the HIPAA act. Not only does it ensure only the right people have access to the right patient data, but as each and every secure document is accessed an audit record is generated, giving the organization the ability to present reports which prove all efforts have been taken to secure confidential patient information.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
