Identity theft remains a key challenge for hospital executives. The Identity Theft Resource Center (ITRC), a nonprofit organization dedicated exclusively to the understanding and prevention of identity theft, indicates that the number of reported incidents of identity theft has more than tripled over the last four years. To make matters worse, most of the incidents are neither detected nor reported. The Ponemon Institute, which surveys the cost of breaches annually, estimates the cost of each breach at $6.75 million - representing a 40 percent increase over the same statistic in 2006.
While those numbers aren't based on the healthcare sector alone, they do seem to be in step with the cost that breached healthcare institutions actually bear. For example, earlier this year, BlueCross Blue Shield of Tennessee announced it had spent $7 million responding to a single breach that occurred in October 2009. The cost stemmed from two major sources: free credit monitoring services for affected customers and the cost of nearly 700 contractors and employees who worked on determining what data was compromised.
Beyond VIP medical data breaches
Medical data breaches affecting celebrities like Britney Spears, Michael Jackson, George Clooney and others have received a lot of media attention. Yet, once you look past incidents that are largely motivated by curiosity, it's clear that the healthcare sector should be more concerned about profit-motivated attacks from organized cybercriminals.
Cybercriminals target general PII (personally identifying information) to execute identity theft. For example, in 2008, hundreds of graduate students at the University of California, Irvine found that someone else had already filed their tax returns and collected the refunds. After months of investigation, the identity theft was traced back to a breach at the university's medical plan provider, UnitedHealthcare. This wasn't a large-scale breach, but the cost can still add up for a healthcare payer in such cases. On one hand, there is a definite possibility of losing the university as a customer. Alternatively, the angry students and the university may demand that the plan provider cover the cost of tax corrections and the investigation itself.
Then there's PHI (protected health information) theft which involves physician or patient identifiers like a Medicare number that can be used to commit medical fraud. In fact, the opportunity for medical fraud is the reason why a medical identity can command a street value that may be 100 times greater than a stolen credit card number.
Unlike credit cards, which are monitored frequently and have fairly low credit limits, medical identities can be used to receive very expensive medical care, and slow processing of claims creates multiple opportunities for fraud. Researchers for Ponemon Institute's 2010 National Study on Medical Identity Theft reported that medical fraud is big business and costs nearly $30 billion annually. This is a cost that eventually impacts us all in the form of higher insurance premiums.
Digitization - a double-edged sword
The HITECH Act of 2009 requires that healthcare payers, providers, and business associates complete the transition to electronic health records by 2014. It is a fundamentally positive mandate that will introduce significant efficiencies into a system mired by manual processes and paper-based records. At the same time, digitization reduces the barrier to medical data privacy violations, identity theft, and fraud because sensitive data is no longer confined to file cabinets in physically secured offices. An interconnected and networked healthcare ecosystem with digital records enables breaches from across the globe that may only leave behind a nameless and faceless IP address as a clue.
Ironically, the digital assets and networked IT infrastructure which open the door to new cyber threats can also be leveraged to defend against those same threats. Every second of the day, servers, laptops, clinical or claims billing applications, network infrastructure, and security devices all leave behind a trail of activity in the form of logs. Every login and logout from a patient portal, every badge swipe into a pharmacy storage area, and every access to a medical records database or application can be captured in log files. By consolidating and analyzing the digital evidentiary trail contained in those logs, healthcare organizations can proactively detect cybersecurity threats and streamline compliance with HIPAA, state data breach laws, PCI and other mandates.
Leveraging SIEM for Greater Visibility
SIEM (Security Information and Event Management) solutions have tackled the many challenges around collection, storage, and analysis of logs to combat cybercrime in many other industries. However, each industry has unique processes, applications and infrastructure which makes some SIEM solutions better suited for the problem than others.
In fact, even within healthcare there are stark differences between insurers and providers. For example, healthcare payers are characterized by claims processing applications which are often homegrown or highly customized. Interactions with consumers occur over the phone and increasingly through self-service portals. In contrast, healthcare providers often have dozens of clinical applications from commercial vendors, and interactions are largely in person. Providers also face a unique conflict between medical data privacy and the valid need for open access to records for emergencies and research.
These differences are important considerations in evaluating and selecting a SIEM solution to monitor users across desktops, servers, applications and other digital and internetworked IT infrastructure. A product that cannot monitor logs from a claims processing application to detect a customer service representative accessing an anomalous number of claims in a short period of time will be of limited value to most healthcare payers. Similarly, solutions that cannot give you visibility into a nurse who accesses a patient's medical records across clinical applications and then submits a large print job after hours will be ineffective in protecting a healthcare provider environment.
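As an added illustration of the two detection scenarios just described (example code written for this article, not ArcSight's product or any vendor rule set), the following Python applies two SIEM-style correlation rules over constructed, already-normalized log events; the event fields, thresholds and the 7:00-19:00 business-hours window are assumptions.

```python
# Added example: two correlation rules over constructed, normalized log events.
# Field layout, thresholds and business hours are assumptions, not page facts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, user, action, detail)
EVENTS = [
    ("2010-06-01 10:00:05", "claims_app", "csr01", "view_claim", "C1001"),
    ("2010-06-01 10:00:09", "claims_app", "csr01", "view_claim", "C1002"),
    ("2010-06-01 10:00:14", "claims_app", "csr01", "view_claim", "C1003"),
    ("2010-06-01 10:00:20", "claims_app", "csr01", "view_claim", "C1004"),
    ("2010-06-01 10:00:31", "claims_app", "csr01", "view_claim", "C1005"),
    ("2010-06-01 10:15:00", "claims_app", "csr02", "view_claim", "C2001"),
    ("2010-06-01 22:05:00", "ehr_app",    "rn07",  "open_record", "P555"),
    ("2010-06-01 22:09:00", "lab_app",    "rn07",  "open_record", "P555"),
    ("2010-06-01 22:20:00", "print_srv",  "rn07",  "print_job",  "pages=240"),
]

def parse(ev):
    ts, src, user, action, detail = ev
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user, action, detail

def claims_burst(events, limit=4, window=timedelta(minutes=1)):
    """Payer rule: flag users who view more than `limit` distinct claims
    within a sliding `window` (anomalous claims access by a service rep)."""
    alerts = set()
    seen = defaultdict(list)   # user -> [(ts, claim_id)] in time order
    for ts, src, user, action, detail in map(parse, events):
        if src != "claims_app" or action != "view_claim":
            continue
        hist = seen[user]
        hist.append((ts, detail))
        recent = {c for t, c in hist if ts - t <= window}
        if len(recent) > limit:
            alerts.add(user)
    return alerts

def after_hours_print(events, min_pages=100, start=7, end=19):
    """Provider rule: flag users who open records in two or more clinical apps
    and then submit a print job of >= min_pages outside start..end hours."""
    alerts = set()
    apps = defaultdict(set)    # user -> clinical apps where a record was opened
    for ts, src, user, action, detail in map(parse, events):
        if action == "open_record":
            apps[user].add(src)
        elif action == "print_job" and not start <= ts.hour < end:
            pages = int(detail.split("=")[1])
            if pages >= min_pages and len(apps[user]) >= 2:
                alerts.add(user)
    return alerts
```

In a real deployment the same two rules would run against events collected from the claims application, each clinical application and the print server, which is exactly the cross-source visibility the evaluation criteria above call for.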
Looking Forward
The next few years undoubtedly represent a period of unprecedented transformation for the healthcare industry. Today, consumers are wrapped up in the raging debate around public vs. private sector delivery of healthcare. Regardless of how that plays out, digitization is on its way and soon everything from medical appointments and payments to claims submission and adjudication will happen online.
Along with the efficiencies, the risks are also very real. In healthcare, where lives are at stake and the most personal information is shared, consumers will always have the highest expectations around security and privacy. The onus is on providers and payers alike to ensure that appropriate technologies are in place today to meet consumer expectations in a digitized world tomorrow.
Ansh Patnaik of ArcSight, Cupertino, CA, a global provider of cybersecurity and compliance solutions.