Browsing articles tagged with "Compliance"

Got Health Data? Your Penalty Exposures for Data Breaches Just Increased

Jan 30, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

I’ve been blogging about health data breaches lately, but I’m not sure if there are more of them or if the reporting requirements are more strict.  I suspect the latter.

One of the things I’ve noticed is that many of the breaches seem to be of multiple exposures by the same organization, which has led to recent legislative changes to the HITECH Act.  You can see from the quote below that not only has the limit to the penalty been increased, but the penalties for repeat violators are higher. 

Given the sensitive nature of health data, I’m still thinking that we need to move more towards criminal penalties for wilful neglect and repeat violations.

In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.

Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. The original penalty structure used to be:


via HIPAA Violation Penalties Rise in Response to Data Breaches | SmartData Collective.

Do you think companies are bearing enough of the responsibility for protecting our data?  Do you as a data professional get enough support from management to ensure that data is protected?

Federal Department Bans Use of Portable Devices (YAFF)

Jan 22, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  4 Comments


I thought I had blogged about this Canadian data breach, but I guess not.  All these data breaches are coming so fast it’s hard to keep up. In this report, we have another YAFF: a portable hard drive being used as a backup device.

It looks like Human Resources and Skills Development Canada (HRSDC) will be taking a three-pronged approach to protecting our data: first, a new policy banning portable storage devices; second, use of data loss protection technologies and third, establishing consequences for staff that cause a data breach.

OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.

Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.

via Federal department bans use of portable devices after personal data breach | canada.com.

Their loss of more than half a million student loan borrowers’ data has led to class action lawsuits.  A missing external hard drive is the hardware piece of this breach; the fact that this drive contained unencrypted backups is the behavioural issue.  Perhaps we need to start thinking about how to train end users on the consequences of moving data from “the system” to any place else, even for backup purposes.

Is there a solution?

I have more questions than solutions here, though.  Usually enterprise backup solutions involve software plus a server or external service.  I’m not sure why HRSDC was using a portable hard drive for backup.  They are harder to manage, they tend to walk away, and they aren’t that reliable.  So I’m going to guess here that this device was a personal device or being used to sneakernet files from one location to another.  Perhaps from office to home, or from office to office.  Both of those scenarios bother me because they most likely were not official methods for doing these tasks. 

I don’t think there’s one answer.  Training, policy, inspections, consequences, real monitoring and protection, more training, more inspections, some tough decisions.  It’s a complex issue that will require complex responses.  I’d like to hear what other organizations are doing to mitigate data breaches.

Utah Health Department – Yet Another Flashdrive FAIL (YAFF)

Jan 18, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach, Data Stewardship  //  2 Comments


I think we need to have an industry acronym now that this seems to happen every week.  My proposals:

  • Yet Another USB Breach (YAUB)
  • Blame A Thumbdrive (BLAT)
  • Yet Another Flashdrive Fail (YAFF)

I like the YAFF one best, so I’m going with that, even though the #FAIL really isn’t in the hardware, but in the abuse of policy and hardware to cause a data breach.

This week’s YAFF announcement comes again from Utah, where a contractor with access to sensitive health data lost a USB flash drive somewhere between Salt Lake City, Denver, and Washington, DC.

What’s different about this news story is that we get more insight as to why that data was on a portable device. And it’s just as I prognosticated in a previous post: the contractor was frustrated with an infrastructure issue.

The contractor, Goold Health Systems, handles Medicaid pharmacy transactions for the Health Department. Department spokesman Tom Hudachko said the GHS employee, identified only as a woman from Denver, was having trouble with an Internet connection Thursday while trying to upload the data to a server. The employee saved the personal information to an unencrypted USB memory stick and left the Health Department with the device. The employee lost the stick sometime in the following days while traveling between Salt Lake City, Denver and Washington, D.C.

(emphasis mine)

via Utah health department reports another data breach | NewsOK.com.

The contractor lost her job over this.

People Forget Policy When They Are Frustrated or Stressed

I once found a QA contractor cursing at his computer because he was having trouble sending a large file via his Hotmail account. I offered to help. When he showed me what he was doing I just about had a heart attack. He had been trying to send our offshore contractor a copy of a production database backup. This backup contained names, addresses, phone numbers, credit card information (no, the legacy system shouldn’t have been storing this information, but it did), SSNs, driver’s license numbers and other forms of ID. It was an identity theft treasure chest of awesome.

When I asked him why he was trying to email this information to our offshore contractor, he said he was frustrated that the corporate email system would not let him email such a large file.

He told me the only reason he did this was that he had to get the bug logged and fixed before the weekend because he had plans to be away. He also forgot that production data was never supposed to leave the building. I’m not sure he ever really felt that what he was doing was wrong, or had any idea why emailing sensitive data was wrong.

The other shock I got was that it was a production DBA who had given him the backup.  When I asked the DBA why he did this without even asking what it was for, he said "I was really busy and didn’t have time."

I wonder just how many times this scenario plays out every day in offices around the world.

Love your data, even when you are stressed.  Especially when you are stressed.

Global Payments Data Breach Tab: $94 Million, Plus More in 2013

Jan 13, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

One of the most common discussions I have with other data professionals is “why do we keep having so many silly data breaches?” It seems to me that the data is put at risk by sloppy IT practices and negligent employees, not always via hackers and fraudsters. In this case, it appears it was both. Reports and rumours point to insecure system admin practices and outside hackers. We don’t know for certain, because in the US data breach laws are patchy and weak.

Usually the discussion comes around to talking about US companies not having to face many consequences for failing to protect our data.  Take a look at this quote about the GlobalPayments breach of 1.5 to 7 million merchant account holder data:

Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.

“The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial,” Global states. “We continue to process transactions worldwide through all of the card networks.”

via Global Payments Breach Tab: $94 Million – BankInfoSecurity.

Global has spent almost a hundred million dollars on this breach and expects to have to shell out another $25-25 million in 2013.  And yet with those numbers they don’t believe it has had a negative impact on their business.

Global handles Visa and MasterCard payment processing of about $120 billion (yes, with a “b”) in payments annually.

Their annual report also seems to imply that they were not PCI-DSS compliant when the breach occurred, and Global has been removed from the list of organizations that are compliant. So billions of dollars and millions of account records pass through their non-compliant networks. Because it can.

I wish more companies would treat our data as something that needs to be protected.

Workshop 26 June: Data Governance & Stewardship, St. Paul MN

Jun 14, 2012   //   by Karen Lopez   //   Blog, Data, Events, Space, Speaking  //  No Comments

On behalf of Embarcadero Technologies, I’m leading a workshop on Data Governance and Stewardship in Minneapolis St. Paul on 26 June.   This event is free to attend; all you have to do is register.

We’ll be talking about:

Data Governance and Stewardship: Expert Guidance from Karen Lopez


Effective data governance and stewardship is a crucial component of every business. InfoAdvisors’ Principal Consultant, Karen Lopez, will share essential guidance on:

  • Leveraging enterprise data as a corporate asset
  • Tips, tricks, and traps to avoid when developing a data governance program
  • Managing business expectations cost-effectively and time-efficiently

Karen will also reveal highlights on compliance and policy programs from recent discussions with data professionals in the US Federal Government and Industry organizations.

Karen Lopez, Principal Consultant, InfoAdvisors, Inc.

Karen is a Principal Consultant at InfoAdvisors Inc. with more than twenty years of experience helping organizations implement large, multi-project programs. She specializes in taking practical approaches to systems development and has helped many IT departments choose appropriate methods and standards, based on the department’s culture, experience, and focus. Karen is the Moderator of InfoAdvisors/ITBoards.com IRM discussion groups, an online community of several thousand data management professionals and is also on the Board of Advisors for DAMA International. For more information, visit http://www.infoadvisors.com.

Event Details

Date: June 26, 2012
Time: 2-4pm
Location: University of Minnesota Conference Center, 1890 Buford Avenue, St. Paul, MN 55108
Phone: 612-624-3275
Register Now: http://forms.embarcadero.com/forms/AMUSCA1206FieldEventMinneapolis6-26

I hope to make this interactive and fun.  There may also be space photos….

Join Me: Webinar 24 May 2PM EDT – Data Governance, Stewardship and Compliance

May 23, 2012   //   by Karen Lopez   //   Blog, Data, Data Modeling, Events, Speaking  //  2 Comments

I’ll be presenting in a webinar for Embarcadero Technologies Thursday, 24 May.  I’ll be talking about a recent discussion I had with US Federal and commercial organizations on their successes and pain points in establishing and maintaining data governance, stewardship and compliance programs.

Registration is required, but it’s free.

Attendees will receive a copy of my whitepaper 5 Things to Do Before Starting Any Data Governance Program.


Join this webinar for expert guidance from Karen Lopez; don’t miss out on the opportunity to ask your burning question now!
Thursday, May 24
11am PDT / 2pm EDT

Effective data governance and stewardship is a crucial component of every business. In this webinar, InfoAdvisors’ Principal Consultant Karen Lopez shares essential guidance on:

  • How your group can deliver organizational value
  • What works and what probably does not
  • How to meet cost, benefit, and risk goals.

Karen will also reveal highlights on compliance and policy programs from recent discussions with data professionals at US Federal Government and Industry organizations.

Join me tomorrow.  I’d love to hear about your tricks and tips around compliance, stewardship and governance.
