SlideShare una empresa de Scribd logo

Redspin Report - Protected Health Information 2010 Breach Report

Redspin, Inc.
Redspin, Inc.

Redspin just released their inaugural report of protected health information breaches that occurred from late 2009 through the end of 2010.

Salud y medicina
1 de 13
Descargar para leer sin conexión
Breach Report 2010 Protected Health Information
Table of Contents Executive Summary. . . . . . . . . . . . . . 1 Findings. . . . . . . . . . . . . . . . . . 2 Background. . . . . . . . . . . . . . . . . 3 Type of breach. . . . . . . . . . . . . . . . 4 Location of breached information . . . . . . . . . 6 Business Associates. . . . . . . . . . . . . . 8 Conclusion . . . . . . . . . . . . . . . . . 9
Executive Summary. A total of 225 breaches of protected health information affecting 6,067,751 individuals have been recorded since the interim final breach notification regulation was issued in August 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, these numbers only include breaches that affected more than 500 individuals. The number of breaches that affected less than 500 individuals must also be reported to the Secretary of Health and Human Services (HHS) but are not publicly available. This report reviews the information provided for each publicly-disclosed breach to identify threat trends and recommends which controls will have the greatest impact on reducing the number of incidents in the future. PAGE | 1
Findings from the report. 43 states, plus DC and Puerto Rico have suffered at least one breach. ~27,000 individuals, on average, are affected by a single breach. 82 days on average, pass between breach discovery and notification/update to HHS. 78% of all records breached are the result of 10 incidents, 5 of which are the result of theft including common storage media, e.g., desktop computer, network server, and portable devices. 61% of breaches are a result of malicious intent. ~66,000 individuals, on average, are affected by a single breach of portable media. 40% of records breached involve business associates. To reduce the likelihood and impact of a future breach, covered entities and business associates should focus their Information Security Programs on the following controls: 1. Implementing encryption on all protected health information in storage and transit. 2. Strengthening information security user awareness and training programs. 3. Implementing a mobile device security policy. 4. Ensuring that business associate due diligence includes a periodic review of implemented controls. PAGE | 2
Background. The Breach Notification Rule of the HITECH Act requires all breaches of protected health information to be reported to HHS. If the breach affects over 500 individuals, the covered entity must notify HHS no later than 60 days following the discovery of the breach. Breaches affecting less than 500 individuals need only be reported annually. Business associates responsible for a breach are also required to notify the affected covered entity no later than 60 days following the discovery of the breach. By definition, “a breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such, that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual1.” When reporting a breach, the covered entity is requested to provide a variety of information including: • dates of breach and discovery • number of individuals affected by the breach • type of breach • location of breached information • brief description • safeguards in place prior to breach • whether or not a business associate is involved Each breach and associated information listed above was reviewed for this report with the exception of ‘safeguards in place prior to breach.’ The data set available did not include any safeguard information for any breach. In the case where multiple types and locations are associated with the breach, only the first is included in the analysis. For more information concerning the Breach Notification Rule and to review the original data set, please visit: http://www.hhs.gov/ocr /privacy/hipaa/administrative/breachnotificationrule/index.html 1 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html PAGE | 3
Type of breach. Covered entities are asked to select one or more of the following types of breach: theft, loss, improper disposal, unauthorized access/disclosure, hacking/IT incident, unknown and other. Many incidents selected multiple types indicating a lack of clarity on the definition of each type by the covered entity and perhaps HHS as well. In an effort to reduce ambiguity, breach types were aggregated into three specific cases based on the description of each incident: 1. A threat-source with malicious intent (theft and hacking/ IT incident). 61% of all 2. A threat-source with unknown intent (loss, unknown, and other). breaches are 3. A threat-source with no malicious intent (improper disposal and a result of unauthorized access/disclosure). malicious intent. Based on this categorization, it is clear that the majority of breaches are a result of malicious intent and result in the majority of records breached (Table 1). • 62% of total records breached resulted from malicious intent. • 61% of all breach incidents resulted from malicious intent. • The highest number of records breached per incident are associated with an unknown intent. Types of Data Breaches – Threat Source (Table 1) PAGE | 4
Focusing solely on incidents involving malicious intent, it is clear that theft is the leading threat-source, representing 60% of all records breached and 56% of all incidents (Table 2). What is not shown here is loss, which accounts for another 19% of records and 15% of incidents. If one loses something and cannot find it, a likely conclusion is that it has been stolen, thus increasing the probable malicious intent numbers. Types of Malicious Intent Data Breaches (Table 2) It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source. It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source. This trend will likely increase as Healthcare IT initiatives are deployed across the industry as a result of financial incentives associated with “meaningful use” objectives. It is critical that the necessary security controls are built into each system as it is deployed, not after. The first step is creating a security plan that describes the system, its users and components as well as the security controls that will be relied upon to protect health information. For better reporting, HHS should consider reviewing the list of breach types from which to select and provide better definitions to avoid overlap and capture consistent information. PAGE | 5
Location of breached information. Covered entities are asked to select one or more of the following locations that contain the breached information: laptop, desktop computer, network server, e-mail, other portable media device, electronic medical record, paper, and other. The category ‘Other’ included hard drives, backup tapes, and CDs. In addition, many of the ‘Other’ breaches do not provide additional clarification. Locations were aggregated into three specific cases: 1. Locations that rely on physical controls (desktop computer, network server, e-mail, and electronic medical record). 2. Locations that may or may not rely on physical controls (paper and other). 3. Locations that do not rely on physical controls (laptop and other portable media device). Based on this categorization, it is clear that locations that cannot rely on physical controls resulted in the highest number of breaches affecting the most individuals (Table 3). • 65% of all records breached resulted from a laptop or other portable media device. 65% of all records • 44% of all incidents involved a laptop or other portable media device. breached resulted • Twice as many individuals were affected from a portable media from a laptop or breach than a location that can rely on full physical controls. other portable media device. Locations of Data Breaches (Table 3) PAGE | 6
Focusing on only portable media breaches, we find that although laptop breaches are more frequent (28% of the incidents), 39% of all records breached are a result of other portable media, including hard drives and backup tapes (Table 4). As a result, over 66,000 records, on average, are breached as a result of other portable media. This means 246% more individuals are impacted as a result of a hard drive, backup tape, or other portable media device breach than an average data breach across all other locations. Locations of Portable Media Data Breaches (Table 4) Devices lacking adequate physical security controls are targeted and successfully compromised more often than devices that The trend clearly indicates that devices lacking adequate physical utilize available security controls are targeted and successfully compromised more physical controls. often than devices that utilize available physical security controls. However, the use of portable media devices will only increase. Additional controls to consider include disk encryption, strong authentication, remote wipe capabilities, and increased user information security training and awareness. All companies should consider developing their own mobile security device policy, if they haven’t already done so. For better reporting, HHS should consider reviewing the locations from which to select and provide definitions to avoid overlap and capture consistent information. PAGE | 7
Business Associates. While business associates have always played a critical role in healthcare IT programs, only after the HITECH Act are they now responsible for implementing the same HIPAA Security Rule safeguards as covered entities, including the responsibility to notify the covered entity if a breach is discovered. Since breach reporting began in late 2009 business associates are responsible for: • 4 breaches affecting multiple covered entities. • Multiple breaches (2 business associates). • 50 breaches, representing 22% of all incidents of over 500 individuals. • 2,417,831 total individual records compromised, representing 40% of all breached records (Figure 1). Breaches Involving Business Associates (Figure 1) PAGE | 8
The relatively small number of incidents resulting in a large number of records compromised indicates that business associates are data- rich targets that are likely to see an increase in malicious activity in the future. Despite the varying sizes of business associate IT environments, sufficient resources must be dedicated toward implementing the neces- sary safeguards as directed by the HIPAA Security Rule. It is also the responsibility of covered entities to hold their business ...business associates accountable. Aside from typical contractual due diligence, covered entities should ensure business associates prove they have associates are data implemented necessary safeguards and those safeguards are working rich targets that are as expected. If a business associate cannot provide the results of an independent security assessment, then consider sending them a consequently likely self-assessment questionnaire. While it does not replace an objective to see an increase assessment of the business associates’ control environment, the in malicious activity. questionnaire will provide the covered entity some visibility into their operations and may provide cause for follow-up investigation. Conclusion. This review of published protected health information incidents focused on three areas: 1. The type of breach, including malicious and non-malicious threat-sources. 2. The location of the breach, including portable and non-portable devices. 3. The role of business associates in recent breaches. By identifying trends in each of these three areas, we hoped to identify a subset of controls that would provide the greatest return on investment to the covered entity and business associate by reducing the likelihood of a successful breach or mitigating the impact of a breach. Analysis was limited to reviewing only incidents that resulted in 500 or more individual records, which may impact the conclusions. For example, the average number of records breached per incident computed is likely slightly inflated; however, the actual number of breaches and number of records breached are certainly higher than reported here. PAGE | 9
To reduce the likelihood and impact of a future breach, covered entities and business associates should focus their Information Security Programs on the following areas: Incident Detection and Response Implement an incident detection and response program to ensure all incidents are detected and responded to in a timely manner. This includes adequate logging and monitoring systems where protected heath information is stored, transferred, and destroyed. Consider developing an incident reporting form that is consistent with the HHS breach notification form. All incidents affecting more than 500 individuals are expected to be reported within 60 days. System Security Plan During the development of the next IT project and all that follow, whether it be a Blackberry Enterprise Server or an Electronic Medical Record deployment, develop a system security plan that documents each component of the new system, including external connections, where sensitive data is stored, who has access, what vulnerabilities exist with the system, and how to prevent those vulnerabilities from being exploited. Once documented, you now have a roadmap to implement all necessary security controls, test on a regular basis, and monitor to ensure they are always operating as expected. This proactive approach will significantly reduce the ability for a malicious threat-source, whether on the Internet, on the bus, or in the office to successfully steal protected health information. Portable Media Policy Portable media is here to stay. From tape backups, to laptops, to personal handheld devices, protected health information is on the move. Rather than try to restrict where sensitive information is taken, take a data-driven view and focus on protecting data wherever it is stored. A mobile device security policy that includes management, operational, and technical controls must be defined and implemented. For help getting started, review our Mobile Device Policy Template1 which 2 can be customized to your environment. As always, test each control after implementation to ensure it is operating as expected. Business Associate Oversight Business associates often provide critical IT services and store, process, transmit, and dispose of sensitive protected health information. Ensure your business associate oversight program includes a review of contractual language that requires business associates to take as much care with your protected health information as you do. 1 http://www.redspin.com/resources/whitepapers-datasheets/request_mobile-security-policy.php 2 PAGE | 10
In addition, contracts should require business associates to prove on an annual basis that they have adequate safeguards in place surrounding protected health information. If they can not provide the results of an independent security assessment, then consider sending them a self-assessment questionnaire1. While it does not replace an objective 3 third-party assessment of the business associates’ control environment, the questionnaire will provide you with some visibility into their operations and may provide cause for follow-up investigation. While IT environments and threats to these environments are constantly changing, focusing your resources on these four areas will provide an immediate positive impact to your information security program and reduce the risk of a breach of protected health information. Redspin, Inc., 6450 Via Real, Suite 3 Carpinteria, CA 93013 800.721.9177 fax 805.684.6859 3 1 http://www.redspin.com/resources/whitepapers-datasheets/request_mobile-security-policy.php www.redspin.com

Recomendados

Jason Anthony Smith - thesis short summary v1.0
Jason Anthony Smith - thesis short summary v1.0Jason Anthony Smith - thesis short summary v1.0
Jason Anthony Smith - thesis short summary v1.0
Jason Smith
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
Neha Agarwal
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201
IJNSA Journal
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
David Sweigert
 
Capabilities Expert Assessment
Capabilities Expert Assessment Capabilities Expert Assessment
Capabilities Expert Assessment
Prof. Dr. Sc. Eng. Mitko Stoykov
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
Numaan Huq
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
Raleigh ISSA
 

Recomendados

Jason Anthony Smith - thesis short summary v1.0
Jason Anthony Smith - thesis short summary v1.0Jason Anthony Smith - thesis short summary v1.0
Jason Anthony Smith - thesis short summary v1.0
Jason Smith
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
Neha Agarwal
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201
IJNSA Journal
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
David Sweigert
 
Capabilities Expert Assessment
Capabilities Expert Assessment Capabilities Expert Assessment
Capabilities Expert Assessment
Prof. Dr. Sc. Eng. Mitko Stoykov
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
Numaan Huq
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
Raleigh ISSA
 
First Union Bank Report
First Union Bank ReportFirst Union Bank Report
First Union Bank Report
Yogesh Kumar
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
Margarete McGrath
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
Matthew J McMahon
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
Jamie Moore
 
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And FinalSession # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Feisal Nanji
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatu
Chinatu Uzuegbu
 
Information vulbnerability and disaster management information management
Information vulbnerability and disaster management information managementInformation vulbnerability and disaster management information management
Information vulbnerability and disaster management information management
Hallmark B-school
 
Kenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit AssistanceKenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit Assistance
stimson
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
Cybersecurity Education and Research Centre
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
John Intindolo
 
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
- Mark - Fullbright
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
Scientia Groups
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security
Panda Security
 
Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser Malware
Entrust Datacard
 
Critical infrastructure
Critical infrastructureCritical infrastructure
Critical infrastructure
Prof. David E. Alexander (UCL)
 
The Web Hacking Incidents Database Annual
The Web Hacking Incidents Database AnnualThe Web Hacking Incidents Database Annual
The Web Hacking Incidents Database Annual
guest376352
 
114-116
114-116114-116
114-116
IKERIONWU FREDRICK
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
sukiennong.vn
 
ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011
Robert J. Breitenbach
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 

Más contenido relacionado

La actualidad más candente

First Union Bank Report
First Union Bank ReportFirst Union Bank Report
First Union Bank Report
Yogesh Kumar
 
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And FinalSession # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Feisal Nanji
 
Information vulbnerability and disaster management information management
Information vulbnerability and disaster management information managementInformation vulbnerability and disaster management information management
Information vulbnerability and disaster management information management
Hallmark B-school
 
Kenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit AssistanceKenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit Assistance
stimson
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
John Intindolo
 
The Web Hacking Incidents Database Annual
The Web Hacking Incidents Database AnnualThe Web Hacking Incidents Database Annual
The Web Hacking Incidents Database Annual
guest376352
 
ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011
Robert J. Breitenbach
 

La actualidad más candente (20)

First Union Bank Report
First Union Bank ReportFirst Union Bank Report
First Union Bank Report
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
 
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And FinalSession # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatu
 
Information vulbnerability and disaster management information management
Information vulbnerability and disaster management information managementInformation vulbnerability and disaster management information management
Information vulbnerability and disaster management information management
 
Kenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit AssistanceKenya Workshop 1540 Dual Benefit Assistance
Kenya Workshop 1540 Dual Benefit Assistance
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
 
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security
 
Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser Malware
 
Critical infrastructure
Critical infrastructureCritical infrastructure
Critical infrastructure
 
The Web Hacking Incidents Database Annual
The Web Hacking Incidents Database AnnualThe Web Hacking Incidents Database Annual
The Web Hacking Incidents Database Annual
 
114-116
114-116114-116
114-116
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011ITACG_Guide_for_First_Responders_2011
ITACG_Guide_for_First_Responders_2011
 

Similar a Redspin Report - Protected Health Information 2010 Breach Report

Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
BREACH LEVEL INDEX
BREACH LEVEL INDEXBREACH LEVEL INDEX
BREACH LEVEL INDEX
- Mark - Fullbright
 
Your healthy practice July/August 2011
Your healthy practice July/August 2011Your healthy practice July/August 2011
Your healthy practice July/August 2011
Kushner LaGraize, LLC
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
ijtsrd
 
D2015 Protected-Health-Information-Data-Breach-Report
D2015 Protected-Health-Information-Data-Breach-ReportD2015 Protected-Health-Information-Data-Breach-Report
D2015 Protected-Health-Information-Data-Breach-Report
The Internet of Things
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docx
perryk1
 
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
Diaspark
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 

Similar a Redspin Report - Protected Health Information 2010 Breach Report (20)

Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
BREACH LEVEL INDEX
BREACH LEVEL INDEXBREACH LEVEL INDEX
BREACH LEVEL INDEX
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Introduction to Incident Response Management
Introduction to Incident Response ManagementIntroduction to Incident Response Management
Introduction to Incident Response Management
 
Your healthy practice July/August 2011
Your healthy practice July/August 2011Your healthy practice July/August 2011
Your healthy practice July/August 2011
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
 
D2015 Protected-Health-Information-Data-Breach-Report
D2015 Protected-Health-Information-Data-Breach-ReportD2015 Protected-Health-Information-Data-Breach-Report
D2015 Protected-Health-Information-Data-Breach-Report
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 
Data-driven storytelling and security stakeholder engagement - FND326-S - AWS...
Data-driven storytelling and security stakeholder engagement - FND326-S - AWS...Data-driven storytelling and security stakeholder engagement - FND326-S - AWS...
Data-driven storytelling and security stakeholder engagement - FND326-S - AWS...
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docx
 
ICS CERT- Incidence Reports
ICS CERT- Incidence ReportsICS CERT- Incidence Reports
ICS CERT- Incidence Reports
 
Does Your Organization Have A Privacy Incident Response Plan?
Does Your Organization Have A Privacy Incident Response Plan?Does Your Organization Have A Privacy Incident Response Plan?
Does Your Organization Have A Privacy Incident Response Plan?
 
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
INFOGRAPHIC: IS YOUR PATIENT DATA PROTECTED?
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
The Sick State of Healthcare Data Breaches
The Sick State of Healthcare Data BreachesThe Sick State of Healthcare Data Breaches
The Sick State of Healthcare Data Breaches
 

Más de Redspin, Inc.

Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
Redspin, Inc.
 

Más de Redspin, Inc. (20)

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate Risk
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security risk
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 

Último

Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
jennyeacort
 
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
chetankumar9855
 
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
Anamika Rawat
 
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
narwatsonia7
 
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
vidya singh
 
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
parulsinha
 
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
mahaiklolahd
 
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
Arohi Goyal
 
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
adilkhan87451
 
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service AvailableCall Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
GENUINE ESCORT AGENCY
 
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service AvailableTrichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
GENUINE ESCORT AGENCY
 
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service AvailableCall Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
GENUINE ESCORT AGENCY
 
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
Dipal Arora
 
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Dipal Arora
 
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service AvailableCall Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
Dipal Arora
 
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
narwatsonia7
 

Último (20)

Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
Call Girls in Delhi Triveni Complex Escort Service(🔝))/WhatsApp 97111⇛47426
 
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
Call Girl In Pune 👉 Just CALL ME: 9352988975 💋 Call Out Call Both With High p...
 
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
Jogeshwari ! Call Girls Service Mumbai - 450+ Call Girl Cash Payment 90042684...
 
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Rishikesh Just Call 8250077686 Top Class Call Girl Service Available
 
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
Top Rated Bangalore Call Girls Ramamurthy Nagar ⟟ 9332606886 ⟟ Call Me For G...
 
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
 
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
Independent Call Girls In Jaipur { 8445551418 } ✔ ANIKA MEHTA ✔ Get High Prof...
 
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
Call Girl in Indore 8827247818 {LowPrice} ❤️ (ahana) Indore Call Girls * UPA...
 
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 8250077686 Top Class Call Girl Service Available
 
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
All Time Service Available Call Girls Marine Drive 📳 9820252231 For 18+ VIP C...
 
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
Russian Call Girls Lucknow Just Call 👉👉7877925207 Top Class Call Girl Service...
 
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service AvailableCall Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Shimla Just Call 8617370543 Top Class Call Girl Service Available
 
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
Call Girls Vasai Virar Just Call 9630942363 Top Class Call Girl Service Avail...
 
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service AvailableTrichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
Trichy Call Girls Book Now 9630942363 Top Class Trichy Escort Service Available
 
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service AvailableCall Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
Call Girls Ahmedabad Just Call 9630942363 Top Class Call Girl Service Available
 
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service AvailableCall Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
Call Girls Kurnool Just Call 8250077686 Top Class Call Girl Service Available
 
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
Call Girls in Gagan Vihar (delhi) call me [🔝 9953056974 🔝] escort service 24X7
 
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
 
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service AvailableCall Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
Call Girls Gwalior Just Call 8617370543 Top Class Call Girl Service Available
 
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
Top Rated Bangalore Call Girls Richmond Circle ⟟ 9332606886 ⟟ Call Me For Ge...
 

Redspin Report - Protected Health Information 2010 Breach Report

  • 1. Breach Report 2010 Protected Health Information
  • 2. Table of Contents Executive Summary. . . . . . . . . . . . . . 1 Findings. . . . . . . . . . . . . . . . . . 2 Background. . . . . . . . . . . . . . . . . 3 Type of breach. . . . . . . . . . . . . . . . 4 Location of breached information . . . . . . . . . 6 Business Associates. . . . . . . . . . . . . . 8 Conclusion . . . . . . . . . . . . . . . . . 9
  • 3. Executive Summary. A total of 225 breaches of protected health information affecting 6,067,751 individuals have been recorded since the interim final breach notification regulation was issued in August 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, these numbers only include breaches that affected more than 500 individuals. The number of breaches that affected less than 500 individuals must also be reported to the Secretary of Health and Human Services (HHS) but are not publicly available. This report reviews the information provided for each publicly-disclosed breach to identify threat trends and recommends which controls will have the greatest impact on reducing the number of incidents in the future. PAGE | 1
  • 4. Findings from the report. 43 states, plus DC and Puerto Rico have suffered at least one breach. ~27,000 individuals, on average, are affected by a single breach. 82 days on average, pass between breach discovery and notification/update to HHS. 78% of all records breached are the result of 10 incidents, 5 of which are the result of theft including common storage media, e.g., desktop computer, network server, and portable devices. 61% of breaches are a result of malicious intent. ~66,000 individuals, on average, are affected by a single breach of portable media. 40% of records breached involve business associates. To reduce the likelihood and impact of a future breach, covered entities and business associates should focus their Information Security Programs on the following controls: 1. Implementing encryption on all protected health information in storage and transit. 2. Strengthening information security user awareness and training programs. 3. Implementing a mobile device security policy. 4. Ensuring that business associate due diligence includes a periodic review of implemented controls. PAGE | 2
  • 5. Background. The Breach Notification Rule of the HITECH Act requires all breaches of protected health information to be reported to HHS. If the breach affects over 500 individuals, the covered entity must notify HHS no later than 60 days following the discovery of the breach. Breaches affecting less than 500 individuals need only be reported annually. Business associates responsible for a breach are also required to notify the affected covered entity no later than 60 days following the discovery of the breach. By definition, “a breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such, that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual1.” When reporting a breach, the covered entity is requested to provide a variety of information including: • dates of breach and discovery • number of individuals affected by the breach • type of breach • location of breached information • brief description • safeguards in place prior to breach • whether or not a business associate is involved Each breach and associated information listed above was reviewed for this report with the exception of ‘safeguards in place prior to breach.’ The data set available did not include any safeguard information for any breach. In the case where multiple types and locations are associated with the breach, only the first is included in the analysis. For more information concerning the Breach Notification Rule and to review the original data set, please visit: http://www.hhs.gov/ocr /privacy/hipaa/administrative/breachnotificationrule/index.html 1 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html PAGE | 3
  • 6. Type of breach. Covered entities are asked to select one or more of the following types of breach: theft, loss, improper disposal, unauthorized access/disclosure, hacking/IT incident, unknown and other. Many incidents selected multiple types indicating a lack of clarity on the definition of each type by the covered entity and perhaps HHS as well. In an effort to reduce ambiguity, breach types were aggregated into three specific cases based on the description of each incident: 1. A threat-source with malicious intent (theft and hacking/ IT incident). 61% of all 2. A threat-source with unknown intent (loss, unknown, and other). breaches are 3. A threat-source with no malicious intent (improper disposal and a result of unauthorized access/disclosure). malicious intent. Based on this categorization, it is clear that the majority of breaches are a result of malicious intent and result in the majority of records breached (Table 1). • 62% of total records breached resulted from malicious intent. • 61% of all breach incidents resulted from malicious intent. • The highest number of records breached per incident are associated with an unknown intent. Types of Data Breaches – Threat Source (Table 1) PAGE | 4
  • 7. Focusing solely on incidents involving malicious intent, it is clear that theft is the leading threat-source, representing 60% of all records breached and 56% of all incidents (Table 2). What is not shown here is loss, which accounts for another 19% of records and 15% of incidents. If one loses something and cannot find it, a likely conclusion is that it has been stolen, thus increasing the probable malicious intent numbers. Types of Malicious Intent Data Breaches (Table 2) It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source. It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source. This trend will likely increase as Healthcare IT initiatives are deployed across the industry as a result of financial incentives associated with “meaningful use” objectives. It is critical that the necessary security controls are built into each system as it is deployed, not after. The first step is creating a security plan that describes the system, its users and components as well as the security controls that will be relied upon to protect health information. For better reporting, HHS should consider reviewing the list of breach types from which to select and provide better definitions to avoid overlap and capture consistent information. PAGE | 5
  • 8. Location of breached information. Covered entities are asked to select one or more of the following locations that contain the breached information: laptop, desktop computer, network server, e-mail, other portable media device, electronic medical record, paper, and other. The category ‘Other’ included hard drives, backup tapes, and CDs. In addition, many of the ‘Other’ breaches do not provide additional clarification. Locations were aggregated into three specific cases: 1. Locations that rely on physical controls (desktop computer, network server, e-mail, and electronic medical record). 2. Locations that may or may not rely on physical controls (paper and other). 3. Locations that do not rely on physical controls (laptop and other portable media device). Based on this categorization, it is clear that locations that cannot rely on physical controls resulted in the highest number of breaches affecting the most individuals (Table 3). • 65% of all records breached resulted from a laptop or other portable media device. 65% of all records • 44% of all incidents involved a laptop or other portable media device. breached resulted • Twice as many individuals were affected from a portable media from a laptop or breach than a location that can rely on full physical controls. other portable media device. Locations of Data Breaches (Table 3) PAGE | 6
  • 9. Focusing on only portable media breaches, we find that although laptop breaches are more frequent (28% of the incidents), 39% of all records breached are a result of other portable media, including hard drives and backup tapes (Table 4). As a result, over 66,000 records, on average, are breached as a result of other portable media. This means 246% more individuals are impacted as a result of a hard drive, backup tape, or other portable media device breach than an average data breach across all other locations. Locations of Portable Media Data Breaches (Table 4) Devices lacking adequate physical security controls are targeted and successfully compromised more often than devices that The trend clearly indicates that devices lacking adequate physical utilize available security controls are targeted and successfully compromised more physical controls. often than devices that utilize available physical security controls. However, the use of portable media devices will only increase. Additional controls to consider include disk encryption, strong authentication, remote wipe capabilities, and increased user information security training and awareness. All companies should consider developing their own mobile security device policy, if they haven’t already done so. For better reporting, HHS should consider reviewing the locations from which to select and provide definitions to avoid overlap and capture consistent information. PAGE | 7
  • 10. Business Associates. While business associates have always played a critical role in healthcare IT programs, only after the HITECH Act are they now responsible for implementing the same HIPAA Security Rule safeguards as covered entities, including the responsibility to notify the covered entity if a breach is discovered. Since breach reporting began in late 2009 business associates are responsible for: • 4 breaches affecting multiple covered entities. • Multiple breaches (2 business associates). • 50 breaches, representing 22% of all incidents of over 500 individuals. • 2,417,831 total individual records compromised, representing 40% of all breached records (Figure 1). Breaches Involving Business Associates (Figure 1) PAGE | 8
  • 11. The relatively small number of incidents resulting in a large number of records compromised indicates that business associates are data- rich targets that are likely to see an increase in malicious activity in the future. Despite the varying sizes of business associate IT environments, sufficient resources must be dedicated toward implementing the neces- sary safeguards as directed by the HIPAA Security Rule. It is also the responsibility of covered entities to hold their business ...business associates accountable. Aside from typical contractual due diligence, covered entities should ensure business associates prove they have associates are data implemented necessary safeguards and those safeguards are working rich targets that are as expected. If a business associate cannot provide the results of an independent security assessment, then consider sending them a consequently likely self-assessment questionnaire. While it does not replace an objective to see an increase assessment of the business associates’ control environment, the in malicious activity. questionnaire will provide the covered entity some visibility into their operations and may provide cause for follow-up investigation. Conclusion. This review of published protected health information incidents focused on three areas: 1. The type of breach, including malicious and non-malicious threat-sources. 2. The location of the breach, including portable and non-portable devices. 3. The role of business associates in recent breaches. By identifying trends in each of these three areas, we hoped to identify a subset of controls that would provide the greatest return on investment to the covered entity and business associate by reducing the likelihood of a successful breach or mitigating the impact of a breach. Analysis was limited to reviewing only incidents that resulted in 500 or more individual records, which may impact the conclusions. For example, the average number of records breached per incident computed is likely slightly inflated; however, the actual number of breaches and number of records breached are certainly higher than reported here. PAGE | 9
  • 12. To reduce the likelihood and impact of a future breach, covered entities and business associates should focus their Information Security Programs on the following areas: Incident Detection and Response Implement an incident detection and response program to ensure all incidents are detected and responded to in a timely manner. This includes adequate logging and monitoring systems where protected heath information is stored, transferred, and destroyed. Consider developing an incident reporting form that is consistent with the HHS breach notification form. All incidents affecting more than 500 individuals are expected to be reported within 60 days. System Security Plan During the development of the next IT project and all that follow, whether it be a Blackberry Enterprise Server or an Electronic Medical Record deployment, develop a system security plan that documents each component of the new system, including external connections, where sensitive data is stored, who has access, what vulnerabilities exist with the system, and how to prevent those vulnerabilities from being exploited. Once documented, you now have a roadmap to implement all necessary security controls, test on a regular basis, and monitor to ensure they are always operating as expected. This proactive approach will significantly reduce the ability for a malicious threat-source, whether on the Internet, on the bus, or in the office to successfully steal protected health information. Portable Media Policy Portable media is here to stay. From tape backups, to laptops, to personal handheld devices, protected health information is on the move. Rather than try to restrict where sensitive information is taken, take a data-driven view and focus on protecting data wherever it is stored. A mobile device security policy that includes management, operational, and technical controls must be defined and implemented. For help getting started, review our Mobile Device Policy Template1 which 2 can be customized to your environment. As always, test each control after implementation to ensure it is operating as expected. Business Associate Oversight Business associates often provide critical IT services and store, process, transmit, and dispose of sensitive protected health information. Ensure your business associate oversight program includes a review of contractual language that requires business associates to take as much care with your protected health information as you do. 1 http://www.redspin.com/resources/whitepapers-datasheets/request_mobile-security-policy.php 2 PAGE | 10
  • 13. In addition, contracts should require business associates to prove on an annual basis that they have adequate safeguards in place surrounding protected health information. If they can not provide the results of an independent security assessment, then consider sending them a self-assessment questionnaire1. While it does not replace an objective 3 third-party assessment of the business associates’ control environment, the questionnaire will provide you with some visibility into their operations and may provide cause for follow-up investigation. While IT environments and threats to these environments are constantly changing, focusing your resources on these four areas will provide an immediate positive impact to your information security program and reduce the risk of a breach of protected health information. Redspin, Inc., 6450 Via Real, Suite 3 Carpinteria, CA 93013 800.721.9177 fax 805.684.6859 3 1 http://www.redspin.com/resources/whitepapers-datasheets/request_mobile-security-policy.php www.redspin.com