Companies in every sector of the economy including health care have begun moving operations and sensitive data to the cloud. As the trend accelerates, some experts have questioned whether the cloud is a safe place to store personal data.
What is no longer in question though, is that client-server systems sitting in providers' offices are inherently unsafe places for such data. Every one of the largest breaches of patient confidential information that took place last year for example, could not have happened had the data been stored in the cloud.
And those events pale in comparison to the massive breach of patient data that was announced last week by company officials from Health Net. These officials reported that a portable, external hard drive containing 7 years worth of personal, medical and financial information on 1.5 million customers had been lost.
The wayward hard drive was last seen in the company’s Northeast headquarters in Shelton, Connecticut. It contained Social Security numbers, medical records and bank account information dating back to 2002.
About a third of the missing files were from Connecticut residents. Customers from Arizona, New Jersey and New York were also affected.
Data on the missing drive were not encrypted but do require a special computer program to read them (presumably available at Radio Shack). Remarkably, to this date, Heath Net has yet to formally inform affected individuals that their confidential information may have been compromised.
That is only half the story, however. It turns out that the hard drive was lost 6 months ago.
Health Net spokesperson Alice Chaves Ferreira explained that the managed care giant didn't report the incident sooner because it didn’t know what information had been lost. It was only after a review by computer experts that Health Net realized the scope of the loss.
"Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information," Connecticut’s Attorney General Richard Blumenthal said in a prepared statement.
"I am outraged and appalled by Health Net's…failure to swiftly inform authorities and consumers," Blumenthal added.
Connecticut law requires that organizations notify consumers and state officials about data breaches "without unreasonable delay." The company’s actions “may have violated state and federal laws,” Blumenthal said. “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted."
Meanwhile, state Insurance Commissioner Thomas Sullivan said he would require that Health Net extend credit protection monitoring through a private company that provides identity-theft protection services.
Ferreira confirmed this will happen. "Health Net will provide credit monitoring for over 2 years — free of charge — to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service," she said.
Health Net officials said they had no evidence that anyone has misused the missing data.
The Health Net data breach comes less than a month after Blue Cross and Blue Shield reported that a laptop had been stolen this summer in the Chicago area, threatening the personal information of 850,000 health care providers in 50 states.
By coincidence, Blumenthal had just announced plans to investigate the Blues’ delays in announcing that breach when the Health Net story hit the wires.
Patient medical records being cared for by providers using the Practice Fusion EHR are stored in the salesforce.com cloud, a $100 million HIPAA-compliant beast that has never experienced a breach. These providers have no need to store patient data on site in hard drives, laptops or anything else.
Glenn Laffel MD, PhD
Sr. Vice President, Clinical Affairs, Practice Fusion
Monday, November 23, 2009
The Data Breach at Health Net
Subscribe to:
Post Comments (Atom)
Posts
2 comments:
I think this is a bit disingenuous.
I mean yes, it's unlikely that a modern cloud application will have anything transmitted physically (ie lost harddrives/lost backup tapes) that isn't encrypted. This means that SaaS-applications, if administered right, will likely not suffer from these kinds of breaches.
But what about SQL-Injection? Javascript/XSS? SSL MiTM attacks? Post-it notes taped to the doctor's screen because they don't feel like remembering the password? These kinds of attacks don't care if you're on a podunk Rails app or an expensive HIPAA-compliant beast. They are all code-level and policy-level vulnerabilities.
There is some security, honestly, in having a closed system. But I believe that is far outweighed by the functionality of an Internet-based system. But Internet-based systems have plenty of flaws of their own.
Security isn't just a one-step thing. Security is constant upkeep and vigilance. It's making sure your programmers are aware of modern attacks and know how to avoid them in code. It's having regular penetration tests and remediation programs.
I'm a big fan of the cloud and of PF. I think that we need to continue to put things in the cloud. I think this is the future. But I do think that we need to be very careful about how we put things up and not neglect the various layers of security to ensure absolute availability, confidentiality and integrity of all data.
I think the cloud can be MORE secure than traditional computing because you have a single point of protection. But those that take care of that single-point-of-protection have to be committed to very diligent security.
My point, though, is just because you're not likely vulnerable from THIS attack, doesn't mean you're free from attack vectors.
Post a Comment