Health Net Incident Impacting 1.9 Million: Lessons Learned

Yesterday I provided some thoughts to Howard Anderson at HealthinfoSecurity.com about the recent Health Net incident for his article Here are some expanded thoughts for his questions…

 1.  What can others learn from this incident regarding how to communicate with the public in the aftermath of a breach incident?

Communicating about breaches has been a problem area for most organizations ever since CA SB 1386 went into effect in 2003.  The published notices are often dismissive and try to downplay the breach, or blame it on some other entity.  I’ve seen way too many organizations make somewhat insensitive statements that downplay the risk results in such a way that it makes customers and consumers angry. For example, saying something like ‘We have no evidence that the information has been used inappropriately’ only a week or two following the breach. Those writing the statements need to understand that information can be used for years following a breach, and most consumers know this.

 

Or, I have often seen them say something like, “We do not know who took the computer, but we believe they did not take it with the intent to use the information on the computer for a crime.” You know, people read this and they say, “Huh?  If the company doesn’t know who took the computer, how can they even speculate about the motivation for some unknown thief?”

 

These and many more similar statements have actually been made following breaches, and these types of statements only hurt the reputation of the organization that experienced the breach, as well as making consumers mad.

 

And then another, the second major problem area I see, is not knowing the legal requirements for notifying the impacted individuals. There are now at least 50 U.S. territory and state-level laws that have breach notice laws in place in addition to HITECH. They all have specific notification requirements, including how quickly notifications must be made, the information that must be included in the notifications and the delivery methods that are acceptable for the breach notices. And oftentimes organizations don’t know what those requirements are.

 

With regard to this specific situation, let’s look at Health Net’s press release about the breach.  They indicated that its investigation of the latest breach incident “follows notification by IBM, Health Net’s vendor responsible for managing IT infrastructure, that it could not locate several server drives” at a data center in Rancho Cordova, Calif. “After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives,” the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.

 

Health Net is offering those who may have been affected “two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance.”

 

Health Net clearly is pointing the blame at IBM; specifically stating that IBM is responsible for the breach.  Guess what?  When you outsource business activities to a third party, you do not also outsource your responsibility!  What was Health Net doing to ensure, on an ongoing basis, that IBM had appropriate safeguards in place? Were they doing anything?  Did they just rely on Big Blue’s reputation?  Doing so is a risky practice, as this incident shows.  Health Net shares in the responsibility and blame for the incident.

 

There are some positive things about their notification to point out:

  • They put information about the breach on their site that was easy to find from a prominent link on their home page.
  • They offered all involved credit monitoring and identity theft insurance, which they weren’t legally required to do by HITECH, or by all the state level breach notice laws.
  • They provided a way to get in touch with their contracted breach response company, Debix, to find out information about the breach.

2.  We don’t know exactly what happened in this breach, other than unencrypted drives missing from a data center managed by IBM…what steps can organizations take to make sure their business associates are taking all necessary security precautions? And what physical security and other precautions should be taken to protect data centers? And should server drives be encrypted?

 

Yes, the lack of details certainly leaves everyone wondering.  It’s possible the drives are truly missing, lost forever, in the hands of diabolical criminals, or misplaced.  In a large organization, with huge facilities like IBM has, it is probably not uncommon for tapes and disks to be misplaced, at least for short periods of time. It truly would be like putting a book back on the wrong shelf at the Library of Congress; you would only find it again if you accidently happened upon it.  (Thank you Dewey for your Decimal System; Kindle kids, this is something you should know from the history books.  Really, it is “good for you”.)

 

Early in my career I did a tape library audit, of around 3% of the total tapes, which was considered to be a sound representative sample in the huge collection of tapes for the time allowed, and I found around half a dozen misplaced tapes in this small sample.  This was within my own organization.  Can you imagine if a worker accidentally misplaced a drive within a facility where there is media belonging to dozens, hundreds, or even thousands of organizations?  The insider threat is significant in all organizations, and every human makes mistakes.  So, if IBM did not have a good storage media inventory and tracking system in place, then this is a possibility.  Of course, it is also possible the drive was stolen.  There are not enough details to really be able to narrow down the possibilities.

Indeed, Health Net, and every other organization, needs to follow due diligence actions to ensure that every third party they have contracted with has appropriate safeguards in place.  As stated earlier, when you outsource business activities to a third party, you do *not* also outsource your responsibility.  You must follow effective, comprehensive procedures before deciding to outsource to a specific organization, and then you need to perform various types of ongoing activities, depending upon what activities you have outsourced, to ensure they stay in compliance.  A contract alone is meaningless and ineffective with regard to incident prevention if the details within that contract are not followed.  I recommend two types of activities to ensure third parties have appropriate safeguards in place, and are maintaining them appropriately on an ongoing basis: 1) Perform compliance audits / risk assessments, and 2) Establish a way to monitor, on an ongoing basis at any time, how well they are maintaining their compliance program. 

Audits/risk assessments

If you depend upon doing third party security and privacy program compliance audits/assessments through the use of questionnaires, as is typically done, you will likely reveal a very wide range of risks.  Over the past several years I’ve done over 200 of these for business associates (BAs) of covered entities (CEs) that engaged me to help them with this important activity, and while point-in-time audits have been very beneficial to identify concerns within BA information security and privacy programs, they also have their drawbacks.  Some of these include:

  • Each audit typically takes around four to eight weeks (or more) to complete, depending upon how timely the BA completes the questionnaire, provides documentation, and makes key contacts available for interviews.
  • The audit is an assessment of a point in time for the BA.  As soon as the audit is over, if anything within the BA operations, systems, networks, administration, or other signification factor, changes, it will also change the information security and privacy posture for the BA.
  • Most of the answers on the audit questionnaires are not validated.  Many organizations answer the questionnaires in the way that will be most beneficial for them to “pass” the audit, and they do not truly represent the reality of the BA information security and privacy program.

 

Performing an audit prior to engaging a third party is important if the potential third party cannot provide evidence that they have a good program in place.  And organizations must still do the regular audits that are legally required. 

Monitor ongoing compliance

Establish a way to monitor the third party to ensure ongoing compliance.  As changes are made within businesses, the compliance, and risk, levels will also change as a result.  Compliance is not a single-point-in-time event, and security risks are not static.  Think about it.  Your business changes constantly. You provide new services, new products. You discontinue services and products. You offer your services and products in new ways, such as online, over the phone, in kiosks, and through business partners. You obtain customers in new geographic locations. New types of information are collected from your customers and employees.  You make partnerships with new businesses, in geographic locations where you’ve never been before.  New laws are enacted. And the list goes on and on.  During all these business changes your compliance levels will also change as a result.  You must stay diligent with maintaining compliance not only because it is a sound business activity to ensure information security and privacy, but also because the regulators expect for you to stay in compliance at all times!  You must be able to demonstrate that you are following all reasonable due diligence activities to remain in compliance with your applicable legal obligations.  You must also ensure that your third parties you’ve outsourced to also maintain their safeguards on an ongoing basis to address their changing risk levels, and resulting compliance posture, which result from their business changes.

 

As I did more and more BA security and privacy program audits, I became more and more convinced that there must be a better, more effective, accurate and efficient, way for CEs to ensure, on an ongoing basis, that BAs have good information security and privacy programs in place.  To meet this need I partnered with Jack Anderson, of Compliance Helper, to create an automated way to allow CEs to see the progress and levels of compliance activities for their BAs, in addition to the documentation for their BAs, at any time on an ongoing basis, to validate appropriate documents, forms and activities exist for BA security and privacy program compliance, in addition to logging all activities.  By having a window into the key BA security and privacy program components, CEs will be more effectively able to ensure BAs:

  • Are in compliance with legal and regulatory requirements and/or expectations at all times
  • Perform due diligence efforts during the contracting process or other risk management activities
  • Are in compliance with CE contractual security and privacy expectations
  • Resolve security and privacy issues promptly and appropriately

 

This is an effective and cost efficient alternative to performing the more time and resource intensive reviews based upon point-in-time audits.  It also helps to quickly and effectively address and eliminate significant security and privacy program problems.

 

And what physical security and other precautions should be taken to protect data centers?

Regarding data centers, before using an outsourced service, be sure to check the following, along with your other due diligence activities:

  • Will they have your hardware and storage media in the same room/location as all their other customers?  If so, what safeguards exist to keep the storage media from being mixed up with that of the other customers? If they are storing your data on the same storage media as other organizations, this raises the risks significantly.
  • What type of physical access controls exist to the location where your servers and storage media will be located?
  • What type of hardware and media tracking and inventory policies, procedures and technologies do they use?  They should be able to tell you where every server and every storage media is located at any point in time.
  • How often are their controls tested?
  • Who has access to the area where your servers and media are located? They should only allow those with business responsibilities to be there.
  • Do they have documented, up-to-date information security policies and procedures?
  • Do they have a position formally responsible for information security?
  • Do they provide information security training and ongoing awareness to those who are responsible for safeguarding the area where your hardware and storage media is located?
  • Can they provide a copy of their last security audit?  When did it occur?

 

And should server drives be encrypted?

Regarding server drives, whether or not you encrypt depends upon the risks for each situation.  If a third party is housing your servers and drives, along with those belonging to a large number of other organizations, then your risks have increased significantly from if you housed the servers and drives within your own secured walls, handled by your own, onsite workers. What you decide to do will depend upon the answers to the previous questions.  If they do not have your servers and storage media in a separate, secured area, then it would likely be a good idea to encrypt the data on the servers. 

I recently helped a small clinic, in a large inner-city location, with an incident that brought the OCR to their door to do an audit because their server drives were not encrypted. A thief, or thieves, literally kicked in the clinic’s doors and stole their servers and other computer equipment.  Their data was not encrypted, and it contained a large amount of protected health information (PHI).  They had thought since it was within an internal locked room, and their office and building were locked, that they didn’t need to worry about encrypting the data.  And after all, “HIPAA does not specify that encryption is necessary, only ‘addressable’”. (NOTE: “addressable” does *NOT* mean “optional”!)  Being in an inner city area that had a high theft rate should have been considered as part of their risk assessment…if they had done one for their server.

Tags: , , , , , , , , , , , , ,

Leave a Reply