Treatment and Prevention – Achieving and Maintaining Compliance (part 4)

9/02/2011

In the previous segments of this series, we introduced two recent federal regulations that are poised to have a significant effect on the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule).

As the previous segments discussed, both HITECH and the Red Flags Rule establish new and complex regulatory requirements. Without a doubt, the best defense against regulatory fever is prevention through proactive planning. However, this is certainly easier said than done. While the regulatory frameworks of HITECH and the Red Flags Rule are complex, perhaps the most troubling aspect is the emerging IT market structure and its interplay with the new regulations.

Complications and Side Effects – Rules, Regulations and Penalties (part 2)

8/31/2011

In the last segment, we introduced two recent laws that have significantly increased the regulatory compliance obligations of the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule). As the Office for Civil Rights (OCR) reporting website demonstrates, the impetus for these new data breach regulations clearly has not been overstated. HITECH requires the OCR to post PHI breaches involving more than 500 individuals, and since the rule went into effect in February of 2009, 288 incidents have been reported, four of which involve over 1 million individuals. With the threat of data breaches clear and regulatory fever now in full swing, it is important to understand the specific requirements and implications of these new laws on the health care industry.

Meaningful Use, Privacy and Security in EHR Systems: What Does the Future Hold?

7/07/2010

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.

FTC and HHS Deliver One-Two Punch This Week – A Sign of Things to Come?

2/23/2010

The Federal Trade Commission (FTC) announced yesterday that it notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has leaked from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks.

Notices went to both private and public entities, ranging in size from as few as eight people to those with tens of thousands of employees. The letters state that “at least one computer file containing sensitive personal information . . . has been shared from your computer network, or the network of one of your service providers, to a peer-to-peer file sharing (P2P) network.”

Four Top Data Security Events of 2009

12/30/2009

Say farewell to the old year with a look at four of the top 2009 events that our experts believe have changed the face of data security for businesses going forward…

  • Heartland Payment Systems breach – In what some termed “the world’s biggest data breach to date,” hundreds of millions of payment cards were compromised. Heartland leadership was visible and vocal throughout the year, championing end-to-end encryption and sharing lessons learned from this incident, for which the company created an $82.9 million reserve.