
Charleston Area Medical Center (CAMC) Data Breach – What Can Be Learned


Lessons learned from the Charleston Area Medical Center (CAMC) data breach.

Published in: Health & Medicine, Technology

Charleston Area Medical Center (CAMC) Data Breach – What Can Be Learned?

It's always educational to review a data security breach to see what can be learned. In the case of the Charleston Area Medical Center (CAMC) last month, a number of lessons can be learned. First, let's review what we know (and don't know) about the data breach, which happened at CAMC subsidiary CAMC Health Education Research Institute (CHERI).

What Happened

It was a pretty straightforward breach. Last month someone doing an online search for an address found that the name of a relative and their ePHI was readily accessible on a CAMC website via a Google search. He immediately notified the relative, who in turn contacted the State of West Virginia Attorney General. The Attorney General's Consumer Protection Division quickly had the offending site shut down. In all, 3655 patients were involved in the breach, whose data had been accessible on the site since September of 2010. The site was created by a contractor who inadvertently enabled access to the data.

More Questions than Answers

• If the contractor had access to ePHI, were they treated as a Business Associate (BA)?
• Was there a Business Associate Agreement (BAA) in place?
• Was protecting ePHI specified as an upfront feature/requirement of the site created by the contractor?
• Was any application penetration testing performed on the site before it went live?
• As a result of the breach CAMC has agreed to additional safeguards, including a security assessment – does this imply that CAMC had not previously performed a HIPAA Risk Analysis?!?!

Lessons Learned

An ounce of prevention…: While we don't know the details of this particular vulnerability, it appears that an application penetration test would have identified the risk and enabled trivial remediation before an incident. That would be a fraction of the cost of this breach. It's hard to determine the CAMC brand damage and staff costs associated with a breach like this. And it's too early to tell if the hospital will see HIPAA / HITECH Act fines associated with the incident. The Equifax credit monitoring cost is also unclear, though calculating the retail cost from their site at $15 per month per user for each of the 3655 individuals affected by the breach for a year tallies to over $54,000 per month and over $650,000 for the year …. a pound of cure.

WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

Security Assessments have more value before a breach: Well, I am stating the obvious here, but there's more to the point than the obvious fact that identifying this particular vulnerability early would be much less painful for the organization. The point is that, in our experience, incident-driven assessments are often knee-jerk reactions to a compliance issue that are completed more to show reaction and publicize respect for client ePHI than as a core value-driven approach to secure operations. These types of assessments often cost far more and the value can be limited. The value of a security assessment is proportional to an organization's bandwidth to absorb the findings and willingness for organizational improvement. An event-driven assessment for CAMC will not yield a lot of value if the health IT staff is not ready to react to the findings.

Ensure BAs are aware of the need to protect ePHI: When you outsource to a vendor, you are outsourcing the actual labor, but also, to a certain extent, security management. While you would like to expect that a vendor is aware of information security best practices, you can't always trust the BA to be secure. A robust BAA shows you care? While requiring a BA to complete a Business Associate Self-Assessment Questionnaire may not be appropriate for a web site developer, quizzing them on a secure software development life cycle might filter out incompetent developers and send a message that you care about their performance.