HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Organizations are not adequately protecting E-health records

The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then, that the rush to digitize personal health information didn’t include implementing security.  A recent survey of IT managers involved in healthcare revealed that 80% had suffered at least one incident or more of lost or stolen health information over the past year. More tellingly, most still have no support from their senior management to fix the problems.


It's not that the costs of a breach don't have sufficient teeth. Heartland Payment Systems has incurred over $12.6 million in fines, penalties, and other costs associated with their breach of credit card information. And while that's a different industry and a disproportionately massive example, the breach penalties and notification requirements between PCI and HIPPAA are not dissimilar. According to this health information study, the costs of a compromised health information record exceed $210 per instance. That can obviously add up quickly when a database containing thousands of records has been exposed.


So what's the problem, then? One huge one is that developers still don't have a good understanding of security. Most have heard of Cross-Site Scripting, for instance, but they've never seen it exploited. And when you don't understand the problem, it's hard to convince budget and time constrained managers that the costs to fix the problems are ultimately reasonable. Until the ease with which data breaches occur are understood, vendors are going to continue to play a dangerous game by not fixing the problems. There is a proven need for upgrading our medical systems to be both more cost-effective and to provide better overall health care. But security needs to be a part of that prescription, too.



Rules for web-based health repository breach notifications announced

The Federal Trade Commission (FTC) has released the final rules concerning breach notifications for Personal Health Information (PHI) that were required under the American Recovery and Reinvestment Act of 2009 which was passed in February (otherwise known as the stimulus package). The Department of Health and Human Services (HHS) and the FTC were tasked with issuing rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information was breached. This closes a loophole in the Health Insurance Portability and Accountability Act (HIPAA) for web-based companies that gather health information. Until now, they had typically not been covered under HIPAA. The new rules go into effect 30 days after publication in the Federal Register. The FTC plans to begin enforcement 180 days after that.


 Some interesting items in the new rules:


 ·         Encrypted data is considered secure (hope it's strong).


 ·         The media must be notified if more than 500 individuals have had their information accessed.


 ·         Companies have up to 60 calendars days to provide notifications.


 ·         Law enforcement can delay notifications if it would impede an investigation or be a threat to national security.


 ·         If the contact information for 10 or more individuals is out of date, alternate notice may be given via a posting on the vendor web site or through the media. (10 is not a lot. It might be 'easier' to find those and do the notification on your web site…and then save the postage.) Read the rules here.




Read the rules here.







Extortion can mean double jeopardy for personal health information providers

I've been thinking a bit more about the personal health information extortion attempt that's been in the news recently, and which Ken Swinney mentioned in his  Keep the snakes at bay  post yesterday. If you haven't been following the story, the gist is that a state agency responsible for identifying prescription medication abuse was hacked and compromised. Their site was then replaced with a ransom note demanding 10 million dollars for access to the database.

Under current guidelines, would this have required that patients be notified of a potential breach? It's hard to say without knowing all the specifics, and what 'concerned entities' were involved. Under the new HIPAA breach notification rules  that go into effect this September, though, notifications would most definitely be required.If nothing else, that's a lot of postage.

I can only imagine that we'll see more and more incidents of this nature in the future. In fact, this is not the first extortion attempt involving personal health information to become public in the past year. One of the nation's largest processors of pharmacy prescriptions (think benefit claims) also suffered an extortion attempt roughly six months ago. Smartly, they didn't pay. Even so, public extortion of this kind is double jeopardy for those who maintain personal health information (or financial, for that matter). At that point, providers are already in violation of any applicable legislation, and will be subject to those fines and penalties no matter what approach is taken in recovering the compromised data.





Keep the snakes at bay

Recently, a state agency announced that their site had been compromised by computer hackers. The attackers left a ransom note on the web site claiming that they had captured 8.3 million patient records and 35.6 million prescriptions. The attackers also claimed to have created a password-protected, encrypted backup of the data.  For a mere $10 million the miscreants offered to “gladly send along the password.”

To quote the great philosopher Morpheus, “Welcome to the desert of the real.”

Warnings about security flaws in web applications have been ignored by most for as long as web applications have existed. A small contingent of evangelists, including folks in our own HP Application Security group, have consistently warned about the existence and exploitability of these vulnerabilities.

The U.S. Department of Health and Human Services Inspector General, in a report dated October 27, 2008, stated that “limited actions” by the Centers for Medicare & Medicaid Services (CMS) have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.” Voluntary compliance (an oxymoron?) was a key problem cited for this lack of effectiveness.

Some suggest that healthcare records simply should not be made available via the public internet. That’s a lot like saying people shouldn’t eat greasy cheeseburgers. It may be true, but it’s not gonna stop.

The first step to understanding the real problem is recognizing that the availability of information, even healthcare information, is a growing part of our everyday lives. You wouldn’t put sharp kitchen knives on the floor where your toddler could reach them, would you? If you did do something this dangerous, would you then punish the toddler for cutting himself?

We need to stop wondering why snakes bite and start wondering what we can do to put a healthy distance between our toes and the snakes.

The federal government has enacted new, strong provisions to begin forcing developers of healthcare management software applications to provide notice of breaches to the medical providers they serve, who can in turn notify the affected individuals. This is a huge step, because in the past HIPAA compliance was a burden borne by the medical providers. If they aren’t notified of the breach, nobody is the wiser…until somebody finds out at the pharmacy that all of their pain prescriptions have already been filled by some nice young gentleman.

Now that software application developers are held accountable for security, I believe we’ll start to see some distance between us and the snakes. By the time these software developers figure out they need a plan for their web application security, they’ll find out HP has been there all along.

Ken Swinney
R&D Group Manager
HP Application Security Center

New Personal Health Information (PHI) breach guidelines included in stimulus package

Under the American Recovery and Reinvestment Act of 2009 passed in February (otherwise known as the stimulus package), the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. As a first step, the (FTC) has now issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach. This is a positive move towards building federal standards for Personal Health Information (PHI) breaches that at least match the same requirements given other important data such as credit card numbers.

The stimulus package also tries to close the current Health Insurance Portability and Accountability Act (HIPAA) notification 'loophole' by recognizing that there are now new entities (for example, third-party storage vendors) that collect consumers’ health information that are not covered by the current breach of data guidelines. Beginning September 16th,  “covered entities” under HIPAA will be required to give breach notifications, and “business associates” of HIPAA-covered entities will be required to report breaches of PHI to the covered entities. Until the HHS and FTC can issue new guidelines, the new HIPAA requirements should ensure that affected individuals from physicians to patients are notified within 60 days of discovery of a breach. This will apply to any organization that utilizes or maintains “unsecured protected health information.”

There is definitely a need for federal guidelines regarding PHI breaches. Currently (and until September when the new HIPAA requirements go into effect), only two states (California and Arkansas) require breach notifications for all concerned entities.  What exists now is a mishmash of existing state and federal regulations concerning PHI breaches that only serves to breed confusion.  And that’s not helped by organizations (third-party storage vendors, for example) who aren’t following simple standards of customer service when notifying either patients or physicians of PHI breaches because they don’t yet have to.  As we've seen with Wall Street, self-regulation is not always the best answer, especially when it comes to delivering bad news. Companies should be aware that any breach of PHI will soon require across the board notification from consumer to health care provider, and that lack of compliance can result in hefty fines. The stimulus package created four tiers of penalties for different levels of culpability ranging from $100 to $50,000 for each violation that are not to exceed $25,000 to $1,500,000 during a calendar year. These fines are also effective immediately. As well, there are also new state guidelines enacted this year that contain hefty penalties for non-compliance. California guidelines adopted this year as part of SB 541 have penalties for violations including $25,000 per patient for unauthorized access, use, or disclosure of patients’ records, $17,500 for each subsequent occurrence of access to an affected patient’s records, and $100 per day of delayed reporting of a breach.  Any company that is involved with PHI would be well served to step up security efforts to avoid a breach now that the consequences are more severe, and to have a notification policy in place and ready to go in the unfortunate event of a breach.


Labels: compliance| hipaa| phi
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.