A report released on April 29 by Javelin Strategy & Research should raise the alarm at healthcare provider organizations about the true costs of data breaches, as well as the appropriateness of remediation services offered to victims.
The survey, “Avoidable Collateral Damage from Corporate Data Breaches,” examined three industries: healthcare, financial and retail. It found that in healthcare, found that 30 percent of consumers whose data was affected by a breach would avoid the health provider post-breach. According to the report, it has become standard practice for many businesses that have suffered a breach to subsidize identity protection services (IDPS), whether or not it is appropriate, effective or actually reduced the risk in light of the data that that was breached. According to the report, IDPS generally offers poor protection against medical identity fraud.
Javelin maintains that its findings were arrived at independent of the report’s sponsor, Identity Finder, LLC. Yet in a phone interview following the release of the report, Identity Finder’s CEO, Todd Feinman, offered some insightful comments on the report’s conclusions.
Feinman notes that leaking credit card numbers is bad, but breached social security numbers and medical information is far worse in terms of potential repercussions on the victim and the time it time it takes to set the record straight. While credit monitoring and IDPS may be offered for a few years, social security numbers never expire, he says. If a college graduate gets his social security number stolen in a data breach, he faces a lifetime of being more vulnerable to underground communities that harvest ID information for illicit purposes, he says. Many times it’s not evident that a social security number has bee stolen within the first few years of it being harvested, he adds.
For those reasons Feinman calls IDPS a double-edge sword. “You think they are protecting you, but they really aren’t, because while you may think the problem is going away, it hasn’t,” he says.
A similar point was made last December by the risk mitigation and response firm Kroll. One of its conclusions is that credit monitoring for victims of a data breach will fall by the wayside, and there is a need in healthcare for a better understanding of breach risks, how it can affect the patient and more appropriate remedies. Kroll managing director Alan Brill pointed out that the Federal Trade Commission and certain states, including Illinois and California have suggested that remediation should be risk-based, offering victims some indication of who may have stolen the information, the risks he or she faces and advice for protecting themselves.
Taking a proactive approach is, of course, best, and the Javelin report recommends ongoing risk assessments in the form of a sensitive data management program, a strategy that Feinman says is being undertaking by an increasing number of healthcare providers.
Feinman notes that there is some flexibility in putting together a program that is appropriate for a particular organization, but there are three essentials.
No. 1, organizations need to sift through irrelevant data to identify the sensitive information that absolutely needs to be protected. Step one is vital, Feinman says.
Providers should also secure unprotected data and remove at-risk data. “This is really about taking stock and reducing it to the minimal amount necessary,” Feinman says. He says that two-thirds of all data breaches involve old, forgotten data, and often with data that has been duplicated and taken outside the secure environment.
Finally, report compliance with policy and regulation, a mandatory step that all organizations must follow.