The High Cost of HIPAA Privacy Violations

October 21, 2009 by ADMIN

By Danny Lieberman, Security Expert and Founder of Software Associates

Back in February 2009 I noted that CVS Caremark Corp. had agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash.

This morning, 9 months later, I checked the stock performance of CVS Caremark. I was curious to see whether the stock had taken a hit from the federal HIPAA fine.

The answer is that there was no visible effect on stock performance; as a matter of fact, CVS stock has tracked the S&P 500 closely over the entire period and is currently at a year high of 38.

This was not a data loss event. It was a non-compliance situation that probably didn’t constitute a very big threat to patient information or customer data.

Data security vendors like McAfee, IBM, Fidelis Security, Symantec, Verdasys, Reconnex, Vericept, Raytheon, Websense and Check Point have written thousands of white papers on how their data security products can help an organization be HIPAA compliant.

For example, from the Check Point web site:

Health Insurance Portability and Accountability Act of 1996 (HIPAA)—HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports. Also, Section 4.22 specifies that documentation of actions and activities need to be retained for at least six years.

True – but log management cannot mitigate dumpster diving, nor can it prevent bulk database dumps and file transfers.

This seems like a case of “when all you have is a hammer, every problem looks like a nail.” Check Point is well known for not having DLP technology, and for neither investing in nor acquiring DLP.

It may be easier to collect PII in small quantities from a dumpster than from an information system, but when you want large quantities of data, it’s much more effective to get command line SQL access and go for the gold.

See the Oracle example below.

Select all the credit card numbers and save them to an external data file, zip the data and use secure copy to send it to a one-time instance of a Linux server in the cloud, for example on Mosso, where I can set up a server in 5 minutes, transfer the data and then discontinue the service when I’m finished.

-- SQL*Plus: start writing query output to a file
SPOOL data.csv
SELECT credit_card_number FROM customer_table;
-- stop writing and close the file
SPOOL OFF

All done in less than 15 min.
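The NIST SP 800-66 log review quoted above cannot stop a spool like this, but it can surface it quickly. As an added example that is not part of the original post, the Python below screens constructed audit records for the profile of the query above: an unfiltered read of regulated columns, a row count far beyond a lookup, and an interactive command-line client. The column and table names, client names, thresholds and the record shape are assumptions, not a real Oracle audit format.

```python
import re
from collections import namedtuple

# Assumed column and table names that hold regulated data; adjust to the real schema.
SENSITIVE_COLUMNS = {"credit_card_number", "ssn", "patient_id", "diagnosis"}
SENSITIVE_TABLES = {"customer_table", "patient_table"}
BULK_ROW_THRESHOLD = 1000                                   # a read this large is a dump, not a lookup
INTERACTIVE_CLIENTS = {"sqlplus", "sqlplus.exe", "sqlcl"}   # ad-hoc command-line tools

# One audit record: account, client program, rows returned, statement text (constructed shape).
AuditRecord = namedtuple("AuditRecord", "user client rows sql")

def referenced_columns(sql):
    """Sensitive columns named in the SELECT list (SELECT * counts when the table is sensitive)."""
    m = re.match(r"\s*select\s+(.*?)\s+from\s+([\w.]+)", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        return set()
    select_list, table = m.group(1).strip(), m.group(2).lower()
    if select_list == "*":
        return set(SENSITIVE_COLUMNS) if table in SENSITIVE_TABLES else set()
    idents = {tok.lower() for tok in re.findall(r"[A-Za-z_]\w*", select_list)}
    return idents & SENSITIVE_COLUMNS

def classify(rec):
    """Reasons this record looks like a bulk dump of regulated data; empty list means benign."""
    cols = referenced_columns(rec.sql)
    if not cols:
        return []
    reasons = []
    if re.search(r"\bwhere\b", rec.sql, re.IGNORECASE) is None:
        reasons.append("unfiltered read of " + ", ".join(sorted(cols)))
    if rec.rows >= BULK_ROW_THRESHOLD:
        reasons.append(f"{rec.rows} rows returned")
    if rec.client.lower() in INTERACTIVE_CLIENTS:
        reasons.append(f"interactive client {rec.client}")
    # A filtered single-row fetch from the application tier is ordinary use,
    # so require at least two indicators before alerting.
    return reasons if len(reasons) >= 2 else []

# Constructed sample audit records, not real Oracle audit output.
SAMPLE = [
    AuditRecord("app_svc", "JDBC Thin Client", 1, "SELECT name FROM customer_table WHERE id = :1"),
    AuditRecord("dba_joe", "sqlplus", 250000, "SELECT credit_card_number from customer_table"),
    AuditRecord("app_svc", "JDBC Thin Client", 1, "SELECT credit_card_number FROM customer_table WHERE id = :1"),
]

def alerts(records=SAMPLE):
    """(user, reasons) for every record that trips the bulk-dump heuristic."""
    return [(r.user, why) for r in records if (why := classify(r))]
```

Only the spool-style read from the interactive session trips the heuristic; the application tier's single-row lookups of the same column do not.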

* * *


Danny Lieberman is a serial technology innovator and leader, implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention / extrusion prevention technology.

Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at +972 54 447 1114; he is always looking for interesting projects and ideas.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Comments

4 Comments on The High Cost of HIPAA Privacy Violations

Paul Berndt on Thu, 22nd Oct 2009 2:04 am

So where is the high cost? The stock didn’t take a hit; the 2.25 million might be cheaper than actually securing their data.

Paul

Danny Lieberman on Sun, 1st Nov 2009 8:51 am

Paul,

The “high cost” was rhetorical. I agree that a 2.25 M fine might actually be cheaper than buying DLP technology.

This is known in risk management parlance as “ignoring risk”.

You can ignore, transfer or mitigate.

Danny

Danny Lieberman on Sun, 1st Nov 2009 8:52 am

Rhetorical statement -

You can, in risk management parlance, ignore, mitigate or transfer risk.

Danny

ADMIN on Sun, 1st Nov 2009 9:02 am

As the publisher and the one who re-titled the piece, I concur with Danny that it was rhetorical. Because the fine was less than the cost of preventing the breach, consumers are at higher risk from this system of risk parlance and are ultimately paying a high price in one form or another, as all costs are passed on to consumers in the end…
