Data Breach Analysis Project

Written By PIcc Alliance

If you wish to contribute, join an upcoming project work session.

Date and time of the second project meeting TBD

Under section 13402(e)(4) of the HITECH Act, breaches of unsecured protected health information affecting 500+ individuals mut be posted by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights

In this project we aim to examine the data available through the Secretary of HHS Breach of Unsecure Protected Health Information

The outcome of the project could include

  • An infographics

  • A peer-reviewed publication

  • Several meetings to discuss the findings

Background

Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Definition of a breach

Definition of Breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

  2. The unauthorized person who used the protected health information or to whom the disclosure was made;

  3. Whether the protected health information was actually acquired or viewed; and

  4. The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

Instructions for Covered Entities to Submit Breach Notifications to the Secretary

HITECH Act Enforcement Interim Final Rule (link)

HITECH act (link)

Meeting 1: February 6, 2023

In the first scoping meeting, we covered three major topics. The first, we considered the potential of the data being incomplete, despite compliance requirements. Next, the limitation of generalizability. Finally, whether we should use another data-source, for instance an FTC data-source.

Reminder of useful resources:

  • Instructions for Covered Entities to Submit Breach Notifications to the Secretary (link)

  • HITECH Act Enforcement Interim Final Rule (link)

  • Health Information Technology for Economic and Clinical Health (HITECH) Act Overview (link)

FTC’s Breach Form

From the FTC's breach form:

1) What steps are you taking to investigate the breach?

2) What steps are you taking to mitigate losses?

3) What steps are you taking to protect against further breaches?

4) List any law enforcement agencies you've contacted about the breach.

5) information that someone has been harmed by this breach?

Discussion:

  • Limitation: Discussed “health adjacent” devices => discuss other regimes…

  • Aspect: Different state-level privacy laws; Different state-level requirements

  • Sector of company… (how to define healthcare company)

  • Under HIPAA => business associate => notification obligation => reporting requirement from healthcare provider.

  • If BA is not reporting … “triangulation”. => example

  • “reference lab: genomics co hack: patient informed:  no contract” => passing information between…

  • Discussion: counterintelligence risk

  • BAA => jurisdiction might differ, transmission of data to foreign entities

  • Permanence of data => e.g., genomic data (identifiability)

Methodology

  • +500 individuals (required to submit notification within 72hours)

  • Breaches change “shape” e.g. over time

  • <500 can be disclosed at the end of the calendar year.

  • Time trends (month by month)

  • Who is the threat actor (category),

  • Discussed state sponsored…

  • What type of attack;

  • What is the effect (actual attack vs. ransomware)

 

Different Layers

  • international

  • national

  • regional

  • local

 

Questions to consider

  • What should we capture in addition to what we are capturing?

  • How far reaching are the effects?

    • (e.g. Payor => might be located in one state but individuals might be affected in different states)

    • Relationship between data

  • Mitigation strategies for researchers: data sharing agreements that assign differential privacy budgets?

    • Did you provide an environment for researchers to send their computations to, rather than emitting data?

 

Mitigation strategies

  • De-identification

  • Pseudonymization

  • (Full) anonymization

  • Synthetic data

  • Imputed data

  • Encryption

  • Tokenization

Additional notes:

  • Aggregating data carries risk in itself

  • capturing data (via computer vision from screen)

  • RCM / medical coding =>

    • Data value vs. risks

    • Removes human capabilities…

Additional resources:

  • Department of Defense Cyber Crime Center (DC3) (link)

  • Complying with FTC’s Health Breach Notification Rule (link)

  • Assessing the role of …genomics///out of country companies (link)

  • Data Breaches (link)

 

Join the next meeting for this project:

Monday, February 27 at 1:00-2:00PM EST

(Link to Meeting Credentials)

PIcc Alliance
Previous

Regulatory Landscape Survey
Next

PCCP Project