
6 takeaways from the Target data breach

By Healthcare Finance Staff

You almost feel sorry for Target. The breach of up to 110 million records -- theoretically 34 percent of the U.S. population -- is the stuff of unfortunate legend.

Chances are slim that a healthcare organization will suffer a Target-sized breach. But, as the 2013 Survey of Medical Identity Theft by Ponemon Institute shows, the breach of protected health information (PHI) creates significantly more risk for harm than the exposure of financial data: loss of insurance coverage, misdiagnosis, mistreatment, and more.

With that in mind, healthcare organizations can learn valuable lessons from the Target data breach -- lessons that protect patients and other vulnerable people.

1. Protect your organization's reputation and bottom line with fast, accurate breach assessment. Doing so enables effective communication and response that limits reputational and perhaps financial damage. Target's name was pummeled repeatedly as additional information came to light -- first the breach of up to 40 million credit and debit cards, and then the theft of up to 70 million people's personal information. In addition, Target could be fined $3.6 billion just for the breach of the credit and debit cards.

2. Operationalize your incident risk assessment and breach response processes. This moves your organization from the typical, knee-jerk reaction of incident response to a more strategic, daily approach. This strategy might have helped Target avoid at least one class-action lawsuit, in which the court must determine if "Target unreasonably delayed in notifying affected customers of the data breach."

3. Upgrade your risk analysis -- and your technology -- to meet changing threats. The Target breach happened at the point of sale, a place that had been considered less vulnerable. It appears that Target used an "ancient algorithm" to encrypt PIN data, to quote Matthew Green, a cryptographer and professor at Johns Hopkins University.

4. Understand how quickly an attack can spread through a system. Take the "mosaic" security in health insurance exchanges. Different protective strategies and technologies among the members of an exchange make these organizations particularly vulnerable to attack. Large retailers such as Target "are constantly on guard for attacks because their networks have multiple access points that need to be monitored," according to Steven Ryder, president and owner of True North Networks, an IT consultancy and solution provider based in Keene, N.H.

5. Never underestimate how motivated thieves are to break into a system -- and how much is at stake. This is especially true for medical information, which, according to Kirk Herath, Nationwide Chief Privacy Officer, has a street value of $50 -- versus the $1 value of a stolen Social Security number.

"Once someone gets in the network, whether it is 40, 400 or 40 million credit cards is irrelevant since once you're in, you're in," Ryder said. "It is why large companies are 'targets' so to speak, because the potential compromised data is so large."

6. Get your business associates into alignment. Data breaches don't stop at the door of your organization, as the Target breach illustrates. "The point-to-point encryption systems the processors are selling are not good enough because they don't go all the way to the issuer," says [Gartner Vice President Avivah] Litan. There are many players in every card transaction, as [Business Insider] covered in a recent report, and each interaction between them presents a potential entry point for fraudulent activity.

One strategy that Business Insider recommends "to reduce breaches is for companies to share information on how hacks happened. This helps every organization strengthen security weaknesses and prevent future attacks."

Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, says that information sharing is already quite prevalent as a means for preventing breaches: "...sharing of information has prevented a lot of fraud and massive attacks that a lot of people don't know about."

Conclusion
Some experts contend that the Target data breach should never have occurred. Whether or not that's true, it did happen.

All we can do is learn lessons from the incident to help ensure the same thing doesn't happen to the data we safeguard.
