Data Breach Analysis Project
If you wish to contribute, join an upcoming project work session.
Date and time of the second project meeting TBD
Under section 13402(e)(4) of the HITECH Act, breaches of unsecured protected health information affecting 500 or more individuals must be posted publicly by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights.
In this project we aim to examine the data available through the HHS breach portal (Notice to the Secretary of HHS Breach of Unsecured Protected Health Information).
The outcome of the project could include
An infographic
A peer-reviewed publication
Several meetings to discuss the findings
Background
Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
Definition of a breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
Instructions for Covered Entities to Submit Breach Notifications to the Secretary
Meeting 1: February 6, 2023
In the first scoping meeting we covered three major topics. First, the possibility that the data are incomplete despite the compliance requirements. Next, the limits of generalizability. Finally, whether we should use another data source, for instance one from the FTC.
From the FTC's breach notification form:
1) What steps are you taking to investigate the breach?
2) What steps are you taking to mitigate losses?
3) What steps are you taking to protect against further breaches?
4) List any law enforcement agencies you've contacted about the breach.
5) information that someone has been harmed by this breach?
Discussion:
Limitation: discussed “health adjacent” devices, which generally fall outside HIPAA => discuss other regimes…
Aspect: different state-level privacy laws and different state-level breach notification requirements.
Sector of the company (how to define a healthcare company).
Under HIPAA, a business associate (BA) that discovers a breach must notify the covered entity; the reporting obligation to HHS and to affected individuals rests with the covered entity (healthcare provider, plan, or clearinghouse).
If the BA does not report, the breach may still be inferred by “triangulation” from other sources => example:
“reference lab: genomics co hack: patient informed: no contract” => passing information between…
Discussion: counterintelligence risk
BAAs (business associate agreements) => the BA's jurisdiction may differ from the covered entity's; transmission of data to foreign entities.
Permanence of data => e.g. genomic data, which cannot be changed after exposure and remains identifying indefinitely.
Methodology
500 or more individuals: the covered entity must notify the Secretary without unreasonable delay and no later than 60 calendar days after discovery (45 CFR § 164.408(b)); the 72-hour window sometimes cited comes from other regimes, not HIPAA.
Breaches change “shape” over time, e.g. the number of affected individuals and the description may be revised after the initial submission.
Fewer than 500 individuals: may be reported in an annual log, no later than 60 days after the end of the calendar year in which the breach was discovered (45 CFR § 164.408(c)).
Time trends (month by month)
Who is the threat actor (category)
Discussed state-sponsored actors…
What type of attack
What is the effect (actual attack vs. ransomware)
Different Layers
international
national
regional
local
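As an added example, not part of the project's own materials, the following Python script applies the time-trend and breach-type questions above to rows laid out like the HHS breach portal CSV export. The column names are assumed from that export, and the five rows are constructed for illustration, not real portal entries.

```python
"""Added example: month-by-month trend and breach-type breakdown over rows
in the layout of the HHS breach portal CSV export.

The column names (Name of Covered Entity, State, Covered Entity Type,
Individuals Affected, Breach Submission Date, Type of Breach, Location of
Breached Information, Business Associate Present) are assumed from the
portal export; the rows below are constructed, not real entries.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the assumed portal layout (not real breach reports).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Health System,TX,Healthcare Provider,52000,01/12/2023,Hacking/IT Incident,Network Server,No
Example Billing LLC,OH,Business Associate,4100,01/27/2023,Hacking/IT Incident,Email,Yes
Example Clinic,CA,Healthcare Provider,730,02/03/2023,Unauthorized Access/Disclosure,Paper/Films,No
Example Plan Inc,NY,Health Plan,21500,02/03/2023,Hacking/IT Incident,Network Server,Yes
Example Pharmacy,FL,Healthcare Provider,899,02/14/2023,Theft,Laptop,No
"""


def load_breaches(text):
    """Parse portal-style CSV text into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "state": r["State"],
            "entity_type": r["Covered Entity Type"],
            "affected": int(r["Individuals Affected"]),
            "submitted": datetime.strptime(
                r["Breach Submission Date"], "%m/%d/%Y").date(),
            "breach_type": r["Type of Breach"],
            "location": r["Location of Breached Information"],
            "ba_present": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def monthly_trend(rows):
    """Map YYYY-MM -> (number of reports, individuals affected).

    Caveat: the portal records the submission date, not the discovery or
    occurrence date, so a spike in a month reflects reporting, not attacks.
    """
    counts, affected = Counter(), Counter()
    for r in rows:
        month = r["submitted"].strftime("%Y-%m")
        counts[month] += 1
        affected[month] += r["affected"]
    return {m: (counts[m], affected[m]) for m in sorted(counts)}


def by_breach_type(rows):
    """Individuals affected per Type of Breach, largest first."""
    totals = Counter()
    for r in rows:
        totals[r["breach_type"]] += r["affected"]
    return totals.most_common()


def ba_share(rows):
    """Fraction of reports involving a business associate. Relevant to the
    triangulation question above: a BA's own report and the covered
    entity's report of the same incident can both appear in the list."""
    return sum(r["ba_present"] for r in rows) / len(rows)


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    for month, (n, people) in monthly_trend(breaches).items():
        print(f"{month}: {n} reports, {people} individuals")
    print(by_breach_type(breaches))
    print(f"BA involved in {ba_share(breaches):.0%} of reports")
```

Before trusting any trend from the real export, deduplicate entries that describe one incident reported by both a covered entity and its business associate, and keep in mind that entries are amended after submission.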
Questions to consider
What should we capture in addition to what we are capturing?
How far reaching are the effects?
(e.g. Payor => might be located in one state but individuals might be affected in different states)
Relationship between data
Mitigation strategies for researchers: data sharing agreements that assign differential privacy budgets?
Did you provide an environment for researchers to send their computations to, rather than emitting data?
Mitigation strategies
De-identification
Pseudonymization
(Full) anonymization
Synthetic data
Imputed data
Encryption
Tokenization
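As an added example, not code from the project, the following Python script shows three of the strategies listed above applied to one constructed record: Safe Harbor de-identification under 45 CFR § 164.514(b)(2), pseudonymization with a keyed hash (set against an unkeyed hash that a dictionary attack reverses), and tokenization through a vault. Field names and the sample record are the example's own; the set of restricted three-digit ZIP prefixes is the list from HHS's Safe Harbor guidance (2000 Census basis) as recalled here and should be verified against current guidance before use.

```python
"""Added example: de-identification, pseudonymization and tokenization of
a constructed PHI record. Field names are this example's own, not an HHS
schema; the sample record is invented.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Direct identifiers that Safe Harbor requires be removed outright
# (a subset of the 18 listed in 45 CFR 164.514(b)(2)(i)).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street",
                      "city", "account", "device_id", "ip"}

# Three-digit ZIP prefixes whose population is 20,000 or fewer, which Safe
# Harbor says must be reported as "000". Assumed to match the list in HHS's
# de-identification guidance (2000 Census data); verify before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}


def safe_harbor(record, as_of):
    """Return a de-identified copy of `record` under the Safe Harbor method.

    `as_of` is an ISO date used to compute age, because Safe Harbor folds
    all ages over 89 (and any date element revealing them) into "90+".
    """
    ref = date.fromisoformat(as_of)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # removed entirely
        if field == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in RESTRICTED_ZIP3 else prefix
        elif field in DATE_FIELDS:
            out[field + "_year"] = date.fromisoformat(value).year
        else:
            out[field] = value
    if "dob" in record:
        born = date.fromisoformat(record["dob"])
        age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
        if age > 89:
            out.pop("dob_year")       # birth year alone would reveal age > 89
            out["age_group"] = "90+"
        else:
            out["age"] = age
    return out


def pseudonymize(identifier, key):
    """Keyed, deterministic pseudonym (HMAC-SHA256 truncated to 16 hex chars).

    Same input and key give the same output, so records still link across
    datasets, but without the key nobody can recompute the mapping.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(identifier):
    """What many pipelines wrongly call a pseudonym: a bare SHA-256."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def dictionary_attack(target, candidates):
    """Reverse an unkeyed hash by recomputing it over the identifier space.

    MRNs, SSNs and phone numbers have small keyspaces, so this finishes
    quickly. It fails against pseudonymize() because the key is secret.
    """
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


class TokenVault:
    """Tokenization: swap a value for a random token and keep the only
    mapping in a vault. The token carries no information about the value,
    so the vault itself becomes the asset that must be protected."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]


# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "0042107",
          "dob": "1960-03-15", "admit_date": "2023-01-20", "zip": "02139",
          "diagnosis": "I10", "sex": "F"}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, "2023-02-06"))
    key = secrets.token_bytes(32)
    print("keyed:", pseudonymize(SAMPLE["mrn"], key), "unkeyed:", unkeyed_hash(SAMPLE["mrn"]))
    print("recovered MRN:", dictionary_attack(unkeyed_hash(SAMPLE["mrn"]),
                                              (f"{n:07d}" for n in range(100_000))))
    vault = TokenVault()
    print(vault.detokenize(vault.tokenize(SAMPLE["ssn"])))
```

The three functions differ in what an attacker needs: Safe Harbor output is meant to be released as is, the HMAC pseudonym is only as safe as the key (rotate it per data-sharing agreement, never reuse it across recipients), and the token is only as safe as the vault, which is why a tokenized dataset and its vault must never travel together.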
Additional notes:
Aggregating data carries risk in itself
capturing data (via computer vision from screen)
RCM / medical coding =>
Data value vs. risks
Removes human capabilities…