Lessons learned from the Charleston Area Medical Center (CAMC) data breach.

1. Charleston Area Medical Center (CAMC)
Data Breach – What Can Be Learned?
It’s always educational to review a data security breach to see what can be learned. In the case of
the Charleston Area Medical Center (CAMC) last month a number of lessons can be learned. First lets
review what we know (and don’t know) about the data breach which happened at CAMC subsidiary
CAMC Health Education Research Institute (CHERI).
What Happened
It was a pretty straight forward breach. Last month someone doing an online search for an address
found that the name of a relative and their ePHI was readily accessible on a CAMC website via a
Google search. He immediately notified the relative who in turn contacted the State of West Virginia
Attorney General. The Attorney General’s Consumer Protection Division quickly had the offending site
shut down. In all 3655 patients were involved with the breach whose data had been accessible on
the site since September of 2010. The site was created by a contractor who inadvertently enabled
access to the data.
More Questions than Answers
 If the contractor had access to ePHI, were they treated as a Business Associate (BA)?
 Was there a Business Associate Agreement (BAA) in place?
 Was protecting ePHI specified as an upfront feature/requirement of the site created by the contractor?
 Was any application penetration testing performed on the site before it went live?
 As a result of the breach CAMC has agreed to additional safeguards including a security assessment –
does this imply that CAMC had not previously performed a HIPAA Risk Analysis?!?!
Lessons Learned
An ounce of prevention…: While we don’t know details of this particular vulnerability, it appears that
an application penetration test would have identified the risk and enabled trivial remediation before
an incident. That would be a fraction of the cost of this breach. Its hard to determine the CAMC
brand damage and staff costs associated with a breach like this. And its too early to tell if the hospital
will see HIPAA / HITECH Act fines associated with the incident. The Equifax credit monitoring cost is
also unclear, though calculating the retail cost from their site at $15 per month per user for each of
the 3655 individuals affected by the breach for a year tallies to over $54,000 per month and over
$650,000 for the year …. a pound of cure.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

2. Security Assessments have more value before a breach: Well I am stating the obvious here, but
there’s more to the point than the obvious fact that identifying this particular vulnerability early would
be much less painful on the organization. The point is that, in our experience, incident-driven
assessments are often knee-jerk reactions to a compliance issue that are completed more to show
reaction and publicize respect for client ePHI rather than a core value-driven approach to secure
operations. These types of assessments often cost way more and the value can be limited. The value
of a security assessment is proportional to an organizations bandwidth to absorb the findings and
willingness for organizational improvement. An event-driven assessment for CAMC will not yield a lot
of value if the health IT staff is not ready to react to the findings.
Ensure BAs are aware of the need to protect ePHI: When you outsource to a vendor, you are
outsourcing the actual labor, but also to a certain extent security management. While you want to
expect that a vendor would be aware of information security best practices you can’t always trust the
BA to be secure. A robust BAA shows you care? While requiring a BA to complete a Business
Association Self Assessment Questionnaire may not be appropriate for a web site developer, quizzing
them on a secure software development life cycle might filter out incompetent developers and send a
message that you care about their performance.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM