THE LATEST MUSINGS FROM PARANET


How This Newsworthy Healthcare Data Breach Could Have Been Stopped

Here we take a look at some of the largest healthcare data breaches of 2018 and how they could have been prevented.


In 2015, over 100 million healthcare records were compromised. But it wasn't just one company that was attacked by cybercriminals.

It was over 100 countries and more than 8,000 devices that were hacked into.

Being the victim of a healthcare data breach puts both your company and your patients at risk. The global average cost of a data breach in 2018 is $3.86 million. That's up 6.4% from 2017.

Per record, that's around $148. Yet, many of these security breaches in healthcare could have been stopped.

Keep reading if you're looking to keep your company and your patients safe. We're taking a look at the latest healthcare data breaches and what they should have done to prevent them.

3 Massachusetts Hospitals Fined Almost $1 Million for Their Healthcare Data Breach

Three hospitals in Massachusetts were fined by the Office for Civil Rights (OCR) because they failed to obtain patient authorization before allowing ABC to film the documentary "Save My Life: Boston Trauma".

Boston Medical Center paid $100,000, Brigham and Women's Hospital paid $384,000, and Massachusetts General paid $515,000 in fines.

All three hospitals denied disclosing patient health data and claimed they went through proper channels to gain consent. None of the settlements was an admission of liability.

What They're Doing to Prevent This in the Future

As a result, they now plan to implement staff training to ensure these healthcare breaches don't happen again. Plans also include developing policies and procedures around the use of photography and audio and video recording.

A new process needs to be implemented to properly evaluate and approve any and all media requests to film in areas normally not open to the public.

Not the First Time This Happened

It should be noted this is the second HIPAA settlement where improper filming was involved. New York-Presbyterian Hospital also settled with OCR in 2016 for $2.2 million after filming the ABC show "NY Med".

Multiple Security Breaches in Healthcare

It's not uncommon for the same company to experience multiple healthcare data breaches. This happened at Augusta University Health (AU Health) in Georgia. Hackers used phishing e-mails to gain access to its systems.

They were attacked in September 2016, April 2017, September 10-11, 2017, and again in July 2018. Yet, when Augusta University Health finally gave notice, the company did not explain when the discovery was made, nor why it took so long to publicly share this information.

What Happened

Hackers gained access by soliciting usernames and passwords. This strategy gave the hackers access to a number of internal e-mail accounts.

Once discovered, officials disabled the impacted accounts. But by then the hackers had already obtained quite a bit of information about the 417,000 people whose records were exposed.

Medical record numbers, demographic information, medical data, surgical details, treatment information, patient diagnoses and medications, insurance information, and dates of service were all breached. It's common to use this information to commit medical fraud.

To make matters worse, a few victims also had their Social Security and driver's license numbers exposed.

How They're Handling the Healthcare Cyber Attacks

AU Health began sending out notifications in October 2018 to all those impacted. They also gave the victims one year of free credit monitoring. 

AU Health also hired new leadership to fill strategic roles in critical departments. It is implementing multi-factor authentication for off-campus e-mail users and plans to review its tools for limiting how long e-mail is retained.

Officials have also banned putting protected health data in e-mail, and have deployed software that screens outgoing e-mail to ensure no protected health or personal data is included, to prevent further incidents.
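The screening described above is essentially an outbound data-loss-prevention check. The following is an added illustration of how such a check can be built, not AU Health's software or any vendor's product: it scans the subject, body and text attachments of a message for Social Security numbers and for a hypothetical medical record number (MRN) format, validates SSN candidates against the Social Security Administration's structural rules to reduce false positives, and blocks any message in which protected data is found (matching a policy that bans PHI in e-mail outright). The MRN format, the message layout and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed formats for this example. The MRN pattern ("MRN" plus eight digits)
# is hypothetical; real organizations must encode their own identifier formats.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[- ]?(\d{8})\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000. Filters out obvious non-SSNs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    kind: str      # "ssn" or "mrn"
    location: str  # "subject", "body" or "attachment:<name>"
    sample: str    # redacted match, safe to write to a log


def redact(token: str) -> str:
    """Keep only the last four characters so the log never stores the full value."""
    return "*" * (len(token) - 4) + token[-4:]


def scan_text(text: str, location: str) -> list[Finding]:
    """Return every protected-data match found in one piece of message text."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", location, redact(m.group(0))))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("mrn", location, redact(m.group(0))))
    return findings


def screen_outbound_email(msg: dict) -> dict:
    """Decide whether one outbound message may leave.

    msg is a constructed dict: {"from", "to", "subject", "body", "attachments"},
    where "attachments" maps a file name to its extracted text.
    Policy (as in the text above): any protected data at all means block.
    """
    findings = scan_text(msg.get("subject", ""), "subject")
    findings += scan_text(msg.get("body", ""), "body")
    for name, content in msg.get("attachments", {}).items():
        findings += scan_text(content, f"attachment:{name}")
    return {"action": "block" if findings else "deliver", "findings": findings}


# Constructed sample messages (not real data).
MSG_OK = {
    "from": "nurse@example-health.test", "to": ["billing@example-health.test"],
    "subject": "Schedule", "body": "Can we move the 3pm meeting to Thursday?",
    "attachments": {},
}
MSG_PHI = {
    "from": "nurse@example-health.test", "to": ["partner@example-payer.test"],
    "subject": "Prior auth",
    "body": "Patient MRN 00012345 needs a prior auth; SSN on file is 123-45-6789.",
    "attachments": {"referral.txt": "Diagnosis codes attached for MRN-00012345"},
}
MSG_FALSE_POSITIVE = {
    "from": "it@example-health.test", "to": ["vendor@example-vendor.test"],
    "subject": "Ticket", "body": "Reference 000-12-3456 is a ticket id, not an SSN.",
    "attachments": {},
}

if __name__ == "__main__":
    for label, msg in [("ok", MSG_OK), ("phi", MSG_PHI), ("fp", MSG_FALSE_POSITIVE)]:
        decision = screen_outbound_email(msg)
        print(label, decision["action"], [(f.kind, f.location, f.sample) for f in decision["findings"]])
```

The findings carry only redacted samples, so the screening log itself does not become another store of protected data; the structural SSN check keeps ticket numbers and similar "ddd-dd-dddd" strings from tripping the filter.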

AU Health has also increased its security training and is reviewing and enhancing its compliance-related policies. This is one of the smartest moves it can make, as relaxed monitoring policies and problems with access management make it easier for phishing attacks to succeed.

Data Breaches Can Happen Months or Years Before They're Discovered

It's unlikely you can stop every single security breach. But even if you can't stop them, it's imperative that you discover and put a stop to them immediately. The longer a breach goes undiscovered, the more damage it causes.

It takes an average of 191 days for most organizations to identify a data breach. That's over six months.

This happened recently at BJC HealthCare, which discovered it had been left exposed to hackers for eight months, all because of a misconfigured server that allowed access without authentication. As a result, 33,420 patients were exposed.

Considering that BJC is one of the largest nonprofit healthcare systems in the US, with 15 hospitals, it could have been far worse had officials not discovered the breach when they did.

How BJC Handled the Discovery

Once discovered, the server was immediately reconfigured to prevent future data access. They also determined that only patients who visited BJC between 2003 and 2009 were at risk.

However, the exposed data included insurance cards, driver's licenses, Social Security numbers, patient names, addresses, and even dates of birth. In the wrong hands, identity theft and medical fraud were real possibilities.

Patients who were affected were notified and offered one year of free credit monitoring. BJC also reviewed its security policies and procedures.

BJC also now keeps closer track of what kinds of data it stores on internet-connected systems, to prevent similar exposure in the future.

Steps to Prevent Security Breaches in Healthcare

The healthcare industry is one of the most targeted industries for cyber attacks. Your safest bet is to assume your system will be breached and to take precautionary measures to lessen the extent of the damage.

Develop a security plan for your company. Every six months to a year, it's a good idea to go over your policies and procedures to ensure they're still effective.

Hackers are always coming up with new strategies; you can't afford to assume fixing an issue once will prevent hackers from finding a new way to steal your information. Keep testing your system to ensure it's working efficiently.

Develop a company-wide policy regarding passwords. Create strategies to prevent hackers from getting in via e-mail.

Take Action Now

The more steps you take to prevent a healthcare data breach, the less expensive, stressful, and time-consuming dealing with one will be.

Don't wait until you're a victim. You have too much to lose. Instead, take action now and get the help you need.

We provide security solutions and services that are focused on the healthcare industry. We can help you develop and implement cyber security strategies that keep you and your patients safe.
