By Ryan Squires Posted November 19, 2018
We trust doctors to care for us when we are ill and provide us with proactive advice to ensure that we remain healthy for years to come. But, how would you feel if you were to learn that those same approaches – fixing what is broken and remaining proactive – aren’t always at the forefront of healthcare IT? Here are our top 5 recent healthcare security breaches – and ways healthcare IT can avoid them.
Following the theft of a laptop that had removable, unencrypted media on it including names, addresses, birth dates, social security numbers, insurance information and clinical information for about 55,000 former or current patients of the firm, the company was ordered to pay three quarters of a million dollars to make up for their lacking HIPAA compliance (unencrypted patient data).
By encrypting the removable media, this breach could have been prevented. But, education also played a significant role here as well. According to the above link, only 32% of surveyed healthcare professionals know about HIPAA audits. Healthcare need to understand the necessity of encrypting removable media. In the same vein, it is important for organizations dealing with highly-sensitive employee data to enable full disk encryption (FDE) on all their systems, adopt multi-factor authentication, and enforce complex password requirements.
Email is one of the biggest attack vectors that bad actors utilize to gain access to extremely important patient data. Toyota recently announced that their corporate email system had been compromised and 19,000 of their employees potentially lost their PHI (protected health information). Victims were health plan members in Toyota’s program. The speculation is that the email system was breached by a third-party. With data as important as this, those identities should have been secured with every mechanism available.
Following the breach, Toyota enabled multi-factor authentication and established mandatory password reset policies. But by that point it was too late. Had these measures been implemented prior to the breach, perhaps Toyota could have prevented it in the first place.
Some shocking security news in the Verizon’s 2018 Protected Health Information Data Breach Report has recently come to light. Of the figure in Verizon’s report, perhaps the most compelling argument for Zero Trust Security is that 58% of breaches are initiated by insiders. That’s right, over half of all healthcare breaches are initiated by those on the inside of a given organization.
The phishing attack used methods we see time and time again: the hackers sent out phony emails which mimicked an executive at UnityPoint. All it took was a single user to fall for the scheme, and the hackers gained access to UnityPoint’s internal email accounts. The hackers had continued access to the accounts for over two weeks.
Resulting from the breach, UnityPoint wisely enacted multi-factor authentication (aka MFA, two-factor authentication or 2FA), implemented security tools to help weed out suspicious emails, and of course reset the passwords on all compromised accounts. Perhaps this is a good time to remind everyone that sharing credentials is not a good idea. All we can hope for is that the guilty party doesn’t fall victim again.
Some 3.12 million patient records were compromised in the second quarter of 2018 alone. More alarming still is the fact that 30% of those breaches happened due to repeat offenders. According to the Q2 2018 Protenus Breach Barometer,
“If an individual healthcare employee breaches patient privacy once, there is a greater than 30% chance that they will do so again in three months’ time, and a greater than 66% chance they will do so again in a year’s time.”
Certainly, healthcare IT professionals need to find effective ways to educate their users, because the risk of a breach doubling just over three months after a initial transgression is simply too risky to let go unmitigated.
Avoid Nomination to a Top 5 List!
Our Top 5 recent security breaches highlight how important it is to have secure identity management to help stem the tide of what appears to be increasing healthcare-related data breaches. Data like this getting loose can negatively impact a person’s life for years to come. Just like how we must act on our doctors advice of being proactive and getting ahead of our health issues before they compound, we have to get ahead of potential breach vectors before our organizations are put at risk.
Tools like multi-factor authentication, full disk encryption, privileged identity management and event logging go a long way to ensuring that your customers’ data is safe. We see companies adopting multi-factor authentication after breaches occur; they should really be thinking of ways to prevent the breach in the first place. That’s how JumpCloud® Directory-as-a-Service® can help to keep sensitive data secure, while also helping to prevent huge fines levied against your organization. Sign up for Directory-as-a-Service today and up your security game.