2020 has been a transformative year for the healthcare industry. COVID-19 underscored how essential and delicate our medical infrastructure can be. We changed our working environments and how we interact with one another.
In order to protect our physical health, we instituted remote workforces, implemented telehealth services, thermal scanners, and COVID-19 contact-tracing technology, and turned to more digital engagements and greater reliance on third-party vendors, all while researching a vaccine. What developed was an increase in risk for our data health.
The attack surface for any medical, research, or healthcare institution has been hard hit, with cyber attackers recognizing the value of the information stored and transmitted. Bad actors have also identified vulnerabilities specific to the healthcare industry: numerous medical devices are connected to unsecured networks; devices can be outdated and behind on expensive upgrades; and staff need instant access to patient data, so even where cyber awareness training has been conducted, in life-or-death situations a system may not be logged off properly, exposing records to hackers lying in wait.
RECENT HEALTHCARE DATA BREACHES

| ORGANIZATION | BREACH SUBMISSION DATE TO OCR* | BREACH |
| --- | --- | --- |
| | Sept. 27, 2020 | Ransomware. US care sites and hospitals were affected: outages to computer systems, phone services, the internet, and data centers, with diverted ambulances, delayed lab results, and system shutdowns. |
| | | Ransomware. 12,861 patients’ protected health information has potentially been compromised. |
| | | Phishing attack. |
| | | Hacked/cyber attack. 5,600 records; network server breached. |
| University of Missouri Health Care | | Phishing attack. Compromised data of approximately 180,000 patients contained in the affected accounts, including names, dates of birth, medical record or patient account numbers, health insurance information, and/or limited clinical or treatment data, such as diagnostics, prescriptions, and procedure information, and some Social Security numbers. |
| | | Phishing attack. Unauthorized access to the records of 5,226 patients, including names, dates of birth, financial account information, and credit and debit card information. |
| | | Third-party vendor Blackbaud, which provides customer management and financial services to Nuvance, was breached. Unauthorized access to potentially 314,829 names, contact information, ages, gender, dates of birth, admission dates, departments of treatment, treating physicians, and health insurance statuses. |
| The University of Tennessee Medical Center | | Ransomware attack on third-party vendor Blackbaud, the software provider. Potentially 235,000 patient names, contact details, and demographic data may have been accessed. |
| Joslin Diabetes Center | | Third-party vendor for fundraising and donor relations, Blackbaud, experienced a ransomware attack. May have impacted 71,160 names, dates of birth, treatment dates, treatment locations, and physician names. |
REASONABLE SECURITY
As much as these institutions try to practice reasonable and appropriate cyber hygiene in their changing world, it is a monumental effort just to keep systems current and operational. Security unfortunately sometimes becomes an afterthought. Deciding how to prioritize security investments is the first step toward a reasonable security strategy. How do you define reasonable security for your organization?
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Meaningful Use require that organizations implement security controls that are “reasonable and appropriate” for their organization. To comply with these guidelines, the regulations instruct each organization to (1) select its security controls based on risk assessments, and (2) oversee the effectiveness of those controls using risk management.
Your risk assessment should provide guidance on how to balance your organization’s mission (what your business does), objectives (your business goals), and obligations (the care you owe to the public or others). Basically, your risk assessment guides you in defining your duty of care and establishing your acceptable level of risk.
In an age of social distancing and increased digital exposure, ensure you take care – duty of care. We can help.