Healthcare organizations must ensure that they have comprehensive and regularly updated administrative safeguards, such as user authentication measures and proper access control. A failure to have these in place, or having outdated ones, could potentially lead to a data breach.
This was proven in a recent Pennsylvania federal grand jury case, where a man was indicted on charges stemming from a healthcare hacking incident in 2013.
A Texas man was indicted on charges of Intentional Damage to a Protected Computer and Wire Fraud, and potentially faces a maximum total sentence of 30 years in prison, a fine of $500,000, or both, according to a Western District of Pennsylvania US Attorney’s Office statement.
“[Brandon A. Coughlin] intentionally hacked and damaged 13 servers operated by a local healthcare facility and engaged in a scheme to defraud that healthcare facility by using its purchase card to order merchandise from Staples,” the press release read.
The facility hired Coughlin in January 2013 to work as an in-house computer systems administrator, although Coughlin resigned one month later at the management’s request.
“Using the administrative passwords he knew from his employment, on September 18, 2013, Coughlin hacked the computer network of the healthcare facility, disabled all administrative accounts needed to control any and all of the computer servers of the healthcare facility, and deleted users’ network shares, business data, and patient health information data, including patient medical records, causing a loss of more than $5,000.00,” the Attorney’s Office explained.
Healthcare organizations must be mindful of their administrative safeguards, especially when it comes to terminating employee access once that individual no longer works for the entity. The case above shows why the termination step must cover more than the departing person’s own account: any shared administrative credential the individual knew must also be changed.
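The offboarding check described above, written out as a small audit script. This is an added example, not part of the original article or of any HHS material; the HR termination records and identity-store export it runs over are constructed sample data with made-up employee ids and usernames. It flags three conditions that map to the incident the article describes: an account still enabled after its owner’s last day, a logon after the owner’s last day, and a shared privileged credential that has not been rotated since a privileged user departed.

```python
"""Offboarding audit: flag accounts and credentials that outlive the employees
who held them.

Added example with constructed sample data; the records below are invented and
do not come from any real system.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    owner: Optional[str]          # employee id, or None for a shared/service account
    privileged: bool              # holds domain or server administrative rights
    enabled: bool
    last_logon: Optional[datetime]
    password_last_set: date


# HR record: employee id -> last day of employment (constructed sample data)
TERMINATIONS = {
    "e1001": date(2013, 2, 15),   # former in-house systems administrator
    "e1002": date(2013, 6, 30),
}

# Identity-store export (constructed sample data)
ACCOUNTS = [
    Account("adm.e1001", "e1001", True, True, datetime(2013, 9, 18, 2, 13), date(2013, 1, 10)),
    Account("e1002", "e1002", False, False, datetime(2013, 6, 28, 17, 5), date(2013, 1, 5)),
    Account("e1003", "e1003", False, True, datetime(2013, 9, 17, 8, 0), date(2013, 7, 1)),
    Account("svc.backup", None, True, True, datetime(2013, 9, 17, 23, 0), date(2012, 11, 1)),
]

# Date the audit is run against the export above (constructed)
AS_OF = date(2013, 9, 19)


def audit_offboarding(accounts, terminations, as_of, grace_days=1):
    """Return (username, finding) pairs for access that should already have ended.

    Per account, checks:
      * still enabled after the owner's last day plus a short grace period
      * any logon after the owner's last day
      * a shared or service credential with admin rights that was not rotated
        after a privileged account holder left (they may still know it)
    """
    findings = []
    # Departure dates of everyone who held a privileged, individually owned account.
    priv_leaver_dates = [
        terminations[a.owner] for a in accounts
        if a.privileged and a.owner is not None and a.owner in terminations
    ]
    for acct in accounts:
        last_day = terminations.get(acct.owner) if acct.owner else None
        if last_day is not None:
            if acct.enabled and as_of > last_day + timedelta(days=grace_days):
                findings.append((acct.username, "enabled after termination"))
            if acct.last_logon and acct.last_logon.date() > last_day:
                findings.append((acct.username, "logon after termination"))
        elif acct.privileged:
            # Shared privileged credential: rotate whenever someone who knew it leaves.
            if any(d >= acct.password_last_set for d in priv_leaver_dates):
                findings.append((acct.username,
                                 "shared credential not rotated since privileged departure"))
    return findings


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_offboarding(ACCOUNTS, TERMINATIONS, AS_OF)


if __name__ == "__main__":
    for username, finding in run_sample_audit():
        print(f"{username}: {finding}")
```

The grace period covers the normal lag between HR marking a last day and the identity team disabling the account; anything beyond it is a finding. In practice the two inputs would come from the HR system and from a directory export, and the audit would run on a schedule rather than once, but the three checks are the same.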
“Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files,” according to the HIPAA Security Series from HHS. “Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.”
HHS also lists four implementation specifications under the access control standard:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
It is important to note that automatic logoff and encryption options are considered addressable, while unique user identification and emergency access procedure are required under HIPAA.
“Many small provider offices rely on a password or PIN to authenticate the user,” the HIPAA Security Series states. “If the authentication credentials entered into an information system match those stored in that system, the user is authenticated. Once properly authenticated, the user is granted the authorized access privileges to perform functions and access EPHI.”
HHS adds that while passwords are the most common way for entities to authenticate users, they may also want to explore other options.
Insider threats can be particularly damaging to healthcare organizations. A 2016 survey from Accenture and HfS Research found that 48 percent of surveyed C-level security executives and IT professionals had a strong or critical concern over data theft from insiders in the next 12 to 18 months.
Sixty-nine percent also reported that they had experienced an attempted or successful theft or corruption of data by insiders during the prior 12-month period.
“Cybersecurity today must include a rethinking of the nature of security, and a shift from an approach that stresses protecting vulnerable assets to one based upon strengthening assets, making them more resilient and part of a holistic cybersecurity process that delivers greater value to the enterprise,” the report’s authors wrote. “Digital trust is not a technology, nor a process — it’s an outcome exemplified by secure, transparent relationships and engagement between the enterprise and its employees, partners, and customers.”
In healthcare/pharma, the report found that 26 percent of respondents said a lack of security budget, including budget for technology and services, was the largest inhibitor to their organization’s security provision. A lack of staffing budget was the greatest inhibitor for 16 percent of respondents, while extended budget cycles were listed by another 16 percent of those surveyed in healthcare/pharma.