Several recent large-scale health data breaches have affected over 5 million individuals, including patients, employees, and providers.
With more covered entities implementing connected devices, BYOD strategies, and working toward interoperability, there are more potential access points for attackers than ever before.
Organizations need to ensure they are properly training employees, performing regular system updates, and implementing security patches as necessary.
More healthcare industry standards and regulations also need to be put in place to govern electronic patient health information and other sensitive data more appropriately, according to Imprivata CIO Aaron Miri.
“As an industry we are still waking up to the realization that we are under constant attack, and we have to come forward as a united front on dealing with this,” he told HealthITSecurity.com. “Otherwise this will be a never-ending story.”
Understand where valuable data is being stored
The largest health data breach in recent months took place at Arizona-based Banner Health, where 3.7 million records were possibly compromised. The cybersecurity breach affected “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets.”
Patients, members and beneficiaries, providers, and food and beverage outlet customers were all possibly affected.
The food and beverage outlet breach was discovered on July 7, 2016, with payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 potentially being affected.
Data security expert Bill Kleyman explained earlier this month that the Banner Health breach is a lesson for other healthcare organizations to ensure that they are constantly reviewing where their valuable data is being stored. Facilities must also ensure they know how that data is being protected and where there is access.
“Too often, we take reactive approaches to security,” Kleyman said. “Of course, there is no silver bullet when it comes to security. However, healthcare organizations must approach security like architects; by seeing the big picture. And, I can't recommend this enough, work with security professionals to do penetration testing against your network, all of your data points, and your most critical systems.”
Miri added that user access should also be carefully monitored, and organizations need to understand who is accessing data, when, and where.
“As a hospital CIO for a number of years, my biggest struggle was not understanding who was accessing what data and where,” he explained. “And so being able to put in the tools to do that was really a huge key.”
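As an added illustration of what "who is accessing what data, when, and where" looks like once the tooling is in place, the following script reviews a constructed EHR access audit trail and flags three patterns: access from outside the internal network, access outside a role's expected hours, and one user touching an unusually large number of distinct patient records in a day. This is example code written for this page, not code from the article or from any organization it names; the log format, the 10.0.0.0/8 internal range, the 07:00 to 19:00 window and the distinct-patient threshold are all assumptions chosen for the sample.

```python
"""Review a constructed EHR access log for who accessed what, when, and from where.

Added example, not part of the original article. The log format, network
range, working hours and threshold below are assumptions for the sample.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Assumed hospital LAN; anything else is treated as an external source.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed shift window for the roles in this sample. Real deployments use
# per-role windows, since clinical staff legitimately work around the clock.
WORK_START, WORK_END = time(7, 0), time(19, 0)
# Assumed ceiling on distinct patients one user may open per day. Kept low so
# the sample trips it; tune per role against a baseline in practice.
MAX_PATIENTS_PER_USER_PER_DAY = 3

# Constructed sample audit lines: timestamp user patient_id source_ip action
SAMPLE_LOG = """\
2016-08-15T09:12:04 nurse.jlee P10023 10.1.4.22 VIEW
2016-08-15T09:15:41 nurse.jlee P10023 10.1.4.22 UPDATE
2016-08-15T10:02:17 nurse.jlee P10031 10.1.4.22 VIEW
2016-08-15T02:10:09 billing.rkim P20011 203.0.113.45 VIEW
2016-08-15T02:11:30 billing.rkim P20012 203.0.113.45 VIEW
2016-08-15T02:12:02 billing.rkim P20013 203.0.113.45 VIEW
2016-08-15T02:12:40 billing.rkim P20014 203.0.113.45 VIEW
2016-08-15T14:30:00 dr.apatel P10023 10.1.7.9 VIEW
"""


def parse_line(line):
    """Split one whitespace-separated audit line into typed fields."""
    ts, user, patient, ip, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "patient": patient,
        "ip": ipaddress.ip_address(ip),
        "action": action,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def review(events):
    """Return (user, finding_kind, detail) tuples for every suspicious access."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for e in events:
        if not is_internal(e["ip"]):
            findings.append((e["user"], "external-source",
                             f"{e['ip']} at {e['ts'].isoformat()}"))
        if not (WORK_START <= e["ts"].time() < WORK_END):
            findings.append((e["user"], "off-hours", e["ts"].isoformat()))
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Volume check runs after the pass so it sees the whole day per user.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_USER_PER_DAY:
            findings.append((user, "bulk-access",
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(findings):
    """Collapse findings to {user: sorted list of finding kinds} for triage."""
    by_user = defaultdict(set)
    for user, kind, _ in findings:
        by_user[user].add(kind)
    return {user: sorted(kinds) for user, kinds in by_user.items()}


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for user, kind, detail in results:
        print(f"{user:14} {kind:16} {detail}")
    print(summarize(results))
```

In the sample, only billing.rkim is flagged: every one of that account's four reads comes from 203.0.113.45 at around 02:00 and together they cover four distinct patients. The nurse and physician, working on-site within the window and within a small set of records, produce nothing. The point is not the particular thresholds but that each of the three questions (who, when, where) becomes a concrete check once access is logged with user, subject record and source address on every line.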
Utilizing information sharing to prevent incidents
Earlier this week, Valley Anesthesiology and Pain Consultants reported that the information of 882,590 patients was potentially exposed after one of its computer systems was accessed by an unauthorized user.
The Arizona-based facility said that it learned about the incident on June 13, 2016, but the unauthorized access may have occurred on March 30, 2016.
Some patient data, provider information, and employee information may all have been exposed.
“VAPC recognizes the importance of protecting the privacy and security of personal information, and regrets any inconvenience or concern this incident may cause,” VAPC said in a statement. “In addition to security safeguards already in place, VAPC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.”
These types of attacks are not likely to slow down anytime soon, Miri maintained. Medical record values continue to rise on the black market.
“We have to compartmentalize, encapsulate, and wrap technology, process, and a framework around every single thing that we're doing from a healthcare sector perspective,” he said. “Then, we need to share information appropriately without fear of retribution or retaliation about potential vulnerabilities.”
Information sharing will be key, he added. There is no such thing as a bad idea; there is only such a thing as people not saying anything at all.
“We have to speak up. We have to participate. We have to be part of government,” Miri stated. “We have to be part of the solution. Everybody, from providers to patients to physicians to vendors, needs to step up to the plate, participate, join in, and give up ideas.”
Find the right balance between innovation and security
Another recent large data breach took place at South Carolina-based Bon Secours Health System. In this case, R-C Healthcare Management, a Bon Secours vendor, inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
The discovery was made on June 14, 2016. Possibly exposed data included patient names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information.
Large-scale data breaches should not be allowed to hinder organizations when it comes to implementing new technologies, according to Miri.
Organizations cannot simply stand still in terms of innovation; they need to prepare themselves.
Technical tools, such as two-factor authentication, biometric identification, tokens, and secure messaging, can all help covered entities find the right balance between innovation and security.