As we roll into the last few months of the year, it’s worth looking back on how the industry has been doing at protecting PHI and adapting to the increasingly threatening world of cyber-intrusions. While the big stories generally revolve around the largest number of lives impacted and the most technically harrowing attacks, it’s worth noting that there are still breaches as simple as someone stealing a laptop with a spreadsheet holding PHI for thousands of people. In this article, we’re going to go through some of the largest breaches of 2017 and discuss how we address these as a company, which we’ve shared in our open-source policies. While it’s impossible to say in retrospect whether any breach was 100% preventable, having policies in place that provide a “reasonable effort” to prevent exposure is key to minimizing the damage from the unpreventable.
Ransomware or Malware
At top of mind in 2017 is ransomware and malware, which shut down and exposed multiple hospitals and HIT vendors throughout the year. Of those, two were notable:
- Pacific Alliance Medical Center attack potentially leaks 260K patients
- Nuance Impacted for Weeks Due to Malware
The vector of the attack is relatively straightforward: through phishing or infected third-party hardware such as a thumb drive, attackers gain access to machines throughout an organization’s network and encrypt the data on them. The purpose of ransomware is to extract payment in exchange for undoing that encryption, whereas other malware, like the strain believed to have been used in the Nuance attack, is wholly irreversible and is designed simply to destroy the data.
Preventing an attack like this hits at the heart of most of our policies, but let’s stick to the top three references for this article. First, patch management ensures that you are constantly vigilant about new security concerns. While it’s not directly stated in our policies, we have one person, plus a backup, who is wholly responsible for managing security patches for our systems. Second, having policies on appropriate system access and reducing the need for privileged users lowers the risk that, if one user’s credentials are compromised, every system becomes accessible to an attacker. Third, we run OSSEC and anti-virus on all production systems to identify otherwise unknown attacks and to remediate any issues raised by an attack.
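One way the file-integrity alerts from a host-based agent such as OSSEC can be turned into a detection of the bulk-encryption behaviour described above is to watch for a burst of file modifications on a single host. The following is an added example, not code from the original post or from the company's platform; the alert format, host names, paths and thresholds are constructed for illustration and do not reproduce OSSEC's real alert format.

```python
"""Flag hosts whose file-change rate within a short window looks like bulk encryption."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window length (assumed; tune to the environment)
THRESHOLD = 5         # changes per host inside the window before alerting (assumed)

# Constructed sample file-integrity alerts: "<timestamp> host=<h> event=<e> path=<p>".
# ws-12 shows normal editing; ws-07 shows a burst typical of encryption plus a ransom note.
SAMPLE_ALERTS = """\
2017-10-03T09:14:02 host=ws-12 event=modified path=/home/alice/reports/q3.xlsx
2017-10-03T09:21:40 host=ws-12 event=modified path=/home/alice/notes.txt
2017-10-03T11:02:00 host=ws-07 event=modified path=/srv/share/billing/a.csv
2017-10-03T11:02:01 host=ws-07 event=modified path=/srv/share/billing/b.csv
2017-10-03T11:02:01 host=ws-07 event=created path=/srv/share/billing/b.csv.locked
2017-10-03T11:02:02 host=ws-07 event=modified path=/srv/share/billing/c.csv
2017-10-03T11:02:03 host=ws-07 event=modified path=/srv/share/billing/d.csv
2017-10-03T11:02:03 host=ws-07 event=modified path=/srv/share/billing/e.csv
2017-10-03T11:02:04 host=ws-07 event=modified path=/srv/share/billing/f.csv
2017-10-03T11:02:05 host=ws-07 event=created path=/srv/share/billing/README_DECRYPT.txt
2017-10-03T11:45:00 host=ws-12 event=modified path=/home/alice/todo.txt
"""


def parse_alert(line: str) -> dict:
    """Split one alert line into a dict with a parsed 'ts' plus the key=value fields."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(timestamp)
    return fields


def find_burst_hosts(text: str, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD) -> dict:
    """Return {host: first timestamp at which the change rate crossed the threshold}.

    A per-host deque holds the timestamps of recent create/modify events; events
    older than `window` seconds are evicted from the front, so the deque length is
    the number of changes in the trailing window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_alert(line)
        if event["event"] not in ("modified", "created"):
            continue
        host, ts = event["host"], event["ts"]
        recent[host].append(ts)
        while recent[host] and (ts - recent[host][0]).total_seconds() > window:
            recent[host].popleft()
        if len(recent[host]) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, first_seen in find_burst_hosts(SAMPLE_ALERTS).items():
        print(f"ALERT {host}: {THRESHOLD}+ file changes within {WINDOW_SECONDS}s, first at {first_seen}")
```

The rate threshold alone will also fire on legitimate bulk jobs (backups, builds, large copies), so in practice it is paired with an allow-list of known batch processes and with the newly created file names, which in the sample carry the telltale ransom note and renamed extension.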
Unauthorized Access or Disclosure
- Indiana Medicaid warns patients of health data breach
- Phishing attack at UC Davis leads to health data breach
Beyond serving as a vector for malware, phishing can also be used by attackers simply to harvest credentials and gain access to systems. Or, a well-meaning developer may accidentally breach patient data by placing it on a public-facing web page.
While your mileage may vary, our policies have a few tips to help prevent this. First, we require two-factor auth on all production systems. While this doesn’t necessarily prevent a system user from handing an attacker their credentials and auth token (sigh), it reduces the risk of unauthorized cross-application access and minimizes the window in which an attacker can maintain access to an application. We also require that access to all production systems be managed over a VPN with two-factor auth. Finally, we have an unofficial “all data is potentially PHI” policy for our managed integration services hardware and software. While we may have access to test environments with mock patient data, we assume that we may be sent PHI from any vendor or healthcare organization. As such, we protect all data as if it were PHI, as established in our policies.
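The “minimizes the window” point above is easiest to see in code. The following is an added example, not the author's code or the company's platform; it assumes a time-based one-time-password (TOTP, RFC 6238) second factor, which the post does not specify, and shows that a captured code is only accepted for a short time span and, with a last-used counter recorded, cannot be replayed even inside that span.

```python
"""TOTP (RFC 6238) generation and verification with a bounded acceptance window."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # each code is tied to one 30-second step of the clock


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP whose counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter=None,
                skew: int = 1, digits: int = 6, step: int = STEP_SECONDS):
    """Return the accepted counter, or None if the code is rejected.

    The code is compared against the current step and `skew` steps either side to
    tolerate clock drift. Any counter at or below `last_counter` (the counter of the
    last code this user was accepted with) is refused, so a code that has already
    been used cannot be replayed within its window.
    """
    current = int(unix_time) // step
    for candidate in range(current - skew, current + skew + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (the ASCII string "12345678901234567890").
    shared_secret = b"12345678901234567890"
    code = totp(shared_secret, 59, digits=8)
    print("code at t=59:", code)
    print("accepted at t=59:", verify_totp(shared_secret, code, 59, digits=8))
    print("accepted 30s later (drift):", verify_totp(shared_secret, code, 89, digits=8))
    print("accepted 90s later:", verify_totp(shared_secret, code, 149, digits=8))
    print("replayed after use:", verify_totp(shared_secret, code, 59, last_counter=1, digits=8))
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, the same code remains valid for the whole skew window, which is exactly the gap the post's “sigh” refers to.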
Theft or Improper Disposal
- WSU hard drive theft potentially impacts 1 million people
- State Employee Dumps Medicaid Worksheets in dumpster
While hackers and ransomware are increasingly perilous, 20% of data breaches reported to the OCR are good old-fashioned theft and improper disposal. Someone stealing a laptop from a car or an unencrypted hard drive from an office to cause a breach is a tale as old as HIPAA itself.
We may be biased, but stop storing PHI on local machines or on paper. We don’t. We only use approved tools with appropriate access controls and encryption to store and transfer PHI. We also keep no servers in our offices and have BAAs with our cloud providers.
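Enforcing “no PHI on local machines” needs a way to find the spreadsheets and exports that end up there anyway. The following is an added example, not code from the original post or the company's products: a small scanner that scores text-like files under a directory for PHI-looking content (SSN-shaped numbers, dates of birth, clinical keywords) so they can be moved to approved storage or securely deleted. The patterns, weights, file extensions and the sample files it builds in a temporary directory are all constructed for illustration.

```python
"""Find text files under a directory whose contents look like PHI."""
import re
import tempfile
from pathlib import Path

# Heuristic signals (assumed weights, tune for your data).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE)
KEYWORDS = ("patient", "diagnosis", "mrn", "medical record")
TEXT_EXT = {".csv", ".tsv", ".txt", ".log", ".json"}   # binary formats (xlsx, pdf) need a parser


def score_text(text: str) -> int:
    """Weighted count of PHI indicators in a piece of text."""
    score = 3 * len(SSN_RE.findall(text))
    score += 2 * len(DOB_RE.findall(text))
    lowered = text.lower()
    score += sum(lowered.count(keyword) for keyword in KEYWORDS)
    return score


def scan_tree(root, min_score: int = 3, max_bytes: int = 1_000_000) -> list:
    """Return [(relative_path, score)] for files scoring at least `min_score`, highest first."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXT:
            continue
        try:
            with path.open("rb") as fh:
                text = fh.read(max_bytes).decode("utf-8", errors="replace")
        except OSError:
            continue   # unreadable file: skip rather than abort the whole scan
        score = score_text(text)
        if score >= min_score:
            hits.append((path.relative_to(root).as_posix(), score))
    return sorted(hits, key=lambda hit: -hit[1])


def build_sample_tree() -> str:
    """Create a temporary directory with constructed files and return its path."""
    root = Path(tempfile.mkdtemp(prefix="phi-scan-"))
    samples = {
        # Constructed export that clearly holds PHI (fictional people and numbers).
        "Downloads/export.csv": (
            "mrn,patient_name,dob,ssn,diagnosis\n"
            "1001,Jane Doe,DOB 04/12/1970,123-45-6789,hypertension\n"
            "1002,John Roe,DOB 09/30/1965,987-65-4321,diabetes\n"
        ),
        # Harmless files that should not be flagged.
        "Desktop/todo.txt": "buy milk\ncall dentist\n",
        "Documents/notes.txt": "Patient roster for clinic day is in the shared drive, not here.\n",
    }
    for relative, content in samples.items():
        target = root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for relative_path, score in scan_tree(sample_root):
        print(f"{score:3d}  {relative_path}")
```

Run against a user's home directory, the report is a worklist for moving data into the approved tools rather than proof of a breach; a single “patient” in a to-do note scores below the threshold, while an export with identifiers and dates of birth stands out immediately.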
Don’t learn about HIPAA the hard way, either getting beat up by your first 250-question audit or worse: by finding yourself on the OCR’s Wall of Shame. Consult our policies or let us do the lifting for you on our thrice-audited, HITRUST-certified compliant Platform.