August 30, 2017

Facing down the largest breaches of 2017 with Datica's open-source policies

Mark Olschesky
Mark Olschesky

Datica Alumni — Former Chief Data Officer

As we roll into the last few months of the year, it’s worth looking back on how the industry has been doing protecting PHI and adapting to the increasingly threatening world of cyber-intrusions. While the big stories generally revolve around the largest amount of lives impacted and the most technically harrowing attacks, it’s worth noting that there are still breaches as simple as someone stealing a laptop with a spreadsheets with thousands of persons worth of PHI on it. In this article, we’re going to go through some of the largest breaches of 2017 and discuss how we address these as a company which we’ve shared in our open-source policies. While it’s impossible to say in retrospect if any breach was 100% preventable, having policies in place to provide “reasonable effort” to prevent exposure is key to minimizing the damage from the unpreventable.

Ransomware or Malware

At top of mind in 2017 is ransomware and malware, which shut down and exposed multiple hospitals and HIT Vendors thoughout the year. Of those, two were notable:

The vector of the attack is relatively straightforward: through phishing or infected 3rd party hardware like a thumb drive, hackers gain access to hardware throughout an organization’s network and encrypt data on that hardware. The purpose of ransomware is to extract payment to undo that encryption while other malware like the ones believed to be used in the Nuance attack are wholly irreversible and are just designed to effectively destroy the data.

Preventing something like an attack like this actually hits to the heart of most of our policies, but let’s go for the top 3 references in this article. First, patch management ensures that you are constantly being vigilant to new security concerns. While it’s not directly stated in our policies, we have one person and a backup who are wholly responsible for managing patches for our system for security concerns. Second, having policies on appropriate system access and by reducing the need for privledged users reduces the risk that if one user’s credentials are compromised all systems could be accessible by an attacker. Third, we run OSSEC and Anti-Virus on all production systems to identify any otherwise unknown attacks and to solve any issues brought up from an attack.

Unauthorized Access or Disclosure

Other than a vector for malware, phishing can also be used as a method for attackers to simply gain access to systems by getting credentials to a system. Or, a well-meaning dev may accidentally breach patient data by placing it on a public facing web page.

While your mileage may vary, our policies have a few tips to help prevent this. First, we require two-factor auth on all production systems. While this doesn’t necessarily prevent a system user from giving an attacker their credentials and auth token (sigh), it reduces the risk of unauthorized cross application access and minimizes the window by which an attacker can maintain access to an application. We also require access to all production systems to be managed over a VPN with two-factor auth. We also have an unofficial “All data is potentially PHI” policy for our managed integration services hardware/software. While we may have access to test environments with mock patient data, we assume that we may be sent PHI from any vendor or healthcare organization. As such, we protect all data like PHI as established in our policies.

Theft or Improper Disposal

While hackers and ransomeware are increasingly perilous, 20% of data breaches reported to the OCR are good old fashioned theft and improper disposal. Someone stealing a laptop from a car or a unencrypted hard drive from an office to cause a breach are a tale as old as HIPAA itself.

We may be biased, but stop storing PHI on local machines or on paper. We don’t. We only used approved tools with appropriate access controls and encryption to store and transfer PHI. We also have no servers in our offices and BAAs with our cloud providers.


Don’t learn about HIPAA the hard way, either getting beat up by your first 250-question audit or worse: by finding yourself on the OCR’s Wall of Shame. Consult our policies or let us do the lifting for you on our thrice-audited, HITRUST-certified compliant Platform.

tag Security Compliance HIPAA


Spear Phishing: Hackers Aiming for Healthcare

Marcia Noyes

Director of Communications

In the 377 healthcare data breaches last year, phishing attacks were among the top data breach causes. Why is healthcare such a target for spear phishing attacks?

event-note August 18, 2017

CloudFlare, Data Breaches, and the HIPAA Conduit Exemption

Adam Leko

Chief Technology Officer

By now you've heard of the CloudFlare leak of sensitive data. There's a specific part of HIPAA legislation that health care should be concerned about.

event-note February 27, 2017

Lifting A Fork for Open Source

Marcia Noyes

Director of Communications

This Q&A with Datica's Chief Data Officer, Mark Olschesky, explores what it means that Datica just passed 200 forks of our open-source policies.

event-note September 7, 2017

Our company policies, now available free on GitHub

Kris Gösser

Chief Marketing Officer

HIPAA compliance is complicated, but it doesn't have to be. To make compliance easier for companies working with PHI, we open source our HIPAA policies.

event-note September 25, 2014