The other day my wife went to the doctor, and a few weeks before that we took our son to the dentist. We had to fill out all the paperwork and give them all the usual PII, including name, address, phone number, alternate contacts, SS#, DOB, driver’s license, insurance info, weight, height, underwear size (just kidding), then we paid them with our credit card. All the while trusting that they are keeping our information safe and secure. Well, they are keeping the information we entrust them with secure, right? How do we know if they are?
Let’s look at what is going on in the health care industry. According to the Protenus’ ‘Breach Barometer Report‘ for 2017, there were only 477 reported breaches in health care with 5.6 million patient records compromised in 2017. Only… Wait… That doesn’t instill confidence that our information is secure. Well, according to the report, it is better than in 2016 where 450 incidents were reported with 27 million patient records affected. So, it appears to have improved. Doesn’t that make you feel better? (No? Me neither.)
It’s now 6 months into 2018, so the health care industry should have learned from those that have been compromised in the past. For an industry that houses so much personal information on individuals, they should be more secure than the government. But have they learned? Look at some of these recent reports:
- Medical records exposed by flaw in Telstra Health’s Argus software
- Georgia MENTOR discovered that an unencrypted disk sent by a third-party software provider containing documents that included sensitive information appeared to have been lost in the mail
- Ransomware exposes records of 85,000 Center for Orthopaedic Specialists’ patients
- A data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations
- Information of 16,000 UnityPoint Health patients may have been affected by phishing attack
- MedEvolve misconfigured its FTP server and exposed the data of 205,000 patients from two separate providers
Why haven’t things changed? The answer is one word: People. People are the reason for the incidents. Employees are falling prey to phishing emails. Employees are making configuration errors. Employees’ laptops with patient information on them are stolen. Drives from 3rd party providers with patient information on them are being lost in the mail. Flaws are being found in the software that is used by medical practitioners that allow unauthorized access. Then there is the insider threat. According to the Protenus report, 37% of the 2017 breaches in the health care industry were due to employees.
What can be done?
The industry needs to make data security a top priority and use the latest technology and effective training for employees to protect patient data. This should include:
- Implementing password security policies that are in line with industry best practices;
- Restricting access to differentiate between appropriate and inappropriate access to patient information;
- Implementing stronger security measures for accessing patient data remotely;
- Using multifactor authentication for accessing systems;
- Encrypting portable devices, drives, laptops, and desktops that are used for patient care or that will access any patient data;
- Requiring 3rd party vendors and contractors to attest to the protection of patient privacy and be audited on a regular basis to make sure they are compliant. This should always be in their contract;
- Prohibiting the use of default username and passwords on software and hardware that is used – at the very least, change that password;
- Deploying email protection devices/services;
- Training staff to avoid the methods unauthorized individuals use to gain access, such as training against phishing and vishing attacks.
When it comes to training staff to defend against attacks, health care needs to use a service that is proven to prepare employees to handle real-world attacks. Take, for example, Social-Engineer’s Phishing as a Service ®(PHaaS®) or Vishing as a Service® (VaaS®). By using these proven services, you will educate and train employees and ensure that they understand the value of the data they are to protect.
While nothing can be 100% secure, as long as people are involved, the health care industry can succeed in making our information secure. It just requires them to have security procedures, policies, and auditing in place that follow industry best practices. It also requires them to use regular, effective training for employees and follow the above suggestions. Then we all can be more at ease when filling out all those forms with our personal information.
Stay safe and secure.