Phishing attacks, malware, and employee errors. These are three of the leading causes of healthcare data breaches so far in 2018, with more certainly to come. The year isn't over yet.
For anyone in the healthcare industry, the thought of a data breach is both scary and intimidating. It can be hard to determine the best way to protect sensitive patient data from cyber threats, and even with strong cybersecurity strategies in place, many health providers and hospitals still fall victim to successful attacks.
While unfortunate, this is not surprising. With the exception of 2015, the number of breached patient records has risen sharply in each of the last seven years. Forbes, reporting on a study published in the Journal of the American Medical Association, notes that health data breaches have increased steadily since 2011: "The number of annual health data breaches increased … to 334 over the past seven years," the article reports. A majority of these breaches (75%) were attributed to hacking.
This rising number reflects not only the ingenuity of today's cyber attacks, which always seem to stay one step ahead of defenders; it also reflects gaps in basic cybersecurity implementation. Phishing attacks, malware, and employee errors are all largely avoidable when proper controls and training are in place.
Recent 2018 Healthcare Data Breaches
Some say the best way to avoid error is to watch, analyze, and learn from the mistakes of others. To keep your patient records safe, take a look at these three recent data breaches in healthcare. You'll see what went wrong and, more importantly, discover strategies and solutions that will help you close the same gaps in your own organization.
1. UnityPoint Health
When? March to April, 2018 | Announced? July 30, 2018
UnityPoint staggered into the final quarter of this year still reeling from a massive blow: being the victim of the largest healthcare data breach of Q3 2018. This network of hospitals in Iowa, Illinois, and Wisconsin had almost one-and-a-half million patient records compromised after a phishing campaign took over multiple employee email accounts.
Even worse, this wasn’t UnityPoint Health’s first brush with a cyber attack. They’ve struggled to keep their PHI secure since February, when they fell for another successful phishing attack that compromised over 16,000 patient records.
How to avoid this data breach:
What caused this data breach? In the end, the root cause was that UnityPoint Health employees did not recognize and report two separate phishing campaigns before handing over their credentials. According to Becker's Health IT & CIO Report, "the phishing emails in the latest attack appeared to be sent from an executive within the organization, which tricked some employees into sharing their sign-in information."
Educating employees and co-workers on email hygiene and security best practices makes it easier to tell phishing emails from legitimate ones, and technical controls (DMARC enforcement on your own domain, external-sender banners, and multi-factor authentication on email accounts) limit the damage when someone is fooled anyway. If there's one takeaway from UnityPoint Health's breach, it's this: when in doubt, verify with the apparent sender through a separate channel (a phone call or a known-good address, never a reply to the suspicious message) before opening an attachment, following a link, or sending sensitive information in the clear.
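The "email from an executive" lure described above leaves traces in the message headers that a mail gateway or a SOC triage script can check mechanically. The following is an added example written for this article, not code from UnityPoint Health or from the article's author: it flags a display name that matches an internal executive but sits on a foreign address, an internal From: domain with no DMARC pass recorded by the border MTA, a Reply-To pointing elsewhere, and credential-request wording in the body. The internal domain, the executive roster and the three sample messages are constructed for illustration.

```python
"""Header-based phishing triage for the executive-impersonation pattern.

Added example for this article, not code from UnityPoint Health or the
article's author. The internal domain, the executive roster and the three
sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example-health.org"  # assumed internal mail domain

# Constructed roster: lower-cased display name -> the one legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",
}

LURE_PHRASES = ("sign-in", "sign in", "password", "verify your account", "log in")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_passed(msg) -> bool:
    """True only if the border MTA recorded dmarc=pass (RFC 8601 header).

    Assumes the MTA strips any Authentication-Results header that arrives
    from outside, so an external sender cannot forge a pass.
    """
    return any("dmarc=pass" in h.lower() for h in msg.get_all("Authentication-Results", []))


def phishing_indicators(raw_message: str) -> List[str]:
    """Return the indicators found; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = _domain(addr)

    # 1. A known executive's display name on an address that is not theirs
    #    (lookalike domain, free-mail account, and so on).
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        found.append(f"display-name spoofing: '{display}' <{addr}>")

    # 2. Claims to be internal, but the MTA did not record a DMARC pass.
    if from_domain == INTERNAL_DOMAIN and not dmarc_passed(msg):
        found.append("internal From: domain without dmarc=pass")

    # 3. Replies are silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        found.append(f"Reply-To domain differs from From: {reply_to}")

    # 4. Wording that asks the reader for credentials.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in LURE_PHRASES):
        found.append("credential-lure wording in body")

    return found


# Constructed sample messages (not real mail).
LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e-health.org>
To: staff@example-health.org
Reply-To: ceo.jane.doe@webmail-example.net
Subject: Urgent: confirm your sign-in
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=examp1e-health.org; dmarc=none

Please verify your account by replying with your username and password.
"""

FORGED_INTERNAL = """\
From: "Jane Doe" <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Board report attached
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health.org; dmarc=fail

See the attached report before tomorrow's meeting.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Thursday town hall moved to 3pm
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass; dmarc=pass

The town hall is moved to 3pm. No action needed.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", LOOKALIKE), ("forged", FORGED_INTERNAL), ("legit", LEGITIMATE)):
        print(name, phishing_indicators(sample))
```

The lookalike message trips three indicators, the forged internal sender trips the DMARC check, and the genuine message trips none. The DMARC check is only meaningful if the border MTA removes inbound Authentication-Results headers before adding its own; otherwise an attacker can simply include a dmarc=pass line.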
2. Independence Blue Cross
When? April to July, 2018 | Announced? September 17, 2018
Independence Blue Cross in Philadelphia, Pennsylvania announced in September that over 15,000 patient records were exposed after an employee posted an unencrypted file containing sensitive member information to a public-facing website.
The data was exposed for three months before anyone noticed, and while the file has since been taken off the public-facing website, Healthcare IT News reports that "officials could not rule out access" or confirm that the information wasn’t compromised or stolen.
Furthermore, although the file contained only names, providers, and birth dates, even that much data helps an attacker build a believable pretext for identity fraud or targeted phishing.
How to avoid this data breach:
To avoid a data breach like this, check your user roles and permissions: users should only have access to the information they need for their job, and they should be limited to specific files and folders to avoid sharing sensitive data in the wrong place.
Patient data should also be encrypted whenever it is at rest, so that anyone who obtains the file without the key cannot read its contents. A secure file transfer solution, like GoAnywhere Managed File Transfer, is an especially good strategy for ensuring data is protected in motion (between departments, providers, and locations) and at rest.
3. SingHealth
When? June to July, 2018 | Announced? July 20, 2018
Even non-U.S. health providers can fall victim to a data breach. In this case, Singapore's SingHealth public healthcare group was targeted in an attack that harvested records of clinical visits going all the way back to May 2015. Roughly one-and-a-half million patient records were accessed, and the data included personal details like demographics, patient identification numbers, and even medication prescriptions.
How to avoid this data breach:
According to SingHealth, the attackers entered the network through a single workstation: they infected it with malware, harvested login credentials from it, and then moved laterally through the environment until they obtained privileged access to the patient database.
This attack was, according to The Straits Times, highly sophisticated and thought out. Not every cyber attack will be like this, but it’s good to prepare for the possibility.
Small health providers and large healthcare organizations alike are at risk of compromise. To protect your organization, start by hardening workstation logins. Require multi-factor authentication (MFA), so that an attacker who has already stolen a username and password is still stopped by the second factor: a randomly-generated one-time code, a hardware key, or a biometric they do not possess.
Furthermore, while the SingHealth data theft itself lasted about a week, many intrusions go undetected for months. Mandatory password changes every 45-90 days were long recommended for exactly this reason, but current guidance (NIST SP 800-63B) advises against routine expiration because it pushes users toward predictable variations of the same password. Rotate credentials immediately when compromise is suspected, and otherwise require long passphrases, screen them against lists of known-breached passwords, and rely on MFA rather than frequent rotation.
Finally, patient data stored in databases should be encrypted, with the keys kept separate from the database host (for example in a key management service or HSM). Encryption at rest protects stolen disks, backups, and raw database files; it does not protect against an attacker who has stolen the credentials of an application or user that is authorized to read the data, which is why MFA and least-privilege access matter just as much.
Protect Your PHI from Growing Cyber Threats
Data breaches are a serious threat, and they’re not getting any easier to identify and prevent. To keep on top of what’s ahead, use these resources to prepare your organization for internal and external threats:
6 Users to Put on Your Security Watch List: Learn how to identify six kinds of internal users who can put your organization at risk, and how to reduce that risk.
Why A Good Security Awareness Program Matters: Discover how to empower your workforce and build a strong cybersecurity culture for your employees.
7 Steps to Protect Yourself Against Spear Phishing: Learn how to detect corporate spear phishing attacks in your organization and stop them from breaching your data.
How to Promote Cloud Security in Your Organization: Are you moving your ePHI or EHR to the cloud? Use these cybersecurity tips to improve the security of your cloud data.