The Examiner reported about 4 health care data breaches on the 20th. See if you can find a common element.
Information on 21,000 California Blue Shield customers, including health care info, was compromised when a vendor call center employee was socially engineered, their login information compromised and their customer data stolen.
Last week Montana’s New West Health Services said an unencrypted laptop with data on 25,000 patients was stolen. It included patient information, bank account information health information and other information. On an unencrypted laptop out in the field.
Also last week, at St. Luke’s Cornwall Hospital in New York, a USB drive was stolen with information on 29,000+ patients which included patient names, services received and other information. The drive, it would appear, was not encrypted. The reason I assume it was not encrypted is that if it was encrypted and the encryption key was not taped to the device, the hospital would not have to report this event.
Finally, Indiana University Health Arnett Hospital lost a “storage device” with information on 29,324 patients containing information such as patient name, birthdate, diagnosis, treating physician and other information. Again, likely this information was not encrypted.
Anyone figure out the common element? All of these events would have been non-events if these companies had reasonable cyber security practices in place.
The call center employee was socially engineered.
An unencypted laptop was stolen (where was it left)? Why was it unencypted? Why did it have patient data on it?
A flash drive with patient data was lost. Why was it not encrypted and did the data need to be on the flash drive at all?
And, a storage device was stolen. That happens. Why was it not encrypted?
How much training did the call center do to train employees about social engineering? Why was the laptop not encrypted? Why was the flash drive not encrypted? And, why was the storage device not encrypted.
I keep pointing to encryption because if you have a breach but the data is not readable by the thief, you don’t have to warn customers. It is a very simple step to take. JUST DO IT.
Only in the flash drive case could the encryption cause a problem if you need to be able to share the drive with someone else. The other two situations, the encryption would be transparent to the user.
Especially when it comes to health data, you need to be careful. AND this does not only mean hospitals and doctors. Sony lost protected health information when they were hacked. PHI has been lost in other hacks too. Most organizations store PHI somewhere (often it is HR or in risk management).
While some things in cyber security are hard to do, many things are not hard to do. If we start with the easy stuff, we do make the job harder for the bad guys. Not impossible, just harder. Let’s start doing the simple stuff. We can worry about the hard stuff a little later.
Information for this post came from The Examiner.