Breach after breach is occurring within the healthcare vertical, as medical providers, insurers, and medical device companies find themselves fielding evermore sophisticated techniques from criminal entities. Targeted phishing remains consistently lucrative from a target/execution model.
In focusing our information security teams so tightly on the cyber model, though, are we overlooking the information sitting in the file cabinets and archival storage — the paper, backup tapes, or other data stores — that are not readily observable by the in-place data loss protection schema?
That small and overworked infosec teams must focus on where the biggest bang for their buck will be recovered seems logical. A breach touching the backend of a hospital or locking down all the medical devices would certainly have the potential to be a catastrophe.
Can a file folder or two or three — or hundred or thousand — do substantive damage? Perhaps only if you are the patient whose personal identifying information (PII) or protected health information (PHI) is compromised. HIPAA enforcement from OCR, however, now carries a much more telling bite than entities with lackadaisical notions of physical security for paper or archival records have previously experienced. They are still talking about the multi-million-dollar fine levied when a healthcare provider included patient information in a press release.
Cases where paper healthcare records were compromised
Let’s move beyond the hypothetical and speak to specifics — instances where employee lack of attention to detail, willful disregard for established processes, or malevolent acts have caused the medical record of a patient to become compromised.
Mercy Love County Hospital and Clinic in Marietta, Oklahoma, saw one of their former employees convicted for the theft of medical records and a laptop from a “hospital storage unit.” In their notice to the public, the hospital emphasized that “a small number of patient records” were compromised, 10 in total. Clearly small. But the breach report filed with U.S. Department of Health and Human Services (HHS) noted that information on 13,000 patients was compromised.
Regardless of number, the hospital’s former employee (a nurse) wasted no time and went on to monetize the information culled from the storage unit, court records tell us. The miscreant engaged in financial identity theft, opening up a variety of credit instruments to the tune of $240,000.
Then there’s the instance where a medical entity, St. Francis Hospital in Columbus, Georgia, mistakenly sent “some administrative documents” to a landfill instead of to the shredder. It was an administrative error that compromised, according to the hospital, “personal and/or billing information of some patients, including the patient’s name, date of birth, Social Security number, address, diagnosis, account number, final bill date, discharge date, last payment date, insurance balance or account balance.” While the public statement was ambiguous, the filing with HHS by the hospital showed 1,412 individuals were affected.
And then there is the January 2018 instance in which a ShopRite pharmacy in Millville, New Jersey, tossed the “device used to capture the signatures of customers … without first wiping the device of all stored phi.” Approximately 10,000 of the pharmacy’s customers were affected in that incident.
The most easily preventable compromises
While these are but a few of the recent instances where losses were a bit different from the normal hack and intrusion we read of with regularity, they are the most preventable. They constitute the lowest-hanging fruit within the healthcare infosec ecosystem.
This year alone 54 healthcare providers have reported the compromise of medical records. These happened via email (sending a patient a file belonging to another is a common recurring error), loss or theft of devices, and, of course, IT incidents. But of those 54, 20 percent involve paper.
Going forward, let’s make it a point of emphasis to healthcare insiders and help them protect their patients’ privacy by protecting the electronic records as well as the paper records.