Health Data Breaches Added to Tally Vary Widely
Large breaches involving hackers continue to plague the healthcare sector this year, but incidents involving lower-tech issues, including mailing errors, also are persisting.
Healthcare entities, as well as their business associates, can take important steps to avoid becoming victims of the types of breaches added to the wall of shame in recent weeks.
When it comes to preventing hacking incidents, Tom Walsh, president of consulting firm tw-Security, says: “Organizations need to shore up their network defenses to the point where hackers get discouraged because it is taking too long to hack in, thus forcing them to move on to a softer target.”
Walsh suggests that defensive strategies include:
- Developing a solid patch management and change control program;
- Conducting vulnerability scanning of external facing and internal servers and systems – and remediating findings;
- Conducting a penetration test at least annually;
- Replacing or updating antiquated firewalls, routers and endpoint security.
“Newer firewalls have additional capabilities for dealing with today’s malware,” he says. “Traditional anti-virus solutions are usually one step behind the latest malware attack – look for behavior monitoring tools.”
Susan Lucci, chief privacy officer at security and privacy consulting firm Just Associates, stresses the importance of employee education in mitigating malware risks.
“Employees are still clicking on links they think are legitimate. More must be done to help the workforce recognize the warning signals that this is not OK,” she says. “Phishing threats are pervasive; they’re a daily challenge that must be addressed clearly before a true reduction in the number and impact of these attacks. HIPAA training programs and materials should be created and provided to all members of the workforce to provide specific and visual clues to identify the high risk of malware. A program that focuses on this one specific issue could help bring awareness and faster recognition to determine whether or not to ‘click.’”
To minimize the risk of breaches involving paper records, organizations need to improve quality control. For example, they should make sure vendors hired to conduct mailings periodically check the envelopes to confirm what is visible through the window or other openings, Walsh says.
“The vendor doing the mailing may not have educated their workforce regarding PHI and the consequences if PHI is displayed anywhere on or through an opening on the envelope. In fact, the vendor doing the mailing may likely be a subcontractor to the vendor doing the patient billing,” he notes.
“Often we find in our evaluations of vendors that the responsibilities for HIPAA compliance are not properly communicated downward to the front line worker,” he says. “While the vendor’s executives may have signed a business associate agreement … it is unusual to find any level of awareness regarding HIPAA at the lowest level of a vendor’s workforce – the front-line workers responsible for the machines that stuff the envelopes.”
In cases like the recent Tufts mailing breach, Lucci says covered entities and their business partners “need to take a hard look at whether or not window envelopes ever make sense when PHI is potentially involved.”