Data Breach at UC Health and Healthcare’s Ongoing Struggle
In Cincinnati, Ohio (USA), the Daniel Drake Center for Post-Acute Care, part of the UC Health system, has reported that an employee had unauthorized access to patient medical records for the past two years. The data breach was only discovered in June and has impacted an estimated 4,721 patients. Affected patients will have a year of complimentary credit monitoring and identity theft protection services from Experian.
No further information has been disclosed about how the employee went undetected for two years while accessing the records, nor about how the breach was identified. What is known is that the Daniel Drake Center did not have software for proactive monitoring, since it has announced that it will be implementing such software after this incident. Additionally, the Daniel Drake Center will be providing cyber security training to all employees.
No further comment has been provided about the incident.
Healthcare Security Challenges
The general consensus among security experts is that the healthcare sector is the least prepared to protect data. This is said because the highest number of security incidents, and the most severe ones, have happened in the healthcare sector, year after year. Part of the unique security challenge within healthcare is that healthcare organizations must share patient data, and every such transaction creates risk. With so many stakeholders granted access to the system, there is more exposure to the risk of patient data falling into the wrong hands, and it may take a long time to figure out how it happened.
Another challenge is that cyber security is not a priority for the healthcare industry. This is principally because hospitals risk jeopardizing people's lives if they do not invest in the right equipment, staff, or facilities. When fighting for budget dollars, cyber security doesn't take priority in the discussion, even when the financial loss on the line is described. The lack of priority leaves IT departments at hospitals with the bare minimum to work with. This means legacy computers and operating systems, such as Windows XP. Even worse is when hospitals demand that IT workers work within proprietary systems which may almost never get patched. When cyber incidents happen, whether from within or externally, the IT departments are left nearly defenseless.
With attacks on healthcare institutions on the rise daily, there are some practices you should be aware of that will help your IT department better protect your data assets. As was the case with the breach at the Daniel Drake Center, you will need some preemptive measures in place. This can become a requirement if your institution faces a data attack.
User Behavior Analytics (UBA)
One of the most cost-effective security investments to make is in a UBA solution. UBA is the activity of tracking, collecting, and analyzing log data. This analysis is often done with a machine learning algorithm. The important feature of UBA is the ability to establish a baseline of each user's behavior and detect deviations from it. The employee who was stealing for the past two years would have been caught as soon as he tried to access files outside his normal work routine. UBA usually assists with the deterrence of insider threats.
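The baseline-and-deviation idea described above, as an added example that is not from the original article: it builds a per-user profile from a historical access log and flags later record accesses that fall outside it. The log format, user names, units and record IDs are constructed for illustration, and a simple rule-based baseline stands in for the machine learning a UBA product would typically use.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample access-log lines: timestamp, user, patient unit, record id.
BASELINE_LOG = """\
2016-03-01T09:12:00 nurse_a rehab R-1001
2016-03-02T15:30:00 nurse_a rehab R-1002
2016-03-01T08:55:00 clerk_b billing R-2001
2016-03-02T11:20:00 clerk_b billing R-2002
"""
NEW_LOG = """\
2016-03-03T09:45:00 nurse_a rehab R-1004
2016-03-03T23:10:00 clerk_b billing R-2003
2016-03-04T10:15:00 clerk_b rehab R-1002
2016-03-04T10:20:00 temp_c rehab R-1001
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, user, unit, record = line.split()
        yield datetime.fromisoformat(ts), user, unit, record

def build_baseline(log):
    """Per user: units whose records they touch and the hours they work."""
    profile = defaultdict(lambda: {"units": set(), "hours": set()})
    for ts, user, unit, _ in parse(log):
        profile[user]["units"].add(unit)
        profile[user]["hours"].add(ts.hour)
    return dict(profile)

def find_deviations(profile, log, hour_slack=1):
    """Return (timestamp, user, record, reasons) for events off the baseline."""
    alerts = []
    for ts, user, unit, record in parse(log):
        base = profile.get(user)
        if base is None:
            alerts.append((ts, user, record, ["no baseline for user"]))
            continue
        reasons = []
        if unit not in base["units"]:
            reasons.append(f"unit '{unit}' outside usual units")
        lo, hi = min(base["hours"]) - hour_slack, max(base["hours"]) + hour_slack
        if not lo <= ts.hour <= hi:
            reasons.append(f"hour {ts.hour} outside usual {lo}-{hi}")
        if reasons:
            alerts.append((ts, user, record, reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, record, why in find_deviations(build_baseline(BASELINE_LOG), NEW_LOG):
        print(ts.isoformat(), user, record, "; ".join(why))
```

In practice the baseline window would cover weeks of activity and be refreshed as roles change, so that a legitimate transfer between units does not keep generating alerts.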
Security by Design
How secure are your organization's processes by design? It is important to have security integrated into employees' daily work processes. This will ensure that data in transit and data at rest are always kept secure among stakeholders and yourself. Technology can only aid so much in this area; you will need to work closely with the COO to ensure this happens in a manner which does not disrupt current processes too dramatically.
Frequent Vulnerability Tests
Similar to an immune system, you can test your security team by having hackers get into the network past your current security measures. If they’re able to identify vulnerabilities then they can be tasked with patching them up.
Healthcare cyber security still seems to be struggling, but 2017 may be the year of change for the sector. Let's hope to see fewer of these data breaches from insiders and malicious actors.