The Dangers of a Data Breach to Healthcare Systems
- Posted On June 23, 2020
- Posted By Vu Nguyen
No one ever expects a data breach—but it’s an event that can range from mildly annoying to catastrophic. For healthcare organizations, a data breach can be especially disastrous. Not only can data breaches halt business and administrative operations, they can also be financially costly and jeopardize patient privacy. Patient safety can even be put at risk if important records and healthcare information systems essential for patient care become compromised.
Proper IT management involves being prepared for the possibility of a data breach, and making sure systems are in place to avoid weaknesses in the IT infrastructure. It’s a critical part of running an efficient healthcare organization—one that should be seen as another important step in supporting patient care as well as the bottom line.
Case Study #1: Aveanna Healthcare
Aveanna Healthcare, headquartered in Atlanta, GA, has an enviable market position as the number one healthcare provider for pediatric homecare. With 30,000 caregivers in 23 states, Aveanna is a healthcare giant—and it became a target of a major data breach.
According to Aveanna, they first discovered a phishing attack on August 24, 2019. As they investigated the IT breach, the company discovered that several employee email accounts had been hacked for more than a month.
It wasn’t until February 2020 that Aveanna began notifying patients of the data breach—which potentially affected more than 160,000 patients. In June 2020, more than a hundred patients filed a class-action lawsuit alleging that the data breach could have been prevented with better IT security. The patients’ suit claims that personal information including banking information, medical records, and Social Security numbers may all have been exposed in the breach. Aveanna’s data breach has become costly, embarrassing, and potentially damaging to patients’ privacy.
The security of your infrastructure is critical—the lawsuit against Aveanna claims that the company’s security was out of date and that patients’ sensitive data was not properly safeguarded. The lawsuit also alleges that procedures to handle possible phishing or virus-containing emails were inadequate. According to Verizon’s Business 2020 Data Breach Investigations report, human error accounts for almost a third of all healthcare data breaches.
Here are some steps that can help you control factors that make you more vulnerable to a data breach:
- Ensuring networks and systems are upgraded with the latest security measures
- Properly monitoring networks to detect intrusions sooner
- Periodic audits and security reports to review IT security
- Policies, procedures, and training for staff to know how to identify and properly report a suspected IT breach
These steps may have helped to stem the impact of the Aveanna breach or may even have helped prevent vulnerabilities altogether.
Case Studies #2-3: A Tale of Two Ransomwares
Healthcare organizations are among the most highly targeted victims of ransomware, a type of malware that often breaches a system through a Trojan horse-type approach. In healthcare, ransomware attacks often attempt to block access to important systems or files until a ransom is paid. Two different healthcare companies experienced ransomware attacks in 2019, each facing different dangers from the attacks.
The Fetal Diagnostic Institute of the Pacific
The Fetal Diagnostic Institute of the Pacific (FDIP) is a medical practice in Honolulu, HI, that provides a number of healthcare services to pregnant patients. In June 2018, the practice experienced a ransomware attack on a server when software was installed to encrypt a number of files, including patient medical records.
More than 40,000 patient medical records were impacted, which may have included personal information such as name, address, birth date, diagnoses, and other medical information. A subsequent investigation found no evidence that patient protected health information (PHI) was accessed or viewed, although they were also unable to rule out that possibility.
FDIP took immediate action, hiring a cybersecurity firm to remove the malware, restore the data with backup files that were being maintained for just such a security breach, and implement additional IT security to prevent future vulnerabilities.
The Cancer Center of Hawaii
One of the most vicious consequences of a ransomware attack can be the immediate threat to operations if medical records or other essential systems for patient care are blocked and there is no offline backup available.
The Cancer Center of Hawaii in Oahu, HI, was the victim of a ransomware attack in November 2019. Outside attempts were made to disable their system, temporarily preventing the Center from being able to provide radiation treatments. The Cancer Center of Hawaii engaged a private IT security firm and the FBI to launch an investigation into the event and to determine the risk that PHI was compromised.
Preventing Ransomware Attacks
What could FDIP and The Cancer Center of Hawaii have done differently? As in the Aveanna case study, policies, procedures, and education for the workforce may be a critical defense to prevent phishing and Trojan horse-style attacks. Although it’s unclear if it was an issue in these cases, properly maintaining your firewall and ensuring security software is updated are also crucial steps to keeping ransomware attacks at bay. It’s always advised to keep offline data backups to be able to restore data, as FDIP did, and never pay the ransom to hackers.
The healthcare industry is increasingly becoming a target for these attacks. Investing in proper IT security to reduce your risk of a ransomware attack far outweighs the costs of going through a ransomware attack. Even in cases where the attack is found quickly and the risk mitigated, you can lose a lot of public trust from patients, employees, and the community if the event is viewed as preventable.
Healthcare IT: Unique and Complex
At VNC, data security is of the utmost importance. Whether you’re looking for managed IT services or CIO services, we prioritize analyzing your systems to make sure that the security infrastructure and procedures are up to date.
Healthcare IT is complex—many of the IT security risks are unique. VNC has expertise in the healthcare industry, with knowledge of the platforms and processes that can help safeguard healthcare data.
Your IT strategy and your IT security strategy go hand-in-hand. We help clients develop a customized roadmap that matches organizational objectives to add operational efficiency—without opening you up to new vulnerabilities. Taking the proper steps to prevent a data breach is a necessary measure for your HIPAA compliance and can even impact patient safety. You need IT expertise that is specific to healthcare—at VNC we have you covered.