By County Line | Posted April 27th, 2018 |
Editor’s note: Scenic Bluffs Community Health Centers prepared the following press release on its security breach in late February.
Cyber attackers gained limited unauthorized access to one staff email account within the Scenic Bluffs Community Health Centers system and may have obtained some information relating to patients.
“SAN FRANCISCO – As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement.” – USA Today – February 4, 2015
“In Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, security researchers from Penn, Dartmouth and USC conducted an excellent piece of ethnographic research on health workers, shadowing them as they moved through their work environments, blithely ignoring, circumventing and sabotaging the information security measures imposed by their IT departments, because in so doing, they were saving lives.” – BoingBoing – June 28, 2016
In the three article quotes above, we can see the problem in the healthcare industry that leads to huge breaches in security.
Cyberattacks are meant for steal personal health information (PHI) which can be worth over $200 on the black market and to steal money via ransomware.
Ransomware – In a healthcare facility, ransomware is even more devastating than with a regular firm. Not only are those files protected by HIPAA, which carries high penalties for unsecured data, but a hospital can’t even provide medical care without the patients’ charts. The entire business can grind to a halt.
Malware – Malware comes in many forms. Things like spyware, Trojan horses, and worms are all executable files that can damage files, steal information, and wreak havoc. Most of these threats arrive via email and are activated by someone’s activity, such as clicking a link or downloading a file.
Phishing – In a phishing attack, someone in a company will receive an email that requests restricted information, like a password or someone’s file. The entire scheme relies on someone inside the company being scammed into believing that they are sending information to someone who should have it.
Other threats include insider breaches, increased use of cloud technology, and internet-enabled devices.
Limited Spending – One of the biggest challenges that healthcare enterprises have is that there has been traditionally low spending on cybersecurity. The federal government spends 16% of its IT budget on cybersecurity, whereas healthcare companies often spend as little as 12%. This, according to Symantec, is the reason that healthcare businesses are notoriously susceptible to breaches.
High Demand for PHI on black market – PHI is a hot commodity on the black market. According to the FBI, a social security number is only worth $1, but the electronic health records (EHR) are worth $50. All of this information allows criminals to steal a customer’s credit, fraudulently charge medical care, order prescriptions, and much more. They are also harder to discover. It often requires that the patient is vigilant, as well as that the enterprise is watchful.
BYOD (Bring your own device) Policies – As a cost-saving measure and to provide convenience for their staff, 81% of healthcare companies have a bring your own device (BYOD) policy.
Nearly half of those companies are not doing anything special to secure those devices. These are a simple gateway into the company’s secure data. In one case in Los Angeles, two unsecured laptops that were stolen had the information of about 700,000 patients on it. These policies represent a significant risk in the security of PHI.
Negligence by employees– Behind active attacks, the next most significant risk is negligence. Opening an email with a malicious attachment or sending PHI to someone who isn’t supposed to have it. The counter to this problem is nothing more than good training. Teaching employees to spot risks and to know how to deal with them is at the heart of successfully maintaining PHI security and avoiding mistakes that lead to the loss of thousands of patients’ health records.
There are some simple, but vital, ways to avoid security breaches.
Clearnetwork can help. Our advanced email security has all the features that healthcare organizations need to stay ahead of threats. We offer end-to-end encryption, data loss prevention, URL and attachment defense, archiving, zero-hour threat detection, and more. Our support team also responds in minutes and will even provide support to end-users. Check out our service, give us a call at 800-463-7920 x3 or email us at sales@clearnetwork.com
At the heart of maintaining patient, privacy is email security. As the single biggest gap in the protection system, it’s an area that requires extra attention and training. None of the solutions is complex or difficult, but each one requires that your team works hard to keep up the highest standards.
With cyber threats increasing in sophistication, businesses are under pressure to try and stay ahead…
Cybersecurity has become an ever-critical concern for businesses of all sizes. In 2025, as remote…
In the world of compliance and auditing, businesses often have to grapple with a variety…
With the ever-evolving digital world, businesses are under constant attack in the cyber world, which…
Within this contemporary world, when cyber security threats are gradually becoming more innovative and more…
In today's digitized world, the protection of a business's IT infrastructure has become more crucial…