Headlines about data theft, cyber-attacks, and the importance of protecting your data are everywhere. You probably try to keep up to date with the most recent security products and malware detectors, doing everything in your power to protect your sensitive information.
But what about the companies and service providers with whom you interact? How well do they protect your information? From what kinds of threats? Are they following the rules and keeping data safe? Maybe the weak spots in their security armor are not where they (or you) might expect.
Criminals looking for valuable information have found the Holy Grail of data theft: personal medical records. Think about what might be sitting, right now, in electronic files and manila folders in your doctor’s (or other medical providers’) offices. All that information from all those forms you have to fill out – your social security number; address; insurance or Medicaid/Medicare information; and credit card numbers – is there.
It’s a treasure trove of information to help criminals commit all kinds of fraud, and data leaks are affecting more and more people.
A breach at Blue Cross / Blue Shield affected over 80 million people. At the UCLA Health System, criminals stole patient names, addresses, Social Security numbers, and detailed medical records of more than 4.5 million people.
Not only are these kinds of leaks violations of personal privacy, they’re also violations of the federal HIPAA law, which says (among other things) that healthcare providers are obligated to keep patients’ information confidential. That means the patient whose data has been stolen isn’t the only one feeling the pain of a breach. Fines, lawsuit costs, settlements, and fees for credit monitoring or credit repair for those affected by the violation are a few of the “pains” felt by the healthcare providers themselves.
However, an interesting trend emerges when you examine some of the information out there about personal data leaks. A study by the University of Texas reveals that “[m]ore than half of identity-theft crimes happen off-line”, and if you take a look at Becker’s Health IT & CIO Review’s report of 15 of the most expensive fines and settlements, you’ll note that not one of those HIPAA violations was a “high-tech” cyber-attack.
Low-tech methods are still absolutely commonplace, and absolutely dangerous. Becker’s report on those 15 cases points to three main sources of healthcare information breaches: dumpster diving, unencrypted portable data storage, and failing to limit access to critical data.
Dumpster Diving
About as low-tech as you can get, but apparently effective: in two of Becker’s fifteen cases (about 13%), major pharmacy chains disposed of sensitive patient data by simply throwing paper records into the trash. Worse still, the dumpsters weren’t even locked: they sat outside, waiting for anyone to come digging for data, and someone did.
Portable Data Storage
Five of the 15 most expensive cases involved the theft of easily transported (and unencrypted) storage devices such as laptops, USB sticks, and hard drives, including the 57 hard drives stolen from Blue Cross Blue Shield of Tennessee. Strong encryption would have made the data useless to anyone without the key; instead, readable patient data yielded huge returns for thieves who simply walked off with the device.
Failure to Limit Access
Not everyone needs access to all data. One of the hospitals in the report didn’t require a login to access medical records, which means anyone, not just staff, could walk up and look up someone’s information. UCLA Health in Los Angeles was fined $865,000 because unauthorized employees were able to access protected records from 2005 through 2008: an expensive mistake.
Low-tech is high risk.
The lesson here? Low-tech mistakes can lead to high costs for individuals and businesses. A few updates could have prevented these leaks and protected both the healthcare providers and their patients:
- Dump paper in favor of digital docs: if there’s nothing in that dumpster, divers go home empty handed.
- Make sure what paper is there is disposed of properly: retrain employees on paper records disposal and install shredders.
- Encrypt information, especially on anything portable: encrypted data is useless to a criminal who doesn’t hold the key.
- Limit local storage, wipe devices clean, and allow secure access to the cloud: employees don’t need USB sticks if they can log into the system remotely.
- Put access controls in place for all critical records: passwords and identity verification keep the bad (or unauthorized) guys out, and limiting each user to the records they actually need reduces the damage an unauthorized employee can do.
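The two access failures above (a hospital with no login at all, and UCLA employees reading charts they had no business reading) come down to missing checks. The following Python sketch is an added example, not code from the original post or from 5i Solutions: it models a "minimum necessary" check (authenticated session, role allowed to read the section, and a treatment relationship for clinical data), writes every decision to an audit trail, and flags users who keep getting denied. The roles, user names, patient record and access attempts are all constructed for illustration.

```python
"""Minimum-necessary access check for patient records, with an audit trail.

Added example: a small model of least-privilege record access, not code
from 5i Solutions. Roles, users and the sample record are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # constructed roles: "clinician", "billing", "it_admin"
    authenticated: bool  # False models the hospital that required no login


@dataclass
class Record:
    patient_id: str
    care_team: frozenset  # user_ids with a treatment relationship
    billing: dict
    clinical: dict


# Role -> record sections that role may ever read (the "minimum necessary").
ROLE_SECTIONS = {
    "clinician": {"clinical", "billing"},
    "billing": {"billing"},
    "it_admin": set(),  # administers systems, never reads charts
}


class AccessDenied(PermissionError):
    pass


def read_record(user, record, section, audit):
    """Return one section of a record, or raise AccessDenied.

    Every attempt, allowed or denied, is appended to `audit` so the
    question "who looked at this patient?" can be answered later.
    """
    reason = "ok"
    try:
        if not user.authenticated:
            reason = "unauthenticated session"
        elif section not in ROLE_SECTIONS.get(user.role, set()):
            reason = f"role {user.role!r} may not read {section!r}"
        elif section == "clinical" and user.user_id not in record.care_team:
            reason = "no treatment relationship with patient"
        if reason != "ok":
            raise AccessDenied(reason)
        return getattr(record, section)
    finally:
        audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "patient": record.patient_id,
            "section": section,
            "decision": "allow" if reason == "ok" else "deny",
            "reason": reason,
        })


def flag_snoopers(audit, max_denials=2):
    """Users whose denied lookups exceed max_denials: candidates for review."""
    denials = Counter(e["user"] for e in audit if e["decision"] == "deny")
    return sorted(u for u, n in denials.items() if n > max_denials)


def demo():
    """Run constructed access attempts; returns a summary of the decisions."""
    rec = Record("P-1001", frozenset({"dr_lee"}),
                 billing={"insurer": "X"}, clinical={"dx": "..."})
    dr_lee = User("dr_lee", "clinician", True)   # on the care team
    dr_kim = User("dr_kim", "clinician", True)   # no relationship with P-1001
    clerk = User("clerk_1", "billing", True)
    kiosk = User("anon", "clinician", False)     # nobody logged in
    attempts = [
        (dr_lee, "clinical"), (clerk, "billing"), (clerk, "clinical"),
        (kiosk, "clinical"), (dr_kim, "clinical"), (dr_kim, "clinical"),
        (dr_kim, "clinical"),
    ]
    audit = []
    allowed = denied = 0
    for user, section in attempts:
        try:
            read_record(user, rec, section, audit)
            allowed += 1
        except AccessDenied:
            denied += 1
    return {"allowed": allowed, "denied": denied,
            "flagged": flag_snoopers(audit), "audit": audit}


if __name__ == "__main__":
    summary = demo()
    for entry in summary["audit"]:
        print(entry["user"], entry["section"], entry["decision"], entry["reason"])
    print("flagged for review:", summary["flagged"])
```

The treatment-relationship check is what separates "clinicians may read charts" from "this clinician may read this chart"; without it, a hospital is back in the UCLA situation where any employee with a login can browse any record. The audit list is what makes that browsing detectable after the fact.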
Healthcare providers aren’t the only ones who need to make sure their technology keeps up with the times to keep information secure. Everyone should be concerned about data breaches and leaks. Going digital securely is a great way to keep data protected, allow access to those who need it from where they need it, and keep those who shouldn’t have access out.
At 5i Solutions, Inc. the security of your data is our business – that’s why we’re proud of our online Cloud Vault. Data encrypted to today’s standards is secure yet available in an instant to you (and only you) from any location you need it. Your data is safe from unsecured dumpsters, unencrypted USBs, and unauthorized access.
Operational security is built in to our data hosting and Cloud Vault, with network security, key management, custom levels of identity verification and access control. Threat management, penetration testing, monitoring, logging, and on-demand reports ensure the continued integrity of your data. Access tailored to your needs and your security requirements, including HIPAA compliance.
Protect your customers or patients, and protect your business.
5i Solutions. One single, secure point of intake, access, and storage. One singular solution.