Data Breaches: What Could Have Stopped Them?
by Donna Koger, 6.1.18
Everyone in the medical field should know by now that data breaches are especially hard on healthcare organizations. PHI is particularly attractive to hackers because it contains more personal information. Medical practices are “held to the highest trust standards,” and when breached they can suffer very stiff penalties for HIPAA non-compliance.
Here are three examples of healthcare breaches and what could have been done to avoid them:
Community Health Systems
This was the second-largest HIPAA breach at the time and affected 4.5 million individuals. It was a malware attack that “copied and transferred PHI out of the company.” The cost was approximately $100 million.
One way this organization could have protected itself from such a breach is by making sure all employees receive annual HIPAA compliance training and understand the dangers of carelessness and non-compliance.
Anthem
One of the world’s largest, Anthem was hacked in a breach that compromised the data of 79 million people. The cost paid by Anthem for the settlement was $115 million.
The breach was the result of an employee opening a phishing email, which released malicious code into the organization’s systems.
Had annual HIPAA compliance training and other safeguards been in place, such as “multi-factor authentication, email threat filtering, more granular data isolation and micro-services strategies,” this massive HIPAA breach may have been prevented.
Advocate Medical Group
In this breach, unencrypted laptops (see Encryption: What Are You Waiting For?) containing the PHI of approximately 4 million people were stolen, and additional thefts were reported later that year. Advocate Medical Group was fined $5.5 million.
According to ClearDATA, Advocate Medical Group “failed to provide sufficient risk analysis and management to ensure electronic health information was secure.” A thorough risk analysis would have revealed the areas of the organization that were non-compliant, such as unencrypted laptops.
Want to learn more about risk analysis, encryption and PHI management? Check out our HIPAA Resource Center.