Training, Technology, and Tone From the Top: Remedies for Stemming Data Loss in Healthcare

Healthcare industry survey respondents who experienced at least one cyber incident in the past 12 months reported losses of personally identifiable information (“PII”), protected health information (“PHI”), employee records, and intellectual property at rates at least 15 percentage points higher than the market at large.

It is no secret healthcare entities regularly collect and store vast amounts of personally identifiable information belonging to patients, consumers, and employees, including Social Security number, date of birth, credit card information, medical insurance, and driver’s license number. Each of these data points are highly valued by cyber criminals and are often tied to even more sensitive patient information, such as medical diagnoses and health history.

Given the nature of the health industry, the need for open sharing of data to provide proper care intensifies the risk. Healthcare providers, administrators, and staff must all be able to access, edit, and transfer voluminous amounts of data. This provides ample opportunity for accidental exposure or malicious theft of the data by insiders. In addition, there has been an uptick in recent years of incidents reported to the U.S. Department of Health and Human Services caused by external hackers.

In this environment, security efforts can seem daunting. A review of representative Kroll casework gives a better picture of what can happen and how to respond.

 In an example of accidental exposure, an employee downloaded 10,000 patient records onto an unencrypted USB drive to do some analysis; he was under a deadline and simply wanted to be able to work remotely. Unfortunately, the USB drive disappeared. We recommended tighter infrastructure controls (turn off ports so that employees cannot connect external devices to the network) and employee training (proper and secure data handling that follows company protocol).

In a case of social engineering/phishing, an organization’s human resources department was targeted during tax season by a phishing scheme. An email appeared to be coming from an internal executive requesting W-2 information on employees. Personnel complied with this very legitimate-looking order from leadership, including a follow-up to transfer funds via wire. The end result was a compromise of employee data as well as a loss of thousands of dollars. Training became an absolutely essential part of proactive measures to mitigate this kind of threat; this included sharing frequent alerts with employees regarding scams making the rounds. Tighter protocols for disclosure of PII or transfer of funds, even when involving the C-suite, were also implemented.Kroll was involved in an investigation of an individual (a malicious insider) who learned that their position was likely to be eliminated and decided to use their broad network access to download hundreds of gigabytes of patient, employee, donor, and financial data to a removable hard drive to leverage for “insurance.” The employee had made insinuating remarks when let go, such that staff began questioning what might have occurred. Kroll was brought in for forensic analysis and, over the course of the next week, identified the data taken, including volume and timing, and used that information to help the client get ahead of the pending data breach-related issues surrounding the theft.

Kroll has also helped clients respond and remediate ransomware matters, where clients have found their data was inaccessible, and unreadable except for one message: their data was encrypted and a ransom with bitcoin was required to receive a decryption key. Ultimately, an organization will want to rely on backups of data stored on separate systems to rebound, which means a strenuous backup schedule, in addition to employee training, as ransomware is often deployed via a phishing attack. Security patches are essential, because ransomware attacks exploit known vulnerabilities most of the time. Most organizations are unaware that they should treat a ransomware incident like a data breach. Because it is difficult to know what was accessed, viewed, or exfiltrated, you don’t want the clock to start ticking on a potential breach without essential advance preparation.

Leaders who set the tone from the top about the importance of information security can make a big impact with employees. This was particularly evident when Kroll recently entered into a new client relationship with a hospital system. Its privacy officer spoke with great reverence about their “duty to maintain the sanctity of the patients’ data.” By emphasizing how data privacy and security ultimately enhances the care of constituents, the privacy officer significantly raised awareness of the patient data privacy issue, which in turn helped the staff make it an integral part of their daily activities.

The healthcare entity that starts from the position of treating their data with the same level of care as their patients will find it easier to train a vigilant eye toward the unique data compromise threats the industry faces.