Preventing a Data Breach Caused by Human Error

How secure is your business data?  Does your company provide security training to its staff so they know how to protect that data?

Human error plays a part in most data breaches, which makes it one of the greatest vulnerabilities in any company’s security.  Workforce training could have prevented many of the recent breaches, which were caused by lost or stolen laptops and USB flash drives, inappropriate email use, phishing schemes and other hacking/IT incidents, and unauthorized access to data.

  • Stolen Laptops: Cedars-Sinai (Los Angeles, CA, August 2014) reported a potential data breach of 500 patients’ medical data as the result of a stolen unencrypted laptop.  Breaches caused by stolen laptops were also reported by Sims and Associates Podiatry affecting 6,475 individuals (NY, January 2014) and by NYU Hospitals Center affecting 872 individuals (NY, February 2014).
  • Email:  Midwest Orthopaedics (Chicago, IL, April 2014) notified 1,256 patients that their health information, including surgery dates and descriptions, was compromised when someone accessed a physician’s Gmail account.  Rady Children’s Hospital (San Diego, CA, June 2014) notified the parents of more than 20,000 patients after employees on two occasions forwarded spreadsheets containing their children’s private health information to people applying for data management jobs.
  • Phishing:  Target’s massive breach (December 2013) was traced back to a phishing email carrying malware, sent to a third-party vendor whose access to Target was then abused.  When Target later emailed customers to rebuild their trust, cyber thieves copied that campaign to send out their own phishing scam (January 2014).  Need an example of phishing in healthcare?  Employees of Centura Regional Medical Center (Durango, CO, May 2014) answered a phishing email with their system login information, exposing the personal health information of 1,000 patients.
  • Hacking/IT:  Community Health Systems, Inc. (Tennessee, August 2014) reported a breach of 4.5 million patients’ data after attackers exploited the Heartbleed vulnerability in OpenSSL to get into its network.  Kaiser Permanente (Oakland, CA, April 2014) notified patients that their personal and health information was compromised when a research server was infiltrated by malware.
  • Unauthorized Access:  NRAD (Long Island, NY, June 2014) reported that data on 97,000 patients was breached by an employee with inappropriate access to confidential data.  Memorial Hermann Health System (Houston, TX, July 2014) reported an internal breach in which an employee gained unauthorized access to the EHR system over a six-and-a-half-year period and viewed 10,604 patients’ records.

In fact, security awareness and training for all workforce members is one of the administrative safeguards required by the HIPAA Security Rule, and training staff on what confidential data they may appropriately access is required by the Privacy Rule.  These safeguards are just as relevant to other industries.

Workforce Training and Cybersecurity

Training your employees on the following topics will help protect your company from hackers, phishing attacks and careless handling of data.

  • Use strong passwords – A strong password is hard to guess: at least 8 characters (longer is better), mixing upper and lower case letters, numbers and symbols, and never a dictionary word, a name or anything else easily tied to the user.  (Never leave default passwords in place on any device or application!)
  • Use a different password for each site – If one site’s password is stolen, it cannot be reused to unlock data on another site.
  • Change passwords periodically – A password that has leaked without anyone noticing stops working once it is changed; change it immediately if you suspect it has been exposed.
  • Keep passwords to yourself – If one employee uses another employee’s password, the audit log that records user activity in the business software attributes the access to the logged-in account, not to the person who actually looked at the data.  (Imagine the surprise of employees accused of accessing records that were viewed with their login information.)
  • Only access the patient records you need (healthcare) – Even with role-based access control, a clinical role usually grants access to every patient chart in a medical office, so the system itself cannot tell a legitimate lookup from snooping.  HIPAA Privacy training teaches employees to view only the records needed for their work and not to share PHI with anyone who should not have it.
  • Hover over links before clicking – When viewing links in emails and on websites, rest the mouse over the link without clicking and check where it actually leads; the displayed text can say one thing while the link points somewhere else.  Cyber criminals use such links to send users to sites that harvest credentials or install malware.  Confirm that the destination is legitimate before clicking.
  • Do not open unexpected attachments – Hackers routinely deliver malware in attachments, especially .zip and .exe files.  An attachment that is not referenced in the body of the email is a warning sign even when the sender looks familiar, because sender addresses are easily forged.
  • Use encrypted email to send patient information and other sensitive information – Sending it in a standard email is like writing it on a postcard for all to see instead of sealing it in an envelope.  Unprotected email can easily be read by people other than the intended recipient, and is therefore not a HIPAA-compliant means of sending PHI.
  • Confirm the identity of callers before providing company information – Phishing also takes place over the phone, with callers “phishing” for details such as passwords, account numbers or the names of staff.
  • If using mobile devices, shield the screen from snooping eyes – Someone sitting next to you can easily watch you type a password or read company data over your shoulder.
  • Protect devices holding company data from loss or theft – It is all too easy to leave a phone or laptop behind on a table or to have it swiped when you’re not looking.  Encrypt the data on laptops and other mobile devices; a lost device whose data is properly encrypted is not a reportable breach under HIPAA, while an unencrypted one is.
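The two email checks in the list above, hovering over links and scrutinising attachments, can be automated for a help desk that triages messages employees report.  The following Python script is an added example written for this article, not Stemp Systems’ code: it parses a raw message, flags links whose visible text names one domain while the href points to another (what the hover check reveals), and flags attachments with risky extensions, including double extensions such as .pdf.exe.  The sample message, its domain names, the CSV-free message layout and the extension list beyond .zip and .exe are all constructed assumptions.

```python
"""Triage a reported e-mail: flag links whose visible text points to one domain
while the href goes to another, and attachments with risky file types.

Added example for this article, not Stemp Systems' code.  The sample message
at the bottom is constructed for the demo; every domain in it is a placeholder.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The article names .zip and .exe; the rest of this list is an assumption
# based on other types commonly used to deliver malware.
RISKY_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".hta"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text)
        self._href = None      # href of the <a> currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owning domain by the last two labels.  Assumption: no
    public-suffix list is consulted, so suffixes like co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def deceptive_links(html_body):
    """Return links whose displayed text looks like a URL or host name for a
    different domain than the one the href actually leads to."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        actual_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if shown and actual_host and \
                registrable_domain(shown.group(1)) != registrable_domain(actual_host):
            findings.append({"shown": text, "actual": href})
    return findings


def risky_attachments(msg):
    """Return attachment filenames ending in a risky extension; a double
    extension such as invoice.pdf.exe still ends in .exe and is caught."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_message):
    """Parse a raw RFC 822 message and return both kinds of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html_body = html_part.get_content() if html_part else ""
    return {"deceptive_links": deceptive_links(html_body),
            "risky_attachments": risky_attachments(msg)}


# Constructed sample message (not a real phishing e-mail); domains are placeholders.
SAMPLE_EMAIL = """\
From: "Payroll" <payroll@example-hospital.test>
To: staff@example-hospital.test
Subject: Action required: verify your login
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at <a href="http://login.example-hospital.test.evil-host.test/x">
https://portal.example-hospital.test/login</a> to confirm your account.</p>
<p>Help desk: <a href="https://helpdesk.example-hospital.test/">https://helpdesk.example-hospital.test/</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="Payroll_Update.pdf.exe"
Content-Disposition: attachment; filename="Payroll_Update.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run against the constructed message, the first link is reported because its text shows the hospital’s own domain while the href leads to evil-host.test, the help-desk link is not, and Payroll_Update.pdf.exe is reported as a risky attachment.  The link check only catches text that impersonates a URL; a link reading “click here” still needs a person to hover over it, which is why the training item stays in the list.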

Malicious Insider

In the NRAD and Memorial Hermann Health System cases, the breaches appear to have been caused by rogue employees – also known as malicious insiders.  The NRAD breach was caused by an employee who had access to the billing program and used it to “access and acquire” patient information.  In the Memorial Hermann Health System breach, the employee gained unauthorized entry to the EHR to view patients’ names, addresses, medical record numbers, dates of birth, health insurance information and Social Security numbers.

Though training teaches employees what they may appropriately access, it is unlikely to stop someone who deliberately takes company data for his own use.  That kind of activity is caught by reviewing audit logs, or by observant co-workers, and it is discouraged when employees know that your company regularly reviews its audit logs for unusual activity, such as one account opening far more records than its peers or one login being used from two workstations at the same time.
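Reviewing audit logs, as described here and in the password item in the list above, can be scripted so that unusual activity surfaces every day instead of only when someone happens to notice.  The following Python script is an added example written for this article, not Stemp Systems’ or any EHR vendor’s code: it reads a constructed CSV audit-log export and flags two patterns, one account active on two workstations within minutes (a shared or stolen password) and one account opening far more patient charts than its peers (snooping).  The column names, the thresholds and every log line are assumptions made for the demo.

```python
"""Review an EHR audit-log export for two patterns the article describes: one
account active on two workstations at almost the same time (a shared or stolen
password) and one account that opens far more charts than its peers (snooping).

Added example for this article, not Stemp Systems' or any EHR vendor's code.
The CSV columns, thresholds and log lines are assumptions constructed for the demo.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log export.  Column names are an assumption; real EHR
# exports differ, but every HIPAA-covered system keeps equivalent records.
SAMPLE_LOG_HEADER = "timestamp,user,workstation,action,mrn"
SAMPLE_LOG_ROWS = [
    "2014-09-08T08:01:12,jsmith,WS-101,VIEW_CHART,100231",
    "2014-09-08T08:04:40,jsmith,WS-101,VIEW_CHART,100232",
    # jsmith's login is used on a second workstation 22 seconds later
    "2014-09-08T08:05:02,jsmith,WS-207,VIEW_CHART,100455",
    "2014-09-08T08:30:11,mlee,WS-102,VIEW_CHART,100233",
    "2014-09-08T08:45:00,mlee,WS-102,VIEW_CHART,100234",
    "2014-09-08T09:10:09,rkhan,WS-110,VIEW_CHART,100235",
    "2014-09-08T09:12:33,rkhan,WS-110,VIEW_CHART,100236",
    "2014-09-08T09:15:01,rkhan,WS-110,VIEW_CHART,100237",
]
# tgarcia opens 40 different charts in one morning, far beyond the others.
SAMPLE_LOG_ROWS += [
    f"2014-09-08T10:{i:02d}:00,tgarcia,WS-130,VIEW_CHART,{200000 + i}" for i in range(40)
]
SAMPLE_LOG = "\n".join([SAMPLE_LOG_HEADER, *SAMPLE_LOG_ROWS]) + "\n"


def parse_log(text):
    """Parse the CSV export into dicts, converting the timestamp column."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def concurrent_workstations(rows, window=timedelta(minutes=10)):
    """Return (user, first_ws, second_ws, when) for consecutive events by the
    same account on two different workstations inside the window.  The window
    is an assumption: long enough to catch a borrowed password, short enough
    that a clinician walking to the next room is not flagged every time."""
    by_user = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        by_user[row["user"]].append(row)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if (prev["workstation"] != cur["workstation"]
                    and cur["timestamp"] - prev["timestamp"] <= window):
                findings.append((user, prev["workstation"], cur["workstation"], cur["timestamp"]))
    return findings


def high_volume_users(rows, factor=5, min_charts=10):
    """Return {user: distinct charts viewed} for accounts that opened at least
    min_charts distinct charts and more than factor times the peer median.
    The median is used instead of the mean so one snooper does not raise the
    baseline for everyone; both thresholds are assumptions to tune per site."""
    charts = defaultdict(set)
    for row in rows:
        if row["action"] == "VIEW_CHART":
            charts[row["user"]].add(row["mrn"])
    counts = {user: len(mrns) for user, mrns in charts.items()}
    if not counts:
        return {}
    median = statistics.median(counts.values())
    return {user: n for user, n in counts.items()
            if n >= min_charts and n > factor * median}


def review(text):
    """Run both checks over a raw CSV export and return the findings."""
    rows = parse_log(text)
    return {"shared_credentials": concurrent_workstations(rows),
            "high_volume": high_volume_users(rows)}


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category, findings)
```

On the constructed log the script reports jsmith’s account moving from WS-101 to WS-207 within 22 seconds and tgarcia’s 40 distinct charts against a peer median of 3.  Neither finding proves wrongdoing on its own; the point is that a review like this runs every morning and hands a short list to a supervisor, which is both how a Memorial Hermann-style pattern is caught early and what makes the warning that “we review the logs” credible to staff.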

Protect Your Company

Is your company doing everything it can to protect its confidential data?  Stemp Systems can help by performing a risk assessment to find where your exposure lies, and then recommending the technology and procedures that will close those gaps.  Don’t risk losing your company’s confidential information.  Call us.

Failure to Perform Upgrades Caused Breach at Community Health Systems

Last month (August 2014), hackers used the Heartbleed vulnerability to access patient information in private physician offices throughout Community Health Systems (CHS).  You might ask, how is this possible?  The Heartbleed internet bug is a massive vulnerability that was discovered in OpenSSL, which many websites use to encrypt and transmit data, and it also…

Ransomware: Locked Files AND a Data Breach

The recent discovery regarding CryptoWall has changed the way we need to respond to ransomware.  As described in our previous blog, ransomware encrypts your computer’s files (rendering all data inaccessible) and demands a ransom in order to decrypt the files.  Since CryptoLocker ransomware first showed up in September 2013, there have been a number of…

Email Down – Everything Down – Is the Cloud the Answer?

Microsoft Exchange was down recently, on Tuesday, June 24, 2014.  The outage of this online email service left many users in the United States without email all morning, and many into the evening.  The official downtime was 8.65 hours.  This outage resulted in many frustrated people unable to communicate and thus unable…

Data Breach: Could This Happen to Your Medical Practice or Business?

We frequently hear stories in the news about data breaches…generally large breaches of millions or perhaps tens of millions of names, dates of birth, Social Security numbers and credit cards.  The exposure of 70 million names and credit card numbers of Target customers is probably the most infamous recent example.  But this week…
