With all the talk about compliance and regulations, particularly when it comes to patient data, it's confounding to read about all of the hospitals that have been victims of breaches. One would think security teams in the healthcare sector are bringing their A game when it comes to defending their most valuable assets.
I've spoken with a couple security researchers and experts, so tomorrow's post will also examine this topic as it seems to me that hospitals--the very places that tend to the ill--are more and more the targets of illicit acts by bad actors. Would it be unreasonable to request that even criminals possess some code of ethics. Perhaps they might all take an oath to grant immunity to the health care industry as a whole?
The latest breach of Massachusetts General Hospital suggests that the hospitals, though, aren't the weak link as this breach was supply chain related. Even for those who are doing all that they should be doing to defense their environments, third parties still put them at risk.
Patterson Dental Supply, which provides software to the hospital to manage dental practice information for a number of providers that includes the Boston hospital, said that an unauthorized individual gained access to electronic files on the company’s systems in early February.
The hospital said files contained some MGH dental practice information, including the patient names, birthdays, Social Security numbers and — in some instances — the type of dental appointment, provider name and medical record number.
In a press release, the hospital said it began sending letters to affected individuals and had set up a dedicated call center to answer questions. Hospital spokesman Mike Morrison said though the hospital received permission to begin notifying patients in late May, the hospital needed time to identify which patients had been impacted.
MGH said the vendor has already enhanced the security of the systems that maintain dental records, but many have questions about the increasing security issues with third-party vendor management for the healthcare industry.
Lysa Myers, senior researcher at ESET, said in order to avoid being the next victim, do things like:
Mapping locations of sensitive data: Collaborate across all relevant teams to determine which data—intellectual property, employee records, financial information, credit card data—is considered sensitive by the organization. Information security should audit for all locations of that sensitive data on the network, as well as for the locations of copies of that data that may be accessible to members of your vendor. Apply the principle of least privilege: For example, don’t give users admin rights to their machines if they don’t need it, and limit their ability to access parts of the network they don’t legitimately need to use.
Building security assurances into vendor/partner agreements: Advise your legal team to add a corporate data security and incident response policy into vendor agreements and to stipulate compliance with them.
Adding depth and breadth to basic security practices: Recommended protections include network segmentation, multi-factor authentication, and strong passwords.
Encryption – Ask how vendors are protecting sensitive data since you and the vendor should encrypt sensitive data as it’s sent over the network, such as via the web or email.
"Working together, every department and manager involved with the supply chain and partner organizations can build a safe environment. Doing so before a cyber attack or accidental data breach occurs can close a critical gap in your organization’s security posture," Myers said.