[BreachExchange] Paper healthcare records highly vulnerable, yet often overlooked

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 9 21:00:25 EDT 2018


https://www.csoonline.com/article/3268125/data-breach/paper-healthcare-records-highly-vulnerable-yet-often-overlooked.html

Breach after breach is occurring within the healthcare vertical, as medical
providers, insurers, and medical device companies find themselves fielding
ever more sophisticated techniques from criminal entities. Targeted phishing
remains consistently lucrative from a target/execution standpoint.

In focusing our information security teams so tightly on the cyber model,
though, are we overlooking the information sitting in the file cabinets and
archival storage — the paper, backup tapes, or other data stores — that are
not readily observable by the in-place data loss protection schema?

That small and overworked infosec teams must focus on where the biggest bang
for their buck will be recovered seems logical. A breach touching the
backend of a hospital or locking down all the medical devices would
certainly have the potential to be a catastrophe.

Can a file folder or two or three — or a hundred or a thousand — do substantive
damage? Perhaps only if you are the patient whose personal identifying
information (PII) or protected health information (PHI) is compromised.
HIPAA enforcement by the Office for Civil Rights (OCR), though, now carries a
much sharper bite than entities with lackadaisical notions of physical
security for paper or archival records have previously experienced. People
are still talking about the multi-million-dollar fine levied when a
healthcare provider included patient information in a press release.

Cases where paper healthcare records were compromised

Let’s move beyond the hypothetical and speak to specifics — instances where
employee lack of attention to detail, willful disregard for established
processes, or malevolent acts have caused the medical record of a patient
to become compromised.

Mercy Love County Hospital and Clinic in Marietta, Oklahoma, saw one of
their former employees convicted for the theft of medical records and a
laptop from a “hospital storage unit.” In their notice to the public, the
hospital emphasized that “a small number of patient records” were
compromised, 10 in total. Clearly small. But the breach report filed with
U.S. Department of Health and Human Services (HHS) noted that information
on 13,000 patients was compromised.

Regardless of number, the hospital's former employee (a nurse) wasted no
time and went on to monetize the information culled from the storage unit,
court records tell us. The miscreant engaged in financial identity theft,
opening up a variety of credit instruments to the tune of $240,000.

Then there’s the instance where a medical entity, St. Francis Hospital in
Columbus, Georgia, mistakenly sent “some administrative documents” to a
landfill instead of to the shredder. It was an administrative error that
compromised, according to the hospital, “personal and/or billing
information of some patients, including the patient’s name, date of birth,
Social Security number, address, diagnosis, account number, final bill
date, discharge date, last payment date, insurance balance or account
balance.” While the public statement was ambiguous, the filing with HHS by
the hospital showed 1,412 individuals were affected.

And then there is the January 2018 instance in which a ShopRite pharmacy in
Millville, New Jersey, tossed the “device used to capture the signatures of
customers … without first wiping the device of all stored phi.”
Approximately 10,000 of the pharmacy’s customers were affected in that
incident.

The most easily preventable compromises

While these are but a few of the recent instances where the losses were a bit
different from the normal hack and intrusion we read of with regularity,
they are also the most preventable. They constitute the lowest-hanging fruit
within the healthcare infosec ecosystem.

This year alone, 54 healthcare providers have reported the compromise of
medical records. These happened via email (sending a patient a file belonging
to another is a common recurring error), loss or theft of devices, and, of
course, IT incidents. Of those 54, 20 percent involved paper.

Going forward, let's make it a point of emphasis to healthcare insiders and
help them protect their patients' privacy by protecting the electronic
records as well as the paper records.