2022 Kicks Off With A Massive Data Breach Report

Jan 18, 2022

Just two days into the new year, the United States Department of Health and Human Services (HHS) received its first data breach report of 2022.

An intruder was found to have accessed the network of Florida-based hospital system Broward Health, affecting more than 1.3 million of its patients and staff members.


Kicking off the year with a massive cyber attack is a nightmare that no medical practice would ever want to experience. So how did a nationally recognized healthcare system fall victim to one? And what can other practices learn from the incident?


Let’s have a closer look.


Here’s What Happened

On October 15, 2021, the intruder gained access to Broward Health’s network through the office of a third-party medical provider. That provider had been granted access to the system so that it could deliver healthcare services.


Just four days later, on October 19, Broward Health discovered the breach and immediately carried out the necessary response actions. Unfortunately, in the four days that the intrusion went undetected, the attackers were able to exfiltrate (remove) personal medical information from Broward Health’s systems, affecting a total of 1,357,879 people.


What information was compromised?

Given the volume of protected health information (PHI) exposed, the Broward Health data breach affected the largest number of individuals of any breach reported since August 2021.


The PHI included:

  • Names
  • Dates of birth
  • Addresses
  • Phone numbers
  • Financial or bank account information
  • Social Security numbers
  • Insurance information and account numbers
  • Medical information (including history, condition, treatment, and diagnosis)
  • Medical record numbers
  • Driver's license numbers
  • Email addresses


What did Broward Health do?

According to its statement, Broward Health carried out the following actions upon learning of the breach:

  • Contained the incident
  • Notified the FBI and the Department of Justice (DOJ)
  • Required a password reset for all employees
  • Implemented multi-factor authentication (MFA) for all of its system users
  • Began implementing additional minimum security requirements for devices that access its network but are not managed by its IT department
  • Engaged an independent cybersecurity firm to conduct an investigation
  • Engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted


Here’s What You Can Learn From the Breach

According to Steve Moore, a chief security strategist at Exabeam, an organization can still be vulnerable to data breaches even if it has a robust security stack. One of the ways these intrusions take place is through compromised credentials, particularly those that belong to third-party vendors and partners.


Besides having a detailed plan for responding to a data breach, it’s important to note that prevention plays a huge part in an organization’s cybersecurity incident response plan. Here are a few cybersecurity best practices that you can learn from the Broward Health incident:


Access Control Management

Although vendor access carries significant risk and can lead to unfavorable outcomes, it is necessary in healthcare. It’s simply something healthcare organizations like yours can’t do without. The best way around this is to stringently manage and control access to your network.


Access control management is considered a security essential for healthcare organizations. It’s actually one of the cybersecurity best practices endorsed by the Center for Internet Security (CIS) in its published set of safeguards, the CIS Controls.


According to the CIS Controls, it’s important that you use processes and tools to create, assign, manage, and revoke access credentials and privileges for all accounts that use your clinic’s assets and software.


Manage what access the accounts have and ensure that users only have access to the data or assets appropriate for their role. There should also be strong authentication mechanisms in place to protect critical or sensitive practice data or functions.


To know more about what access control is, why you need it, and what measures you can apply in your practice, check out our blog post about access control.


Cybersecurity Awareness Training

Since the COVID-19 pandemic broke out, 90% of organizations in the United States have adopted a remote working setup for most of their employees. Unfortunately, only 29% of those organizations actually train their staff on the best practices of working remotely. That is a huge security risk!

Does your medical practice have regular cybersecurity awareness training in place?


Cybersecurity awareness and skills training is also one of the 18 CIS Controls we highlighted in our Cybersecurity Essentials for Healthcare Practices ebook. To reduce the risk of a cyber attack in your organization, you should establish and maintain a regular cybersecurity awareness program that effectively influences the behavior and actions of your workforce.


How your employees respond to a potential cyber attack plays a critical part in the success or failure of your cybersecurity program. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 85% of data breaches in 2020 involved human interaction. 


Human error is the weakest link in the cyber chain, and cybercriminals take full advantage of this.


Simply put, it is much easier for an attacker to entice one of your employees to click a malicious link or open an infected file than to find an exploit and sneak into your network directly.


Your practice’s network users (including yourself) can cause disastrous cyber incidents, whether intentionally or not. These incidents can stem from mishandling data, misdirected emails, lost devices, weak passwords, or reusing passwords that are also used on public sites.


Implementing cybersecurity awareness training is key to keeping your practice safe from falling victim to cyber attacks. With regular and effective training, your workforce can learn to spot, respond to, and avoid any cyber threat that comes their way.


If you want to know more about what cybersecurity awareness training is, why your practice needs it, how you do it, and how often it should be done, this blog post addressing frequently asked questions is a great place to start!

Feedback Loops

A feedback loop is a mechanism in which some or all portions of a system’s output are used as input for future activities. It is intended to give us access to information in real time so that we can use the information to alter human behavior.


In the cybersecurity field, one example of a feedback loop is phishing simulations, or simulated phishing campaigns, which are exercises that your organization can conduct to identify users who are prone to clicking malicious links and falling for phishing scams. Phishing simulations are a great way to correct unwanted end-user behavior within your team.


According to Security Intelligence, a feedback loop consists of four unique stages:


  1. Capturing or measuring a behavior. In phishing simulations, this involves sending out a simulated phishing email. The user then opens the phishing email that, ideally, should be recognized as malicious.
  2. Conveying information to the users in a manner that is easy to understand. Right after the user clicks a supposedly malicious link, they should be informed about what they just did and how they can avoid making the same mistake in the future.
  3. Conveying the direct consequence of the behavior. The users should also be informed about the consequences of their actions—both from the cybersecurity perspective and the human resources perspective.
  4. Recapturing or re-measuring the behavior. To ensure that the users have learned from the experience and the unwanted behavior is corrected, you need to retest the users.
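The four stages above map directly onto the data a phishing simulation produces. The following is an added example, not code from the original post or from Security Intelligence: it takes a constructed two-round campaign export (the user names and actions are invented sample data), measures the click rate per round (stage 1), generates the immediate feedback message a clicker should see (stages 2 and 3), builds the retest queue, and compares each user's behavior across rounds (stage 4). The CSV column names and the outcome labels are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed export from two rounds of a simulated phishing campaign
# (sample data, not a real campaign): one row per user per round.
SAMPLE_EVENTS = """\
round,user,action
1,alice,reported
1,bob,clicked
1,carol,clicked
1,dave,ignored
2,alice,reported
2,bob,reported
2,carol,clicked
2,dave,ignored
"""

VALID_ACTIONS = {"clicked", "reported", "ignored"}


def parse_events(text: str) -> list:
    """Parse the campaign export; reject rows with unexpected actions."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"] not in VALID_ACTIONS:
            raise ValueError(f"unexpected action: {row['action']}")
        events.append({"round": int(row["round"]),
                       "user": row["user"],
                       "action": row["action"]})
    return events


def demo_events() -> list:
    return parse_events(SAMPLE_EVENTS)


def rate(events: list, rnd: int, action: str) -> float:
    """Stage 1 (and 4): measure. Share of users in a round who took `action`."""
    rows = [e for e in events if e["round"] == rnd]
    if not rows:
        return 0.0
    return sum(e["action"] == action for e in rows) / len(rows)


def immediate_feedback(user: str) -> str:
    """Stages 2 and 3: tell the user what just happened, how to avoid it,
    and what the direct consequence is (a training module is assigned)."""
    return (f"{user}: the link you just clicked was a simulated phishing test. "
            "Check the sender address and hover over links before clicking. "
            "A short refresher module has been assigned to you.")


def retest_queue(events: list, rnd: int) -> list:
    """Users who clicked in round `rnd` must be re-measured in the next round."""
    return sorted({e["user"] for e in events
                   if e["round"] == rnd and e["action"] == "clicked"})


def outcomes(events: list, first: int, latest: int) -> dict:
    """Stage 4: compare each user's behavior between two rounds."""
    by_user = defaultdict(dict)
    for e in events:
        by_user[e["user"]][e["round"]] = e["action"]
    result = {}
    for user, rounds in by_user.items():
        before, after = rounds.get(first), rounds.get(latest)
        if after is None:
            result[user] = "not_retested"      # loop not closed yet
        elif after == "clicked":
            result[user] = "still_at_risk"     # needs further training
        elif before == "clicked":
            result[user] = "corrected"         # behavior changed
        else:
            result[user] = "resilient"
    return result


if __name__ == "__main__":
    ev = demo_events()
    print("round 1 click rate:", rate(ev, 1, "clicked"))
    for u in retest_queue(ev, 1):
        print(immediate_feedback(u))
    print("round 2 click rate:", rate(ev, 2, "clicked"))
    print(outcomes(ev, 1, 2))
```

Tracking the report rate alongside the click rate is worthwhile: a rising share of users who report the simulated email is the positive behavior the loop is trying to produce, not just a falling click rate.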


Visibility

In the field of IT and cybersecurity, it’s important to remember that visibility is a prerequisite for protection. In other words, you need to see something in order to protect it. 


Cybersecurity visibility is the ability to have an unobstructed view into the threats as well as security controls of  your IT environment. It makes pertinent information easy to observe, gather, and manage.


There are three essential types of cybersecurity visibility:


Technical Visibility refers to external threats to your infrastructure. Before you can address these vulnerabilities, you need to know all the components that affect the organization, where they are located, and how they are being used.


All servers, devices, solutions, and tools on your practice’s corporate network should be accounted for. This means that every IT inventory needs to be thorough and should include each item’s real-time status, ownership information, and general functionality.
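One way to make an inventory like that actionable is to audit it automatically for the gaps the paragraph names. The following is an added example, not code from the original post: it loads a constructed JSON inventory export (the asset names, owners and timestamps are invented sample data) and flags assets with no recorded owner, assets that have network access but are not managed by IT (the gap Broward Health said it was closing), and assets whose status has gone stale. The field names and the 30-day staleness threshold are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory export (sample data, not from any real network).
SAMPLE_INVENTORY = """[
 {"asset": "ehr-db-01", "owner": "IT", "function": "EHR database",
  "managed_by_it": true, "network_access": true,
  "last_seen": "2022-01-14T09:00:00+00:00"},
 {"asset": "imaging-ws-3", "owner": "Radiology vendor", "function": "Imaging workstation",
  "managed_by_it": false, "network_access": true,
  "last_seen": "2022-01-14T08:30:00+00:00"},
 {"asset": "old-fax-srv", "owner": "", "function": "Fax gateway",
  "managed_by_it": true, "network_access": true,
  "last_seen": "2021-11-02T12:00:00+00:00"},
 {"asset": "kiosk-2", "owner": "Front desk", "function": "Check-in kiosk",
  "managed_by_it": true, "network_access": false,
  "last_seen": "2022-01-13T17:45:00+00:00"}
]"""

REQUIRED_FIELDS = {"asset", "owner", "function", "managed_by_it",
                   "network_access", "last_seen"}

# Fixed "now" so the example is reproducible.
AUDIT_TIME = datetime(2022, 1, 15, tzinfo=timezone.utc)


def load_inventory(text: str) -> list:
    """Parse the export and reject records missing any required field."""
    items = json.loads(text)
    for item in items:
        missing = REQUIRED_FIELDS - item.keys()
        if missing:
            raise ValueError(f"{item.get('asset', '?')}: missing {sorted(missing)}")
        item["last_seen"] = datetime.fromisoformat(item["last_seen"])
    return items


def audit(items: list, now: datetime, stale_after: timedelta = timedelta(days=30)) -> list:
    """Return sorted (asset, finding) pairs for every visibility gap found."""
    findings = []
    for item in items:
        if not item["owner"]:
            findings.append((item["asset"], "no owner recorded"))
        if item["network_access"] and not item["managed_by_it"]:
            findings.append((item["asset"], "unmanaged device with network access"))
        if now - item["last_seen"] > stale_after:
            findings.append((item["asset"],
                             f"status stale: not seen for {stale_after.days}+ days"))
    return sorted(findings)


def demo_findings() -> list:
    return audit(load_inventory(SAMPLE_INVENTORY), AUDIT_TIME)


if __name__ == "__main__":
    for asset, finding in demo_findings():
        print(f"{asset}: {finding}")
```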


Operational Visibility refers to processes and compliance. Because visibility makes data easier to protect, an organization needs to be transparent in how it accesses, manages, and controls data.


Operational visibility also includes visibility into users’ access to the data. User-based visibility requires discipline and strictness, and should answer questions such as:

  • What data can a user access?
  • Why do they have access to it?
  • What level of responsibility do they have?
  • What applications does the user need to be efficient in their tasks? 
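The access-control guidance above (create, assign, manage and revoke credentials; grant only what a role needs; require strong authentication) and the four visibility questions just listed can be served by one small registry. The following is an added example, not code from the original post or from the CIS Controls: a role-based access registry in which every account records a justification, third-party accounts must carry an expiry date, MFA enrollment is checked on every access decision, and a report answers what data a user can reach and why. The roles, data categories, user names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role -> data categories mapping: each role gets only what it needs.
ROLE_PERMISSIONS = {
    "physician":      {"medical_record", "insurance", "contact_info"},
    "billing":        {"insurance", "financial", "contact_info"},
    "front_desk":     {"contact_info", "insurance"},
    "vendor_imaging": {"medical_record"},   # third-party provider, narrowly scoped
}

# Fixed reference time so the example is reproducible.
T0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class Account:
    user: str
    role: str
    justification: str                  # answers "why do they have access?"
    mfa_enrolled: bool = False
    is_third_party: bool = False
    expires_at: Optional[datetime] = None   # mandatory for third parties


class AccessRegistry:
    """Creates, checks, reports on and revokes access grants."""

    def __init__(self) -> None:
        self._accounts = {}

    def grant(self, account: Account, now: datetime) -> None:
        if account.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {account.role}")
        if account.is_third_party:
            # Vendor access is time-bound so it gets reviewed and revoked, not forgotten.
            if account.expires_at is None or account.expires_at <= now:
                raise ValueError("third-party accounts need a future expiry")
        self._accounts[account.user] = account

    def revoke(self, user: str) -> bool:
        return self._accounts.pop(user, None) is not None

    def check(self, user: str, data_category: str, now: datetime) -> tuple:
        """Return (allowed, reason); every denial carries a reason for the audit log."""
        acct = self._accounts.get(user)
        if acct is None:
            return False, "no active account"
        if acct.expires_at is not None and now >= acct.expires_at:
            return False, "access expired"
        if not acct.mfa_enrolled:
            return False, "MFA not enrolled"
        if data_category not in ROLE_PERMISSIONS[acct.role]:
            return False, f"role '{acct.role}' is not permitted '{data_category}'"
        return True, "allowed"

    def report(self, user: str, now: datetime) -> Optional[dict]:
        """Answer the visibility questions for one user."""
        acct = self._accounts.get(user)
        if acct is None:
            return None
        return {"user": acct.user, "role": acct.role,
                "data": sorted(ROLE_PERMISSIONS[acct.role]),
                "why": acct.justification, "third_party": acct.is_third_party,
                "expired": acct.expires_at is not None and now >= acct.expires_at}

    def stale_grants(self, now: datetime) -> list:
        """Accounts whose expiry has passed but were never revoked: review and remove."""
        return sorted(u for u, a in self._accounts.items()
                      if a.expires_at is not None and now >= a.expires_at)


def demo() -> AccessRegistry:
    """Build a constructed registry with one staff, one vendor and one unenrolled account."""
    reg = AccessRegistry()
    reg.grant(Account("dr_lee", "physician", "attending physician", mfa_enrolled=True), T0)
    reg.grant(Account("imaging_co", "vendor_imaging", "contracted radiology reads",
                      mfa_enrolled=True, is_third_party=True, expires_at=T0 + 30 * DAY), T0)
    reg.grant(Account("temp_desk", "front_desk", "seasonal front desk staff"), T0)
    return reg


if __name__ == "__main__":
    reg = demo()
    for user, cat in [("dr_lee", "financial"), ("imaging_co", "medical_record"),
                      ("temp_desk", "contact_info")]:
        print(user, cat, reg.check(user, cat, T0))
    print("expired but not revoked:", reg.stale_grants(T0 + 45 * DAY))
```

The point of `stale_grants` is that expiry alone is not enough: a grant that has lapsed still needs to be found and removed, which is the "revoke" half of the CIS guidance that third-party access most often misses.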


Organizational Visibility refers to the potential threats against an organization’s brand, reputation, or intellectual property. This is often the type of visibility that cybersecurity experts find difficult to understand and carry out.


Unlike the other types of cybersecurity visibility, organizational visibility does not rely mainly on straightforward cybersecurity tools. It requires a lot of strategic approaches and processes as well. You will need to know what your company’s brand, reputation, and intellectual property encompasses, what data falls under these categories, how you can track this data, and how you can protect this data from potential threats.


Technical Capabilities

Cybercriminals are taking advantage of technology—they’re using the latest innovations to get past your IT network’s defenses! You need to fight fire with fire. 


You can’t go head-to-head against advanced cybercrime technology without gearing up on solid cybersecurity equipment, experience, and expertise. Put simply, you need the team and the tools to make sure that your practice can prevent, discover, respond to, and mitigate any potential data breach that comes your way.


Our advice? Look into a reputable IT company that offers excellent cybersecurity services designed specifically for medical facilities and see what they have to offer.


Equip Your Practice for 2022

In the year 2021 alone, the Federal Government received reports of over 40 million compromised patient records—and cybersecurity experts are certain that cyber attackers aren’t stopping anytime soon.


Though the Broward Health breach took place in 2021, it is the first data breach reported in 2022, and it has already affected more than a million people. Cybercriminals are obviously ramping up their efforts to break through healthcare practices’ digital walls and get their hands on your clinic data.


Are your practice’s staff, devices, and cybersecurity solutions prepared for a potential cyber attack?


If you’re not quite sure how to answer that, it may be a good idea to get expert advice or an IT network assessment by cybersecurity professionals who specialize in healthcare. ER Tech Pros offers exactly that! Reach out to one of our experienced cybersecurity specialists today!

