Patient data breaches can strike anywhere: Make sure you’re prepared for them all

Recent healthcare data breaches prove that risks can come from anywhere. From vendor access risks to insider snooping, the security landscape needs to change.

The threats of ransomware and cybercrime strike fear into the hearts of healthcare organisations across the globe. And with good reason. The Hive ransomware group alone targeted over 1,500 victims in over 80 countries before it was infiltrated by the FBI. But data breaches don’t originate only with criminal organisations seeking millions through fraud and extortion.

That means you need to understand – and protect against – the wide range of data breaches that could impact your organisation. Here are a few different types of data breaches, and what could have been done to prevent them.

Third-party data breaches

It’s nearly impossible to do business today without engaging at least one third-party service provider. And giving access to any third-party vendor creates a point of vulnerability that must be secured.

But what happens when a third-party vendor is hit with a cyberattack? Broward Health, a healthcare system in Florida, recently found out that it can have huge downstream effects.

Broward Health experienced a data breach when a bad actor gained unauthorised access to their network through a third-party medical provider. The personally identifiable information (PII) exposed included names, dates of birth, financial information, phone numbers, email addresses, Social Security numbers, insurance information, driver’s license numbers, and medical records – including medical histories, diagnoses, and treatments.

The healthcare system investigated and does not believe the data was misused. However, they did implement an enterprise-wide password reset and enhanced security measures that included multifactor authentication for all users. They also offered free identity theft services to the 1,357,879 individuals impacted.

This data breach underscores the need for a robust vendor privileged access management (VPAM) solution. Without one, third-party privileged access goes unlocked and the organisation stays exposed. It’s no longer safe to provide your vendors with broad, privileged access based on trust. Instead, you need to level up your own security strategy to protect your organisation’s weakest attack vector.

Insider snooping

Having a VPAM solution is crucial, but it’s only part of the picture. With data breaches, sometimes the call is coming from inside the house. That’s why the ability to detect insider threats is so important. Whether due to negligence or malicious intent, insider snooping can cause a lot of damage.

One recent example: on January 19, 2023, the DCH Health System in Tuscaloosa, Alabama announced an employee-related privacy breach.

During a regular privacy audit, DCH Health discovered a hospital employee had accessed electronic patient records without authorisation. Further investigation showed that this wasn’t the first time. Between September 2021 and December 9, 2022, the employee accessed and viewed approximately 2,530 patient records.

While a data breach recovery expert found no misuse of the information, and DCH Health provided free identity theft protection services to the affected patients, the employee still had inappropriate access to sensitive data – and was caught too late.

So, what could’ve been done here? If the employee were someone with authorised access to patient data – like a nurse – who was misusing those rights, a patient privacy monitoring solution would have addressed the problem. If the employee wasn’t on the medical team, then better access governance paired with patient privacy monitoring would have prevented – or stopped – the inappropriate access.
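To make the two controls above concrete, here is an added example (not from the article or any vendor product) of a minimal patient-privacy audit run over EHR access-log lines: it applies an access-governance check (non-clinical staff opening charts) and a care-relationship check (a clinician viewing patients they are not treating), and counts repeat offenders so a single alert can escalate into an investigation. The log lines, user roles and care-team assignments are all constructed for illustration.

```python
"""Added example, not from the article or any vendor product: a minimal
patient-privacy audit over EHR access logs, flagging the patterns in the
DCH case. All log lines, roles and care-team data are constructed."""
from collections import Counter

# Constructed care relationships: user -> patients on that user's care team.
CARE_TEAM = {
    "nurse_a": {"P001", "P002"},
    "dr_b": {"P002", "P003"},
}
# Constructed role data: any user not on a care team is non-clinical staff.
CLINICAL_USERS = set(CARE_TEAM)

# Constructed EHR audit-trail lines: timestamp, user, patient id, action.
ACCESS_LOG = """\
2022-12-01T08:02:11 nurse_a P001 VIEW
2022-12-01T08:05:40 nurse_a P002 VIEW
2022-12-01T09:15:02 dr_b P003 VIEW
2022-12-01T12:30:19 nurse_a P004 VIEW
2022-12-01T12:31:01 nurse_a P005 VIEW
2022-12-01T13:00:45 billing_c P001 VIEW
"""

def parse_log(text):
    """Yield (timestamp, user, patient, action) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, patient, action = line.split()
            yield ts, user, patient, action

def audit(log_text, care_team=CARE_TEAM, clinical_users=CLINICAL_USERS,
          volume_threshold=2):
    """Return (findings, out_of_relationship_counts, users_to_escalate).
    findings lists one (user, patient, reason) per suspicious access; the
    per-user counter turns isolated alerts into a snooping-volume signal."""
    findings = []
    out_of_relationship = Counter()
    for _ts, user, patient, _action in parse_log(log_text):
        if user not in clinical_users:
            # Access governance check: non-clinical staff need no chart access.
            findings.append((user, patient, "non-clinical user opened record"))
            out_of_relationship[user] += 1
        elif patient not in care_team.get(user, set()):
            # Privacy monitoring check: clinician outside a care relationship.
            findings.append((user, patient, "clinician outside care relationship"))
            out_of_relationship[user] += 1
    # A user who repeats this crosses from single alert to investigation.
    escalate = {u for u, n in out_of_relationship.items() if n >= volume_threshold}
    return findings, out_of_relationship, escalate
```

In a real deployment the care-team map would come from the EHR's encounter and scheduling data rather than a hard-coded dictionary, and the threshold would be tuned against each role's normal baseline.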

Either way, when sensitive patient data is at stake, protecting it is paramount.

Blocking breaches before they happen, no matter where they start

The varied starting points of data breaches mean that you need a truly robust security strategy, one that covers vendor access and insider snooping as well as the “traditional” idea of a breach.

Manual monitoring has value but isn’t enough to keep up with the number of accesses to an EHR, or the varied cyberthreats to today’s healthcare organisations. Ideally, monitoring for patient privacy should be automated with systems that use artificial intelligence, machine learning, and behavioral analytics, as well as human know-how.

Likewise, risk analytics should do more than catch or obstruct cybercriminals who target your organisation. They must also address security risks from employees and third-party vendors.

Patient privacy solutions ensure HIPAA compliance, but their purpose is even greater. On top of preventing penalties and criminal prosecution, reducing risk with behavioral monitoring and analytics helps build trust. An atmosphere of trust and privacy promotes patient retention, encourages active involvement with treatment plans, and supports patient-centered care.

Read how AI-powered solutions can protect patients, improve compliance, and streamline investigations in this case study.