High-profile breaches seem to be a weekly occurrence now. That shouldn’t be surprising, considering how many breaches happen every single day. But most breaches affect small companies and thus generate little news, or they go undetected entirely; it is the breaches at bigger companies that make it into the news.
This week’s high-profile breach hits the medical community. Community Health Systems, a Tennessee-based health care organization, reported that 4.5 million records were compromised this spring. According to eSecurity Planet:
While the stolen data included patient names, addresses, birthdates, phone numbers and Social Security numbers, it did not include financial or medical information.
The suspected hacker in this case is a group from China.
As has become typical in high-profile breaches, media and security experts alike began to speculate where the meltdown occurred and how future breaches could be avoided. For instance, Tsion Gonen, chief strategy officer with SafeNet, told me in an email:
The question to ask is why wasn’t the patient data encrypted if it is considered protected under HIPAA. This breach and the many data breaches we have seen recently are a symptom of an outdated approach to securing customer data. Today, data security is dominated by a focus on perimeter security measures and ‘keeping the bad guys out.’ But what happens when they get in? Companies need to have a defense-in-depth strategy that enables them to secure the breach once an intrusion occurs. That includes using strong encryption so that if the cyber criminals get access to the data it is made useless to them, especially if it is customers’ sensitive personal and healthcare information.
Gonen poses an excellent question regarding encryption and he is spot on when he says that companies need to do a better job at creating post-breach intrusion plans. These are issues that businesses in every industry should be addressing. However, does this particular breach reveal holes in overall medical industry security in particular? Stephen Cobb, senior researcher at ESET, has reason to think so.
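Gonen’s point about encryption is concrete enough to show in code. The following is an added example, not code from the article or from any of the companies named in it: it stores the sensitive field of a patient record (the Social Security number, one of the fields reported stolen) under AES-256-GCM, so that a copied database row yields only ciphertext, and decryption fails on a wrong key or on a tampered value. The record fields, the sample SSN, and the in-memory key are constructed for the demonstration; in a real deployment the key would be held in a key-management service or HSM, not next to the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PatientRecord mirrors the fields the article says were stolen; the SSN is
// stored only in encrypted form so a copied table does not expose it.
// (Hypothetical structure, constructed for this example.)
type PatientRecord struct {
	Name         string
	Address      string
	EncryptedSSN string // base64(nonce || AES-GCM ciphertext+tag)
}

// EncryptField seals a sensitive value with AES-256-GCM under key.
// A fresh random nonce is generated per call and prepended to the output.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. GCM's authentication tag makes it fail
// on a wrong key or on any modification of the stored value.
func DecryptField(key []byte, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed 256-bit key for the demo only; production keys live in a
	// KMS/HSM, never beside the database they protect.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	enc, err := EncryptField(key, "123-45-6789") // constructed sample SSN
	if err != nil {
		panic(err)
	}
	rec := PatientRecord{Name: "Jane Doe", Address: "1 Main St", EncryptedSSN: enc}
	fmt.Printf("what a copied row exposes: %+v\n", rec)
	ssn, err := DecryptField(key, rec.EncryptedSSN)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the key, the application recovers:", ssn)
}
```

Field-level encryption of this kind only helps if the key is not reachable from the same foothold that reaches the data, which is why the key’s storage and the application’s access path to it belong in the same threat model as the database itself.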
In a blog post, Cobb pointed out that on an average day more than 24,000 Americans have their Protected Health Information (PHI) compromised. Medical breaches have implications beyond the theft of names and Social Security numbers; our lives could be at risk. He wrote:
[D]ata breaches and medical errors are not unrelated, particularly when greater use of IT systems and digital devices is often put forward as a way to reduce preventable medical errors. That is not reassuring, given some of the attitudes toward information security that I have observed in different parts of the medical world.
In a USA Today article, Phil Lieberman, president of Lieberman Software, said that too few medical facilities invest in network security. How many high-profile breaches will happen before the health care industry re-evaluates its security plan? As Lieberman said, we can’t count on HIPAA to act as security, although perhaps that’s what too many medical institutions are doing.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba