While all of us were focusing on the massive WannaCry ransomware attack that hit more than 150 countries last Friday, other breaches managed to fly under the radar, including one large data breach that impacted the Bronx Lebanon Hospital Center in New York City. The breach exposed the records of over 7,000 patients.
What kind of medical records were compromised? Unfortunately, a lot. Specifically, patients’ mental health and medical diagnoses, HIV statuses, sexual assault and domestic violence reports, as well as names, home addresses, and social security numbers. The actual length of time these records were left exposed is not known, but it seems that anyone who was a patient at the hospital between 2014 and 2017 is potentially at risk.
How did this breach happen? Some sources believe a misconfigured Rsync backup server hosted by the third-party records management vendor iHealth Solutions was left susceptible. This instance is indicative of a larger trend in the industry, where institutions move to adopt new technology architectures yet don’t take steps to protect the legacy systems they transitioned from. Turning off access to a legacy system does not make it secure, especially when it’s still connected to the network and no longer patched and maintained the way it used to be.
Here are a few takeaways to remember when building a security strategy and preventing future attacks:
1. Make data flows a priority.
Identifying data flows not only tells you what data is involved and who touches it (which can help with your Data Loss Protection and Identity Management initiatives); it also gives you visibility into which systems talk to each other and how. That is critical to know when architecting a security solution, because the initial vector of an attack and the final malware that exfiltrates data or impacts workflow often don’t share the same technology protocols or application stacks.
2. Have a response strategy that involves your emergency management and risk group.
The former will aid in containing and recovering from the clinical and operational impact of the incident, while the latter is the conduit to your cyber liability insurance policy, which will be one of the resources providing services like incident response, call center management, lawsuit protections, etc.
3. Advise patients to get insurance providers involved.
While credit monitoring is helpful in response to a medical data theft scenario, it is good practice for impacted patients to follow up with their insurance providers, who can provide claim processing information to make sure patients are not victims of medical fraud. Additionally, prompt patients to update their passwords for patient portals with doctors, hospitals, and insurance companies.