Five Lessons Health Care Organizations Can Learn From a Serious Security Breach
In recent weeks the media has been abuzz with stories of security breaches at various retail companies across the country. The exact figures vary, but estimates cluster around 70 million records for breaches that include credit card numbers, and 110 million records for those that include names, street addresses, and email addresses.
The intriguing part of these stories is the tactics used to penetrate the information systems of numerous highly regarded organizations. As we continue to learn more about these events, one message is clear — if it can happen to these organizations, it can happen to any organization. This adds one more item to the list of things keeping executive officers up at night. But in the middle of a sleepless night, a good leader can always learn from the mistakes of others.
Lesson 1: A breach can happen to anyone.
The major retail organizations that have been breached are multibillion-dollar international corporations spending millions of dollars on electronic security, yet attackers were still able to get past their security controls and reach millions of credit card numbers. Health care organizations should therefore plan for a breach using a "when," not an "if," mantra.
Inside an organization, people make mistakes, and controls are not always in place or operating consistently. Outside an organization, there are many skilled attackers. If they choose to target you, it is only a matter of time before they gain access to your confidential information.
Lesson 2: The intent of most malicious health care industry breaches is not to access health information.
The attackers' target is the financial information held in the health care entity's computer systems. Wholesale theft of millions of credit card numbers, resold on the black market, has created an illegal billion-dollar industry.
In contrast to the financial and retail industries, health care organizations have historically focused the majority of their resources on protecting their patients' health information. Because of this focus, less emphasis has been placed on protecting financial information, such as Social Security numbers and payment card numbers. A growing number of external breach attempts are now aimed at the financial information held by health care organizations.
Lesson 3: Don’t make it easy.
Not having appropriate IT controls is like leaving the front door of your house unlocked and open while you are away on vacation. Most breaches are the result of human error and opportunity.
Appropriate IT controls significantly raise the level of expertise required to break into an electronic information system and limit the incidents caused by human error or negligence. Periodic, independent evaluations of system controls can identify risks and weaknesses in the security program before an attacker does.
Lesson 4: Breaches are both intentional and unintentional.
The recent retail breaches are an example of attackers intentionally and successfully defeating security systems. Intentional breaches can also originate inside the organization.
A significant number of breaches in health care organizations are not perpetrated by malicious hackers outside the organization. Instead, they originate with people inside the organization and stem from misuse of access privileges. Internal breaches are generally unintentional and would be largely avoidable if appropriate IT controls were in place. Such breaches can be prevented by IT processes, organizational procedures, and the encryption of mobile devices, so that a lost or stolen laptop or phone does not expose the data it holds.
Lesson 5: Failure to put IT controls in place can be an extremely expensive mistake.
The costs to the breached retail organizations are expected to be enormous, both financially and to their reputations. A breach of information at a health care organization can be just as devastating. One recent breach resulted in a $4.9 billion lawsuit, while another resulted in a service organization being barred by the attorney general from doing business in a state.
In terms of IT security, the health care industry is significantly behind the financial and retail industries. Every health care organization knows about the Health Insurance Portability and Accountability Act (HIPAA), but a significant number of health care organizations have not put appropriate IT controls in place.
Each security breach is a wake-up call for all organizations. As the health care industry moves to a more advanced electronic environment with the ongoing implementation of electronic health records, IT security must become a priority. Success will require the investment of resources, both financial and human. Failing to invest raises the risk that at some point leadership will have to explain to the public why a breach occurred. The cost of that unfortunate event will be far greater than the proactive investment that could have helped avoid it.