Diagnosis: Data Breach

Jessica Carter

May 16 2019

Minimize the impact and cost of healthcare data breach incidents

According to the 2018 Verizon Data Breach Report, the healthcare industry experienced 750 data breach incidents, 536 with confirmed data disclosure last year alone. And so far, 2019 isn’t shaping up to be any better. In the first quarter of 2019 there have already been 58 reported breaches, impacting 1,396,634 records.

What’s Causing All These Incidents?

The driving force behind those attacks varied considerably, with malware, cyberespionage, web applications and everything in between noted as a source of the incident. However, for the majority of cases you don’t have to look very far to find the source. Fifty-six percent of incidents were the result of employee error. For all the hype over hackers lurking in the shadows launching malware and attacks on corporations, in reality one of the most overlooked threats to data security is just human behavior. Clicking phishing links, accessing data they’re not privileged to look at, misdelivery (i.e., Joe accidentally cc’d the wrong person on his email) or leaving a device unattended rank high on the list of top behaviors to blame. When the threat is internal, no amount of cyber security prevention can protect against 100 percent of incidents.

One such example of employee error happened in October 2018, when a researcher discovered that North Carolina-based MedCall Healthcare Advisors had been leaking protected, personal data through a misconfigured Amazon S3 storage bucket, leaving the database exposed to the public—not once, but twice in a single month.

Another example comes from a case last summer out of Canada, where a snooping Sobeys pharmacy employee was fined and suspended from practice for six months for spying on the electronic health records of 46 people she knew, including her child's girlfriend. Canadian privacy commissioner Catherine Tully responded that Sobeys “failed to act in a timely fashion to properly and thoroughly investigate and contain these privacy breaches.”

Tick Tock, Time to Report

In the words of Commissioner Tully, “acting in a timely fashion” is crucial. Every second counts when detecting, remediating and investigating a data breach. The goal is to not only contain the threat, but to quickly identify the full scope of the breach, to understand the full impact and determine the necessary response. And thanks to high-profile breaches and heightened data privacy scrutiny driving more national and state-level legislation on data breach notification deadlines, that timeline from detection through reporting is quickly shrinking.

In 2018, several states revised their data breach notification laws to specify deadlines for notifying affected individuals. Colorado and Florida tie for the shortest notification deadline in the U.S., at just 30 days, while Alabama, Arizona and Oregon all passed legislation enacting a 45-day notification period. Louisiana and South Dakota have a 60-day notification deadline for alerting affected individuals. In California, breaches of medical information require that affected patients and the California Department of Health Services be notified no later than 15 business days after the unauthorized access, use, or disclosure has been detected. It’s very likely that more states will follow suit, passing legislation that shortens the timeframe for reporting data breaches and better defines the previously noted requirement to notify “without unreasonable delay.”

The Cost of Non-Compliance

For healthcare in particular, the Department of Health and Human Services Office for Civil Rights (OCR) is sending the message that organizations need to take these notification deadlines seriously, or risk steep fines. Children’s Medical Center of Dallas found out the hard way, when they failed to respond in a timely manner to a breach, costing the company $3.2 million in fines in 2017.

Add the threat of fines to the already excessive cost of a breach—including everything from lost company revenues, outside counsel fees, and credit monitoring expenses for those impacted—and the brand implications for being called out in the media for the data breach, and it’s no wonder the security team at every major healthcare entity is scrambling to find the “magic formula” to minimize the threat and limit the impact as much as possible.

Software Innovations Can Expedite Incident Response

Launching a thorough investigation into a data breach incident requires significant time to first detect the threat, mitigate the problem, perform the necessary analysis to understand the scope of the incident, and then act on the evidence gathered to launch appropriate response plans. With shortened notification deadlines making that even more challenging, IT security teams need tools that can help automate the process, expedite analysis and get to the bottom of the breach faster than ever before. With the new API from AccessData®, organizations can now automate forensic data capture the minute a breach is detected by seamlessly integrating cyber tools with AD Enterprise for post-breach analysis. Now, when an organization’s cyber platform detects anomalies on the system, the orchestration service is called and AD Enterprise collects the targeted data from the system to investigate those anomalies, all without the need for user interaction, saving significant time and cost when investigating a breach.

Having a thorough incident response plan in place that includes the right software to expedite the process from detection through investigation can help ensure your organization is adhering to data breach response guidelines and strict notification deadlines. To request a demo of the new API, visit
