BLOG
A Cautionary Tale: Pay Attention to Remedial Steps Post Cyber Breach

I remember in drivers’ education class being shown the obligatory scary movie on railroad crossing accidents. After the wreck, one salty old train engineer says to another, looking at the demolished car, “Why don’t they learn, Slim?” “I don’t know, Jim,” the other fellow says, scratching his furrowed brow.

In the information security world, we are past the need for scare tactics. Only an ostrich might be oblivious to the heightened cyber risks these days and their increasing frequency. Nevertheless, periodically you see cautionary reminders of mistakes that are made pre-, during, and post-security incidents.

Take one HIPAA situation for example. The U.S. Department of Health and Human Services’ Office for Civil Rights just announced a $3.2 million fine paid by The Children’s Medical Center of Dallas. Why? In 2009 a BlackBerry device was lost, and in 2013 a laptop was stolen. Both devices contained unencrypted data which together revealed personal health information (PHI) for over 6,000 people.

In January 2010, Children’s dutifully self-reported a breach on the loss of the BlackBerry device at the Dallas/Fort Worth International Airport in November 2009. The BlackBerry lacked password protection and contained unencrypted electronic PHI and personally identifiable information (PII) on about 3,800 individuals.

When the laptop was stolen at the Hospital in April 2013, Children’s filed a breach report the following July. It seems the laptop, too, contained unencrypted PHI and PII on nearly 2,500 individuals.

Hindsight is so crystal clear. How could Children’s allow continued use of devices without encryption to protect PHI and PII, many of the devices dating back to the mid‑2000s? And after the BlackBerry was lost, how could it be that unencrypted laptops were still around, and the Hospital allowed its nurses and workforce to continue using unencrypted laptops and other mobile devices until 2013?

Children’s decided to pay the fine and avoid a long and costly (and uncertain) fight to defend itself, a distraction from their care mission. In a familiar refrain, the Hospital reported there was no evidence, despite the two incidents, that any patients or their families were affected. It also reported that it now had new, enhanced levels of protection across the variety of devices in use and had beefed up training on the importance of protecting patient information, plus the security methods to do so.

In the healthcare sector, incorporation of mobile technology, virtual imagery over network infrastructures with remote access, and faster communication of medical data is vital to improved quality of care. Data breaches (whether by external attack or internal mistakes), or ransomware (dedicated denial of service) are likewise threats to continuity of care and the physical and financial well-being of patients.

While these breathtaking changes in technology occur, headlines of healthcare organizations’ information management lapses continue. The lessons of each incident must be carefully analyzed and applied to thwart future attack vectors and to protect patient information.

“Why don’t they learn, Slim?” Regardless of the merits of Children’s legal defenses, it is clear that the predictable events involving lost or stolen devices known to hold sensitive patient information did not inspire a hard look at both the devices used and the system protections in place in the days following those security incidents. The takeaway: don’t get hit by that train. And that advice holds true for all organizations, not just healthcare institutions. Implement systems and protocols—in this case multi-factor authentication, end-point security, and encryption tools—to follow up on cyber incidents or loss of devices to ensure reasonable and effective precautions are in place to mitigate known or predictable risks.

  • Glenn E. Davis
    Partner

    Experience matters. For over 40 years, Glenn Davis’ unwavering commitment to clients has been the delivery of creative and efficient results in dynamic business disputes and cybersecurity challenges. His mission is to provide ...
