
Top five healthcare security hygiene fails in 2019


Security hygiene is like your immune system: bad habits can lead to the breakdown of your immune system and a greater susceptibility to viruses. Likewise, in cybersecurity, bad practices can lead to the breakdown of your security hygiene and a greater susceptibility to data breaches.

Security hygiene refers to the practices or processes used to maintain computer and network security. Certainly, data breaches can result from your system being infected with viruses. However, there are other security hygiene practices that help to maintain the integrity of your cybersystems and their data, minimising vulnerabilities that can be exploited.

Healthcare has become a highly targeted field because of the high value of protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) regulates data privacy for health information and mandates specific processes to best protect health data. Because of this, proper healthcare security hygiene practices are central – failure to implement them can lead to massive fines, loss of reputation and trust, and lawsuits from clients or patients.

Based on recent data breaches and levied fines, below are some of the most important healthcare security hygiene fails of 2019.

Healthcare security hygiene fails

1. System Misconfigurations and Vulnerabilities

Misconfiguration is a major problem in healthcare systems. A number of 2019 breaches or fines illustrate this point. In terms of breaches, Immediata Health Group exposed the information of approximately 1.56 million patients because of an incorrect webpage setting that allowed search engine indexing. This left PHI open to anyone with Internet access, and not just employees with internal access. The University of Washington Medicine exposed the information of approximately 1 million patients because of the accidental removal of webpage settings. This also allowed for search engine indexing.

In terms of fines levied, Touchstone Medical Imaging was fined $3 million because, in 2014, an FTP server allowed uncontrolled access to PHI; since the misconfiguration had allowed the content to be indexed by search engines, the PHI remained reachable even after the server was taken offline. Cottage Health was fined $3 million for breaches in 2013 and 2015, one of which involved misconfigurations that exposed PHI.

The above examples were the result of internal errors, but misconfigurations and other vulnerabilities can also allow hackers to enter the system. Mission Health found malicious code on their e-commerce websites, which diverted payment information to hackers. While discovered in 2019, the code had been installed at least 3 years earlier. Another growing trend is the exploitation of vulnerabilities to install ransomware on healthcare systems. In one of a plethora of examples of this, DCH Health System had to close all of its Alabama hospitals to new patients who were not in a critical condition when its system was frozen by ransomware. DCH ultimately had to pay the hackers an undisclosed amount to get the encryption key and regain access to their system and data.
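The indexing failures above share one root cause: a page holding PHI answered unauthenticated requests and carried no directive telling crawlers to stay away. The following is an added example (not code from the article or from any of the organisations it names) of a small audit that checks both conditions for a list of PHI URLs. The hostname `portal.example`, the two record paths, the robots.txt text and the response headers are all constructed here; in practice the responses would come from an authenticated scanner run against your own portal.

```python
"""Added example: audit whether pages that hold PHI are reachable without
authentication and whether anything stops search engines from indexing them.
All hostnames, paths, headers and robots.txt content below are constructed.
"""
import re
from urllib.robotparser import RobotFileParser

# Constructed robots.txt as served by the hypothetical portal host.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
"""

# Constructed responses: url -> (status, headers, body).
# Record 12345 is misconfigured (public and indexable); 67890 requires auth.
SAMPLE_RESPONSES = {
    "https://portal.example/records/12345": (
        200,
        {"Content-Type": "text/html"},
        "<html><head><title>Patient record</title></head><body>PHI</body></html>",
    ),
    "https://portal.example/records/67890": (
        401,
        {"WWW-Authenticate": "Bearer", "X-Robots-Tag": "noindex, nofollow"},
        "",
    ),
}

META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)


def indexability_findings(url, status, headers, body, robots_txt):
    """Return a list of hygiene findings for one PHI URL (empty list = fine)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # The real control: PHI must never be served to an unauthenticated client.
    if status == 200:
        findings.append("served without authentication (HTTP 200)")

    # Defence in depth: crawler directives. They are advisory and never replace
    # authentication, but a missing noindex is what turns an exposed page into
    # a search-engine result that outlives the server itself.
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if rp.can_fetch("*", url):
        findings.append("robots.txt does not disallow crawling")
    if "noindex" not in hdrs.get("x-robots-tag", "").lower():
        findings.append("no 'X-Robots-Tag: noindex' header")
    if status == 200:  # only a served body can carry a meta tag
        m = META_ROBOTS.search(body)
        if not m or "noindex" not in m.group(1).lower():
            findings.append('no <meta name="robots" content="noindex">')
    return findings


def is_exposed(findings):
    """True when the page is public AND nothing tells crawlers to skip it."""
    public = any("without authentication" in f for f in findings)
    indexable = any(f.startswith(("no ", "robots.txt")) for f in findings)
    return public and indexable


def audit(responses=SAMPLE_RESPONSES, robots_txt=ROBOTS_TXT):
    """Run the check over every sampled response; returns url -> findings."""
    return {url: indexability_findings(url, *resp, robots_txt)
            for url, resp in responses.items()}


if __name__ == "__main__":
    for url, findings in audit().items():
        print(url, "EXPOSED" if is_exposed(findings) else "ok", findings)
```

Note that the 401 response still produces a robots.txt finding: that is deliberate, since robots.txt is a public file and listing record paths in it is a weak signal either way. The authentication check is the one that decides whether a record is actually exposed.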

2. Failing to Encrypt Devices and Drives

It would seem to go without saying that PHI and drives or devices containing it need to be encrypted. And, yet, it apparently does need to be said. In 2019, the University of Rochester Medical Centre (URMC) was fined $3 million for breaches related to the theft of a laptop and a flash drive containing unencrypted PHI. The problem wasn’t merely that the unencrypted drives were stolen, but that URMC failed to implement adequate healthcare security hygiene procedures, including utilising device controls and employing adequate encryption mechanisms where regulatory bodies called for them. As Roger Severino, the director of the Office of Civil Rights, stated: “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies but fail to fix the problem, they will be held fully responsible for their neglect.”

3. Unauthorised Users

Adequate healthcare security hygiene is integral to preventing unauthorised users, and to alerting cybersecurity teams in the event that an unauthorised user has somehow breached the security system. However, this has been a big fail for the healthcare sector – including the biggest breach of 2019. In March of 2019, American Medical Collection Agency – a billing company used by dozens of medical labs throughout the United States – discovered that the personal and payment information for more than 25 million patients had been breached by an unauthorised user. But this information wasn’t simply hacked in 2019; the user had first gained access to the system in August 2018 and the information had been advertised in black market forums.

In another case, an unauthorised user potentially accessed the patient files of approximately 3 million patients through Dominion National, an insurer and administrator of health plans. While Dominion didn’t receive the alert until 2019, their investigation showed that the unauthorised user had accessed their servers dating back to 2010.
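Both of these cases were discovered months or years after the first unauthorised login, which is what a roster check over authentication logs is meant to catch early. The following is an added example (not from the article or any of the named organisations) that scans constructed login records, reports every account that logged in successfully without being on the authorised roster, and computes how long it went unnoticed. The log format, account names and IP addresses are all constructed for the example.

```python
"""Added example: flag successful logins by accounts outside the authorised
roster and report how long they went unnoticed. The log format, user names
and source addresses are constructed; they describe no real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit-log lines: ISO-8601 UTC timestamp, event, user, source IP.
SAMPLE_LOG = """\
2018-08-01T02:14:07Z LOGIN_OK user=svc_billing src=10.20.0.5
2018-08-01T03:40:19Z LOGIN_OK user=contractor7 src=203.0.113.45
2018-08-09T01:02:55Z LOGIN_OK user=contractor7 src=203.0.113.45
2018-09-15T22:17:03Z LOGIN_FAIL user=jsmith src=198.51.100.9
2019-02-20T04:55:41Z LOGIN_OK user=contractor7 src=198.51.100.23
2019-03-03T09:00:12Z LOGIN_OK user=jsmith src=10.20.0.8
"""

# Constructed roster: the accounts that are supposed to exist on this system.
AUTHORISED = {"svc_billing", "jsmith"}

LINE = re.compile(r"^(\S+)\s+(LOGIN_OK|LOGIN_FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, src) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4)


def unauthorised_logins(text, roster):
    """Map each non-roster user with a successful login to its evidence."""
    seen = defaultdict(lambda: {"first": None, "last": None,
                                "count": 0, "sources": set()})
    for ts, event, user, src in parse_log(text):
        if event != "LOGIN_OK" or user in roster:
            continue  # failed attempts and known accounts are out of scope here
        e = seen[user]
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["count"] += 1
        e["sources"].add(src)
    return dict(seen)


def dwell_days(evidence, detected_at):
    """Whole days between the first unauthorised login and when it was noticed."""
    return (detected_at - evidence["first"]).days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for user, ev in unauthorised_logins(SAMPLE_LOG, AUTHORISED).items():
        print(f"{user}: {ev['count']} logins from {sorted(ev['sources'])}, "
              f"first {ev['first']:%Y-%m-%d}, unnoticed for {dwell_days(ev, now)} days")
```

The roster comparison is deliberately simple: the point is that it runs on every log batch, so the first successful login by an account nobody provisioned raises an alert the same day rather than surfacing years later from a forum post.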

4. Compromised or Blank Passwords

Having a complex password and making sure a password isn’t left blank is a basic element of security hygiene. And, yet again, the seemingly obvious has led to fails in healthcare security. In 2019, Medical Informatics Engineering (MIE) agreed to pay $100,000 for a breach of 3.5 million records in 2015. The breach was the result of hackers compromising two user IDs and corresponding passwords. But this wasn’t the result of a complex phishing scheme. One of the user IDs was “tester” while the other was “testing,” and the corresponding passwords were the same as the user IDs. During the investigation, the Office of Civil Rights found that MIE failed to undertake an adequate risk analysis to determine vulnerabilities in their security infrastructure. But at least MIE had duplicated test user IDs and passwords; Cottage Health’s other breach in 2019 involved PHI being accessible without a username or password.
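The MIE credentials would have been caught by a check run at the moment a password is set. The following is an added example (not from the article or from MIE) of such a check: it rejects blank passwords, passwords equal to or containing the username, default test-account names, and short or low-variety passwords. The account-name list and the thresholds are constructed for this example; the only value taken from the article is the pattern of a test account whose password equals its user ID.

```python
"""Added example: reject weak or default credentials when an account is
created or a password is changed. The forbidden account names, the length
threshold and the sample accounts below are constructed for this example.
Passwords are checked here in plaintext only at set time; storage must still
use a proper password hash, which this example does not cover.
"""

# Constructed: account names that should never exist on a production system.
DEFAULT_TEST_ACCOUNTS = {"test", "tester", "testing", "admin", "guest", "demo"}
MIN_LENGTH = 12          # constructed policy threshold
MIN_DISTINCT_CHARS = 4   # rejects "aaaaaaaaaaaa"-style padding


def credential_issues(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    issues = []
    u = (username or "").strip().lower()
    p = password or ""

    if not p:
        issues.append("blank password")
    if u in DEFAULT_TEST_ACCOUNTS:
        issues.append("default/test account name")
    if p:
        if p.lower() == u:
            issues.append("password equals username")
        elif u and u in p.lower():
            issues.append("password contains username")
        if len(p) < MIN_LENGTH:
            issues.append(f"shorter than {MIN_LENGTH} characters")
        if len(set(p)) < MIN_DISTINCT_CHARS:
            issues.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return issues


def audit_accounts(accounts):
    """Run the check over (username, password) pairs; returns only failures."""
    report = {}
    for username, password in accounts:
        issues = credential_issues(username, password)
        if issues:
            report[username] = issues
    return report


# Constructed sample accounts, including the tester/testing pattern.
SAMPLE_ACCOUNTS = [
    ("tester", "tester"),
    ("testing", "testing"),
    ("nurse.adams", ""),
    ("nurse.adams2", "nurse.adams2-2019"),
    ("dr.lee", "correct-horse-battery-staple-77"),
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
```

Run as part of account provisioning, the same function also serves as a periodic audit: feed it the account list with a blank password for any account that has no credential set, and every "no username or password" exposure shows up as a finding.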

5. Storing Protected Data in Public Servers

Protected data should be…protected! Of course, when you move that data to a public server, it’s accessible to anyone. In 2019, the Texas Health and Human Services Commission (TX HHSC) was fined $1.6 million for HIPAA violations between 2013 and 2017. The PHI of approximately 7000 patients was exposed when an internal application was moved to a public server. While investigating the breach, the Office of Civil Rights found that TX HHSC hadn’t implemented access controls, and thus was incapable of auditing user access when the information was moved to the public server.
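The TX HHSC finding ties the two halves of this fail together: without an access-control decision there is nothing to record, so nobody can later say who read what. The following is an added example (not from the article or from TX HHSC) of the smallest useful shape of that control: a default-deny role check that writes an audit entry for every decision, allow or deny, plus a query that answers "who accessed this record". Roles, principals and record identifiers are constructed.

```python
"""Added example: default-deny access control for PHI records with an audit
trail of every decision. The role table, directory and record ids are
constructed; in production the audit log would be append-only and shipped
off the application host.
"""
from datetime import datetime, timezone

# Constructed role -> actions permitted on PHI records.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "public": set(),  # anyone not in the directory: no access at all
}

# Constructed principal -> role directory. Unknown principals map to "public".
DIRECTORY = {"dr.lee": "clinician", "billing.bot": "billing"}

AUDIT_LOG = []  # list of dict entries; see authorise()


def authorise(principal, action, record_id, log=AUDIT_LOG, now=None):
    """Return True if allowed. Every call appends an audit entry, allow or deny,
    so that denied probes are visible and allowed reads are attributable."""
    role = DIRECTORY.get(principal, "public")
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append({
        "ts": now or datetime.now(timezone.utc),
        "principal": principal,
        "role": role,
        "action": action,
        "record": record_id,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def who_accessed(record_id, log=AUDIT_LOG):
    """Principals that were actually allowed to touch a record."""
    return sorted({e["principal"] for e in log
                   if e["record"] == record_id and e["decision"] == "allow"})


def denied_attempts(log=AUDIT_LOG):
    """(principal, action, record) triples that were refused; worth alerting on
    when they come from principals outside the directory."""
    return [(e["principal"], e["action"], e["record"])
            for e in log if e["decision"] == "deny"]


if __name__ == "__main__":
    authorise("dr.lee", "read", "rec-001")
    authorise("billing.bot", "write", "rec-001")   # billing may only read
    authorise("anonymous", "read", "rec-001")      # not in directory -> public -> deny
    print("accessed rec-001:", who_accessed("rec-001"))
    print("denied:", denied_attempts())
```

Moving an application to a public host does not change this code; it changes who can reach it. Because unknown principals fall through to the empty `public` role, the move yields a stream of `deny` entries from unfamiliar principals rather than silent exposure, which is exactly the audit evidence the regulator found missing.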

Doc Vaidhyanathan, product development, Spanugo

Doc Vaidhyanathan is a security systems and authentication expert. He leads product development at Spanugo, addressing the security assurance needs of hybrid data centers for enterprise operations. Prior to founding Spanugo, Doc was part of the core management team at Arcot Systems (acquired by CA Technologies in 2010) that built one of the largest global authentication programs in the payment industry (3D Secure) with over 160M registered users. Doc has held leadership positions in Product Management, SaaS Operations, Engineering and Services Management, and has managed global teams of 400+ engineers.