According to a statement issued by Albany, N.Y.-based St. Peter’s Surgery & Endoscopy Center on Jan. 8, 2018, an unauthorized third party possibly gained access to approximately 135,000 patient records at their facility.
The key words here are “unauthorized” and “possibly.” St. Peter’s knows, from the malware found on its server, that someone with access knowingly or unknowingly allowed malware to be loaded, whether through the web, email or a USB drive, or through a network worm or an insecurely configured remote-access path. What is disquieting is that there is no traceable record of activity against the patients’ electronic files: access to those records can be neither proved nor ruled out.
As frightening as this potential breach of patients’ records is to St. Peter’s and its patients, it does provide an opportunity to bring up some preventive strategies to improve the health of your IT network.
As a managed IT services provider specializing in HIPAA security, and a member of both the New York State Association of Ambulatory and Surgery Centers (NYSAASC) and the national Ambulatory and Surgery Center Association (ASCA), SkyPort IT regularly educates our clients about the cybersecurity services and tools that should be used to prevent and/or document breaches, and about the basic procedures that let you build an electronic paper trail of every activity involving electronic protected health information (ePHI) in your IT environment.
Who Has Your Back?
Because SkyPort IT specializes in HIPAA compliance for healthcare IT, including policies and procedures for electronic records and information systems, we advocate for security at every layer and level of your information network.
In the case of St. Peter’s recent malware discovery, our breach management system would identify exactly what had happened, and there would be no ambiguity about where the files went or who had them, because we log every file access on the network. We set up alerts so that when a protected file is accessed we can quickly determine who in the organization touched it and the path it took. The system can also block file operations to prevent critical data from leaving the environment.
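One way to build that kind of per-file access trail on a Windows file server, shown here as an added example and not SkyPort IT’s own tooling: turn on object-access auditing, put a system access control list (SACL) on the folder that holds ePHI, and then report who touched which file, from which process, using the resulting Security-log events (event ID 4663). The folder path D:\PHI and the one-day lookback are assumptions.

```powershell
# Added example: file-access trail for an ePHI folder on Windows Server.
# Run in an elevated PowerShell session. Not SkyPort IT's product code.

$PhiPath = 'D:\PHI'   # assumption: the folder that holds ePHI

# 1. Enable the "File System" object-access audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on the folder so every read/write/delete by anyone is logged as event 4663.
$acl  = Get-Acl -Path $PhiPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $PhiPath -AclObject $acl

# 3. Report who touched which file under the ePHI folder, from which process, in the last $Days days.
function Get-PhiAccessTrail {
    param([string]$Path = $PhiPath, [int]$Days = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # The useful fields live in the event's XML payload; flatten Name/#text pairs into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Access  = $data.AccessMask      # e.g. 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE
            Process = $data.ProcessName
        }
      } |
      Where-Object { $_.Object -like "$Path*" } |
      Sort-Object Time
}

Get-PhiAccessTrail | Format-Table -AutoSize
```

Two practical notes: event 4663 is noisy, so raise the Security log size (for example with `wevtutil sl Security /ms:<bytes>`) or forward it to a SIEM, otherwise the trail rolls over before anyone looks at it; and an alert is only as good as its trigger, so attach a scheduled task or SIEM rule to 4663 events whose ObjectName falls under the ePHI path rather than reviewing the log by hand.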
More importantly, our healthcare cybersecurity services extend to preventing malware from reaching your server in the first place. As important as the software tools and services we use to keep organizations like yours safe are the HIPAA compliance policies and procedures we put in place for data protection.
Physical security for your server is especially important. Every server should be secured both physically and against remote access, with access limited to the few people who need it. Whether or not you have an IT person on staff, and many small to medium-sized businesses do not, you must have a policy and procedure in place that limits access to the organization’s server.
Patient records are a gold mine.
There are a number of ways a worm or other malware can enter your IT network. While it is important for all employees to be educated about good practices for using the internet and your internal network, it is critical that the employees most active on the network, such as your IT staff, are vigilant.
The server is not a personal workstation and should be used only for appropriate work such as maintenance. Your IT staff, IT provider, or anyone else with administrative rights on the server should never use it for any of these activities, all of which are intrusion vectors:
Browsing the web
Looking at emails
Opening files off a thumb drive
Plugging in a cell phone
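Telling administrators not to do these things is policy; the server should also refuse to do them. Below is an added example, not SkyPort IT’s configuration, of the host-level controls a practitioner would put on a Windows server to enforce the four rules above: disable the USB storage driver and removable-device installation (thumb drives and phones), turn on Internet Explorer Enhanced Security Configuration for administrators, block the browsers’ outbound traffic at the host firewall, check that no mail client is installed, and list who actually holds local administrator rights so the access policy can be verified against reality. The browser paths and the mail-client name pattern are assumptions for the server in question.

```powershell
# Added example (not SkyPort IT's configuration): make "the server is not a workstation"
# enforceable on Windows Server. Run elevated. Values marked "assumption" need adapting.

# 1. Thumb drives: stop the USB mass-storage driver from loading (Start = 4 means disabled).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4

# 2. Phones and other removable devices: refuse to install drivers for any removable device
#    (the "Prevent installation of removable devices" policy, written directly to the registry).
$devInstall = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path $devInstall -Force | Out-Null
Set-ItemProperty -Path $devInstall -Name DenyRemovableDevices -Value 1 -Type DWord

# 3. Browsing: enable IE Enhanced Security Configuration for administrators (effective at next logon) ...
$ieEscAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
Set-ItemProperty -Path $ieEscAdmin -Name IsInstalled -Value 1 -Type DWord

#    ... and block the browsers' outbound traffic at the host firewall, so an admin cannot browse
#    from the server even if ESC is relaxed. The block is per program, not per port, so patching,
#    EDR and backup agents keep working. Browser paths are assumptions for this server.
$browsers = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
)
foreach ($exe in $browsers) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Block web browsing from server ($([IO.Path]::GetFileName($exe)))" `
            -Direction Outbound -Program $exe -Action Block -Profile Any | Out-Null
    }
}

# 4. Email: a server should have no mail client at all. Report any that are installed
#    (name pattern is an assumption; extend it for whatever clients your environment uses).
$mailClients = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -match 'Outlook|Thunderbird' } |
    Select-Object -ExpandProperty DisplayName

# 5. Who can log on with admin rights? This is the list your access policy has to justify, name by name.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

# Verification report: read every setting back rather than trusting that the writes succeeded.
[pscustomobject]@{
    UsbStorDisabled      = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4
    RemovableInstallDeny = (Get-ItemProperty $devInstall).DenyRemovableDevices -eq 1
    IeEscForAdmins       = (Get-ItemProperty $ieEscAdmin).IsInstalled -eq 1
    BrowserBlockRules    = (Get-NetFirewallRule -DisplayName 'Block web browsing from server*' -ErrorAction SilentlyContinue | Measure-Object).Count
    MailClientsFound     = ($mailClients -join ', ')
    LocalAdmins          = ($admins -join ', ')
} | Format-List
```

One caveat: on a domain-joined server, values written under HKLM\SOFTWARE\Policies are overwritten at the next Group Policy refresh, so in that case put the same device-installation and firewall settings in a GPO scoped to the server OU and use this script only to verify that the policy actually applied.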
Recognizing that the server at a healthcare or medical organization holds information that is a gold mine for hackers is the first step in protecting your patients’ data, your business, and your reputation. Advice and useful materials for cloud computing security and healthcare IT can be found here: https://www.skyport-it.com/useful-materials-just-for-you.