There are plenty of challenges facing healthcare IT organizations out there. The attacks on major health networks in the U.S. including Anthem, Premera and Community Health Services signal that hospital networks and insurers are in the crosshairs of sophisticated adversaries. Similar trends have been seen outside the U.S., as well.
But while sophisticated and stealthy attacks on healthcare providers may be on the rise, news out of the United Kingdom this week reminds us that, often, the cause of a damaging and embarrassing data breach is all too easy to spot.
As the Guardian reports, the UK’s National Health Service found itself apologizing this week for an embarrassing breach at a London clinic that exposed the identities of some 780 HIV patients. The cause of the breach was an all too common mistake: the “cc” field on an e-mail message.
According to UK health secretary Jeremy Hunt, a staff member at the Dean Street clinic in London sent a newsletter for patients using the clinic’s HIV and sexual health services with the names of recipients pasted into the “cc”(or carbon copy) field rather than the “bcc” (blind carbon copy) field.
It’s an error that is familiar to any modern office worker. However, in this case the stakes were high. UK officials have warned that medical records are of particular interest to cyber criminal gangs there which hope to leverage the information they contain to enable identity theft scams or even blackmail and extortion campaigns.
The stakes are high for healthcare firms that experience a breach, as well. Insurers are pushing back on damages claims when there is evidence that a provider failed to fulfill its responsibility to protect sensitive patient data. The failure to take steps to prevent simple errors like the cc/bcc confusion might be cited by an insurer in denying a claim.
Clearly there are many possible remedies to inadvertent leaks like this. Email marketing products make it a simple matter to distribute newsletters to customers or patients while also protecting the identities of your subscribers. Even barring those powerful and inexpensive services, simple application logic can be used to warn senders when they have pasted a long list of recipients into the “cc” field and ask them to confirm their decision to do so. Finally, data leak prevention tools can protect lists of patient names from being transmitted outside of an organization.
Hunt, the UK’s health secretary, said that country’s Care Quality Commission would conduct an independent review of the effectiveness of existing data security measures in the NHS and recommend changes. One object of that inquiry would presumably be to close technical loopholes that allow inadvertent data loss incidents such as this, as well as to beef up protections against cyber attacks, he said.
It’s likely that it wont take long for those investigators to get to the bottom of this incident. The bigger question is what steps they will take to remedy it and to address the larger, structural problems that make healthcare providers so prone to hacks and mishaps.
Data Protection Security Audit Checklist
Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.
Related ArticlesIn the Wake of the Year of the Data Breach, Do we Need a Sarbanes Oxley for IT?
When scandals roil Wall Street or Corporate Boards, federal regulations soon follow. Five years into our data theft epidemic, however, there’s still no law demanding accountability for information security.South Carolina School District Does the Ransomware Two Step
A South Carolina school district is the latest to do the ransomware two step: assuring parents that data encrypted and held hostage by the criminals wasn’t “accessed” by them. Nice try.Insurance Claim Data Paints Fuzzy Picture on Cost of Breach
How much does a company pay for each record lost in a data breach? The latest survey of cyber insurance claims suggests the answer is more complicated than you would think.