On March 10, 2019, nearly 42,000 patients who have trusted AdventHealth with their personally identifiable information (PII) and health information will be formally notified that this data has been compromised—for more than sixteen months.
The Data Breach
In late December, officials from Florida’s AdventHealth Medical Group Pulmonary and Sleep Medicine finally found the hacker’s footprint, discovering AdventHealth’s systems had been compromised “by an unauthorized third party” in August 2017. That means patients’ PII and health data, including names, Social Security numbers, DOBs, medical histories and more, have been accessible by hackers for over a year.
In AdventHealth’s notice to be distributed this March, the organization claims to have improved its processes “to enhance auditing and system safeguards” and is offering consumers free credit monitoring, fraud consultation and identity theft restoration services from risk consulting firm Kroll. The March notice will come after the sixty-day timeframe that the Department of Health and Human Services has established for individual notifications following a data breach discovery, which means we’ll soon get to see how DHHS handles its investigation and AdventHealth’s response to the incident.
This healthcare hack ranks high on the industry’s list of longest breach periods and joins over 500 other breaches in 2018 that have compromised more than 15 million patient records (a number that has tripled from 2017), indicating widespread security and monitoring issues and increased risk for hospitals and other healthcare organizations in 2019.
The Mistake
AdventHealth’s cybersecurity and threat monitoring efforts were clearly inadequate, putting thousands of patients at risk by letting a hacker access their systems undetected for a significant amount of time. Detecting the threat only after sixteen months reveals insufficient risk auditing methods and information system activity review.
One of the cornerstones of a strong security management system is regular risk assessments and monitoring. But the company’s delayed response—notifying consumers after DHHS’s sixty-day period—also shows problems with their incident response plan, which should always account for timely notice and resolution.
The Fix
Employing a strong risk management program that includes regular risk assessments and vulnerability scans would have allowed AdventHealth to tighten its security efforts in the age of increased ransomware and cybersecurity threats. Advanced identity management and access control tools and procedures would have also allowed the organization to keep better track of system users. Detection capabilities are crucial in reducing the time between a breach’s occurrence and an organization’s discovery, but developing a sound incident response plan to implement upon a breach discovery is also not something to underestimate.
Data & Security Risk Assessments
A data risk assessment securely handles PII within a system or network and regularly monitors and audits employee access to personal information to prevent unauthorized access. A security risk assessment can identify gaps in compliance, keep track of an organization’s overall security posture, conduct network penetration testing, review corporate policies and more. These comprehensive assessments are the fundamentals of a modern, secure healthcare IT system and should be implemented by each and every organization in the industry to help reduce the occurrence and impact of cyberattacks in 2019.
Incident Response Plans
An incident response plan is a documented plan for how an organization will act once a data breach or cyberattack has taken place. It outlines what employees, vendors and partners need to understand as soon as the breach occurs and explains how to maintain smooth and safe operations, minimize financial and operational loss, recover data and accomplish other necessary security tasks. Involving legal counsel in the creation and testing of response plans will help determine an organization’s breach notice law obligations as well.
Take steps for your organization today to avoid making the same mistakes as AdventHealth in the year ahead. Learn more about the components you need to create a comprehensive data protection plan that safeguards the data you handle and the patients you serve.
Are you ready to explore your cybersecurity options? Contact Loricca today to get started.