BACKGROUND:
An attack on CaptureRX, which helps healthcare providers administer 340B programs (which let those serving vulnerable patient populations purchase outpatient drugs at discounted prices), has exposed patients’ names, dates of birth, and prescription information. Cybersecurity experts offer perspective.
<p>For healthcare providers that have a large amount of patient data that can fetch a handsome price in the underground market, ransomware represents a significant risk. To protect infrastructure against ransomware, organizations need to establish a rigorous vulnerability discovery and patching cadence, train users/employees to be extra vigilant against phishing, and verify security controls are working properly.</p>
<p>All PHI (Personal Health Care information) falls under HIPAA guidance. There are stated rules of practice for enterprises who handle PHI to follow. When a breach occurs and PHI is determined to be exfiltrated to non-permissioned users, an investigation can and usually does occur, conducted by the OCR, the U.S. Government’s Office of Civil Rights. They will determine if the proper practices of data governance have been followed. Often, they determine that these practices have not been followed and fines are put in place, such as when Athens Orthopedic was fined $1.5M in 2020 and Lifespan Health System was fined $1.04M in 2020.</p>
<p>Data Governance starts with the HIPAA-prescribed regular access reviews, examining each reviewer who has access to data and applications, what data access privileges have changed, and who approved such changes in the last audit period.</p>
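<p>The access review described above, reduced to a check that can be run each audit period, as an added example that is not from the article or from CaptureRX: two constructed snapshots of who holds which privilege on which application are compared, and every new grant is reconciled against a constructed approval log so that grants nobody signed off on surface by themselves.</p>

```python
"""Added example (not the article's or CaptureRX's code): reconcile access
snapshots against an approval log for a periodic HIPAA access review.
Every user, application, privilege and approver below is constructed."""

# Constructed snapshot of grants at the end of the last audit period.
# Each grant is (user, application, privilege).
PREVIOUS_GRANTS = {
    ("alice", "pharmacy-db", "read"),
    ("bob", "pharmacy-db", "read"),
    ("carol", "claims-portal", "admin"),
}

# Constructed snapshot of grants as they stand today.
CURRENT_GRANTS = {
    ("alice", "pharmacy-db", "read"),
    ("alice", "pharmacy-db", "write"),   # new privilege, approved below
    ("bob", "pharmacy-db", "read"),
    ("dave", "claims-portal", "read"),   # new grant with no approval on file
}

# Constructed change-approval records pulled from the ticketing system.
APPROVALS = [
    {"user": "alice", "app": "pharmacy-db", "priv": "write", "approver": "ciso"},
]


def review_access(previous, current, approvals):
    """Return what changed since the last review and who approved it.

    'unapproved' is the list a reviewer must act on: privileges that were
    added during the audit period without a matching approval record.
    """
    approver_by_grant = {
        (a["user"], a["app"], a["priv"]): a["approver"] for a in approvals
    }
    added = current - previous
    removed = previous - current
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "approved": sorted((g, approver_by_grant[g]) for g in added
                           if g in approver_by_grant),
        "unapproved": sorted(g for g in added if g not in approver_by_grant),
        # Every user still holding any privilege, for the "who has access" pass.
        "current_holders": sorted({user for user, _, _ in current}),
    }


if __name__ == "__main__":
    for key, value in review_access(PREVIOUS_GRANTS, CURRENT_GRANTS, APPROVALS).items():
        print(f"{key}: {value}")
```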