In its data breach notification to affected patients and employees, the Florida-based healthcare system Broward Health confirmed that the breach affected the data of over 1.3 million patients. The attack took place on Oct. 15, 2021, when attackers gained access to the company's network and patient data, but it was not discovered until Oct. 19. The stolen data included patients' personal medical information: names or other personal identifiers in combination with driver's license number or non-driver identification card number.

Expert Comments

January 05, 2022
Ron Bradley
VP
Shared Assessments


  “Regardless of your industry, third party risk management is more important now than ever. The recent announcement by Florida’s Broward Health regarding a data breach of more than 1.3 million records may seem sensational at first, but the reality is they are just a drop in the proverbial bucket related to healthcare record losses in 2021.  

   “According to Broward Health, the breach occurred from a third party service provider authorized to access Broward Health systems. While HIPAA and HITECH regulations have effectively added many layers of protection to the data security onion, the fact remains, healthcare is still a soft target with high value rewards.

   “A simple search of the obligatory HHS reporting site “wall of shame” will produce over 600 breaches totaling 44.5 million records during 2021. The significance of those reported numbers is, there are thousands of third parties supporting those healthcare providers with access to protected information.

   “These are examples of reported breaches due to federal regulations. If you widen the lens to other less regulated industries, the magnitude becomes staggering. Thus, the importance of 3rd, 4th, and Nth party risk assessments to ensure proper assurance and due diligence.

   “The basics of TPRM are straightforward:

  • Evaluate your internal control environment (policies and standards)
  • Build your assurance program on one or more frameworks (e.g., NIST, ISO, HIPAA)
  • Maintain an accurate list of your service providers, and their providers, …and so on
  • Ensure you have a repeatable and auditable process
  • Measure and communicate your actions to senior management
  • Prepare for the worst when something fails

   “Trust me, I know from experience this is far easier said than done. The best advice I can give to anyone in this field is to keep it simple. Use spreadsheets and simple tracking mechanisms to start with. Automation is great, but not always necessary depending on scale and complexity. Lastly, stay current, stay relevant, and make sure you bring your risk and business partners along with you.”

January 05, 2022
Tim Erlin
VP of Product Management and Strategy
Tripwire


This incident is a good reminder that the effectiveness of your organization's cybersecurity extends to any third party with access to your systems. While it may not be practical for you to audit all of your suppliers directly, you can ask them what standards they comply with and how they're audited against those standards. Best practices from NIST and the Center for Internet Security provide a solid foundation for most organizations. It's important to ask this question at least annually, as circumstances change. This is a vital step to help safeguard the integrity of your organisation's digital assets and protect against similar threats.

January 05, 2022
Trevor Morgan
Product Manager
comforte AG


Starting off the new year with word of a high-profile data breach like the one affecting the Broward Health system might make you question whether healthcare providers are getting the message about data privacy and security. After all, it is difficult to find good news in a situation in which over 1M data subjects have had their most personal and sensitive health information compromised. However, we can take some solace in the fact that more and more healthcare providers are indeed realizing that keeping patients’ data private is an ethical obligation and means more than just implementing basic data security controls.

The more these types of data breaches occur, the more the general public understands that protecting borders and perimeters around sensitive data isn’t enough—effective data security needs to be applied directly to sensitive information in the form of data-centric security, including methods such as tokenization or format-preserving encryption. By tokenizing patient information as soon as it enters the data ecosystem, these organizations can continue to work with sensitive data in its protected state due to data format preservation. Better yet, if (or when) threat actors gain access to tokenized data, they cannot comprehend it or leverage it for personal gain or other nefarious purposes. We will see and read a lot about data breaches throughout this year, but the good news is that organizations wanting to protect patients’ sensitive PHI and PII have access to the right solution. It’s just a matter of deciding to take the appropriate medicine before any catastrophic exposure to risk occurs.

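To make the data-centric approach Morgan describes concrete, here is an added example written for this page (not comforte's product or any of Broward Health's systems): a vault-based tokenization step that swaps the driver's license number for a random token of the same format at ingest, so downstream format checks still pass while the stored records reveal nothing without the separately protected vault. The sample records, the `TokenVault` class and the license-number format are constructed assumptions.

```python
import re
import secrets
import string

# Constructed sample patient records; the values are not real.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "dl_number": "F123-456-78-901-0"},
    {"name": "Bob Example", "dl_number": "G987-654-32-109-8"},
]

# Assumed license-number layout used by the downstream format check.
DL_FORMAT = re.compile(r"^[A-Z]\d{3}-\d{3}-\d{2}-\d{3}-\d$")


class TokenVault:
    """Vault-based tokenization (hypothetical helper). The token carries no
    information about the original value; the only link between them is the
    mapping held here, which in practice lives in a separately protected store.
    Tokens keep the original's character classes so existing validation and
    display logic keep working on the protected field."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _random_same_format(value):
        # Digits become random digits, letters random letters of the same case;
        # separators such as hyphens are kept so the layout is preserved.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        # Same input always yields the same token, so joins and lookups on the
        # tokenized field remain possible without access to the clear value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_same_format(value)
            # Reject collisions with existing tokens and the identity token.
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Only code with vault access can recover the original value.
        return self._token_to_value[token]


def protect_records(records, vault):
    """Tokenize the license field at ingest; all other fields pass through."""
    return [{**r, "dl_number": vault.tokenize(r["dl_number"])} for r in records]
```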
