In its data breach notification to affected patients and employees, the Florida-based Broward Health healthcare system confirmed that the breach affected the data of over 1.3 million patients. The attack took place on Oct. 15, 2021, when attackers gained access to the company’s network and patient data, but it was not discovered until Oct. 19. The stolen data included patients’ personal medical information: names or other personal identifiers in combination with driver’s license numbers or non-driver identification card numbers.

3 Expert Comments
Ron Bradley
InfoSec Expert
January 5, 2022 10:33 am

<p>“Regardless of your industry, third party risk management is more important now than ever. The recent announcement by Florida’s Broward Health regarding a data breach of more than 1.3 million records may seem sensational at first, but the reality is they are just a drop in the proverbial bucket related to healthcare record losses in 2021.</p>
<p>“According to Broward Health, the breach occurred from a third party service provider authorized to access Broward Health systems. While HIPAA and HITECH regulations have effectively added many layers of protection to the data security onion, the fact remains: healthcare is still a soft target with high value rewards.</p>
<p>“A simple search of the obligatory HHS reporting site “wall of shame” will produce over 600 breaches totaling 44.5 million records during 2021. The significance of those reported numbers is that there are thousands of third parties supporting those healthcare providers with access to protected information.</p>
<p>“These are examples of reported breaches due to federal regulations. If you widen the lens to other less regulated industries, the magnitude becomes staggering. Thus, the importance of 3rd, 4th, and Nth party risk assessments to ensure proper assurance and due diligence.</p>
<p>“The basics of TPRM are straightforward:</p>
<ul>
<li>Evaluate your internal control environment (policies and standards)</li>
<li>Build your assurance program on one or more frameworks (e.g., NIST, ISO, HIPAA)</li>
<li>Maintain an accurate list of your service providers, and their providers, …and so on</li>
<li>Ensure you have a repeatable and auditable process</li>
<li>Measure and communicate your actions to senior management</li>
<li>Prepare for the worst when something fails</li>
</ul>
<p>“Trust me, I know from experience this is far easier said than done. The best advice I can give to anyone in this field is to keep it simple. Use spreadsheets and simple tracking mechanisms to start with. Automation is great, but not always necessary depending on scale and complexity. Lastly, stay current, stay relevant, and make sure you bring your risk and business partners along with you.”</p>

Trevor Morgan, Product Manager
InfoSec Expert
January 5, 2022 10:39 am

<p>Starting off the new year with word of a high-profile data breach like the one affecting the Broward Health system might make you question whether healthcare providers are getting the message about data privacy and security. After all, it is difficult to find good news in a situation in which over 1M data subjects have had their most personal and sensitive health information compromised. However, we can take some solace in the fact that more and more healthcare providers are indeed realizing that keeping patients’ data private is an ethical obligation and means more than just implementing basic data security controls.</p>
<p>The more these types of data breaches occur, the more the general public understands that protecting borders and perimeters around sensitive data isn’t enough—effective data security needs to be applied directly to sensitive information in the form of data-centric security, including methods such as tokenization or format-preserving encryption. By tokenizing patient information as soon as it enters the data ecosystem, these organizations can continue to work with sensitive data in its protected state due to data format preservation. Better yet, if (or when) threat actors gain access to tokenized data, they cannot comprehend it or leverage it for personal gain or other nefarious purposes. We will see and read a lot about data breaches throughout this year, but the good news is that organizations wanting to protect patients’ sensitive PHI and PII have access to the right solution. It’s just a matter of deciding to take the appropriate medicine before any catastrophic exposure to risk occurs.</p>

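The comment above describes tokenizing patient identifiers at ingestion so that downstream systems keep working with format-preserved values while a breach of the working dataset exposes nothing usable. The following is an added illustration, not the commenter's code or any vendor's product: a vault-based, format-preserving tokenizer for a constructed driver's-license-style identifier. The field names, the record layout and the identifier value are all assumptions made up for the example, and the in-memory dictionary stands in for what would be a separately secured token vault service in a real deployment.

```python
"""Vault-based, format-preserving tokenization (added example).

Each sensitive value is replaced by a random token with the same length
and the same character classes (digit/upper/lower/separator), so a system
that validates or stores the field by format still accepts it. The real
value lives only in the vault; the token itself carries no information
about the original.
"""
import secrets
import string

# Hypothetical field names for this example; a real schema would differ.
SENSITIVE_FIELDS = ("driver_license", "patient_id")


class TokenVault:
    """Maps sensitive values to random same-format tokens and back.

    In production the two maps would live in a hardened vault service with
    its own access control and audit logging, not in process memory.
    """

    def __init__(self):
        self._forward = {}  # real value -> token
        self._reverse = {}  # token -> real value

    @staticmethod
    def _random_same_format(value):
        out = []
        for ch in value:
            if ch in string.digits:
                out.append(secrets.choice(string.digits))
            elif ch in string.ascii_uppercase:
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch in string.ascii_lowercase:
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)  # separators such as '-' are kept in place
        return "".join(out)

    def tokenize(self, value):
        """Return the token for value, creating one on first sight."""
        if value in self._forward:
            return self._forward[value]
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no alphanumeric characters to replace")
        while True:
            token = self._random_same_format(value)
            # Reject the (rare) cases where the token equals the original
            # or collides with a token already issued for another value.
            if token != value and token not in self._reverse:
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        """Recover the original value; only vault-authorized callers do this."""
        return self._reverse[token]


def same_format(a, b):
    """True if a and b have identical length and per-position character classes."""
    def cls(ch):
        if ch in string.digits:
            return "d"
        if ch in string.ascii_uppercase:
            return "U"
        if ch in string.ascii_lowercase:
            return "l"
        return ch
    return len(a) == len(b) and all(cls(x) == cls(y) for x, y in zip(a, b))


def tokenize_record(record, vault):
    """Tokenize the sensitive fields of a record as it enters the data flow."""
    protected = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in protected:
            protected[field] = vault.tokenize(protected[field])
    return protected


def leaks_original(records, originals):
    """True if any original sensitive value appears anywhere in the records."""
    blob = " ".join(str(v) for r in records for v in r.values())
    return any(o in blob for o in originals)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; not real patient data.
    sample = {"name": "Sample Patient", "driver_license": "D123-456-78-901"}
    protected = tokenize_record(sample, vault)
    print("stored record:", protected)
    print("format kept:", same_format(protected["driver_license"], sample["driver_license"]))
    print("recovered:", vault.detokenize(protected["driver_license"]))
```

The design point is that the working dataset keeps only tokens: a consumer that checks the field's shape still accepts it, while the mapping back to the real identifier is a separate asset to protect and audit.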
Tim Erlin, VP of Product Management and Strategy
InfoSec Expert
January 5, 2022 10:42 am

<p>This incident is a good reminder that the effectiveness of your organization’s cybersecurity extends to any third party with access to your systems. While it may not be practical for you to audit all of your suppliers directly, you can ask them what standards they comply with and how they are audited against those standards. Best practices from NIST and the Center for Internet Security provide a solid foundation for most organizations. It’s important to ask this question at least annually, as circumstances change. This is a vital step to help safeguard the integrity of your organisation’s digital assets and protect against similar threats.</p>

Information Security Buzz