Author Archives: Desh Urs

5,400 More: Providence Breach Highlights the Poor State of Data Security


Providence Health and Services, an Oregon-based healthcare clinic, recently notified nearly 5,400 current and former patients that their medical data may have been exposed. A former employee reportedly accessed the medical records without “any apparent business need” between July 2012 and April 2016, according to a Providence media advisor. Affected information included demographic details, medical treatments, and possibly insurance data and Social Security numbers.


The employee has since been fired in accordance with a corrective action plan, with the clinic noting that it didn’t believe any sensitive information was further viewed or disclosed.

Damage Control

Providence’s breach highlights one of the biggest problems plaguing healthcare as a whole—threat detection. With private information being transferred across multiple EMRs, external hard drives, and mobile devices daily, it’s becoming increasingly difficult for clinics to monitor all channels on which sensitive data travels. Add in human error and the complications that arise when data is handled by large teams of providers, and you have a security system that is vulnerable inside and out.

Breaches like the one recently reported in Providence can take months to detect, and in some cases, they may even take years. Unless a breach is detected immediately, unauthorized users have plenty of time to copy, transfer, or sell privileged information.

As part of its corrective action strategy, Providence is offering 24 months of free credit monitoring for all affected patients. Although damage control tactics like these are necessary after any instance of data loss, they do little to assuage the fears of patients worried about future information exposure. By the time the breach has occurred, it’s already too late.

A Measured Response

Knowing how to appropriately respond to breaches is the responsibility of all organizations handling sensitive data. In Providence’s case, the clinic didn’t believe that the data was exposed beyond the initial breach, and tailored its outreach accordingly.

The confusion following breaches makes large-scale damage control strategies difficult to apply at the drop of a hat, making it essential for breach response protocols to be in place before the damage is done. When strategies for breach prevention are incorporated into clinic policy through mandatory employee training, threat classification, and agile threat response, better security comes as a matter of course. To prevent breaches like the one affecting Providence, healthcare organizations need to build security into their infrastructure from the ground up.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.


$2.7 Million: The Costs of OHSU’s Security Shortcomings


The Oregon Health & Science University recently resolved an investigation into two breaches of electronic health data that occurred in 2013, resulting in a payment of $2.7 million and a three-year corrective action plan to prevent future security issues.

According to Tamara Hargens-Bradley, spokesperson for the U.S. Department of Health and Human Services Office for Civil Rights, these breaches occurred across multiple channels:

“The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or ‘cloud storage’ service, without a business associate agreement,” she said. “No harm was reported by patients.”


The breaches occurred within three months of each other, both the result of improper security protocols. The stolen laptop was not encrypted at the time of its theft, and Google, the company hosting the improperly stored spreadsheet, had no contractual relationship with OHSU to securely store sensitive information. These failings bring to light previous security incidents in OHSU’s infrastructure, occurring in 2009 and 2012 and affecting nearly 15,000 patients.

Since the 2013 breaches, the OHSU has taken steps to improve its security protocols, including:

  • Stronger computer encryption across the campus
  • Free identity theft protection for at-risk patients
  • Toll-free phone outreach for patient concerns and support

Steps to Security

Though OHSU committed itself to a three-year security action plan to prevent future data loss, its strategy may be shortsighted. Its commitment to supporting affected patients is necessary, but it is little more than a damage control measure. Pledges to strengthen computer encryption across the university will do nothing to support cloud-based security infrastructure or prevent theft of the hardware itself.

Better security is a product of planning—reacting after the fact isn’t enough to enact meaningful change. Structures must be in place before breaches happen, and for organizations like OHSU that have suffered myriad breaches over the past seven years, these structures can’t come soon enough:

  • Preparation: Security should be delegated to a specific task force that is trained in crisis management and has dedicated plans for how to solve emerging threats.
  • Detection: Organizations must know where breaches are before they can be addressed.
  • Removal: Workflows for how data breaches will be contained and addressed help teams act efficiently.
  • Post-Recovery Response: The incident must be reviewed to determine how the breach occurred, why it occurred, and how to reinforce security to prevent it from happening again.

While prioritizing affected patients and communication are good first steps, OHSU has a long road to travel before it’s ready to build structures that support true organizational security.


Written by Desh Urs
