Providence Health and Services, an Oregon-based healthcare clinic, recently notified nearly 5,400 current and former patients that their medical data may have been exposed. A former employee reportedly accessed the medical records without “any apparent business need” between July 2012 and April 2016, according to a Providence media advisor. Affected information included demographic details, medical treatments, and possibly insurance data and Social Security numbers.
The employee has since been fired in accordance with a corrective action plan, with the clinic noting that it didn’t believe any sensitive information was further viewed or disclosed.
Providence’s breach highlights one of the biggest problems plaguing healthcare as a whole—threat detection. With private information being transferred across multiple EMRs, external hard drives, and mobile devices daily, it’s becoming increasingly difficult for clinics to monitor all channels on which sensitive data travels. Add in human error and the complications that arise when data is handled by large teams of providers, and you have a security system that is vulnerable inside and out.
Breaches like the one recently reported by Providence can take months to detect, and in some cases years. Unless a breach is detected immediately, unauthorized users have plenty of time to copy, transfer, or sell privileged information.
As part of its corrective action strategy, Providence is offering 24 months of free credit monitoring for all affected patients. Although damage control tactics like these are necessary after any instance of data loss, they do little to assuage the fears of patients worried about future information exposure. By the time the breach has occurred, it’s already too late.
A Measured Response
Knowing how to appropriately respond to breaches is the responsibility of all organizations handling sensitive data. In Providence’s case, the clinic didn’t believe that the data was exposed beyond the initial breach, and tailored its outreach accordingly.
The confusion that follows a breach makes large-scale damage control strategies difficult to apply at the drop of a hat, so breach response protocols need to be in place before the damage is done. When strategies for breach prevention are incorporated into clinic policy through mandatory employee training, threat classification, and agile threat response, better security comes as a matter of course. To prevent breaches like the one affecting Providence, healthcare organizations need to build security into their infrastructure from the ground up.
Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.
As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.
Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.