The Oregon Health & Science University (OHSU) recently resolved an investigation into two breaches of electronic health data that occurred in 2013, agreeing to a $2.7 million payment and a three-year corrective action plan to prevent future security issues.
According to Tamara Hargens-Bradley, spokesperson for the U.S. Department of Health and Human Services Office for Civil Rights, the two breaches occurred through different channels:
“The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or ‘cloud storage’ service, without a business associate agreement,” she said. “No harm was reported by patients.”
The breaches occurred within three months of each other, and both resulted from improper security protocols. The stolen laptop was not encrypted at the time of its theft. Google, the company hosting the improperly accessed spreadsheet, had no contractual relationship with OHSU obligating it to store sensitive information securely. These failings also call to mind earlier security incidents in OHSU's infrastructure, in 2009 and 2012, which affected nearly 15,000 patients.
Since the 2013 breaches, OHSU has taken steps to improve its security protocols, including:
- Stronger computer encryption across the campus
- Free identity theft protection for at-risk patients
- Toll-free phone outreach for patient concerns and support
Steps to Security
Although OHSU has committed itself to a three-year security action plan to prevent future data loss, its strategy may be shortsighted. Its commitment to supporting affected patients is necessary, but it is little more than a damage control measure. Pledges to strengthen computer encryption across the university will do nothing to secure cloud-based infrastructure or to prevent theft of the hardware itself.
Better security is a product of planning—reacting after the fact isn't enough to enact meaningful change. Structures must be in place before breaches happen, and for organizations like OHSU that have suffered repeated breaches over the past seven years, these structures can't come soon enough:
- Preparation: Security should be delegated to a specific task force that is trained in crisis management and has dedicated plans for how to respond to emerging threats.
- Detection: Organizations must know where breaches have occurred before they can address them.
- Removal: Defined workflows for how data breaches will be contained and addressed help teams act efficiently.
- Post-Recovery Response: The incident must be reviewed to establish how the breach occurred, why it occurred, and how to reinforce security so it does not happen again.
While prioritizing affected patients and communication are good first steps, OHSU has a long road to travel before it is ready to build structures that support true organizational security.
Written by Desh Urs
Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.
As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.
Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.