Yet another major data breach has resulted from a folder left unsecured in today's endlessly connected networked world. The recent federal healthcare data breach tally reported a breach affecting more than 307,000 patient records, traced to an unsecured folder. The case, in which Touchstone Medical Imaging, a provider of diagnostic imaging services, suffered a large breach through an unsecured folder, has been listed on the Department of Health and Human Services "wall of shame" website under the HIPAA breach notification rule. Security experts, however, view this vulnerability as a relatively common lapse among healthcare providers, generally caused by human error. With technology enabling fast transfers, by the time the service provider realises that a seldom-used folder containing patient billing information had inadvertently been left accessible via the internet, the damage has already been done.
Such common errors become the weakest link in protecting electronic protected health information (PHI). Even as Touchstone Medical Imaging tries to ascertain the depth of the damage done, security consultants view the case of unsecured files left accessible to the Internet as a sign of deeper security control issues. While this case may be the result of inadequate oversight and control of the enterprise network by its IT staff, unrestricted Internet access to a healthcare enterprise's network servers and file share system is a warning signal of bigger problems that calls for stricter action.
Further, once a file becomes publicly accessible, any other party may have obtained and copied it. Security teams therefore need to identify the controls they need to put in place. Breaches involving patient data left accessible via the Internet have already caught the eye of federal regulators, leading to HIPAA penalty enforcement in the past. In January 2013 the Department of Health and Human Services issued the HIPAA Omnibus Final Rule, which significantly modifies the privacy, security, enforcement and breach notification regulations. This requires business associates and covered entities to re-examine their service offerings and business models to handle insider threats.
Moreover, to avoid Touchstone-type breaches, covered entities, business associates and vendors should be very careful about sharing applications and data, even across peer-to-peer networks. As healthcare enterprises take initiatives to implement effective HIPAA security audit systems in accordance with HIPAA Omnibus rule enforcement, business associates and their subcontractors who receive, create, transmit or maintain protected health information must also encrypt data and avoid exposing it on the Internet, as they are now directly responsible for HIPAA compliance.
With its built-in vulnerability scanning technology, the Aegify security and compliance monitoring system ensures continuous security monitoring and effective compliance, demystifying complex compliance regulations and standards. The Aegify suite of solutions addresses the security and compliance requirements of covered entities and their business associates, ensuring that healthcare data remains safe and secure.