Hospital group criticized for emailing health information

Partners should have known better than to allow employees to send sensitive patient data via email, experts said in the wake of yet another healthcare data breach, and should have responded faster when the breach was discovered.

Late last month, Boston-based Partners HealthCare System notified 3,300 patients that hackers got access to employee emails that contained such information as Social Security numbers, health insurance information, and medical data.

The system includes such well-known hospitals as Brigham and Women's Hospital and Massachusetts General Hospital.

According to Partners, employees fell victim to phishing emails that allowed hackers to get access to their email accounts.

The organization said it is stepping up employee training about phishing and enhancing "existing technical safeguards" to protect patient information, but did not provide details about what those technical safeguards were.

Rather than trying to better protect the emails, the hospital chain should consider not using email at all for transmitting sensitive patient information, experts said.

"Putting patient data into emails introduces elements of risk to both privacy and security," said Amy Abatangle, executive vice president and general manager at network security vendor Untangle. "It is a very questionable practice, outside of the phishing breach."

Educating employees about phishing may not be enough, she said.

"Scammers can be very clever when it comes to getting employees to reveal credentials or even seemingly harmless information which can then be used to gain access to vulnerable systems," she said.

All it takes is one employee to fall victim to a phishing attack, said Mike Paquette, vice president of security products at Framingham, Mass.-based Prelert.


After that, it's easy to get other employees to click the same malicious link, he said.

"The clever attacker simply finds emails already in the inbox of the first victim, and replies to them with enough context to make the link seem plausible," he said. "The new victim sees a reply from an associate's email address containing details from an actual email that he or she previously sent, and has absolutely no reason to suspect foul play."

Targeting healthcare companies in particular is attractive to criminals.

According to the FBI, healthcare records can cost up to $60 or $70 each on the black market, significantly higher than credit card numbers. With insurance fraud, criminals can charge up to the limit of a health insurance policy -- and the information can also be used to order drugs for resale.

"Also, since medical breaches often go undetected for longer periods of time than credit card breaches, patient data usually remains valuable for longer," said Mark Orlando, director of cyber operations at Foreground Security.

As a result, the number of data breaches reported by healthcare companies rose 60 percent in 2014, according to PricewaterhouseCoopers -- twice the rate of other industries.

The breach also indicates another problem at the hospital chain -- although the breach was first detected in November, it took months for the hospital chain to do the forensic analysis, identify the compromised data, and contact patients.

"This attack indicates a clear need for stronger cybersecurity regulations," said Muddu Sudhakar, co-founder and CEO at security vendor Caspida.

Organizations need to improve not only their security but also their reaction time, he said, suggesting that regulations should mandate informing customers within 30 days of discovering a data breach.

Unstructured data in particular is a problem for many companies.

"This is one of the main things that organizations need to get up to date with," said David Gibson, vice president of marketing at security vendor Varonis Systems. "They need to make sure they understand where all the sensitive information is, and watch what people are doing with it."

Stories by Maria Korolov