So, it hasn’t taken long for a big hack into a major hospital system to happen.

As the article noted: “That would make the attack the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.”

At this point it appears that the hack into the hospital’s system was not unlike the hack into Target’s system, where the hackers gained access to the network, probably through some sort of faked IT support approach or simply a phishing technique.

I’m still amazed to see the ignorance in reporting of incidents like this. The reporter states:

“The company said the stolen data did not include credit card numbers, or any intellectual property such as data on medical device development.”

So let’s be clear: the point of this type of hack is not to get medical information, it is to get personal information for identity theft.

How does this major hack apply to smaller medical practices?

The thing a smaller medical practice needs to be concerned about is hackers trying to stay below the radar. Most medical practices do not have a process in place to deal with IT support issues. There needs to be a policy and procedure in place on exactly how the office will deal with:

  • Computer hardware support issues
  • EHR support issues
  • Calls from support people

In addition, there need to be controls in place for when support staff remote in to the network. This access needs to be controlled and strictly tracked.

This may all seem like overkill…until you have an issue.

You also need to make sure you have a policy and checklist in place for if (I mean when) you have a PHI data breach.

This PHI data breach checklist needs to follow the strict set of requirements put out by HHS, so that you can minimize the issues you’ll be facing.

