Four years; yes, you read that correctly, four years later approximately one thousand patients of Riverside Health System of Virginia were notified they were victims of a privacy breach. The fact that a healthcare provider was breached seems to be a common headline in the news these days. Personally what makes this breach even more interesting was the fact that it was discovered after a random audit. Riverside Health System spokesperson Peter Glagola said in a statement, “We have a robust compliance program and ongoing monitoring in place, and that’s how we were able to identify this breach. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”
Let’s take a look at the root cause of this breach and how the “robust compliance program and ongoing monitoring” during the past four years was fundamentally flawed from the beginning. I am sure the one thousand compromised patients who walked into Riverside Health Care were greeted by Nurses and Doctors in white lab coats and not the stereotypical person who looks like a “hacker”. However; unbeknownst to those one thousand patients, the licensed practical nurse (LPN) they interacted with turned out to be the nefarious hacker in this particular story. A LPN stole approximately one thousand patient Social Security Numbers (PII) and electronic medical records over four years, starting in 2010. The LPN needed “patient information” to properly provide care to their respective patients.
In the case of the LPN; does a LPN need access to a patient’s Social Security Number and full date of birth to provide proper treatment?
LPN’s need to treat patient symptoms >> patient symptoms are documented within electronic medical records >> electronic medical records are stored within folders on file shares, applications, email inboxes, etc.
The first step with any compliance program should be discovering where all the “sensitive” data resides within an organization. Post the discovery phase; the program should then focus on the business processes around sensitive data – “who should have access to sensitive data”. Understanding what a normal pattern of sensitive data access is vs. an abnormal pattern of sensitive data access is crucial to any organizational compliance program. Being able to “secure” those normal patterns of sensitive data access and ensuring business owners attest to who has the ability to execute these normal processes must be answered by compliance programs. In the case of Riverside Health System of Virginia; the internal controls and active monitoring in place per Peter Glagola to protect their patients didn’t prevent the most common advanced persistent threat within organizations – the rouge employee e.g. “nefarious hacker”.
The prescription Riverside Health System wrote for their patients who were hacked was one free year of credit monitoring services.
Learn About STEALTHbits’ Solutions
StealthAUDIT – Data Collection, Analysis, Remediation, and Reporting for Microsoft Infrastructure, Applications, and Beyond
StealthINTERCEPT – Real-time Monitoring and Control over Change and Access for Active Directory, Exchange, and File Systems