Days later, after New York-Presbyterian agreed to pay out the largest settlement ever in a HIPAA violation case ($4.8M), the only thing we can ask ourselves is, “Why did this happen, and how could this have been prevented?”
The breach was ultimately discovered by an external entity of the hospital when they found a deceased patient’s data online. However, they (the hospital), upon further investigation, found that the health records of another 6,800 hospital patients had become publically available when a physician deactivated a server on the hospital’s internal data network. The key phrase here, “internal network” – begs the question, how did an internal network become exposed to the internet and webcrawlers?
Digging a little deeper, Columbia University faculty members serve as attending physicians at NY Presbyterian. Therefore, this business arrangement needs to be supported via a technical solution that enables Columbia resources to work within the walls of NY Presbyterian. This resulted in a system with NY Presbyterian and Columbia University operating a shared data network and network firewall that was administered by employees of both entities. The shared network linked directly to NY Presbyterian patient information systems containing EPHI according to HHS Office for Civil Rights (OCR). Therefore, when a physician “attempted to deactivate a personally owned computer server on the network” it had a much large ripple effect, ultimately leading to the breach.
Since we now know how this problem occurred, the logical next step is to find out how it could have been stopped.
The first step, as with any good data security process, is “discovering” where the sensitive data lives. That’s where we’re able to come in – through the utilization of STEALTHbits Sensitive Data Discovery solutions. However, one of our main differentiators in our sensitive data discovery program is the inclusion of professional services, which are able to produce artifacts that articulate (via a risk score) the “true business risk” of what we have found within the organization. Producing this “true business risk” view would help an organization prioritize their remediation efforts to ensure that wherever sensitive data lives, there is an appropriate business approach to dealing with that data (monitoring, locking/blocking, moving, deletion, etc.) prior to the asset being retired from the organization.
Alerting could also be an option via StealthINTERCEPT and “custom” rules IF the organization discovered sensitive data, and then decided to “protect” their lockdown policies. However, a report that identifies sensitive data on “targets”; which is refreshed on a periodic basis and analyzed across AD Domain object information, would be a logical first step for an organization looking to prevent breaches of this nature in the future.
Learn About STEALTHbits’ Solutions
StealthAUDIT – Data Collection, Analysis, Remediation, and Reporting for Microsoft Infrastructure, Applications, and Beyond
StealthINTERCEPT – Real-time Monitoring and Control over Change and Access for Active Directory, Exchange, and File Systems