
Security Breaches in Healthcare: Preventing Data Disaster

01/31/2015  |  By: Jason Riddle, CISSP, President, Information Security



Electronic health records (EHRs) are rapidly becoming a crucial and widely adopted element of our healthcare system, bringing along numerous benefits. With EHRs, physicians and patients can monitor, share, scrutinize, and respond to health data. The opportunities are great – but with these opportunities come new and serious security considerations.

Some of those considerations are regulatory. Organizations that fail to comply with the HIPAA/HITECH Privacy, Security, and Breach Notification Rules enforced by the HHS Office for Civil Rights can (and increasingly do) face major fines. But even beyond the specter of fines and legal penalties, a breach of patient data damages an organization's reputation, eroding patient trust and harming the business.

For data thieves, EHRs represent a treasure trove of information – and their gain is a healthcare provider’s disaster. How, then, can organizations avoid security breaches? And what should they do if they experience an attack?

Preventive measures

Prevention is the front line of an organization's security effort, but it is not only about defensive tools like firewalls. Preventing data theft is at least as much a matter of education as of technology, though the technology still matters.

Some of the most effective and devastating data theft tactics in use today fall under the umbrella of "social engineering": emails requesting sensitive data that appear to come from within your organization, or deceptive phone calls to customer service. These are not sophisticated technical tricks. Instead, scammers prey on unprepared employees. The primary defense is training backed by enforceable procedure: organizations must ensure that their teams recognize scammers' common tactics, verify unusual requests through a second channel (for example, calling back on a known number rather than one supplied in the request), and follow strict policies that define the circumstances in which sensitive data may be shared. Technical controls such as multi-factor authentication and least-privilege access do not stop the deception, but they limit what a single deceived employee can give away.

Beyond awareness of data thieves' tactics and relevant policies, employees can act as a security team's eyes and ears, noting signs that may indicate abnormal activity. If employees anywhere in the organization notice network accounts that no longer work, password-reset or login notifications they did not trigger, or unusually slow systems, they should be trained to report these events immediately rather than work around them. Security is an organization-wide initiative.

Detecting danger

Preventive measures alone, however, make for an incomplete security effort.

Even with the best training and the best firewalls in place, the world of information security is constantly changing. New attack vectors emerge continuously, and new bugs and vulnerabilities are discovered. That does not mean you should give up, but it does mean you should be ready in case attackers get past your defenses. Otherwise, you might not know they are there until it is too late. Attackers often get the most return on their effort precisely by avoiding detection and quietly extracting more and more of your data over time.

This is why healthcare providers and other organizations need to develop strategies for detection. Automated tooling is necessary to collect logs and raise alerts, but the most effective approach pairs it with human monitoring, either through a managed security services provider or an in-house security team. Unlike an alerting system on its own, human analysts can recognize subtle red flags, put them in context, then investigate and respond accordingly. Since organizations that are actually watching tend to see thousands of such red flags in a month, most of them benign, it is important to have security experts on your side who can separate the real incidents from the noise and take action.
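To make the "red flags" above concrete, here is an added example (not code from the original article or from any EHR vendor) of one detection rule that fits the point about attackers stealing data slowly over time: flag any account that views far more distinct patient records on a given day than its own recent baseline. The audit-line format, the user names, the baseline ratio and the floor are all assumptions invented for the example; the sample log is constructed inline.

```python
"""Added example: flag abnormal per-user EHR record-access volume from audit log lines."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean


def parse_audit_line(line):
    """Split one audit line into (timestamp, user, action, record_id).

    The format 'ISO-8601-timestamp user ACTION record-id' is hypothetical,
    invented for this example; real EHR audit formats differ.
    """
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def distinct_records_per_user_day(lines):
    """Count the distinct patient records each user viewed on each calendar day."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, action, record = parse_audit_line(line)
        if action == "VIEW":
            seen[(user, ts.date())].add(record)
    return {key: len(records) for key, records in seen.items()}


def flag_volume_anomalies(lines, baseline_days, ratio=3.0, floor=20):
    """Return (user, day, count, threshold) for every non-baseline day on which a
    user viewed more distinct records than max(floor, ratio * baseline daily mean).

    A user with no baseline history is judged against the floor alone, so a new or
    dormant account that suddenly reads many charts is still flagged. ratio and
    floor are tuning assumptions, not values from the article.
    """
    counts = distinct_records_per_user_day(lines)
    history = defaultdict(list)
    for (user, day), n in counts.items():
        if day in baseline_days:
            history[user].append(n)
    flags = []
    for (user, day), n in sorted(counts.items()):
        if day in baseline_days:
            continue
        baseline = mean(history[user]) if history[user] else 0.0
        threshold = max(floor, ratio * baseline)
        if n > threshold:
            flags.append((user, day, n, threshold))
    return flags


def constructed_sample_log():
    """Constructed sample audit lines (not from any real system)."""
    lines = []
    for d in range(5, 9):  # four baseline days, 5 to 8 January
        for i in range(5):  # nurse01 normally views 5 charts a day
            lines.append(f"2015-01-0{d}T09:{i:02d}:00 nurse01 VIEW P-{1000 + i}")
        for i in range(12):  # dr_lee normally views 12 charts a day
            lines.append(f"2015-01-0{d}T10:{i:02d}:00 dr_lee VIEW P-{1100 + i}")
    # Evaluation day: nurse01 pulls 45 distinct charts after hours, dr_lee is
    # unchanged, and billing07 (no history at all) reads 25 charts.
    for i in range(45):
        lines.append(f"2015-01-09T22:{i:02d}:00 nurse01 VIEW P-{2000 + i}")
    for i in range(12):
        lines.append(f"2015-01-09T10:{i:02d}:00 dr_lee VIEW P-{1100 + i}")
    for i in range(25):
        lines.append(f"2015-01-09T11:{i:02d}:00 billing07 VIEW P-{3000 + i}")
    return lines


BASELINE_DAYS = {date(2015, 1, d) for d in range(5, 9)}

if __name__ == "__main__":
    for user, day, n, threshold in flag_volume_anomalies(constructed_sample_log(), BASELINE_DAYS):
        print(f"{day} {user}: {n} distinct records viewed (threshold {threshold:.0f})")
```

Run stand-alone, the script reports nurse01 (45 records against a baseline of 5) and billing07 (25 records with no history), and stays silent about dr_lee, whose 12 records match their baseline. That is the division of labor the paragraph describes: the rule reduces a day of audit lines to a short list, and a human analyst still has to decide whether nurse01 was covering an unusual shift or exporting charts.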

Effective response

If prevention and detection are the first two pillars of an effective strategy against security breaches in healthcare, response is the third. If you detect that your systems have been breached, you need a plan already in place for dealing with it.

What should that plan look like? The most crucial thing is to contain the incident quickly and in a way that fits its nature. Depending on the situation, organizations might disconnect Internet-facing machines, or deliberately preserve the connection for a time in order to collect data on the attack. Either way, evidence must be preserved: wiping or reimaging an affected machine before it has been examined destroys the logs and artifacts needed to work out what was taken. These decisions should be made by qualified security professionals, and organizations without internal security teams should engage a third party with expertise in information security incident response and forensics.

In most cases, healthcare providers must report breaches of protected health information: under the HIPAA Breach Notification Rule, affected individuals and the Department of Health and Human Services must be notified without unreasonable delay and no later than 60 days after discovery, and breaches affecting more than 500 residents of a state must also be reported to prominent media outlets. Since organizations may be subject to fines or other penalties, they should coordinate closely with their legal departments or representatives. Most importantly, organizations should be as straightforward and transparent as possible about the situation, reporting both how the breach occurred and how they have responded.

After the incident is over, one of the most important parts of the response is a post-incident review: reevaluate the security strategy, identify the gaps and failures the attack exposed, and revise policies, controls, and training in light of the experience.


Security breaches in healthcare can cause tremendous damage, and they invariably feel like disasters. But when healthcare providers and other organizations develop a careful, comprehensive security strategy, they give themselves the tools they need to guard their patients and themselves against data theft more effectively. With a plan that covers the three pillars of security, prevention, detection, and response, you will be ready to continue caring for patients with confidence.

Originally posted in Tennessee Chapter: Healthcare Financial Management Association