With 2017 behind us and the new year beginning, there’s no time like now to reevaluate how your organization handles sensitive customer information. With data breaches increasing year after year, everyone should turn their gaze inward to ensure they are taking a proactive cybersecurity stance.
Why is this so important? Here’s an example of everything that can go wrong if you don’t protect your customer’s data.
This year, the California Attorney General announced a $2 million settlement with Cottage Health — a healthcare network — after the organization suffered two separate breaches in 2013 and 2015, exposing the information of about 55,000 patients.
Upon investigation, Cottage Health discovered that a third-party managed services provider named Insync had reportedly removed electronic security protections from one of its servers. This resulted in the exposure of a file containing the personal health information of Cottage Health clients. While no financial information or Social Security numbers were leaked, the case falls into a murky legal area: experts aren’t sure whether HIPAA laws were broken, since the breach occurred under the supervision of a third party.
The state determined that Cottage Health needed a full assessment of its current and future protocols. The announced settlement terms include:
“Cottage Health is required to pay a $2 million penalty and upgrade its data security practices. Cottage Health is required to protect patients’ medical information from unauthorized access and disclosure and to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry. It must designate an employee to serve in the capacity of a Chief Privacy Officer and to complete periodic risk assessments.”
How You Can Prevent This Type of Fallout
The most striking aspect of this report is just how little Cottage Health knew about what was going on with its patients’ information. How could a third party simply remove protections without anyone realizing it or being made aware at Cottage Health? The settlement has some clues.
Simply put, no one was watching. There was no point of contact for all IT needs. And, perhaps most glaringly, there was a real failure to follow IT security best practices.
The sad thing about this is how easily it could have been prevented. Regular IT assessments and a vulnerability management system would have picked up on the error introduced by the third-party vendor, leading to immediate remediation. Further assessment of staff responsibilities would have revealed the need for clearly defined roles at various points throughout the IT infrastructure, helping to put a meaningful system of checks in place.
Even though Cottage Health had a third-party vendor in place, they still needed more protection. If your organization isn’t taking a proactive approach to cybersecurity, then you’re leaving the door open for errors and oversights like this to occur. Take a lesson from Cottage Health and save your reputation in the process.
Interested in taking a look at your cybersecurity practices? Contact us today to learn more.