On November 13, 2020, Mercy Iowa City Hospital began informing patients that the hospital had fallen victim to a data breach between May 15 and June 24. The breach was discovered when someone noticed phishing emails had been sent by an employee’s email account. Although security experts couldn’t verify whether sensitive patient data was actually accessed, they confirmed the hacker could have accessed that data.
More than 60,000 patients may have had their data stolen including their names, Social Security numbers, confidential health insurance information, dates of birth, and driver’s license numbers.
A representative from Mercy Iowa City Hospital published a letter informing Iowa residents that “Mercy is not aware of any fraud or identity theft to any individual as a result of this incident.” However, evidence of identity theft doesn’t always appear immediately; sometimes it takes months.
If sensitive data isn’t encrypted it’s not secure
How could a hacker slip by hospital cybersecurity? Was the hospital using software that wasn’t updated? Did the email user get tricked into divulging their login credentials? Was it an insider threat? Did the hospital skip cybersecurity protocols? These are important questions to ask because the majority of data breaches are caused by user error, although most business owners and employees don’t know that.
HIPAA requires hospitals to protect private information known as PHI (Private Health Information). When a hacker accesses an employee’s email account, that’s a sign of lax cybersecurity. However, when data is encrypted, it doesn’t matter if someone steals it—they can’t read the data.
Encryption is the ultimate cybersecurity measure
Hackers will eventually find ways to circumvent average cybersecurity protocols. Unfortunately, most businesses, including hospitals, can’t afford the cost of high-end cybersecurity systems. That’s why encrypting data is a critical component of cybersecurity: it acts as a fail-safe in case of a breach. Although encryption isn’t a replacement for automated threat detection, it’s more affordable than some high-tech network security systems.
What did Mercy Iowa City Hospital do wrong?
Mercy failed to have adequate cybersecurity systems in place at the time of the breach. It’s unclear exactly how the data breach occurred. Those details will likely emerge in time if the company is willing to share that information.
The breach was most likely caused by user error and the owner of the compromised email address probably didn’t know they had been hacked.
Mercy provided affected patients with a year of free identity theft monitoring and has enabled multi-factor authentication to prevent similar breaches in the future. Hopefully, their cybersecurity team will also start encrypting company emails.
Cybersecurity breaches have dire consequences
How many more serious data breaches have to happen for businesses to tighten up their cybersecurity? Cybercriminals target small businesses more than any other type of organization because they know small business owners are less likely to have strong cybersecurity measures in place. Unfortunately, many small business owners believe it can’t happen to them, so they skip cybersecurity.
No network is inherently secure. All networks are vulnerable to attack whether the servers are on-premises, in the cloud, or located in a privately-owned data center.
Data breaches, especially breaches that fall under GDPR, have dire consequences for business owners. The fines are huge, customers lose trust, and lawsuits can bankrupt a business.
If you’re an entrepreneur or a business owner, here’s what you need to do to protect your data:
Consult with an IT security expert
There is no substitute for expert advice. Only an IT security pro can tell you exactly what you need. If you’re bound by industry-specific data security requirements, you might need more protection than you think.
Create a budget for cybersecurity
Just like you would prioritize a budget for payroll, cybersecurity should also be an official and non-negotiable part of your budget.
Don’t rely on your web host or ISP for protection
Never rely on your web host or internet provider to provide complete cybersecurity for your network. You might have accounts that come with some kind of low-level security, but it’s not likely to be enough. You need security measures that provide complete visibility and detailed logging.
Test your security perimeter routinely
If you’ve got an IT security team, they’ll handle testing your security perimeter. However, if you only hire a team as needed, make sure to schedule periodic testing and maintenance. You need to stay up-to-date on installing patches and software updates to prevent hackers from exploiting vulnerabilities.
At the very least, use encryption
Regardless of what security policies you adopt, at a minimum, you should encrypt your data end-to-end, including all email communications. If you do fall victim to a data breach, the hacker(s) won’t be able to read the data they’ve stolen.