@FortinetHealth @iHealthBeat – #healthcare breach notification report. Deja vu all over again. #HIMSS16 #cybersecurity
— Ryan Witt (@WittRZ) January 21, 2016
I was intrigued by Ryan Witt’s comment about it being deja vu when it came to more healthcare data breaches. In many ways he’s right, although I’d almost compare it more to the movie Groundhog Day than to deja vu. If it feels like we’ve been through this before, it’s because we have been through it before. The iHealthBeat article he links to outlines a wide variety of healthcare breaches, and the pace at which breaches are occurring is accelerating.
I think we know the standard script for when a breach occurs:
- Company discovers a breach has occurred (or often someone else discovers it and lets them know)
- Company announces that a “very highly sophisticated” breach occurred on their system. (Note: It’s never admitted that they did a poor job protecting their systems. It was always a sophisticated attack.)
- Details of the breach are outlined along with a notice that all of their other systems are secure (How they know this second part is another question)
- They announce that there was no evidence that the data was used inappropriately (As if they really know what happens with the data after it’s breached)
- All parties that were impacted by the breach will be notified (Keeping the US postal service in business)
- Credit monitoring is offered to all individuals affected by the breach (Makes you want to be a credit monitoring company doesn’t it?)
- Everything possible is being done to ensure that a breach like this never happens again (They might need to look up the term “everything” in Webster’s dictionary)
It’s a pretty simple 7-step process, no? Have we seen this before? Absolutely! Will we see it again? Far too often.
Of course, the above just covers the public-facing component of a breach. The experience is much more brutal if you’re the organization whose data was breached. What do they say? An ounce of prevention is worth a pound of cure. That’s never more appropriate than in healthcare security and privacy. Unfortunately, far too many are living in an “ignorance is bliss” state right now. What they don’t tell you is that ignorance is not bliss if you get caught in your ignorance.