On Tuesday, June 24, the director of Montana’s Department of Public Health and Human Services (DPHHS), Richard Opper, advised his agency that 1.3 million people in the state of Montana needed to be notified of a break-in of the state’s computer files. The incident may have been a security breach by hackers who accessed Montana residents’ medical records, and it affects the status of their personal information. It is unclear at this time if any information was stolen.
According to Opper, the hackers had not accessed any information or used any of the records in an inappropriate manner. As compensation, the state of Montana is suggesting all 1.3 million people sign up for a year of free credit monitoring and identity fraud insurance. A toll-free help line is currently in place to assist those who sign up for the insurance. At this time no one has reported any thefts from their bank accounts, stolen identities or credit card losses. Many of the letters of notice are to residents who no longer live in Montana and to estates of those who have passed away.
On May 22, malware was located on the health agency’s server, after information technology (IT) workers had discovered unusual activity on the server earlier in the month. All of the information was sensitive and comprised a long list of medical records, health assessments, diagnoses, treatment, prescriptions, insurance, Social Security numbers, names, addresses and birthdays.
Approximately 3,100 department employees were also notified, as the server contained their bank account information. Security has been updated, state officials said. On average, security breaches of this type are attempted 17,000 times per hour. With a volume of that proportion, it is difficult to safeguard the state’s system of computer security against hackers without being one step ahead of them, Opper stated. State officials expect cyber-security insurance purchased last year to cover most of the cost connected with the incident.
Residents of Montana will feel the impact of this security breach of their medical files for a prolonged period of time. With this breach of information in mind, HealthITSecurity.com looked at other computer security break-ins at similar healthcare organizations. This is a general summary of what these organizations are dealing with in their efforts to keep their computers secure, and some hints on how to minimize hacking.
Even the best security programs can be broken into; some breaches are unavoidable. Many illegal entries by hackers occur due to human-error breakdowns that were preventable. For example, the North Carolina Department of Health and Human Services (DHHS) mailed 48,752 Medicaid cards to the wrong recipients. This type of error is avoidable with solid user training in proper mailing methods.
Phishing attacks are another area of concern, as hackers attempt to obtain user login names and passwords. Security experts have stated that intense user training can thwart these attacks when users know what to look for in incoming emails. IT security supervisors can strengthen training efforts and enhance the user training experience by sending fake phishing emails and educating users on how to spot external threats. Phishing hackers have gotten more sophisticated in their email attacks, and constant vigilance is a necessary part of any competent IT department.
Three other areas of needed improvement are stronger encryption, internal user monitoring and physical safeguards. Stronger encryption refers to more than just shoring up computers in the work environment. Portable devices, such as laptops, smartphones, thumb drives and tablets, that are not secure may be stolen from an employee, a car, a desk or another easily accessible area.
Monitoring internal employees is also an important step in preventing access to sensitive patient information. User monitoring software may be employed on company-owned electronic devices, or proprietary methods based on time of day, data type or data usage may also be implemented.
Keeping company equipment in the office may be one of the strongest methods of physical security. However, it may also be almost impossible to carry out with much success. It is a constant point of debate and wonder as to where the line should be drawn. Montana residents may not be comforted by this information, as a security breach of this size may impact their medical files indefinitely.
By Andy Towle