A hospital in Missouri faces a lawsuit after a medical records breach occurred as a result of an email phishing scam, something that’s difficult to protect against within healthcare organizations, according to a security expert.
In January, Children’s Mercy Hospital in Kansas City, Mo., notified 63,049 individuals who were potentially affected by the medical records breach, according to Jake Jacobson, Children’s Mercy director of public relations.
An investigation led by the hospital determined that the mailbox accounts of four of five affected employees had been downloaded by unauthorized individuals. According to the notification, information accessed during the incident varied by individual, but could include information such as medical record number, first and last name, date of birth, gender, age, height, weight, body mass index, admission and discharge date, procedure date, diagnostic and procedure codes, demographic information, clinical information, conditions and diagnosis, and other treatment information and identifying or contact information.
Fight back with email screening tools
Security expert Larry Ponemon said a number of healthcare providers are particularly susceptible to phishing scams because cybersecurity is not their “highest priority” and they often lack a “good governance process” for controlling data access. Ponemon is the founder of Ponemon Institute, which studies data protection and information security.
“It seems like the healthcare industry, healthcare providers [are] the most vulnerable relative to the industries we study,” Ponemon said.
Within the healthcare industry there’s “not really a great technology that could identify a phishing email,” Ponemon said. He noted that implementing employee training and installing email screening tools that scour incoming emails, attachments and embedded URLs to identify potential phishing attacks could go a long way toward keeping such incidents at bay.
“A lot of phishing scams I’ve seen have not been all that difficult to see,” Ponemon said. “If you look at the information, read the link, you can guess with about 90% accuracy that basically this is not real and [is] likely to be a phishing email. But people in healthcare are under a lot of pressure, so when they get an email they don’t necessarily stop and check the terms in each email.”
Additionally, Ponemon said healthcare organizations often operate a “flat network,” instead of having layers, meaning when something happens in one device, it can spread very quickly to multiple devices, which he described as a “lateral infection.”
“Malware infections on one system can actually touch hundreds or even thousands of systems in the world of IoT; in healthcare everything is about an IoT device,” Ponemon said. “That’s why it’s easy for bad stuff, malware, phishing scams, to spread quickly.”
Jacobson, with Children’s Mercy, said the hospital has taken steps to protect against further incidents, including implementing multifactor authentication as an additional technical control. Additionally, the hospital has set up a call center and informational webpage to provide answers to families who might have been affected and is offering free identity theft protection to those families.
Medical records breaches not new
The lawsuit against Children’s Mercy Hospital was filed by the firm McShane & Brady in July. Attorney Maureen Brady said the firm would like to see medical records breaches stopped.
“It’s very hard because you can’t unring that bell,” Brady said. “Once the information is out, it’s out forever; you can’t get it back … the anxiety and embarrassment and humiliation that goes along with this type of disclosure is astronomical.”
The threat of a medical records breach occurring is not new to the healthcare community. Though 2017 saw fewer massive health data breaches compared to 2016, 5.6 million Americans suffered from a medical records breach, an average of at least one medical records breach per day throughout the year, according to data released last year by Protenus.
In addition to the newly filed lawsuit, Children’s Mercy Hospital has faced other lawsuits in the past for medical records breaches.