Last week, a Indiana medical firm saw a massive medical data breach that extended throughout the entire U.S. Per online reports, possibly 4 million people in more than 230 hospitals and other healthcare organizations were affected by the breach, which occurred in May of this year.
Hackers stole protected health information that included:
“patients’ names, mailing addresses, email addresses and dates of birth … additional information stolen included Social Security Numbers, lab results, dictated reports, and medical conditions.”
It’s the type of data that sells at a premium in online black markets that, admittedly, are just flooded with such information (and that premium shows how much more in demand detailed medical info happens to be). Needless to say, the company that got hacked – Medical Informatics Engineering (MIE), providers of the NoMoreClipBoard EHR system – went into full damage-control mode, as did its clients.
Where’s the Security?
Despite the disastrous results that MIE is seeing, it appears that the company had been as proactive as possible when it comes to data security. For one, they uncovered the breach internally, which contrasts with the many companies who become aware of a data breach only when a third party (like the FBI) gets in touch with them.
Also, forensic analysis shows that the breach took place as early as May 7 and was discovered in May 26. While two-and-a-half weeks is an eternity in internet time, it’s also not a bad performance from overworked IT staff (that’s not to say that it couldn’t be better).
Of course, if data encryption had been used to protect the information, retrieving useful information would have been harder for whoever hacked MIE. But, encryption was probably not a viable option for the company. The thing to understand about encryption is that it protects data when that data is not being used. (If that’s news to you, just give it some thought: encryption works by scrambling information. In order for a legitimate user to work with encrypted data, it has to be unscrambled first; that is, the information is not encrypted).
Now, seeing how medical organizations may need to access patient info in any given 24 hours, MIE would have no option but to ensure that medical information is always accessible. Ergo, it cannot be encrypted, at least not for live databases, which is what the hacker or hackers targeted – the story is different for data going into semi-permanent storage, obviously.
Encryption is Appropriate in Many Cases
Despite what appears to be a terrible flaw regarding cryptographic security, the truth is that encryption is an excellent way to protect data. After all, there’s a lot of data out there that’s “not being used”: when you’re not interacting with your smartphone, for example, the contents of your mobile device are data that’s not being used.
Same goes for when you’re transporting your laptop to and fro from work – it’s data that’s not being used. (Seriously, you’re not one of those types that uses one of these steering wheel trays while driving, right?)
The list of devices that hold data that’s not being used (at least a good chunk of the time) is huge: smartphones, external hard disks, small USB flash drives, laptops, backup tapes, tablet computers, data discs, etc. For such devices, encryption is not only an appropriate method for protecting the data, it’s considered one of the best (and in some circles, the best).
It’s just a matter of knowing when to use it.
Related Articles and Sites: