- This topic has 3 replies, 4 voices, and was last updated 4 years, 5 months ago by Ameen.
2019-10-18 at 10:51 am #14925 Saranath (Keymaster)
Please read your friend’s report and provide comments on “Are there any other preventive measures to avoid the attack?”.

Case study 5: Employee error exposed data of 16,000 Blue Cross patients online for 3 months (https://www.healthcareitnews.com/news/employee-error-exposed-data-16000-blue-cross-patients-online-3-months)

1. Provide a brief description of the story.
– Employee error exposed data of 16,000 Blue Cross patients online for three months. The breached information included names, dates of birth, diagnosis codes, provider details and information used for claim processing purposes, but no Social Security numbers, financial data or credit cards were included in the breach.

2. What is/are the impact of this data breach? Consequences of the data breach.
– The impact of the data breach is that cybercriminals can use this type of data for medical fraud. There may be identity theft, and sometimes out-of-pocket costs have to be paid per incident. The breach serves as a reminder for organizations to have proper access controls and network monitoring in place to either prevent these types of errors or to quickly detect misconfigured or improperly uploaded data.
– Consequences: there are costs of a health information breach
1. Reputation repercussions
• Loss of patients
• Loss of current customers
• Loss of new customers
• Loss of strategic partners
• Loss of staff
2. Financial repercussions
• Cost of remediation
• Cost of communication
• Cost of deductible and/or increased insurance coverage
• Cost of changing vendors
• Cost of business distraction
3. Legal/Regulatory repercussions
• OCR fines and penalties
• State fines and penalties
• Loss or re-establishment of accreditation
• Cost of lawsuits
4. Operational repercussions
• Incremental cost of new hires
• Cost of training new hires
• Cost of reorganization
5. Clinical repercussions
• Fraudulent claims processed
• Delayed or inaccurate diagnosis
• Bad data in research results

3. How did the data breach occur?
– An employee uploaded a file about 1 percent of its members to a public-facing website, and their data was exposed online for 3 months. No details were provided on whether the employee intentionally exposed the data, or whether the incident was accidental.

4. What should be the main cause of the data breach? Provide a brief explanation of the cause of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration, human error, third-party vendor error).
– The main cause of the data breach should be a HIPAA violation (if the breach was intentional) or human error/weak data security policy (if the breach was unintentional).
– Disclosure of identifiable records of medical care (“protected health information” or PHI) with patient consent is a violation of HIPAA, with certain exceptions. There is also a “public health exception,” allowing release of PHI without consent to “public health authorities and their authorized agents for public health purposes including but not limited to surveillance.”

5. How could you prevent this data breach attack?
– To prevent this kind of data breach, we need to adhere to the basic principles of fair information practices and to develop and enforce confidentiality policies that govern the handling and release of public health data. The basis of a confidentiality policy is “fair information practices.” The concept of fair information practices is built on the foundation that confidential, identifying information collected by a health organization should possess the qualities of
1) relevance,
2) integrity,
3) written purpose,
4) need-to-know access,
5) capacity for correction, and
6) consent of the individual or the community from which the information was obtained.
To minimize data breaches: keep only what we need, safeguard the data, educate/train the employees, control computer usage, and secure all the computers.
– Strong organizational policies and procedures prevent this data breach (these policies must be sufficiently comprehensive to encompass electronic information systems), and security mechanisms must be established to ensure the enforcement of those policies. Requiring two-factor authentication every time an employee logs in to the system minimizes the potential of a data breach. Two-factor authentication could be mobile authentication, smart cards or biometrics. In this data breach, the cause is unknown, either intentional or unintentional, so such a kind of data breach might happen even after a successful login with authentication. So protecting data integrity goes beyond authentication. Information must also be secured while in transit using cryptography. If the information is unintentionally or accidentally released to the public, the data can only be decrypted with a key possessed by a user.

2019-10-22 at 2:06 pm #15034 Chalermphon (Participant)
I think other ways to protect in this situation are to design and develop methods to protect the system, such as data access levels, level of use or confirmation, system error handling, and caution by popup windows.

2019-10-23 at 3:31 am #15048 tullaya.sita (Participant)
I think in this situation, the authority to access and/or upload sensitive data such as patient information should be limited to the people who are involved, and access should be granted in a one-by-one, not one-to-all, fashion. In order to upload the file, the system should have an alert box to confirm the upload with a preview of the data that is about to be uploaded (as a final reminder before release).
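As an added illustration that is not part of this thread, the following Python sketch combines two of the controls discussed above: the original report's point that organizations should quickly detect misconfigured or improperly uploaded data, and this reply's suggestion of a confirmation preview before anything is published. The sample CSV, the list of columns treated as protected health information, and the value patterns are all constructed assumptions for the example, not the policy of any real insurer, and the "second-person approval" rule is an assumed organizational control.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample export (values are made up, not from the Blue Cross case):
# the kind of file an employee might try to publish to a public-facing site.
SAMPLE_CSV = """member_id,name,dob,diagnosis_code,provider
M00123,Jane Doe,1978-04-12,E11.9,Dr. A
M00124,John Roe,1965-11-30,I10,Dr. B
"""

# Assumed "minimum necessary" policy: columns that must never reach a public site.
PHI_COLUMNS = {"member_id", "name", "dob", "date_of_birth", "ssn", "diagnosis_code"}

# Value patterns that still flag PHI when a column has been renamed.
PHI_PATTERNS = {
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "icd10_code": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class ScanResult:
    flagged_columns: List[str] = field(default_factory=list)
    flagged_patterns: Dict[str, int] = field(default_factory=dict)  # pattern -> hits
    row_count: int = 0

    @property
    def contains_phi(self) -> bool:
        return bool(self.flagged_columns or self.flagged_patterns)


def scan_for_phi(text: str) -> ScanResult:
    """Scan a CSV-style text for PHI indicators by header name and by value pattern."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    result = ScanResult()
    if not lines:
        return result
    header = [h.strip().lower() for h in lines[0].split(",")]
    result.flagged_columns = [h for h in header if h in PHI_COLUMNS]
    result.row_count = len(lines) - 1
    for line in lines[1:]:
        for name, pattern in PHI_PATTERNS.items():
            hits = len(pattern.findall(line))
            if hits:
                result.flagged_patterns[name] = result.flagged_patterns.get(name, 0) + hits
    return result


def preview(text: str, max_rows: int = 3) -> str:
    """Build the 'final reminder' shown before release: the header, the first
    rows, and which columns/patterns were flagged."""
    scan = scan_for_phi(text)
    lines = [ln for ln in text.splitlines() if ln.strip()][: max_rows + 1]
    out = ["--- release preview ---", *lines,
           f"rows: {scan.row_count}",
           f"flagged columns: {', '.join(scan.flagged_columns) or 'none'}",
           f"flagged patterns: {scan.flagged_patterns or 'none'}"]
    return "\n".join(out)


def publish_gate(text: str, destination_public: bool,
                 approver: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a file may be released. A public destination carrying PHI
    is refused unless a named second person has approved this specific release."""
    scan = scan_for_phi(text)
    if not destination_public:
        return True, "internal destination"
    if not scan.contains_phi:
        return True, "no PHI indicators found"
    if approver:
        return True, f"PHI present; release approved by {approver}"
    return False, "PHI indicators found; second-person approval required"


def audit_public_files(files: Iterable[Tuple[str, str]]) -> List[str]:
    """Detection side: run the same scan over (name, content) pairs already on the
    public web root and return the names that should not be there."""
    return [name for name, content in files if scan_for_phi(content).contains_phi]


if __name__ == "__main__":
    print(preview(SAMPLE_CSV))
    print(publish_gate(SAMPLE_CSV, destination_public=True))
    print(audit_public_files([("index.csv", "id,total\n1,5\n"), ("export.csv", SAMPLE_CSV)]))
```

The same `scan_for_phi` function serves both sides: as a gate in the upload path it refuses a public release that carries PHI-like fields unless a second person approves, and run periodically over the files already on the public web root it gives the "quick detection" the report calls for, so a file that slipped through is found in hours rather than months.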

2019-10-23 at 9:28 pm #15072 Ameen (Participant)
Human error is the hardest to manage. Besides creating regulations/guidelines to control practices, there should be internal and external data auditing for additional prevention. Also, an organization must make sure employees understand the minimal good practices for data protection by testing them. A few months ago, my company implemented an online course on data protection for all employees worldwide, as it has to follow the new European data protection regulation, GDPR, since May 2018. The course is multi-module, composed of principal lecturing and multimedia on scenarios. All are made in simple words and storytelling so they are easy to understand. After each module, there is a test. All employees must pass all tests.