Medicaid was hacked, and over 181,000 medical records and 25,000 Social Security numbers were stolen. I was speaking with Marc Silverman when we got the alert about the incident, and we had an interesting conversation on the subject. This is what Marc had to say:
“I really wouldn’t want to be in DTS’s shoes right now. It’s bad enough to have any kind of breach, but it’s particularly concerning when one occurs due to a configuration error. Out of the multitude of ways to breach a server, configuration errors are one of the easily preventable attack vectors if you perform vulnerability assessments.
In this case, if DTS did not perform a vulnerability assessment of the server before placing it into production, then DTS’s SDLC is suspect and could be viewed as willfully negligent considering that they are required to comply with PHI laws, especially HIPAA. If DTS did perform a vulnerability assessment, was made aware of the vulnerability, and still went ahead with deploying the server, then DTS is again willfully negligent.
About the only scenario where DTS would not be immediately willfully negligent is if the vulnerability assessment of that server was insufficient in extent and rigor to detect the vulnerability so that DTS wasn’t aware of the issue.
If that is the case, how much do you trust any of the other servers managed by DTS?”
A couple of years after the BlueCross BlueShield of Tennessee hard drive theft, the healthcare company settled for $1.5 million over the HIPAA violations.
In 2009, BCBCTN had 57 hard drives stolen from a data storage closet in Chattanooga. Adding the extra costs the company had to spend on investigation, notification and protection efforts after the breach, the total comes to around $17 million.
With the $1.5 million settlement on top of that, each hard drive works out to a value of $324,561. Talk about an expensive breach!
What could BCBCTN have done to prevent the breach? A few physical security tests and better security awareness training might have kept the drives from being stolen. Or maybe it would have been best to have a risk assessment performed (and definitely one after the breach!).
What do you think? Does that price tag scare you? It should!
Healthcare IT Security
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.