H-ISAC Hacking Healthcare 8-25-2020 -

TLP White: This week, Hacking Healthcare is devoted to exploring the physical aspects of data security that, while sometimes easy to overlook, are no less important. This issue will examine the types of incidents members should consider, various legal and regulatory elements, the applicability of insurance, and what practical steps you can take to mitigate threats to physical data security.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

The physical aspects of data security.

When we think of data breaches, most of us think of digital threats. Our minds immediately focus on exploited vulnerabilities and malicious cyber criminals based somewhere overseas. However, when it comes to securing data from unauthorized access and improper use, there are other considerations. From well-established threats such as natural disasters, to break-ins and lootings, there are numerous physical incidents that organizations should consider when assessing their responsibility to reasonably protect sensitive data.

Aren’t these events uncommon?

While not as common as the everyday threat from malicious cyber actors, physical incidents have the potential to bring legal and regulatory burdens, and they happen more often than you might realize.

Below are just a few examples worth examining:

– Walgreens:

In late July, it was reported that roughly 180 Walgreens locations suffered break-ins during May and June.[1] Theft of prescription drugs may not be surprising, but Walgreens also reported the theft of hard drives and paper records potentially containing “customers’ health insurance and vaccination information,” as well as photo ID numbers, contact information, and address information.[2]^{, [3]}

– Cub Pharmacies:

Like Walgreens, Cub Pharmacies reported that six of its locations were looted during May. In a public notice, Cub Pharmacies acknowledged the “removal of locked safes, binders containing past prescription records, and prescription orders that were in the process of being completed.”[4] In total, they estimated that “customer names, addresses, prescription numbers, drug names, drug quantities, ordering physician names and addresses, number of refills remaining, prescription dates, and date of birth” information was compromised.[5]

– Lifespan ACE:

At a time when so many individuals are working remotely, it is also important to consider the risk associated with the theft of employee devices. In February 2017, an employee of Lifespan ACE, a not-for-profit health system based in Providence, RI, had their laptop stolen from a parked car. According to HHS, the laptop, which was used for work purposes, “was never recovered… and [the] employee’s work emails may have been cached in a file on the device’s hard drive.” Ultimately it was assessed that whoever had stolen the laptop would potentially have access to “patient names, medical record numbers, demographic information, including partial address information, and the name of one or more medications that were prescribed or administered to patients.”[6] Resolving this issue with HHS ultimately cost Lifespan ACE over a million dollars.[7]

– Natural Disasters:

Natural disasters are an unchanging reality that present a risk to the integrity of facilities while also creating opportunities for devices to be stolen or lost. This risk can come from a variety of situations, such as the required evacuation of personnel due to an encroaching wildfire or hurricane or a tornado that sweeps through a facility and leaves devices with PHI unaccounted for.

Regardless of the cause, accounting for physical risks to digital information is an essential aspect of overall cybersecurity risk management.

Action & Analysis

**Membership required**

—-SURVEY LINK HERE—-