And it’s a scenario that could easily happen to your dental practice.
It seems everywhere we turn these days, we’re learning about organizations that have suffered from data breaches which compromise individuals’ personal and private information.
A report by Check Point Software Technologies has found that cyberattacks targeting healthcare organizations and hospitals in Canada increased significantly since 2020. This information should be concerning to anyone running a healthcare practice.
Although it’s never a good thing when these happen, it’s important to review the details of these breaches and learn from them, so similar events can be avoided in the future.
Today we’re going to look at the circumstance of one such incident that occurred at the Saskatchewan Health Authority, and how it highlights the importance of training as well as enforcement of security and information technology policies.
So, What Happened?
In December 2019, the Saskatchewan Health Authority experienced a large scale data breach, one of the largest recorded of such incidents for the province.
The breach affected as many as 50 million files, 5.5 million of which were believed to contain personal information or personal health information.
At least 547,145 patient files which held personal health information were stolen or exposed to malware, from the Saskatchewan Health Authority, eHealth, and the ministry of health, but they were unable to determine which specific files were affected.
Approximately 40 gigabytes of data was taken from the network and sent to computers located in the Netherlands and Germany, and servers were locked from use through encryption.
Hackers demanded money in return for releasing encrypted data, however eHealth Saskatchewan said they would not be engaging in negotiations with the attackers.
Files were taken between December 19, 2019 and January 5, 2020 but the breach was not discovered until January 21, 2020.
This leads to a few questions: how did this happen? Why was the breach not discovered sooner? And could this have been prevented?
So let’s dig in.
How Did This Happen?
The Saskatchewan Health Authority reported this breach originated from an employee who opened an attachment on their personal device that contained malware.
The device had been plugged into their workstation to charge with a USB cord.
Even if an organization has robust security in place for computer terminals and other devices owned by the organization, it’s not uncommon for personal devices to fall short in these areas.
Although the employee had been trained on privacy related issues, it came to light during an investigation that they had not been trained in the Saskatchewan Health Authority’s Acceptable Use of Information Technology Assets policy.
Furthermore, although this individual had previous warnings regarding this sort of behaviour on file, these incidents do not seem to have been taken seriously by their superiors.
This shows the need for organizations to not only develop clear policies for use of technology but to ensure all employees have been adequately trained in these issues to avoid these types of incidents.
It also highlights the importance for managers and supervisors to take behaviour which violates these policies seriously.
This type of problem is universal.
If you walk through any dental or medical practice you’re bound to see personal devices plugged into practice computers. They just don’t know any better, and sadly many practices don’t set out policies for this sort of thing.
Anne Genge CIPP, CHISP
Could This Have Been Prevented?
An investigation into the attack found several opportunities where the ransomware may have been detected.
The breach prompted calls for an independent review of the governance, management, and program of the health authority, as well as an in-depth review of their security protocols.
Even though the start of this incident was traced to a particular individual and workstation, it seems that there were multiple opportunities for vulnerabilities within the system.
It was determined eHealth did not provide satisfactory alerting of the attack, and patient data contained on workers’ laptops and phones had not been fully and properly secured. Regular risk assessments in this scenario, just like in dental and medical practices can finds the gaps and help mitigate risk
Furthermore, up to 80 percent of the laptops with access to the network were found to be not encrypted against malicious activity, and only fifty percent of employees had up-to-date security awareness training.
The audit also found many of the eHealth systems in the province didn’t have adequate disaster recovery plans in place.
All of these are examples of areas which, had they been dealt with appropriately ahead of time, could have helped mitigate this risk.
The Saskatchewan Health Authority attack shows the need for not only strong policies regarding use of technology, but also training on those policies and follow up when they’re broken.
Dental practices can get the training they need from a new specialized online training academy called Myla which launches this summer 2022.
I can help.
Do you want to ensure your information technology and security policies and procedures are air tight, and take into consideration as many aspects of potential risk as possible?
Would you like to have an expert do a review and help find any blind spots you may have missed?
Or maybe you feel like your policies are solid, but you want to ensure your staff are well trained and have a strong understanding of security and technology issues.
Do you need help implementing best practices to ensure the confidentiality and integrity of your patient information?