Healthcare breach

XXXXX
YYYYY
ZZZZZZ
November 20, 2016
Abstract: None Requested
Healthcare Breach: Jacobi Medical Center NYC
What Went Wrong
This data breach occurred in December of 2011 when thieves hijacked a courier van carrying computer backup tapes from the Jacobi Medical Center to a secure location. These tapes contained private data for 1.7 million patients, vendors, staff, and contractors. This data ranged in dates from 1991-2010. The stolen data contained all the pertinent identifiers and information used to commit identity theft (Rashid, 2011). This information was not in text format, and not easy to get to unless the thieves are experienced in data mining. NYC is putting legislation in place to take effect in January 2017 and named house bill A10475. Assemblyman Jeffrey Dinowitz who states, “New York’s data breach notification law needs to be updated to keep pace with current technology,” commented on the legislation. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.” Jacobi took most of the allotted sixty-day time frame to notify customers of this data breach (Snell, 2016).
All hospitals must keep abreast of new advances in cybersecurity to prevent criminals from gaining access to private health information. The hospital did not encrypt the files on the backup tapes. That was a near fatal error for the hospital. The contractor driving the van in question left the van unlocked while collecting other tapes from a different site in Manhattan.

That was a gross human error, and the hospital fired this contractor and ended the contract. Jacobi supplied each victim with anti-fraud and credit monitoring. Jacobi offers to pay for any damages due to this breach. They also set up Customer service centers in the hospital to assist those affected by this breach. Prevention is cheaper than damage control, and the hospital is very concerned about the final cost of governmental fines and litigation that could take years to resolve. Every hospital entity must apply diligence to keep breaches from happening, but it is the human element, that causes most of the damage. Up to date policies and procedures can prevent the data breach from happening.
Prevention
The administration should have taken steps to have the data encrypted before the tapes leave the hospital. The use of additional armed security to ride along with the driver to ensure proper protocol is crucial. Each member of the security team must take the proper precautions to contain possible breaches. An additional security measure is necessary for a more thorough investigation in the hiring of contractors to deliver encrypted data tapes in the future, as most data breaches are human caused.
Recommendations
The hospital has stepped up with an encryption process during the scheduled backups. Higher security for transporting these backup tapes is critical. They should have armed personal security escort the van to the proper location for data storage. The hospital should reanalyze all security systems currently in place to identify any future weakness that could be exploited. Then redesign the system to prevent future breaches. Each section of the hospital IT technology infrastructure should be investigated regularly to identify problems before they become a breach. Each employee should have regular security training to understand the ramifications of any breach, and ways to prevent it.
The main goals in cybersecurity are the CIA Triad (Confidentiality, Integrity, and Availability) that provide a secure policy that limits accessibility to data sources that hold private health data for a hospital’s customers. It must require employees to use a two-step method for validating a user identity in order to access this data. In this case, extra attention to how the data is extrapolated is also crucial. Next, the security consistency is critical in the prevention of future breaches by attaching file protection and user access protocols to maintain the integrity of these files that contain PHI (Private Health Information). Third, is the frequent maintenance of both hardware and software platforms within the hospital systems in order to provide availability for all approved users and prevent breaches (ITE, 2016). It is imperative to use updated Internet malware and virus infection prevention with the frequent use of scanners. The FDA (2013) recommends, “Healthcare facilities and medical device manufacturers safeguard data to reduce the risk of cyber attacks due to malware.”
Conclusion
All healthcare entities that use information technology to access, store, and transfer data must put stringent security procedures in place to prevent future breaches. This requires recurrent analyzation of protocols and regular training for all involved in data transfers. Every system involved must be maintained by regular upgrades of all firmware and software revision levels that include office equipment and of course the users of sensitive materials. Cybersecurity is everyone’s concern and training users to prevent breaches is critical. In the case of the breach mentioned above, internal mechanisms would not have helped, since the breach occurred outside the facility. The IT system should be secure at all times. It is usually human error, which allows a breach to happen. Regular training is imperative for successful breach prevention.
References
Food and Drug Administration- FDA Cybersecurity for Medical Devices and Hospital Networks:
FDA Safety Communication (2013) Retrieved from
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
Information Technology Encyclopedia – ITE (2016) CIA Triad Definition Retrieved from
http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
Rashid, F.Y., (2011) NYC hospital Data Theft Affects 1.7 Million Patients, eWeek
Retrieved from
http://www.eweek.com/c/a/Security/NYC-Hospital-Data-Theft-Affects-17-Million-Patients-282182
Snell, E., (2016) Proposed NY Data Breach Legislation Accounts for PHI Security Health
IT/Security Retrieved from
http://healthitsecurity.com/news/proposed-ny-data-breach-legislation-accounts-for-phi-security