Jul 27 2017

Data Breaches: Not Statistics, Personal Lives

Today, NBC10 interviewed Layer 8 Security to provide subject matter expertise on the breach affecting Women’s Healthcare Group of PA, one of the largest OB/GYN practices in the region. The news piece was well done; in addition to laying out the facts, the interview focused on the husband of one of the victims.

2017-07-25 Security Breach at Women’s Health Care Group of Pennsylvania

They highlighted the human factor.

Behind the headlines about companies being breached, real people are affected by stolen personal information. In the interview, the husband raised serious issues about the data breach:

“If a doctor’s office is going to ask for this type of information they should have it encrypted.”

“It was a little infuriating.”

“It concerns me that it took them that long [to notify us].”

Breaches have become so commonplace that we are seeing what appears to be “Breach Fatigue”.

Every day, we read news stories that show – 30,000 records stolen; 100,000 financial reports; 3,000,000 accounts and on and on. These aren’t mindless statistics. These are real people’s lives that are being affected. People have become numb to these numbers and the inconvenience of changing accounts, credit cards, doctor’s offices, etc. But it’s only getting worse.

We get asked all the time, “Should we give all our personal information to our doctor/lawyer/accountant?” The answer is “Yes, but... Give the amount required for them to perform the service needed, and then ask the important questions.” As the customer, it is your obligation to ask the Practice about their data protection methods. Ask specific questions about their cyber compliance program, their cyber awareness training, their data protection policies and the technology they use.

Professional Practices Don’t Shoulder 100% of the Blame – It’s Complicated

This is a business model we used to take for granted. We used to assume that our Medical Professionals knew how to care for us, as well as our medical records. Today, defending our privacy is exhausting. The attackers are hitting every business in America hundreds or thousands of times per day. They can send waves of attacks, and they only need to penetrate once. On the defense, the entity must be resilient every time. This is a hard game to play. New tactics appear day to day, and there is no way of knowing exactly which direction the threat is coming from.

Businesses have a lot to learn, but so do we as consumers. It is our responsibility to drive our own security. Work with your respective Practice. Asking them reminds them they have accountability. They don’t want to end up in the headlines, trust me.

NOTE: No business is ever completely insulated from the possibility of a breach. WHCGPA did several things right here as well: notifying federal authorities, using forensics investigators, and publishing this letter for wide dissemination. http://www.whcgpa.com/notice-of-security-breach-incident.html