A recent healthcare data breach at Massachusetts General Hospital underscores the need for greater transparency when it comes to cybersecurity incidents.
Cybersecurity experts describe MGH's statement on the breach as being light on details. In its announcement about the healthcare data breach, MGH stated that it is notifying nearly 10,000 individuals of a privacy incident that occurred in research programs within MGH's department of neurology. The statement said that an unauthorized third party "had access to databases related to two computer applications used by researchers in the Department of Neurology for specific neurology research studies."
The report provided no insight into how the breach occurred. David Holtzman, a health IT expert and an executive advisor for cybersecurity company CynergisTek Inc., said that leaves little for other healthcare organizations that could potentially have learned from the incident.
"Healthcare organizations should consider how their experiences can benefit the larger healthcare industry through greater transparency and sharing of information if they suffer a cybersecurity incident," he said.
A call for more transparency
MGH and its corporate parent, Partners HealthCare, have invested significantly in information security programs and cybersecurity defenses since 2011, according to Holtzman.
The effort was spurred by a settlement with the Department of Health & Human Services' Office for Civil Rights related to a 2009 data loss incident. According to the resolution agreement, an MGH employee took home documents containing the protected health information of 192 individuals. The employee left the documents on a train when commuting to work on March 9, 2009. The documents were never recovered.
MGH was charged with a $1 million fine and committed to a corrective action plan to strengthen its information security programs.
It's MGH's investment in cybersecurity plus its "good reputation in the healthcare community" that should spur the organization to be more transparent when a cybersecurity incident occurs so that other organizations can learn from the incident and strengthen their own programs, Holtzman said.
He believes details such as whether MGH has evidence that the healthcare data breach was the result of an outside attack as well as the mode of attack would be helpful for other healthcare organizations.
Presbyterian Healthcare Services breach
The lack of detail from MGH contrasts with the handling of another healthcare data breach that happened a month earlier. Just this week, Presbyterian Healthcare Services in New Mexico announced it had suffered a healthcare data breach through a deceptive email sent to Presbyterian staff in May. Presbyterian discovered the breach nearly a month later in June. The healthcare system is notifying more than 180,000 patients whose information could have been compromised.
"Was it the type of attack that overwhelmed or pretended to overwhelm the security of the enterprise information system? Was it accomplished through social engineering or an email phishing attack? Or is this the work of a malicious insider?" Holtzman questioned.
Israel Barak, CISO for Boston-based cybersecurity company Cybereason Inc., said MGH sets a high standard for cybersecurity across the healthcare industry, and if it can be breached, CIOs and other healthcare leaders should pay attention.
"This should be an indication to the healthcare industry as a whole that we really need to step up our game. Because if this is what's happening in an organization that sets the high standard, then what can we expect from organizations that look up to Massachusetts General and try to improve based on their example?" he said.
He was also struck by how long it took for MGH to discover the breach in the first place.
According to MGH's statement, the organization discovered the breach on June 24. Yet, an internal investigation revealed that between June 10 and June 16, the unauthorized third party "had access to databases containing research data used by certain neurology researchers," two weeks before the breach was discovered.
Data breaches happen frequently in healthcare, but Barak said becoming aware that a breach occurred two weeks after it happened is "a standard we need to improve."
Takeaways from MGH healthcare data breach
MGH's statement said the affected research data could have included participants' first and last names, some demographic information such as sex or race, date of birth, dates of study visits and tests, medical record number, type of study, research study identification numbers, diagnosis and medical history, biomarkers and genetic information, and types of assessments and results. The data didn't include Social Security numbers, insurance or financial information and did not involve MGH's medical records systems, according to the statement.
The MGH communications department has no further information on the healthcare data breach other than what's contained in the statement, according to Michael Morrison, director of media relations at MGH.
CynergisTek's Holtzman said all data that contains personally identifiable information should have "reasonable and appropriate safeguards to prevent the unauthorized use or disclosure of the information." Any organization handling sensitive personal information should take a risk-based approach to assessing threats and vulnerabilities to enterprise information systems, he said.
"Take the results of the risk analysis and develop a plan to mitigate and identify threats and vulnerabilities to reduce the risk to sensitive information to a reasonable level," he said.
Barak said it's a given that healthcare security systems will get breached, "but the bigger question is, how quickly and how efficiently we can recover from something that happened. What is our cyber resiliency?"