A security breach is an unintentional or intentional release of confidential information to an untrusted organization or person. Typically, it involves an application or an individual unlawfully entering a private or unauthorized logical IT perimeter. This phenomenon is also called a data leak. According to Robbins & Sechooler (2018), more than 700 data breaches transpired in 2015, and the largest breach exposed over 200 million personal records to fraud and theft. The security breach at the Anthem insurance company was the largest healthcare breach ever recorded. It exposed sensitive information such as social security numbers, birth dates, and home addresses, among other personal information, of more than 70 million Anthem members (Martínez-Pérez et al., 2015). This phenomenon reflects the importance of protecting data, not only in healthcare but also in other organizations. This paper summarizes and analyzes two cases of data breaches and subsequently provides a data security plan for a small healthcare setting.
Office of Civil Rights
In 2018, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) experienced a significant data breach. HHS confirmed that a phishing email was circulating on a fake HHS departmental letterhead bearing the signature of the director of OCR, Jocelyn Samuels (HHS, 2016). The emails looked like official governmental communication, and they were aimed at employees of HIPAA covered entities and their business associates. Moreover, the email encouraged recipients to click on a link that promised them inclusion in the HIPAA Privacy, Security, and Breach Notification Audit Program (HHS, 2016), yet the link directed users to a nongovernmental website.
This scenario posed a significant threat to the recipients of the link and to the OCR. Personal information of over 110 million users was exposed to cybercrime threats, which risked both data and financial loss. The perpetrator used the director's signature as a tool to persuade users to follow the link. The organization should have employed several approaches to reduce the threat.
First, the director of OCR should have a robust signature that is not vulnerable to forgery. The phishers were able to forge the director's signature because it was not as strong as it should have been. Also, the HIPAA Privacy, Security, and Breach Notification Audit Program should have an effective communication protocol. A secure protocol would have reduced the threat, as fewer users would have been tempted to follow a fake link. Moreover, every user should have made an inquiry to the legitimate organization whenever the communication protocol appeared to change. This strategy would have reduced the risk of falling victim to phishers.
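The following is an added illustration of the check a recipient or mail filter could apply to the audit-program lure described above: it ignores the letterhead and display name and inspects only where the sender address and the embedded links actually point. It is hypothetical code, not from HHS or the cited sources; the trusted-domain list and the sample message are constructed assumptions.

```python
"""Flag an email that claims to come from HHS but links or originates elsewhere.

Hypothetical example; the allow-list and SAMPLE message are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: genuine HHS/OCR notices originate from, and link only to, hhs.gov.
TRUSTED_DOMAINS = ("hhs.gov",)

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if host equals a trusted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze(raw_email: str) -> dict:
    """Check the sender's real address domain and every link target in the body.

    The display name and letterhead are not evidence of origin, which is exactly
    what the fake audit notice relied on; only the actual domains are judged.
    """
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    links = URL_RE.findall(body)
    bad = [u for u in links if not host_is_trusted(urlparse(u).hostname or "")]
    return {"sender_trusted": host_is_trusted(sender_domain),
            "suspicious_links": bad}


# Constructed sample modelled on the lure: HHS-style subject, non-HHS sender
# and a "confirm participation" link that leaves the government domain.
SAMPLE = """\
From: "Office for Civil Rights" <audit-notice@hhs-audit-program.example>
To: privacy.officer@clinic.example
Subject: HIPAA Privacy, Security, and Breach Notification Audit Program

Your organization has been selected for inclusion in the audit program.
Confirm participation here: http://hipaa-audit-program.example/confirm?id=1
Program overview: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```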
Uber
Uber Technologies is a ridesharing organization that suffered a security breach by hackers. According to Robbins & Sechooler (2018), hackers stole the personal information of over 50 million drivers and customers. The hack was achieved by two outsiders who gained access to the company's information through a third-party cloud-based server that the company uses. The perpetrators managed to download 16 large files as well as records of 35 million users globally. Also, up to 3.7 million drivers were affected by the situation (Robbins & Sechooler, 2018). Moreover, the company discovered the security breach in 2016, but it did not report the incident; instead, it waited for almost a year.
The incident posed a significant threat to the personal information of the victims. The hackers stole the names and driving license numbers of over 600,000 drivers in the United States. Moreover, the personal information of about 57 million ridesharing customers was stolen and exposed to all manner of fraud (Robbins & Sechooler, 2018). Hackers exposed sensitive information such as names, emails, and addresses of the customers. Also, the company itself was under threat, as its forensic experts could not find any history showing whether credit card numbers had been downloaded.
Two major factors caused the security breach. According to Kiel, Ciamacco & Steines (2016), the inadequate information security of Uber Technologies posed a high risk of a data breach. Moreover, the company's decision not to disclose the attack exacerbated the security breach. The company paid the hackers as per their request instead of revealing the situation responsibly. Furthermore, the company did not notify the affected users about the situation, and this heightened the vulnerability of the users whose personal information had been deliberately acquired.
The company could have minimized the threat in several ways. First, the company could have informed the affected ridesharing users, drivers, and the government about the situation. Informing the victims and the government would have offered a better opportunity to protect the victims' information once they were aware. The organization would also have followed an ethical procedure in dealing with the data breach. Most importantly, the organization should have had strong information security to reduce the chances of its data being hacked successfully.
Security plan
Educate healthcare employees in the proper handling of data devices. A simple human error can yield hazardous and costly consequences for a healthcare institution. Training employees equips them with the necessary knowledge for the proper handling of sensitive data on various devices.
Setting a strong password regularly. Passwords are vulnerable, and obtaining one means gaining access to users' confidential information. Setting robust passwords regularly would reduce the chances of perpetrators accessing patient data.
Employing a firewall. Firewalls monitor incoming and outgoing network traffic based on the security rules programmed by the healthcare organization.
Initiate data encryption. This is one of the most critical methods of protecting healthcare information. Encrypting data in transit and at rest makes it more difficult for perpetrators to decode patient information.
Embracing physical and administrative safeguards in healthcare. Physical measures, procedures, and policies focus on protecting a covered entity's electronic information systems, together with the related healthcare buildings and equipment, from unauthorized intrusion.
Employing health information archival and retrieval systems. These systems facilitate healthcare record-keeping, information dissemination, data tracking, data analysis, and data indexing.
Initiating disaster recovery in the healthcare system. This involves a set of tools, policies, and procedures which enable recovery of systems or information after a security breach.
Introducing cloud computing in healthcare. Cloud security consists of procedures, policies, and tools which work in unison to protect the cloud-based systems, infrastructure, and data of a healthcare system.
Using mobile devices to deliver healthcare. A healthcare system can employ mobile devices to carry out patient record-keeping. Mobile devices are handy for recording information, and they present a patient's history and information with minimal errors.
Security plan analysis
Although the majority of the outlined security strategies are effective, some have weaknesses. First, data encryption and firewalls are among the stronger ways to achieve data security in a healthcare system. Firewalls can sense and report malicious activity in the network of a small healthcare setting, while data encryption reduces the chances of perpetrators decoding patients' information. Moreover, health information archival and retrieval systems and disaster recovery are strong security strategies, because health archives aid in data tracking and data analysis while disaster recovery aids in regaining lost information. As is apparent from the arguments provided, these strategies improve healthcare security significantly.
Nevertheless, strategies such as the use of mobile phones in delivering healthcare and the changing of passwords have weaknesses. Mobile phones are very vulnerable to security threats because of the ease with which information can be extracted from the devices. Using them to deliver healthcare puts patient information at risk. In addition, changing passwords cannot entirely prevent a security breach, because perpetrators often do not depend on passwords to accomplish cybercrime. Moreover, mobile devices are prone to human error, because users can easily forget passwords or miss critical patient information. Apart from the strategies outlined in the security plan, installing antivirus software on healthcare devices is a critical security strategy, because the antivirus can identify malicious emails or links and caution healthcare users against them in order to maintain data security.
References
HHS. (2016, November 28). HIPAA Privacy, Security, and Breach Notification Audit Program. Retrieved from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Kiel, J. M., Ciamacco, F. A., & Steines, B. T. (2016). Privacy and data security: HIPAA and HITECH. In Healthcare information management systems (pp. 437-449). Springer, Cham.
Martínez-Pérez, B., De La Torre-Díez, I., & López-Coronado, M. (2015). Privacy and security in mobile health apps: A review and recommendations. Journal of Medical Systems, 39(1), 181.
Robbins, J. M., & Sechooler, A. M. (2018). Once more unto the breach: What the Equifax and Uber data breaches reveal about the intersection of information security and the enforcement of securities laws. Criminal Justice, 33(1), 4-7.