Due to the actions of a vendor, AmediCanna, a cannabis dispensary in Halethorpe, Maryland, suffered a potential data breach. While at first blush it seems to be a joke that can write itself, the reality is this breach is no laughing matter. For businesses that handle confidential medical records, a HIPAA-related breach can have serious financial consequences.
HIPAA Compliance
One alarm we have been ringing at Dresner is the importance of data security: specifically, that businesses evaluate how they manage and protect their customers’ data. This responsibility carries particular weight with regard to HIPAA compliance. Many Maryland businesses fail to recognize that even though they are not hospitals or other ‘traditional’ medical institutions, if they handle patient information, they must be HIPAA compliant.
HIPAA Compliance and Windows 7
Before we continue, let’s take a moment to discuss Windows 7. Now that Windows 7 has reached the end of its life, the software is essentially no longer supported. If your business is still using Windows 7, you cannot be HIPAA compliant. HIPAA regulations require that software involved with patient data must be updatable to address new cyber threats. Using any computers running Windows 7 in conjunction with your patient data (even if the computer is just a print server on the same network) renders your business non-compliant with HIPAA. If you still have computers running Windows 7, contact Dresner Group today to develop a plan to bring your business back into HIPAA compliance.
HIPAA is for More Than Hospitals
Cyber attackers are constantly searching for opportunities to compromise data, and medical records are some of the most desired. Hackers exploit security gaps left by businesses that don’t realize the value of the data they are maintaining and don’t protect it accordingly. As Maryland’s IT support experts, we strive to share best practices with the business community, including informing them of their risk. For example, we recently discussed what businesses can learn from the dentists who suffered under the REvil malware attacks, and we pointed out that Maryland veterinarians are at risk of cyberattacks.
Part of the reason these businesses are targeted is that, in addition to the data they handle, there is a misunderstanding about the level of risk they face. This misunderstanding is partly due to HIPAA education efforts focusing on hospitals, which leaves other types of businesses with the impression that they aren’t targets, even if they handle patient data.
With this false sense of security, many businesses, in particular smaller businesses, don’t realize that they are targets for hackers. This misunderstanding causes them not to beef up their security, allowing bad actors the opportunity to target them and their data. This brings us back to the THSuite data breach that affected the dispensary in Halethorpe, where, by all available information, best practices for securing the data simply weren’t followed.
What makes this breach so disconcerting is that it wasn’t due to a brute force attack from a master cybercriminal. As in other recent data breaches, the cause was a failure to follow best practices for cybersecurity. In this instance, at least 30,000 medical records were left unsecured and unencrypted in Amazon’s Simple Storage Service (Amazon S3), accessible from a web browser.
For businesses in Maryland, your responsibility to protect client data is taken very seriously. If your business must be HIPAA compliant, a breach of this magnitude can result in fines of up to $50,000 for each exposed record, and we haven’t even touched upon Maryland’s Notification Law. Depending on the size of your business, a data breach can be enough to shut it down.
Compromised Data is No Laughing Matter
Let’s consider the information the hackers may have stolen and how it may affect the victims. The data leak exposed:
- Full names
- Phone numbers
- Email Addresses
- Dates of Birth
- Addresses
- Medical Information
- Photo IDs (including Government issued)
This data gives hackers and scammers the ability to mount incredibly elaborate and personalized phishing attacks, such as spear phishing, not just against the individuals whose data was compromised but also against those individuals’ organizations. The photo IDs acquired in the breach, combined with the personal information also acquired, could easily lend themselves to identity theft. What’s your identity worth to you? The level of information found in this breach can have a wide range of long-term consequences for the victims.
Three Basic Steps To Protect Your Data
THSuite and other third-party organizations that suffered data breaches previously could have prevented the hacks had they followed a few basic security measures. These measures include:
- Use of two-factor authentication
- Having a clear idea of who has access to sensitive data
- Never leaving an unsecured system accessible to the internet
As noted, these are basic measures to enact, and here are some ways to do so:
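The article gives no code for these measures, so the following is an added example (not material from Dresner Group, THSuite or the dispensary) of how the third measure, never leaving an unsecured system accessible to the internet, and the second, knowing who has access to sensitive data, can be checked against the kind of S3 bucket configuration involved in the breach described above. It evaluates the bucket policy and ACL documents statically, in the JSON shapes that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return; the bucket name, IAM role and account ID in the samples are constructed placeholders, not values from the incident.

```python
"""Static exposure check for an S3 bucket's policy and ACL (added example).

Answers the reviewer's question before any records land in the bucket:
does anything here grant read access to everyone on the internet?
Assumes the standard S3 policy/ACL JSON shapes. The sample documents are
constructed; bucket name, role and account ID are placeholders.
"""
import json

# Grantee URIs that mean "everyone" (or "anyone with any AWS account") in an ACL.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller fetch or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_matches_read(action):
    """True if the action, or its wildcard form such as s3:Get*, covers reads."""
    a = action.lower()
    if a in READ_ACTIONS:
        return True
    if not a.endswith("*"):
        return False
    return any(r.startswith(a[:-1]) for r in ("s3:getobject", "s3:listbucket"))


def public_statements(policy_json):
    """Return the Sid (or index) of every statement granting anonymous read.

    A statement is flagged when Effect is Allow, the Principal is everyone,
    an Action covers reads, and no Condition narrows the grant (a conditioned
    statement may still be too broad, but it is not open to all).
    """
    policy = json.loads(policy_json)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        if any(_action_matches_read(a) for a in _as_list(stmt.get("Action", []))):
            flagged.append(stmt.get("Sid", f"statement[{idx}]"))
    return flagged


def public_acl_grants(grants):
    """Return the permissions an ACL hands to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def bucket_is_exposed(policy_json, grants):
    """Single verdict: exposed if either the policy or the ACL opens reads."""
    return bool(public_statements(policy_json)) or bool(public_acl_grants(grants))


# Constructed sample: the weak configuration (anyone may fetch any object).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-records-bucket/*"}]})

# Constructed sample: the corrected configuration. Reads are limited to one
# named application role, and any request not using TLS is denied outright.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-records-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-records-bucket",
                  "arn:aws:s3:::example-records-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print("weak :", public_statements(WEAK_POLICY), public_acl_grants(WEAK_ACL))
    print("fixed:", public_statements(FIXED_POLICY), public_acl_grants(PRIVATE_ACL))
```

Running it reports `PublicRead` and the `READ` grant for the weak configuration and nothing for the fixed one. In practice the blunt control is S3 Block Public Access at the account level, which stops the weak policy from being attached at all; a check like this still earns its place in a review pipeline because it names the exact statement or grant that opens the bucket, and the allow-list in the fixed policy is a concrete answer to "who has access to this data". The TLS deny only covers encryption in transit; encryption at rest is a separate bucket setting.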
As you can see, best practices for data security don’t have to be an impossible goal. In fact, they are easily attainable, but you must take data protection seriously. For more information about HIPAA or how we can strengthen your data security, call us today at 410-531-6727. We can also clarify the specifics for HIPAA compliance and present best practices for secure data transfers for your medical practice.
If you're not in a HIPAA-regulated industry, data protection is important to your business too, especially as a Maryland business. Dresner Group supports a range of industries and can provide you with the IT services you need, allowing you to serve your customers and grow your business.