A ransomware attack occurring on January 13 affected up to 100,000 eyecare patients. The Arizona eyecare breach targeted Cochise Eye and Laser, maliciously encrypting their patients’ files. More details are discussed.
Cochise Eye and Laser Eyecare Breach
Cochise Eye and Laser runs three eyecare medical offices in Arizona, treating thousands of patients. On January 13, 2021, Cochise Eye and Laser was targeted by a ransomware attack that compromised their billing and scheduling medical practice software. Upon gaining access to the medical practice software, the hackers maliciously encrypted the files so that Cochise could not access patient files.
Although there was no evidence that hackers stole the affected files, in some cases they altered and deleted patient files during the medical practice software data breach.
As a result of the eyecare medical practice software data breach, Cochise was forced to rely on paper charts. Additionally, they have had to reschedule follow up appointments for all patients seen after January 1, 2021 as they cannot determine when patient appointments were originally scheduled.Â
Protected health information potentially accessed during the eyecare breach included patient names, dates of birth, addresses, phone numbers, and in some Social Security numbers, as this information was stored in their billing software.
Cochise is currently working on improving their cybersecurity by implementing increased security measures to prevent medical practice software data breaches. They are also in the process of restoring data and implementing new offsite data backup.
How to Prevent Breaches
There are several ways in which healthcare organizations can increase their overall security and prevent medical practice software data breaches, many of which are HIPAA requirements.
Risk Assessments and Remediation Plans
Risk assessments are arguably the most important part of determining the overall security health of an organization. Conducting a risk assessment allows for vulnerabilities in an organization’s safeguards to be identified. As a HIPAA requirement, healthcare organizations must conduct annual risk assessments to account for changes in business operations.Â
Additionally, organizations must implement remediation plans to address identified gaps and vulnerabilities. Remediation plans bolster an organization’s overall security posture.
User Authentication and Encryption
User authentication is a means for determining whether or not an entity attempting to access data is a trusted party. The best way to implement user authentication is through multi factor authentication (MFA). MFA requires users to input multiple unique login credentials, such as a username and password in combination with security questions, before they can access data. MFA prevents unauthorized access to data as, even if a hacker has access to an employee’s login credentials, they will be unable to access data unless they have access to the employee’s other login credentials.
Another way to prevent unauthorized access to data is through encryption. Encryption masks sensitive data so that is unreadable to entities that don’t possess a decryption key. As such, even if an unauthorized user gains access to an organization’s network, they will be unable to read sensitive data.
Access Controls and Audit Controls
Part of HIPAA requires that healthcare employees only have access to the data that they need to perform their job functions, known as the minimum necessary standard. To ensure that this standard is upheld, organizations must designate different levels of access to data based on their job role (access controls). Access controls are implemented by providing each employee with unique login credentials so that they are only granted access to the data they need. Additionally, through access controls the scope of a breach can be limited, as a hacker using stolen employee login credentials will only be able to view the data that that employee is permitted to access.
Furthermore, by implementing audit controls, unauthorized access can be quickly detected, also limiting the scope of a medical practice software data breach. Through the use of unique login credentials, audit controls determine regular data access patterns for each employee, alerting administrators when data is being accessed outside the norm.
