NTreatment, an electronic medical record vendor, accidentally exposed thousands of patient files by failing to password-protect one of its cloud servers. The details of the EHR vendor breach are discussed below.

NTreatment EHR Vendor Breach

It was recently reported that NTreatment inadvertently left one of its cloud storage servers exposed to the public by failing to password-protect the server. The cloud server, hosted on Microsoft Azure, contained 109,000 files. The patient records compromised in the EHR vendor breach included protected health information (PHI) such as lab test results, medical records, doctors’ notes, insurance claims, and other health data.

Worse, none of the files were encrypted, leaving them readable by anyone who stumbled upon the server. TechCrunch, a news publication, discovered the exposed data during a routine investigation and notified NTreatment. It is unclear how long the server was left unprotected; it has since been secured.

What Are the Potential Implications of the EHR Vendor Breach?

Although it is unclear whether anyone accessed the data with malicious intent, it is highly likely that someone did. If a threat actor did in fact access the leaked files, the consequences for the patients affected by the breach could be serious.

Say, for instance, the files contained patients’ Social Security numbers. A threat actor could use that information to commit financial fraud or identity theft. This could lead to financial ruin for patients and damage their credit scores, with long-lasting consequences.

Preventing a Healthcare Breach

As healthcare breaches become more commonplace, it is important to ensure that you are adequately securing protected health information. There are many ways to do this, but certain precautions have become an industry standard.

Multi-factor Authentication (MFA). Although HIPAA does not require healthcare organizations to implement MFA, it is considered best practice because it provides more security than a username and password alone. MFA requires users to present their username and password together with another unique credential, such as answers to security questions or a one-time PIN, before they can access sensitive data. An unauthorized individual who obtains an employee’s login information still cannot access the data without that additional credential.

Access Controls. The HIPAA minimum necessary standard requires that employees be given access only to the PHI they need to perform their job functions. Enabled through the use of unique login credentials, access controls assign different levels of data access based on an employee’s job role.

Audit Controls. Since HIPAA requires that uses and disclosures of PHI follow the minimum necessary standard, you must track data access with audit logs. An audit log establishes each user’s regular data access pattern, so deviations from it can be detected quickly.

Encryption. Although HIPAA does not explicitly mandate encryption, the Department of Health and Human Services expects healthcare organizations to secure data with it. Encryption is the most secure form of data protection because it renders sensitive data unreadable to anyone who does not possess the decryption key.
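As an added example (not NTreatment’s code or any real EHR product), here are the access-control and audit-control practices above in Python: a role-based minimum-necessary check that logs every attempt, plus a per-user baseline that flags a sudden jump in the number of distinct patients a user reads. The roles, record types, user names and log entries are all constructed.

```python
from collections import defaultdict
from datetime import datetime

ROLE_PERMISSIONS = {  # constructed policy: PHI types each role needs (minimum necessary)
    "physician": {"medical_record", "lab_result", "doctor_note"},
    "lab_tech": {"lab_result"},
    "billing": {"insurance_claim"},
}

def access_phi(log, when, user, role, record_type, patient_id):
    """Allow access only if the role needs this record type; every attempt is logged."""
    allowed = record_type in ROLE_PERMISSIONS.get(role, set())
    log.append((when, user, role, record_type, patient_id, allowed))
    return allowed

def daily_patient_counts(log):
    """Distinct patients each user accessed per calendar day (successful accesses only)."""
    seen = defaultdict(lambda: defaultdict(set))
    for when, user, _role, _rtype, patient_id, allowed in log:
        if allowed:
            seen[user][when.date()].add(patient_id)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}

def flag_unusual_access(log, factor=3.0):
    """Flag users whose latest day's patient count exceeds factor x their earlier daily mean."""
    flagged = {}
    for user, per_day in daily_patient_counts(log).items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no baseline to compare against yet
        baseline = sum(per_day[d] for d in days[:-1]) / (len(days) - 1)
        latest = per_day[days[-1]]
        if latest > factor * baseline:
            flagged[user] = (baseline, latest)
    return flagged

def denied_attempts(log):
    """Denied accesses: a role reaching for PHI outside its job function."""
    return [(user, role, rtype) for _, user, role, rtype, _, ok in log if not ok]

def build_sample_log():
    """Constructed audit log: a physician with a steady pattern, then a sudden bulk read."""
    log = []
    t = datetime(2020, 12, 1, 9, 0)
    for day in (1, 2, 3):  # three normal days, two patients each
        for pid in ("P1", "P2"):
            access_phi(log, t.replace(day=day), "dr_lee", "physician", "medical_record", pid)
    for n in range(100, 120):  # day four: 20 different patients' lab results
        access_phi(log, t.replace(day=4), "dr_lee", "physician", "lab_result", f"P{n}")
    access_phi(log, t.replace(day=4), "clerk_a", "billing", "doctor_note", "P1")  # denied
    return log
```

Running `flag_unusual_access(build_sample_log())` reports dr_lee jumping from a baseline of 2 patients per day to 20, while `denied_attempts` lists the billing clerk’s blocked read of a doctor’s note.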

What Does the NTreatment EHR Vendor Breach Teach Us?

Had NTreatment implemented these security measures, the EHR vendor breach would likely not have occurred. In particular, had the files been encrypted, they could not have been read by unauthorized individuals even with the cloud server left without password protection.