In May 2015, Fort Wayne-based Medical Informatics Engineering sustained a data breach that compromised the records of more than 3.9 million people living in 12 states. The resulting 12-state lawsuit alleges that the web-based electronic health records company was negligent in protecting its WebChart application, through which attackers used a generic ‘testing’ account to access and harvest the patient information.
Records accessed and stolen include patients’ names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, health information and health insurance policy information.
According to the lawsuit, the company did not put in place an active security system to alert employees to possible hacking attempts. Additionally, the lawsuit contends that the company did not encrypt sensitive personal information within its own system, a measure that would have rendered the data unusable. These appear to be just two of the Health Insurance Portability and Accountability Act (HIPAA) violations that directly contributed to this breach.
We won’t know the magnitude of the hit to MIE’s bottom line until the settlement has finalized or trial has ended, but rest assured that it will be substantially higher than the cost of controls to detect threats and protect resources.
When your organization is breached, failing to detect and respond quickly is like allowing a tiny cancer cell to metastasize into a much bigger illness.
But this raises another question. If we’ve learned anything from Equifax, Yahoo, Marriott, and any number of other mega-breaches, this is the new normal. It’s not going to stop. Assume that your data has already been compromised, and that the bad guys will continue to compromise with reckless abandon.
That doesn’t alleviate the need to protect resources, of course. Automated patch management, web content and anti-malware controls, and security awareness training are more important than ever. But what this new reality highlights is the need for rapid adoption of the next step: effective incident response.
When your organization is breached, failing to detect and respond quickly is like allowing a tiny cancer cell to metastasize into a much bigger illness. If it’s not detected, contained, and eradicated, it can spell the death of the organism. That’s why coupling tools and techniques for threat detection and hunting with an incident response plan can mean the difference between stopping a threat in its tracks and stopping the entire organization in its tracks.
An incident response plan should define what constitutes an “incident” (e.g., an unexpected event that is malicious in nature and negatively impacts the availability, integrity, or confidentiality of resources). It should define roles and responsibilities for the incident response process. And most importantly, it should define the steps necessary to discover, contain, investigate, recover from, and prevent reoccurrence of the incident.
To learn how Symplexity Secure managed services facilitate threat detection, containment, and response, or for assistance with shoring up your organization’s incident response capabilities, contact us today at email@example.com or 260-432-1364.