Responsibility for Your Personal Health Data
Should a healthcare provider or hospital be blamed in the event of a successful data breach? According to the American Hospital Association, the answer is no. “Merely because an organization was the victim of a cyber attack does not mean that the organization itself was in any way at fault or unprepared,” the organization said in a statement. While I can agree with this sentiment, it only applies if the organization did in fact take every preventative measure possible, and was not lackadaisical in its approach to what should by now be a well-heeded issue.
This all came about as part of an official statement from the AHA to members of the House Energy and Commerce Subcommittee on Oversight and Investigations, advocating greater resources for law enforcement agencies in preventing and responding to breaches. Currently, several federal agencies already work with the AHA in this capacity, including the Department of Health and Human Services, the FBI, FDA, and others; but more is still needed, according to the statement. Whether it’s proactive information sharing, investigative capability, or victim assistance, the AHA believes these measures are necessary ones. Cooperation between the public and private spheres, they say, is therefore the best way to ensure strong cyber protection and response—especially for smaller organizations, which may lack the resources of larger entities.
Ultimately, however, the responsibility falls primarily on the shoulders of the hospital or healthcare provider, and asking for increased government assistance in proactive and reactive practices is not a get-out-of-jail-free card. Not with seemingly everyone, from hackers to some federal agencies, putting their best foot forward to undermine the privacy of people’s information.
An important defense for organizations is to be educated on the various ways in which this can happen. Cyber thieves are, after all, constantly taking advantage of new tools and innovative methods to abscond with your data. Users still click on phishing links at an impressive rate, and recently a group of Chinese hackers even used fake cell phone towers to enact a phishing scheme via SMS text messages. Your webcam can also be hijacked, and used to take snapshots of the user for future nefarious purposes, such as blackmail (why do you think Mark Zuckerberg tapes over his?).
The Internet of Things has also allowed crooks to distract an organization’s security team with a massive Distributed Denial of Service (DDoS) attack that overwhelms a network’s servers with queries, while they then breach the network. Even ransomware attacks have evolved: now, if someone refuses to pay the ransom to unfreeze their computer, the hacker might publicly release their personal information, or hold it hostage until the victim spreads the malware on to others. As far as hospitals and doctors’ offices are concerned, the ubiquitous electronic medical device presents another point of vulnerability from which to steal your data.
Considering the losses that can ensue from any of these attack types, from damage to internal servers and systems to liabilities that can run into the hundreds of thousands of dollars, no doubt increased public-private cooperation will be effective. Healthcare providers and hospitals have started taking critical steps in protecting their data; what is needed is continued vigilance and support in the changing cybersecurity landscape, and to never let complacency sneak its way in.