Partners should have known better than to allow employees to send sensitive patient data via email, experts said in the wake of yet another healthcare data breach, and should have responded faster when the breach was discovered.
Late last month, Boston-based Partners HealthCare System notified 3,300 patients that hackers got access to employee emails that contained such information as Social Security numbers, health insurance information, and medical data.
The system includes such well-known hospitals as Brigham and Women's Hospital and Massachusetts General Hospital.
According to Partners, employees fell victim to phishing emails that allowed hackers to get access to their email accounts.
The organization said it is stepping up employee training about phishing and enhancing "existing technical safeguards" to protect patient information, but did not provide details about what those technical safeguards were.
Rather than trying to better protect the emails, experts said, the hospital chain should consider not using email at all for transmitting sensitive patient information.
"Putting patient data into emails introduces elements of risk to both privacy and security," said Amy Abatangle, executive vice president and general manager at network security vendor Untangle. "It is a very questionable practice, outside of the phishing breach."
Educating employees about phishing may not be enough, she said.
"Scammers can be very clever when it comes to getting employees to reveal credentials or even seemingly harmless information which can then be used to gain access to vulnerable systems," she said.
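One technical safeguard that follows from the experts' advice above is an outbound-mail check that flags messages carrying patient identifiers before they leave the organization. The following is an added illustration, not code from Partners HealthCare or from any vendor quoted in this article; the message bodies, the `PHI_KEYWORDS` list and the `decide` policy are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample messages standing in for outbound employee email bodies
# (not real patient data; invented for this example).
SAMPLE_MESSAGES = {
    "referral": "Hi, forwarding the referral for patient J. Doe, SSN 123-45-6789. "
                "Diagnosis attached.",
    "invalid_ssn": "Ticket 000-12-3456 and 666-01-0001 are not SSNs, just IDs.",
    "clean": "Reminder: the staff meeting moved to 3pm in conference room B.",
}

# Dashed SSN shape; lookarounds stop us matching inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

# Hypothetical keyword list a reviewer would tune for their own organisation.
PHI_KEYWORDS = ("diagnosis", "patient", "medical record", "mrn", "insurance member")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "phi_keyword"
    redacted: str  # safe-to-log form of what matched (never the full value)
    offset: int    # character position in the body


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000, 666 or 900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_body(body: str) -> list[Finding]:
    """Return every SSN-like value and PHI keyword found in an email body."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(body):
        if is_plausible_ssn(*m.groups()):
            # Log only the last four digits so the DLP log is not itself a leak.
            findings.append(Finding("ssn", f"***-**-{m.group(3)}", m.start()))
    lowered = body.lower()
    for kw in PHI_KEYWORDS:
        idx = lowered.find(kw)
        if idx != -1:
            findings.append(Finding("phi_keyword", kw, idx))
    return findings


def decide(body: str) -> str:
    """Constructed policy: a plausible SSN blocks the send, keywords alone route to review."""
    findings = scan_body(body)
    if any(f.kind == "ssn" for f in findings):
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:12s} -> {decide(body):6s} {scan_body(body)}")
```

The check runs on the message body only; a real deployment would also open attachments and would be paired with the policy change the experts recommend, since a scanner that is bypassed by a screenshot or a zipped spreadsheet offers no protection on its own.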
All it takes is one employee to fall victim to a phishing attack, said Mike Paquette, vice president of security products at Framingham, Mass.-based Prelert.
After that, it's easy to get other employees to click the same malicious link, he said.
"The clever attacker simply finds emails already in the inbox of the first victim, and replies to them with enough context to make the link seem plausible," he said. "The new victim sees a reply from an associate's email address containing details from an actual email that he or she previously sent, and has absolutely no reason to suspect foul play."
Targeting healthcare companies in particular is attractive to criminals.
According to the FBI, healthcare records can cost up to $60 or $70 each on the black market, significantly higher than credit card numbers. With insurance fraud, criminals can charge up to the limit of a health insurance policy — and the information can also be used to order drugs for resale.
"Also, since medical breaches often go undetected for longer periods of time than credit card breaches, patient data usually remains valuable for longer," said Mark Orlando, director of cyber operations at Foreground Security.