Partners should have known better than to allow employees to send sensitive patient data via email, experts said in the wake of yet another healthcare data breach, and should have responded faster when the breach was discovered.
Late last month, Boston-based Partners HealthCare System notified 3,300 patients that hackers got access to employee emails that contained such information as Social Security numbers, health insurance information, and medical data.
The system includes such well-known hospitals as Brigham and Women’s Hospital and Massachusetts General Hospital.
According to Partners, employees fell victim to phishing emails that allowed hackers to get access to their email accounts.
The organization said it is stepping up employee training about phishing and enhancing "existing technical safeguards" to protect patient information, but did not provide details about what those technical safeguards were.
Instead of better protecting the emails, the hospital chain should instead consider not using email at all for transmitting sensitive patient information, experts said.
"Putting patient data into emails introduces elements of risk to both privacy and security," said Amy Abatangle, executive vice president and general manager at network security vendor Untangle. "It is a very questionable practice, outside of the phishing breach."
Educating employees about phishing may not be enough, she said.
"Scammers can be very clever when it comes to getting employees to reveal credentials or even seemingly harmless information which can then be used to gain access to vulnerable systems," she said.
All it takes is one employee to fall victim to a phishing attack, said Mike Paquette, vice president of security products at Framingham, Mass.-based Prelert.
After that, it's easy to get other employees to click the same malicious link, he said.
"The clever attacker simply finds emails already in the inbox of the first victim, and replies to them with enough context to make the link seem plausible," he said. "The new victim sees a reply from an associate's email address containing details from an actual email that he or she previously sent, and has absolutely no reason to suspect foul play."
Targeting healthcare companies in particular is attractive to criminals.
According to the FBI, healthcare records can cost up to $60 or $70 each on the black market, significantly higher than credit card numbers. With insurance fraud, criminals can charge up to the limit of a health insurance policy -- and the information can also be used to order drugs for resale.
"Also, since medical breaches often go undetected for longer periods of time than credit card breaches, patient data usually remains valuable for longer," said Mark Orlando, director of cyber operations at Foreground Security.
As a result, the number of data breaches reported by healthcare companies rose 60 percent in 2014, according to PricewaterhouseCoopers -- twice the rate of other industries.
The breach also indicates another problem at the hospital chain -- although the breach was first detected in November, it took months for the hospital chain to do the forensic analysis, identify the compromised data, and contact patients.
"This attack indicates a clear need for stronger cybersecurity regulations," said Muddu Sudhakar, co-founder and CEO at security vendor Caspida.
Organizations need to not only improve their security, but their reaction time as well, he said, suggesting that regulations should be mandated to inform customers within 30 days of discovering a data breach.
Unstructured data in particular is a problem for many companies.
"This is one of the main things that organizations need to get up to date with," said David Gibson, vice president of marketing at security vendor Varonis Systems. "They need to make sure they understand where all the sensitive information is, and watch what people are doing with it."