The hack that compromised medical information of Olympic athletes illustrates the challenges of protecting health data for high-profile individuals.
More incidents are likely when such data is stored with organizations less well protected than a major medical center, Sean Curran, a security expert with consultancy West Monroe Partners, tells HealthcareInfoSecurity.com.
While the hack on the World Anti-Doping Agency that exposed Olympians’ data was attributed to a Russian group, malicious insiders, whether politically or financially motivated, also can be difficult to stop, especially if they already have access privileges.
Healthcare organizations need to fully understand the value of all the data they hold, including that of celebrities, athletes and other high-profile people, Curran says.
Organizations with 10 years' worth of data used for multiple purposes may have multiple copies in various places. It's essential to know where all the data resides and to minimize replication of it, he says.
The next step is to rethink who has access to it and minimize access as much as possible, including by using two-factor authentication, according to Curran.
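The two steps above, locating every copy of a sensitive dataset and then pruning who can reach it, are the kind of thing that is easy to describe and tedious to do by hand. The following Python script is an added illustration, not code from the article, from Curran or from West Monroe Partners. It runs over a constructed inventory (the store names, principals, dates and record contents are all made up) and does two things: it groups copies by SHA-256 content hash so that redundant replicas can be identified for removal, and it reviews each access grant against a simple least-privilege policy, flagging principals without enforced MFA and grants that have not been used within a review window.

```python
"""Added example: data-copy inventory plus least-privilege access review.

Not from the original article. All store names, principals, dates and
record contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Copy:
    location: str    # hypothetical store name, e.g. an EHR table or a file share
    content: bytes   # constructed stand-in for the exported record set


@dataclass(frozen=True)
class Grant:
    location: str
    principal: str
    mfa_enforced: bool
    last_used: Optional[date]   # None means the grant has never been exercised


def fingerprint(content: bytes) -> str:
    """Content hash used to recognise the same dataset stored in several places."""
    return hashlib.sha256(content).hexdigest()


def find_duplicates(copies: List[Copy]) -> Dict[str, List[str]]:
    """Group copies by content hash; keep only hashes stored in more than one place.

    Every location beyond the first in each group is a candidate for removal.
    """
    by_hash: Dict[str, List[str]] = {}
    for c in copies:
        by_hash.setdefault(fingerprint(c.content), []).append(c.location)
    return {h: sorted(locs) for h, locs in by_hash.items() if len(locs) > 1}


def review_grants(grants: List[Grant], today: date,
                  max_idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Flag grants that violate the policy: MFA must be enforced on every
    principal, and a grant unused for more than max_idle_days (or never used)
    should be revoked. Returns (location, principal, finding) tuples."""
    findings: List[Tuple[str, str, str]] = []
    for g in grants:
        if not g.mfa_enforced:
            findings.append((g.location, g.principal, "no-mfa"))
        idle = g.last_used is None or (today - g.last_used).days > max_idle_days
        if idle:
            findings.append((g.location, g.principal, "stale"))
    return findings


# Constructed sample inventory: the same export sits in three stores,
# a second, different dataset sits in one.
SAMPLE_COPIES = [
    Copy("ehr_primary",     b"athlete-records-export-v1"),
    Copy("research_export", b"athlete-records-export-v1"),
    Copy("analytics_share", b"athlete-records-export-v1"),
    Copy("billing_archive", b"billing-summary-2016"),
]

# Constructed review date and access grants.
TODAY = date(2016, 9, 20)
SAMPLE_GRANTS = [
    Grant("ehr_primary",     "dr.alice",   True,  date(2016, 9, 15)),   # compliant
    Grant("research_export", "svc-etl",    False, date(2016, 9, 18)),   # no MFA
    Grant("analytics_share", "bob",        True,  date(2016, 3, 1)),    # idle > 90 days
    Grant("analytics_share", "contractor", False, None),                # no MFA, never used
]


def main() -> None:
    for h, locs in find_duplicates(SAMPLE_COPIES).items():
        print(f"duplicate dataset {h[:12]}... stored in: {', '.join(locs)}")
    for location, principal, finding in review_grants(SAMPLE_GRANTS, TODAY):
        print(f"{finding:6}  {principal:12} -> {location}")


if __name__ == "__main__":
    main()
```

In practice the `Copy` records would come from a data-discovery scan rather than inline bytes, and hashing a full export is only a first approximation: derived datasets (de-identified extracts, partial exports) will not hash-match and still need to be tracked by lineage. The access review is deliberately strict, treating a never-used grant as stale, because a grant nobody has exercised is exactly the one an insider or an attacker with stolen credentials can use unnoticed.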
“Security is often a balance between how much I’m willing to spend, how much convenience I’m willing to give up and the amount of controls I want to have in place to protect the information. Convenience is the area that’s really easy to give up,” he says.
Hackers also tend to go after softer targets, Curran adds. That was illustrated when more than 100,000 internal documents from Central Ohio Urology Group were stolen. The hacker wanted to protest Pentagon research in the Caucasus region that he claimed was poisoning people. He told DataBreaches.net that he chose the Ohio target because he was unable to hack U.S. Defense Department systems.