Are You Having A Technology Emergency?

Datalyst Blog

What Businesses Can Learn from the Massachusetts General Hospital Breach

What Businesses Can Learn from the Massachusetts General Hospital Breach

Data breaches are never a good thing, but this is especially true when medical records are involved. Take a look at Boston’s Massachusetts General Hospital, where nearly 10,000 records were exposed in a third-party data breach. This is quite a blow for the U.S. News and World Report-ranked number two hospital in the nation, as this breach is the largest for a Boston-area hospital in quite a few years - the last affecting Cambridge Health Alliance in 2018 and “only” exposing 2,500 patient records.

Even more disconcerting, this isn’t the first data breach the hospital has suffered. Back in 2016, there was another third-party data breach that stole the data of around 4,300 dental patients.

The Stolen Data

In 2016, MGH’s dental breach had lost the names, birthdates, and Social Security numbers of those patients, and for a percentage of those affected, dental appointment information, provider names, and their medical record numbers.

This time around, two computer programs used for research purposes by MGH’s Department of Neurology were accessed by a third party. As a result, the participants of the research project the researchers were working on had a variety of data compromised, including their first and last names, demographic information, birthdays, and medical record numbers and histories were breached.

You may have noticed that this breach didn’t score the perpetrators any Social Security numbers or credit card details. This is because - hopefully learning from their first breach - these particular data points were kept in a separate database. This database required greater permissions than the attackers had managed to obtain, meaning that its contents were safe from the attack. 

Why This Matters

Have you ever heard the saying, “Don’t keep your eggs in one basket?” This effectively means that you don’t want your important things kept all together, as there’s a better chance of losing everything.

Well, for our purposes, your workforce is the basket and your data are your eggs. If all of your employees have access to all of your data, the potential for something to happen to your data increases steeply. To keep your “eggs” safer, it helps to subscribe to something known as the “Principle of Least Privilege.”

What is the Principle of Least Privilege?

To put it simply, the Principle of Least Privilege is the practice of only giving someone as much access as they need - the absolute bare minimum - to successfully do their job.

One simple way to accomplish this is to leverage user roles. By creating and applying roles to your workforce, you can preconfigure what they will need to access to do their tasks, without allowing them access to materials and data that have nothing to do with their responsibilities. This is also simpler and more consistent than assigning privileges to each individual user.

If one of your users temporarily needs access to additional privileges, you can give them this access for the duration of their need. This is also why it is important to regularly review the access privileges and alter them as needed - adding permissions to those who have additional responsibilities and removing them from those who have more than their position requires.

While Massachusetts General Hospital clearly has some security concerns to address, it must be said that they have at least started protecting their data through access permissions… hopefully, this breach will show them how much more work is required.

Working with the professionals of Datalyst can help ensure that your data is properly secured, with the appropriate privileges assigned to your team members. Give us a call at (774) 213-9701 to learn more about our security services.

Why VoIP is a Great Option for Your Business Telep...
Diving Into the Differences Between Proactive and ...

Contact Us

Learn more about what Datalyst can do for your business.

Call Us Today
Call us today
(774) 213-9701

10 Riverside Drive
Suite 106

Lakeville, Massachusetts 02347

The United States Patent and Trademark Office reference number: 5,341,888

Latest Blog

Modern businesses generate a lot of data, some of which they couldn’t really function without. This makes the prospect of data loss especially dangerous, making a data backup imperative. Today, cloud computing is seen as the premiere option...
 
TOP