In light of MGH healthcare data breach, experts call for transparency

A call for more transparency

MGH and its corporate parent, Partners HealthCare, have invested significantly in information security programs and cybersecurity defenses since 2011, according to Holtzman.

David Holtzman

The effort was spurred by a settlement with the Department of Health & Human Services' Office for Civil Rights related to a 2009 data loss incident. According to the resolution agreement, an MGH employee took home documents containing the protected health information of 192 individuals. The employee left the documents on a train when commuting to work on March 9, 2009. The documents were never recovered.

MGH was charged with a $1 million fine and committed to a corrective action plan to strengthen its information security programs.

It's MGH's investment in cybersecurity plus its "good reputation in the healthcare community" that should spur the organization to be more transparent when a cybersecurity incident occurs so that other organizations can learn from the incident and strengthen their own programs, Holtzman said.

He believes details such as whether MGH has evidence that the healthcare data breach was the result of an outside attack as well as the mode of attack would be helpful for other healthcare organizations.

"Was it the type of attack that overwhelmed or pretended to overwhelm the security of the enterprise information system? Was it accomplished through social engineering or an email phishing attack? Or is this the work of a malicious insider," Holtzman questioned.

Israel Barak

Israel Barak, CISO for Boston-based cybersecurity company Cybereason Inc., said MGH sets a high standard for cybersecurity across the healthcare industry, and if it can be breached, CIOs and other healthcare leaders should pay attention.

"This should be an indication to the healthcare industry as a whole that we really need to step up our game. Because if this is what's happening in an organization that sets the high standard, then what can we expect from organizations that look up to Massachusetts General and try to improve based on their example?" he said.

He was also struck by how long it took for MGH to discover the breach in the first place.

This should be an indication to the healthcare industry as a whole that we really need to step up our game.

According to MGH's statement, the organization discovered the breach on June 24. Yet, an internal investigation revealed that between June 10 and June 16, the unauthorized third party "had access to databases containing research data used by certain neurology researchers," two weeks before the breach was discovered.

Data breaches happen frequently in healthcare, but Barak said becoming aware that a breach occurred two weeks after it happened is "a standard we need to improve."

Takeaways from MGH healthcare data breach

MGH's statement said the affected research data could have included participants' first and last names, some demographic information such as sex or race, date of birth, dates of study visits and tests, medical record number, type of study, research study identification numbers, diagnosis and medical history, biomarkers and genetic information, and types of assessments and results. The data didn't include Social Security numbers, insurance or financial information and did not involve MGH's medical records systems, according to the statement.

The MGH communications department has no further information on the healthcare data breach other than what's contained in the statement, according to Michael Morrison, director of media relations at MGH.

CynergisTek's Holtzman said all data that contains personally identifiable information should have "reasonable and appropriate safeguards to prevent the unauthorized use or disclosure of the information." Any organization handling sensitive personal information should take a risk-based approach to assessing threats and vulnerabilities to enterprise information systems, he said.

"Take the results of the risk analysis and develop a plan to mitigate and identify threats and vulnerabilities to reduce the risk to sensitive information to a reasonable level," he said.

Barak said it's a given that healthcare security systems will get breached, "but the bigger question is, how quickly and how efficiently we can recover from something that happened. What is our cyber resiliency?"