The February edition of Report on Patient Privacy (RPP) featured an article, “Startegies to Thwart Human Error Help Ensure HIPAA Compliance, Limit Breaches” that points out covered entities (CEs) and business associates (BAs) can learn from some of the recent retail breaches suffered by Target, Neiman Marcus and Michaels and reviews how human error and employees are often a vulnerability to security.

It is estimated that the Target breach may have affected 110 million people. Seculert recently reported that Target suffered a two-pronged attack. “First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for six days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network,” the firm said. In addition, downloads of the stolen data began Dec. 2. “The cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over two weeks for a total of 11 GBS of stolen sensitive customer information,” Seculert analysts said.

When asked about the Target breach in particular, Mac McMillan, CEO of CynergisTek, said, “This could happen to any one of our hospitals. What happened to Target may not necessarily have been a sophisticated attack but might have been prompted by ‘mismanagement’ of Target’s information technology system, which created the perfect ‘opportunity’ for lurking data hackers.” He adds these recent breaches suffered by retailers should trigger CEs and BAs to review their own security practices. Both need to pay attention to their use of credit cards and McMillan suggests larger organizations should outsource credit card payment operations. He says that it is much easier to outsource than try to comply with PCI on their own. He points out that healthcare organizations should never retain their patients’ credit card data. 

To read the entire article you must have a membership to RPP.