Orlando cybersecurity experts weigh in on growing problem after major health care data breach


In the wake of HCA Healthcare's massive data breach announced last week, Orlando experts say it's important for Central Florida businesses to monitor IT systems constantly and update them regularly, among other key steps, to protect their own data.

HCA Healthcare (NYSE: HCA) was penetrated by a hacker who accessed the data of 11 million patients and offered the compromised data for sale on the deep web, according to a DataBreaches.net post on July 5. HCA, which owns five hospitals in Central Florida, acknowledged the breach in a statement issued July 10 and included metro Orlando patient data as being among the stolen files. Naturally, the ripple effect impacts not only HCA and its patients, but the entire business community as companies wonder who's next.

Orlando Inno asked three Central Florida information technology experts to weigh in on the data breach and why area businesses should pay attention, what they should do to secure their data, what the real results of a hack are and how to navigate once a breach has occurred.

“When I talk to business owners about security and the importance of safety, I can usually see a look in their eyes of, ‘It won’t happen to us,’” said Jay A. Cohen, owner of Jayco CIO Services in The Villages. “Yet here we are with another security breach, this time of the HCA chain.

“It is still early to know the true cause of the breach, but it seems to be from a shared storage server, and while HCA is not saying personal information was stolen, they are asking patients to call them before paying any invoices. It is reasonable to assume that personal information was taken if the company that took the data can invoice you.”

Cohen predicts most news coverage will focus on security practices that shouldn’t be ignored, as often happens after a breach. “But we also need to ask, what is the cost of a data breach? This particular incident, with 11 million patients affected, is the largest data breach in health care to date.”

HCA Healthcare has offered credit monitoring, which on average costs about $15 a month per person. Some popular credit monitoring services include IdentityForce UltraSecure+Credit at $13.99 per month and Experian IdentityWorks at $24.99 per month. That alone totals at least $165 million per month in costs for the health care giant. 

Cohen also noted that HIPAA violation penalties range from $500 to $50,000 per violation, for 11 million patients, “and that could come to between $5.5 billion-$550 billion.”

He also mentioned a potential interruption in cash flow due to unpaid invoices, as patients likely will hesitate to trust invoices from HCA Healthcare, and the expense of hiring a third-party forensic and threat intelligence adviser to help track the source of the breach. “Not to mention legal costs, regulatory fines, and possible lawsuits,” Cohen said.

Danny Jenkins, CEO and co-founder of Orlando-based ThreatLocker, said there’s typically an uptick in cyberattacks on businesses during holidays. “Yes, it is a time for celebration, but this is when businesses are most at risk.”

“Cyberattacks are happening closer to home, with the UF Health Central Florida ransomware attack around Memorial Day weekend and the Kaseya VSA attack that took place around the 4th of July holiday in 2021. Like bees to honey, hackers are enticed by the lack of support and staffing around holidays, making it the perfect time to strike.”

Of the many undesirable outcomes of a hack, Jenkins said the loss of trust — even if it can’t be quantified — is one of the most serious. “Health care is based on confidentiality. If a provider can't be trusted with your data, how can it be trusted with your care?”

In health care, a hack can have a catastrophic impact on the provider, with the compounded effect of financial loss and compromised trust taking businesses down, said Jenkins. “We saw earlier this year that a cyberattack was partly responsible for the closure of a health care provider.” 

Dan Stockman, president and COO of Ocoee-based i-Tech Support, can’t stress the importance of cybersecurity enough. A managed services IT provider, his company closely watches data security developments.

“The recent HCA Healthcare data breach has once again highlighted the critical importance of robust cybersecurity measures in today's digital landscape,” he said. “This incident serves as a stark reminder that even organizations with extensive resources and sophisticated systems are not immune to the relentless threat of cyberattacks. The scale and impact of the HCA Healthcare breach underscore the need for proactive and comprehensive security strategies.”

Stockman said the HCA breach reinforces the urgency for businesses to prioritize continuous monitoring, vulnerability assessments and advanced threat detection mechanisms.  

Like Jenkins, he emphasized that the fallout from this breach goes beyond financial implications; it erodes trust and jeopardizes the privacy of individuals whose sensitive information has been compromised.


Cybersecurity action plan

Orlando Inno compiled the suggestions of the three experts who weighed in to produce this list of cybersecurity practices for businesses:

  • Put the right team in place. If your company doesn’t have a chief technology officer or chief information officer in place, create the position, engage a managed services provider with a stellar reputation or hire an experienced fractional CTO or CIO.
  • Implement a robust security framework based on NIST standards and best practices for your industry. The National Institute of Standards & Technology is an arm of the Department of Commerce, and its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and tech in ways that enhance economic security and improve quality of life. The group produces and updates a cybersecurity framework.
  • An audit by a third-party vendor could identify holes missed by an internal IT team. Since malware is just software, implementing “least privilege controls” can prevent unknown software from running and safeguard IT systems during the holiday downtime. The principle of least privilege is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs.
  • Limit data access privileges and ensure you know who has access to data. Restrict users' access when they no longer need it. Encrypt sensitive data.
  • Train employees on best practices and company cybersecurity policies.
  • Understand the difference between privacy and security. If you lead a health care organization, don’t rely on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Health Information Technology for Economic and Clinical Health (HITECH) when establishing aggressive cybersecurity operations, as they emphasize data privacy, not security. 
  • Realize cybersecurity is an ongoing process, continuously adapting and evolving to keep pace with the ever-changing threat landscape. Conduct regular risk assessments. These are usually done annually, but risks can change, so it is as important to assess, update and patch regularly as it is to continually monitor and detect unusual activities.
  • In the event of a breach, be prepared to swiftly identify, contain and mitigate the impact of any security incident, minimizing the potential harm to your operations and customers.
