What Businesses Can Learn from the Massachusetts General Hospital Breach

Data breaches are never a good thing, but this is especially true when medical records are involved. Take a look at Boston’s Massachusetts General Hospital, where nearly 10,000 records were exposed in a third-party data breach. This is quite a blow for the U.S. News and World Report-ranked number two hospital in the nation, as this breach is the largest for a Boston-area hospital in quite a few years - the last affecting Cambridge Health Alliance in 2018 and “only” exposing 2,500 patient records.

Even more disconcerting, this isn’t the first data breach the hospital has suffered. Back in 2016, there was another third-party data breach that stole the data of around 4,300 dental patients.

The Stolen Data

In 2016, MGH’s dental breach had lost the names, birthdates, and Social Security numbers of those patients, and for a percentage of those affected, dental appointment information, provider names, and their medical record numbers.

This time around, two computer programs used for research purposes by MGH’s Department of Neurology were accessed by a third party. As a result, the participants of the research project the researchers were working on had a variety of data compromised, including their first and last names, demographic information, birthdays, and medical record numbers and histories were breached.

You may have noticed that this breach didn’t score the perpetrators any Social Security numbers or credit card details. This is because - hopefully learning from their first breach - these particular data points were kept in a separate database. This database required greater permissions than the attackers had managed to obtain, meaning that its contents were safe from the attack. 

Why This Matters

Have you ever heard the saying, “Don’t keep your eggs in one basket?” This effectively means that you don’t want your important things kept all together, as there’s a better chance of losing everything.

Well, for our purposes, your workforce is the basket and your data are your eggs. If all of your employees have access to all of your data, the potential for something to happen to your data increases steeply. To keep your “eggs” safer, it helps to subscribe to something known as the “Principle of Least Privilege.”

What is the Principle of Least Privilege?

To put it simply, the Principle of Least Privilege is the practice of only giving someone as much access as they need - the absolute bare minimum - to successfully do their job.

One simple way to accomplish this is to leverage user roles. By creating and applying roles to your workforce, you can preconfigure what they will need to access to do their tasks, without allowing them access to materials and data that have nothing to do with their responsibilities. This is also simpler and more consistent than assigning privileges to each individual user.

If one of your users temporarily needs access to additional privileges, you can give them this access for the duration of their need. This is also why it is important to regularly review the access privileges and alter them as needed - adding permissions to those who have additional responsibilities and removing them from those who have more than their position requires.

While Massachusetts General Hospital clearly has some security concerns to address, it must be said that they have at least started protecting their data through access permissions… hopefully, this breach will show them how much more work is required.

Working with the professionals of Datalyst can help ensure that your data is properly secured, with the appropriate privileges assigned to your team members. Give us a call at (774) 213-9701 to learn more about our security services.