Is This the Longest Healthcare Breach Ever?

File under "horror stories." One Massachusetts hospital finally detected an inside threat, 14 years after it started.

Healthcare Breach

Last month, the Massachusetts Department of Public Health fired a Tewksbury Hospital employee who was inappropriately accessing public records. They discovered this transgression after a patient alerted them, in April, that his or her electronic health records (EHRs) appeared to have been compromised.

Now, for the kicker: Upon further investigation, they learned that this employee had been digging into these records for 14 years.

The gap between the moment a breach begins and the moment it is discovered is known as dwell time. Minimizing dwell time is central to a strong security posture—especially in healthcare, which is the most breached industry. Here, EHRs and IoT technologies deliver real value, palpably reducing spending and increasing employee efficiency, but they have also opened up several more attack vectors.

Healthcare leaders must confront these looming threats through the broader lens of risk management, planning a full spectrum of cybersecurity measures, from software solutions to security teams' response protocols. Post-breach forensics in particular is costly and time-intensive, which highlights the pressing need for security solutions that are quick, accurate, and eliminate the need for forensics experts.

Analytics-based security, which uses machine learning to spot suspicious behavior, is adept at providing broad visibility into otherwise invisible threats. It eliminates the alert fatigue associated with SIEM systems by delivering instead a prioritized list of threats for security teams to focus on. It also exposes areas of risk, helping institutions continually strengthen their security posture.

The Tewksbury case underscores just how challenging insider threats are to detect. They can be sparked by the actions of a malicious employee or, in many recent cases, by an outside threat such as malware that infiltrates systems and hides behind legitimate credentials. Every day an attacker spends quietly setting up an attack is valuable time lost to defenders.
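As an added illustration of the behavioral analytics described above (example code written for this page, not software from the original post or any vendor), here is a small Python script that scores each user's daily chart-access volume against a robust peer baseline for their role, returns a prioritized list of users, flags the specific user-days that exceed a threshold, and computes dwell time from the first flagged day to the detection date. The access log, user names, roles and patient IDs are all constructed, and the 3.0 threshold and the median/MAD-based scoring are assumptions of this example, not the post's method.

```python
"""Toy user-behaviour analytics over a constructed EHR access log.

Added example, not code from the original post. Each user-day is scored
by how far its count of distinct patient charts opened sits from the
median for that role (spread measured by median absolute deviation), and
users are ranked by their worst day.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed sample data (date, user, role, patient ids); not real records.
_SAMPLE_DAYS = [
    ("2018-04-02", "nurse01", "nurse", ["P100", "P101", "P102"]),
    ("2018-04-03", "nurse01", "nurse", ["P103", "P104", "P105", "P106"]),
    ("2018-04-02", "nurse02", "nurse", ["P107", "P108", "P109"]),
    ("2018-04-03", "nurse02", "nurse", ["P110", "P111", "P112"]),
    ("2018-04-02", "nurse03", "nurse", ["P113", "P114", "P115", "P116"]),
    ("2018-04-03", "nurse03", "nurse", ["P117", "P118", "P119"]),
    ("2018-04-02", "nurse04", "nurse", ["P120", "P121"]),
    # Simulated insider: one day of browsing far more charts than peers do.
    ("2018-04-03", "nurse04", "nurse", [f"P{200 + i}" for i in range(14)]),
]
# Flatten into one 'date,user,role,patient_id' line per chart access.
SAMPLE_LOG = "\n".join(
    f"{day},{user},{role},{pid}"
    for day, user, role, pids in _SAMPLE_DAYS for pid in pids
)


def parse_log(text):
    """Parse 'date,user,role,patient_id' lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        day, user, role, pid = parts
        events.append({"day": date.fromisoformat(day), "user": user,
                       "role": role, "patient": pid})
    return events


def daily_distinct_patients(events):
    """Map (user, role, day) -> number of distinct patient charts opened that day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["role"], e["day"])].add(e["patient"])
    return {key: len(pids) for key, pids in seen.items()}


def robust_scale(values):
    """Median and a MAD-based spread, floored at 1.0 so a flat baseline cannot explode scores."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(1.4826 * mad, 1.0)


def user_day_scores(events):
    """Robust z-score of every user-day against the baseline of its own role."""
    counts = daily_distinct_patients(events)
    by_role = defaultdict(list)
    for (_, role, _), n in counts.items():
        by_role[role].append(n)
    baselines = {role: robust_scale(vals) for role, vals in by_role.items()}
    return [(user, day, (n - baselines[role][0]) / baselines[role][1])
            for (user, role, day), n in counts.items()]


def score_users(events):
    """Prioritized list of (user, worst-day score), highest first; never below 0."""
    scores = defaultdict(float)
    for user, _, z in user_day_scores(events):
        scores[user] = max(scores[user], z)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def flagged_days(events, threshold=3.0):
    """User-days whose score meets the (assumed) threshold, earliest first."""
    hits = [(u, d, z) for u, d, z in user_day_scores(events) if z >= threshold]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def dwell_time_days(first_suspicious_day, detected_on):
    """Dwell time: days between the first suspicious activity and its detection."""
    return (detected_on - first_suspicious_day).days


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, score in score_users(evs):
        print(f"{user:10s} worst-day score {score:5.1f}")
    hits = flagged_days(evs)
    if hits:
        first = min(d for _, d, _ in hits)
        print("dwell time (days) if detected 2018-04-30:",
              dwell_time_days(first, date(2018, 4, 30)))
```

Ranking by each user's worst day rather than by total volume keeps a single burst of unusual access visible even when the rest of the user's history looks normal, which is what a long-running insider case tends to look like from the log's point of view.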

For healthcare organizations, minimizing risk empowers security teams to steer the enterprise away from reputational damage and financial blows (in the form of HIPAA fines and lawsuits). And in the worst-case scenarios—such as ransomware attacks that take systems offline—it will also save lives.