They say that everything happens for a reason, and I’m a firm believer in that. I recently took the position of Director of Business Development for Edge Networks, a Managed Services Provider that specializes in cybersecurity. In the past 2 ½ weeks, I’ve come to the realization that many companies, from small businesses to large corporations, do not take cybersecurity seriously enough.
Why are so many companies failing to take cybersecurity seriously enough?
From what I’ve seen, companies fail to take cybersecurity seriously enough for the following reasons:
- They believe that ensuring compliance with a security framework, such as FISMA or NIST, is enough.
- They haven’t experienced a security breach in the past, so they don’t believe they’ll deal with a security breach in the future.
- They don’t want to deal with the hassle and/or don’t have the knowledge to find and implement the right security solutions.
Does anything listed above sound familiar? Most businesses are surprised when reality strikes them and they must write their clients, consumers or patients a letter with the subject line: Notice of Data Security Incident.
Yet another example of failing to take the steps necessary to prevent security breaches…
Today that “Notice of Data Security Incident” letter came to me from The Oregon Clinic, and alarms went off in my head. For the past 2 ½ weeks, I have lived, breathed and dreamt about cybersecurity and what the implications are to a business who does not take the steps necessary to prevent these “incidents” from occurring in the first place. And now I am seeing it not only as it pertains to The Oregon Clinic, but to their patients.
Their letter starts like this: “I am writing to inform you of a data security incident that may have involved your personal information. At The Oregon Clinic, we take the privacy and security of your information very seriously. This is why I am contacting you, offering you identity monitoring services, and informing you about steps that can be taken to protect your personal information.”
It goes on to outline the when, what, and how they plan to resolve this “incident”.
- On March 9, 2018, The Oregon Clinic learned that an unauthorized third party had accessed an email account.
- The Oregon Clinic immediately disabled the account and began an investigation to determine what had occurred and whether protected health information (PHI) may have been affected.
- Cybersecurity experts were engaged, including a digital forensics firm, to determine the nature and extent of the incident.
- On April 19, 2018, the investigation determined that PHI may have been affected. This information included patients’ names, dates of birth, and certain medical information (which may include medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information and/or health insurance information).
- They determined that the incident was restricted to one email account and did not affect any other aspect of The Oregon Clinic’s network.
- In addition to their investigation, they are offering patients an additional step to protect their personal information: an identity monitoring service for 12 months at no cost through Experian.
- And, lastly, they give recommendations on how to protect your personal information (a long and arduous task, as anyone who has had their personal information or identity put at risk knows).
In an article dated May 9th, Scot Gudger, CEO at The Oregon Clinic, issued the following statement to Health Data Management:
“We are very sorry this happened and apologize to the patients who have been affected by this incident. We value our patients and will continue to work closely with cybersecurity experts to remediate this situation, and, most importantly, are taking steps to help prevent similar incidents from happening in the future.”
This mindset of “oh, we’re sorry, and NOW we will take steps to prevent this” is becoming less and less acceptable in a world where hackers are always looking for that one company with an out-of-date AV or firewall, no IDS/IPS, or the plain and simple mindset of “it won’t happen to us”.
Don’t let yourself become another number in the world of cyber-attack statistics. Your staff and customers deserve the best from you. If you’re unsure of whether or not your network is secure, call us at 503-334-0551 to schedule a security assessment now.