Case Study: Breach Response
ABC Associates* is a New York-based psychological practice with two employees and approximately one hundred patients. The company has been in practice for over 20 years. An additional 15 contracted health care providers share the company's location. ABC* outsources administration of insurance billing and employs a service that cross-refers patients from other local medical practices.
ABC's* accountant reported that emails containing payroll information were being copied to an unknown third party. The suspected breach resulted in a call to Kalki, who assisted ABC* with a full breach response and an investigation into sensitive emails being intercepted between a cloud-based email provider and their accountant.
- Lack of understanding of HIPAA obligations
- Storage of medical and patient information in non-secure locations and devices
- Poor vendor management
- No technical staff
- Breaches of sensitive data
- Compliance liabilities
- Facing severe fines in the event of any further breaches
- Lost revenues
- Threatened brand image and reputation
- Vendors not meeting compliance requirements
Kalki performed a full investigation of ABC's* breach, determined the cause, and then worked with both ABC* and their vendors to manage and remedy the situation. While responding to the breach, Kalki built ABC* an incident response process.
Following the breach, Kalki performed a full assessment of ABC* to identify additional practices and issues that could potentially lead to another breach. Kalki mapped the client's obligations, including HIPAA, to the ISSA-5173 framework. ISSA-5173 is a globally recognized security standard designed specifically for small-to-medium-sized businesses.
Kalki's testing revealed existing vulnerabilities:
- ABC* lacked understanding of HIPAA obligations
- ABC* had never conducted risk assessments
- Storage of Electronic Protected Health Information in non-secure locations and on non-secure devices
- Transmission of Personally Identifiable Information via non-secure methods
- High level of risk associated with vendor contracts and relationships
- Lack of employee understanding of data classifications and security of cloud services
The Road Ahead
Kalki enabled ABC* to meet their regulatory obligations, including HIPAA, PCI and FTC. ABC* was also ARMed with the processes and tools to maintain their compliance over time.
Kalki also provided ABC* with a SecurITy Roadmap aimed at the future growth of the program. At the close of the engagement, ABC* had in place all the foundational elements of a security program, with the roadmap detailing the improvements and additions needed for maturity.
- Industry: Healthcare
- Regulations: HIPAA, PCI and FTC
- Repeated cloud-based email provider breaches
- 15 healthcare providers sharing a single location
- High Level Technology Assessment
- Creation of Security Policies and Procedures
- Employee Training and Awareness
- Vulnerability Scans
- Fully tested incident response, disaster recovery and restore processes
- Auditable documentation of HIPAA compliance
- Implementation of Security Event Logging Technology