Sunday, April 15, 2018

Medical offices are actively targeted

Medical offices continue to be targeted by attackers. A few of the reasons include the lack of
applied InfoSec and the value of the medical records (EHR and EMR), which attackers can sell
or use for their own deviant benefit.

An unfortunate incident occurred with the Virtua Medical Group, P.A. This is a physicians’ group
with over 50 medical and surgical practices. Due to a breach, they have the “opportunity” to pay
$417,816 as a settlement. There were allegations of a failure to properly protect the data of
1,650 patients’ records. These records were online due to a misconfigured server.

The doctors and medical practitioners are, at the end of the day, responsible for the data and
records. The medical records were still the medical group’s responsibility to secure. The issue
originated when the vendor unintentionally misconfigured the web server. The misconfiguration
allowed access without a password, letting unauthorized parties access and download the
patients’ data.

With any new modification or change, the party requesting the change should go through the
approval standard operating procedure for the change. Any forms that need to be completed
should be approved and applied to each request. This would provide an adequate audit trail
and allow other parties to verify and audit that the work was done, and done correctly.
