Monday, June 22, 2020

Why You Shouldn't Trust Your Backup Strategy to Others




I’ll never forget a discussion I had years ago with a doctor who rather fancied himself a “big time operator”.  When I asked him what his backup strategy was, he rolled his eyes and waved his hand at me dismissively.  “Oh, please.  That’s the girl up fronts job to deal with."


I never spoke with him again and I don’t know whatever became of him, but I can tell you he was just one electronic hiccup from a disaster.  If he had suffered a data loss incident, he was totally at the control of “that girl up front”.


Knowing everything about your backup strategy’s increased importance since that conversation, and it continues to increase.  At the time I spoke with that uninformed and insensitive individual, the most critical thing about business data was the ability to do billing and manage your accounts receivable.  Today not only face the AR issue, but also issues that deal with data security, HIPAA, and identity theft.  


I got to thinking about this as I was reading this article from KrebsonSecurity.  It seems that an employee at the Federal Emergency Management Agency (FEMA) was smart enough to devise a system where he broke into a University of Pittsburgh Medical Center human resource database.  Normally a healthcare facility works hard to ensure the safety of *patient*  data so that it cannot be stolen by scammers.  However, in this case Justin Sean Johnson decided to steal data from the UPMC HR department.  While this is speculation on my part, I’m thinking perhaps the security focus on employee records might not have been as great when it came to security as it would be for patient data.


UPMC is a huge healthcare system that that generates 21 billion dollars in revenue and has a base of more than 40 hospitals.  The amount of employee data had to be massive for an organization of that size.


Johnson took the stolen data and then sold it on the dark web to groups that then used it for financial fraud.  The scammers used the info, including employee W-2 forms, to file false tax returns for employees which created over 1.7 million dollars in undeserved tax refunds.


While Johnson was not an employee of the UPMC itself, his knowledge allowed him access to information he should not have had.  This whole idea got me to thinking about how many practice owners simply turn over their data to an employee with blind trust that they will do the right thing.  Unfortunately that doesn’t always happen.  Statistics indicate that 1 in 4 practices will be embezzled from.  Utilizing data to make money frequently doesn’t even leave a paper trail like embezzlement does.


Getting back to my original premise of this post… there is a great deal of value in the data of even a small healthcare practice.  By not knowing the backup protocols, not performing the backups yourself, and/or not knowing where backups are stored leaves the practice owner at the mercy of whoever holds these keys.  Simply copying data to a jump drive and selling it can bring a huge amount of income into the pockets of an unscrupulous employee.


Simply giving someone the keys to your summer home and then never checking the home to see its condition is a really bad idea.  Giving someone the keys to your data and never checking on them is even worse.

No comments:

Post a Comment