After Change Healthcare Breach, ADA Announces Data Breaches can Happen to Anyone

 

Not to be snippy about this important subject, but I find it a tad 'interesting' that the ADA is now announcing that "Data Breaches can Happen to Anyone".  The organization is now telling the profession this after the organization itself suffered a *major* data breach in the spring of 2021.  From what I've discovered by talking to sources that wish to remain anonymous, that data breach was massive.  Plus we as the membership still don't really know what happened, what was stolen, or how the breach was accomplished.  The entire subject became something no one wanted to go on the record about.  Instead, like a police officer directing traffic after a major accident, the company line was "Move along... nothing to see here... keep moving..."

Don't get me wrong, I understand the philosophy of getting back to normal as soon as possible.  However, when these events happen, transparency is critical to restoring trust.  We still don't know for sure how the ADA breach happened or for sure what was taken.

The unfortunate thing about breaches is that they have become so incredibly common.  Because of that, our society has come to a type of acceptance of these events.  My grandfather used to say "locks keep honest people honest" and he was right about that.  He passed away long before the tech revolution changed our world, but that expression still applies.  In my grandfather's day, if someone really wanted to break into your house and the door was locked, they'd just break a window and go in that way.  In the tech world you can only do as much as you can do from a security standpoint, but there are always going to be smart people with bad intentions who will find a way around it.  There is way too much money to make just *finding* the flaws... not to mention in exploiting them.

My concern in healthcare tech security is that it seems the rules have changed in the last 5 years or so.  Healthcare breaches used to seem rare.  Now that rarity is gone.  The frightening part (at least to me) is not just the potential for patient identity theft.  I mean, no one wants to go through the nightmare of identity theft, but when criminals start tinkering in the healthcare space they run the risk of truly hurting, or God forbid, killing someone.  

I know that it's now being reported that Change Healthcare paid a $22 million ransom to get their systems back running.  Many tech experts feel that paying a ransom simply encourages more of these nightmare scenarios, but when people's lives hang in the balance, I can certainly understand why that decision was made.  If I knew someone died and I could have prevented it, the guilt would be more than I could bear.  Simply put, I can understand why the ransom was paid.

I don't know what the answer to all of this is.  The scope is way beyond what I can fathom or impact.  Something needs to be done, but I'm hard pressed to define what that something is.

The ADA article on data security features an interview with Gary Salman, the CEO and cofounder of Black Talon Security and is a very good read.  I highly recommend reading and saving this interview.