A Bon Secours Health System hospital recently reported a data breach affecting 655,000 patients. Their patient data was left online and open to the public by a consulting firm.
You apparently do not have to “hack” anything these days. Lately we have seen the email servers of political parties and politicians accessed and embarrassing emails released. What if, instead of emails, hackers wanted patient and compliance information from your company to use in order to commit fraud? Let’s start our discussion with email server hacking.
How do you hack an email server?
Let’s say someone targets your company. They start by going to your company website and obtaining a list of staff and executives. This also gives them the email domain, for example “yourcompany.com.” Now they need to confirm which addresses actually exist. A simple terminal tool such as “Telnet” lets them connect directly to your mail server and check batches of guessed email names against it, because a mail server that answers honestly tells them which addresses it accepts and which it rejects.
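The address-probing step described above leaves a trace on the mail server: a burst of “unknown recipient” rejections from one source. As an added example (not part of the original article), the following Python script detects that pattern in constructed Postfix-style log lines. The log lines, the IP addresses (documentation ranges) and the threshold of five rejections in ten minutes are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix smtpd-style log lines (not real logs). 203.0.113.5 plays the
# role of a host probing guessed addresses; 198.51.100.7 is an ordinary sender
# that mistyped one address; the last line is an accepted message, not a reject.
SAMPLE_LOG = """\
Oct 12 03:14:01 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 03:14:03 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <asmith@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<asmith@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 03:14:05 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bjones@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bjones@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 03:14:07 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <cwhite@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<cwhite@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 03:14:09 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dbrown@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dbrown@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 03:14:11 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <egreen@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<egreen@yourcompany.com> proto=ESMTP helo=<probe>
Oct 12 09:02:44 mail postfix/smtpd[2419]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jon.doe@yourcompany.com>: Recipient address rejected: User unknown in local recipient table; from=<partner@example.org> to=<jon.doe@yourcompany.com> proto=ESMTP helo=<mail.example.org>
Oct 12 09:03:10 mail postfix/smtpd[2419]: 7A1B2C3D4E: client=mail.example.org[198.51.100.7]
"""

# Matches a Postfix "unknown recipient" rejection and captures the syslog
# timestamp and the connecting client's IP address.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"Recipient address rejected: User unknown"
)


def parse_rejects(log_text):
    """Return a list of (client_ip, timestamp) for each unknown-recipient reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts_text = " ".join(m.group("ts").split())
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S")
        events.append((m.group("ip"), ts))
    return events


def find_enumerators(events, threshold=5, window_seconds=600):
    """Flag IPs with at least `threshold` rejects inside any `window_seconds` span.

    A single mistyped address from a legitimate sender stays below the threshold;
    a host walking a list of guessed names does not.
    """
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits, track its size.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(parse_rejects(SAMPLE_LOG)).items():
        print(f"possible address enumeration from {ip}: {count} unknown-recipient rejects")
```

The threshold and window are tuning knobs; a server that receives a lot of misaddressed mail will need a higher threshold. On the mitigation side, Postfix’s `disable_vrfy_command = yes` setting turns off the VRFY command so that batches of names cannot be checked without attempting delivery, which is what makes the rejections above visible in the log in the first place.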
So now the hackers have the name of your server and your email addresses. Now they just need a password, and they can get it using the power of social media and the Internet. Sites such as Facebook and LinkedIn are gold mines of information on the people for whom hackers have compiled email addresses. Your IT department tells you to use a generated password with random characters, yet most people settle for the name of their spouse, child, or a favorite pet.
Hackers can also “phish” to gather information directly from your computers. Say you get an email from your utility company or a local bank. You open the email and it installs onto your computer what’s called “keylogger” software that sends everything you type to the hackers. This includes passwords. They can also install software that allows them to run your computer from a remote location after business hours. They would have access to anything you would, including accounting and patient care systems, and no one is watching at 3 a.m.
You like being able to share data with other people. Your business has come to depend on it. And there are a variety of services such as Google Drive and Dropbox that offer convenient ways to do it. Hackers can access this data in much the same way as email. If they can get into your emails or log on to your computer, they can copy the links you have used to share data with people that are supposed to have it.
Why is this such a big compliance issue?
It is not just the obvious we should worry about. Yes, hackers can steal and sell patient information. But what about issues like the recent political email scandals? What if hackers release damaging emails that embarrass your company? What if that information leads to government investigations and audits? What if they quietly sell information to your competitors? What if they use information in your email to submit fraudulent bills to Medicare and Medicaid?
Is there a solution?
My daughter works in the area of data security for an extremely large technology company. To protect her from backlash, I won’t name the company. But I asked her if they talked internally about whether we really can protect emails; whether email can truly be secure. She told me that they tell the public they can, but the scary truth is that, behind closed doors, they admit that at best they can only try to deter hackers.
About the Author
Timothy Powell is a nationally recognized expert on regulatory matters including the False Claims Act, Zone Program Integrity Contractor audits, and U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance. He is a member of the RACmonitor editorial board.