The data breach shows that hackers can remain undetected for long stretches.
The Marriott data breach might not seem to be related to healthcare, but the incident offers some important cybersecurity lessons, especially for healthcare mergers and acquisitions.
The healthcare industry is in a very active period of mergers and acquisitions. Just yesterday, for instance, CVS Health finalized their acquisition of Aetna for $70 billion. The wave of consolidation ripping through health systems and hospitals has only grown stronger in recent years.
But healthcare mergers and acquisitions can lead to leaked personal health information (PHI) — and that’s exactly where the Marriott data breach comes in.
Today, hotel chain Marriott announced that a data breach affected 500 million of its Starwood guests. More than 325 million people’s names, phone numbers, passport numbers, dates of birth, and arrival and departure information were exposed. Millions more potentially had their credit card numbers and expiration dates compromised.
Given the size of the Marriott data breach, Healthcare Analytics News™ wanted to know what, if anything, healthcare organizations could learn from the catastrophe.
For starters, we looked at the credit card issue. Dan Berger, national director of healthcare at AxiaMed, said that there is a possibility that tools to decrypt credit card numbers were also stolen.
“It’s a huge violation of best practices to have the decryption tools accessible to the hackers who compromised the database,” he said.
But the big takeaway from Marriott’s data breach is that it occurred in Starwood’s system in 2014, two years before the companies merged, noted David Finn, executive vice president of strategic innovation at cybersecurity firm CynergisTek. That means that hackers operated there for years — all without being detected.
As more hospitals merge, more disparate IT networks merge along with them, whether it’s electronic health records (EHRs) or accounting systems. These data infrastructures are often difficult to bring together, and the more internal exchanges of data there are, the more likely a system is to get hacked.
“The more systems, the more difficult it is to take care of all of them,” Finn told Healthcare Analytics News™.
One thing the healthcare industry does not do well is due diligence when it comes to privacy and security, he said.
When companies merge, both need to deeply evaluate the systems being used to make sure there are no issues before the acquisition is complete. If this is not done and one system has a dormant hacker, the new merged company puts even more patients’ information at risk.
“If you’re buying a system, you want to do every kind of audit and test before you acquire that system,” Finn said.
Then healthcare leaders can determine what needs to be fixed before becoming responsible for potentially harmful software or systems.
In the case of the Marriott data breach, international privacy laws are at play because many international travelers stay at Starwood hotels. For instance, the company may be involved in violations of Europe’s recently enacted General Data Protection Regulation (GDPR), Finn said.
Though most providers are not doing work that falls under GDPR, he said it is important for healthcare providers to pay attention to domestic privacy regulations, which often vary by state.