This week Atrium Health, a respected US healthcare institution, reported a potential data breach due to unauthorized access via their vendor AccuDoc.
The notification posted states the following:
AccuDoc Solutions, Inc. (“AccuDoc”) and Atrium Health announced that following an extensive internal investigation, Atrium Health has reported possible unauthorized access to databases hosted by AccuDoc that contained personal information provided in connection with payment for health services at an Atrium Health location (formerly Carolinas HealthCare System) and at locations managed by Atrium Health, including […]. AccuDoc is a vendor that provides billing and other services to healthcare providers, including Atrium Health.
What makes this case interesting from a cybersecurity and data protection perspective are the actions which were reportedly taken “immediately”:
As soon as AccuDoc discovered the incident, it immediately terminated the unauthorized access, engaged a forensic investigator, and took steps to secure its affected databases and enhance its security controls.
This case demonstrates what cybersecurity experts have been saying for a long time: implementing data protection controls is not about ticking boxes or going through the motions, but about focusing on effective measures. Over the last few years, in part driven by GDPR, all organizations have started or continued their data protection journey. Actions such as appointing Data Protection Officers (DPOs), writing privacy statements and policies, implementing data breach notification procedures and, most visibly, attempting to gain consent for processing are commonly carried out.
This case highlights the most practical step in GDPR compliance: “...it immediately terminated the unauthorized access”. These are actionable and practical measures that improve data security by actually securing the data.
We could debate what “unauthorized access” means, how effective these measures were or what went wrong in the first place. This is not the first data breach and won’t be the last one either. What is critical is the part where AccuDoc terminated the access to the data, even before notifying Atrium. By the time the information got passed on, the acute problem had already been taken care of and further harm had been averted. All that was left was to figure out what went wrong, how to avoid it in the future and to take care of responsibilities towards data subjects in a timely manner.
What is the lesson to learn here? Managing access to critical data – personal or otherwise – is the core responsibility of data controllers and processors. GDPR and other regulations should not be seen as a token effort that increases bureaucracy or creates new process descriptions. It is easy to create the illusion of data protection through compliance that isn’t backed by real capabilities and actions. It’s far harder to create effective controls that protect data in the first place. True compliance is all about managing access to data and preventing, or promptly terminating, unauthorized access.
At the end of the day, it's all about Identity Management and Access Control...
In two previous blogs, we wrote about managing access using Role-Based Access Control. Give them a read for an overview of how access control can provide you with effective tools to truly protect the data others have entrusted to you.