Last month, Wood River Health announced a data breach that affected nearly 55,000 patients in Rhode Island and Connecticut. It was the latest in a string of instances that have seen hundreds of thousands of Rhode Islanders’ personal health data exposed.
Morning Host Luis Hernandez spoke with Lee Kim, senior principal of cybersecurity and privacy of the Healthcare Information and Management Systems Society, about what Rhode Islanders can do to protect themselves if their personal data is compromised in a data breach.
Interview highlights
What patients can do, generally do to protect their personal information
Lee Kim: Health care is about trust, so there is some degree of responsibility on the provider. But there is so much that we do online to converse with our doctor and to pull our records and reports as well, such as through the patient portal. As a result, we need to ensure that we are using multifactor authentication, where we can, to log into those portals; we are using strong passwords that are not inappropriately shared or reused.
On what patients can do if their personal info is compromised in a data breach
Kim: I would recommend to review, like a hawk, your explanation of benefits that you get from your insurance company to make sure it matches the services that you get. One of the problems is that sometimes there’s medical identity theft where someone can use your insurance information to get medical services, things that you never really signed up for, so to speak.
The other thing that you could do is on the financial side. What is really important is that people go to freecreditreport.com, and with that you can check your credit score and activity vis-a-vis the three major credit bureaus in the United States. That is something that you could pull for free once a year. Each of these three credit bureaus have, for a fee, credit monitoring services, which you can partake of if there is some kind of change.
On what health care providers can to do prevent data breaches
Kim: What providers can do to ensure that this happens less is, first of all, they need to get their security teams in order in terms of governance; make sure that security is a priority across the entire organization; train them on phishing; ensure that they have the best state-of-the-art security tools, and they’re using AI to fight AI, and make sure that vendors and other third parties and contractors are following suit as well.
On whether certain types of medical practices are more vulnerable to data theft
Kim: The answer is yes. Obviously, the weaker your defenses, the less money you have to defend yourself. Let’s say you are an entity that is publicly-funded or you are an entity that is essentially subsidized in part by the government or you’re a rural healthcare provider. That’s a lot more difficult because, unfortunately, many of the security tools that are out there today do require significant investment. So those small entities are much more vulnerable than others. Also, vendors that are smaller or startup companies might be more vulnerable than others that have been around the block, so to speak.
