Hidden Signs of a Healthcare Data Breach (and How to Detect Them)


When it comes to cybersecurity best practices, timely detection is key. This is especially important for healthcare organizations. Hospitals, clinics, and administrative offices handle private patient data every day, and this data in the wrong hands can have significant consequences. 

But how can you tell when your network has been compromised?

The signs of a healthcare data breach might not always be obvious. Rather, the early signals may seem like basic technology issues. So, if your organization’s IT department notices any of the following issues, it’s time to act quickly. Here are some subtle (and potentially hidden) signs of data exposure. 

Device Tampering

Sometimes, the signs of a data breach are immediately obvious, such as when a computer, tablet, mobile device, or connected medical device has been tampered with, likely by an internal party. For example, you might turn off your office computer at the end of your shift and notice the next day that there are windows open. This shows that someone else has been using the computer and potentially accessing sensitive data. 

Since unauthorized use can expose sensitive patient and organizational data in healthcare, it’s important to understand where system and event logs are aggregated and stored. All device user accounts should be protected with strong passwords and multi-factor authentication, and data should be stored with strong encryption. All employees should also understand how to report a security incident through the appropriate channels or the IT department. 

Locked Credentials

A lone failed login attempt certainly is not a red flag. However, a locked-out account could be an indication that something is wrong. If several employees in an organization receive a lockout message after trying to log in once, this could be an indication that your environment is under threat of compromise. The lockout may show that someone else has attempted to use a user’s login credentials to access the organization’s network. It is important to take additional steps and scan the network if this occurs. Your IT department might find additional signs of a breach upon further investigation. 
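
The pattern described above, several accounts locked out close together rather than one forgotten password, can be checked against authentication logs. This is an added example, not part of the original article; the event layout, the 15-minute window and the three-account threshold are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event type).
EVENTS = [
    ("2024-03-04T09:12:00", "mlee", "lockout"),         # lone lockout
    ("2024-03-05T02:14:05", "jsmith", "lockout"),
    ("2024-03-05T02:15:40", "apatel", "lockout"),
    ("2024-03-05T02:16:02", "rchen", "lockout"),
    ("2024-03-05T02:16:30", "jsmith", "failed_login"),  # not a lockout, ignored
    ("2024-03-05T02:21:30", "kdavis", "lockout"),
]

def lockout_clusters(events, window=timedelta(minutes=15), min_accounts=3):
    """Return (first, last, accounts) for each burst of lockouts that hits
    at least `min_accounts` distinct accounts within `window`."""
    locks = sorted((datetime.fromisoformat(ts), acct)
                   for ts, acct, kind in events if kind == "lockout")
    clusters, i = [], 0
    while i < len(locks):
        start, j, accounts = locks[i][0], i, set()
        # Collect every lockout that falls inside the window opened at `start`.
        while j < len(locks) and locks[j][0] - start <= window:
            accounts.add(locks[j][1])
            j += 1
        if len(accounts) >= min_accounts:
            clusters.append((start, locks[j - 1][0], sorted(accounts)))
            i = j            # skip past the burst just reported
        else:
            i += 1           # isolated lockout: slide the window forward
    return clusters

if __name__ == "__main__":
    for first, last, accounts in lockout_clusters(EVENTS):
        print(f"{first} to {last}: {len(accounts)} accounts locked out: {accounts}")
```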

File Changes

With so many files moving between users, it can be tricky to notice changes. However, file modifications can be a sign of a data breach. Hackers might move, delete, replace, and change files when accessing a system. This commonly manifests in the imaging or mass copy of an entire system as attackers prepare to steal large amounts of data at once. So, it is important that employees immediately file a report if they notice altered files or unfamiliar processes and applications installed on their system. As soon as the employee reports the issue, make sure to freeze any actions on the device or cloud that holds the files in question. This can allow the IT team to assess the file history and detect malicious action. 

Abnormal User Activity

From healthcare administrators to medical assistants, employees typically use their accounts the same way every day. So, it is essential to take note of any activity that’s outside this daily norm. Abnormal user activity can look like:

  • Login activity outside of office hours (such as in the middle of the night)
  • User activity from another city, state, or country
  • Unplanned password changes 
  • Logins from multiple devices at once
  • Logins from multiple locations at once

As a rule, your organization should take note of any user activity that seems suspicious, even if you may be able to trace it back to a legitimate source. Setting up alerts and carefully logging this type of activity can help your organization stop a malicious actor in their tracks. 
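
Three of the signals listed above (off-hours logins, logins from multiple locations at once, and logins from multiple devices at once) expressed as alert rules over sign-in records. This is an added example, not part of the original article; the record layout, the 07:00 to 19:00 office hours and the 30-minute overlap window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, user, location, device).
LOGINS = [
    ("2024-03-04T08:05:00", "nurse.kim", "Franklin,US", "WS-ER-01"),
    ("2024-03-04T13:30:00", "nurse.kim", "Franklin,US", "WS-ER-01"),
    ("2024-03-05T02:47:00", "nurse.kim", "Franklin,US", "WS-ER-01"),
    ("2024-03-04T09:00:00", "billing.ray", "Franklin,US", "WS-BILL-07"),
    ("2024-03-04T09:10:00", "billing.ray", "Seattle,US", "LAPTOP-X"),
    ("2024-03-04T10:15:00", "dr.osei", "Franklin,US", "WS-CLIN-03"),
    ("2024-03-04T15:40:00", "dr.osei", "Franklin,US", "WS-CLIN-03"),
]

def flag_logins(logins, day_start=7, day_end=19, overlap=timedelta(minutes=30)):
    """Return (user, rule, timestamp) alerts for the sign-in records given."""
    by_user = defaultdict(list)
    for ts, user, loc, dev in logins:
        by_user[user].append((datetime.fromisoformat(ts), loc, dev))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        # Rule 1: sign-in outside the organization's normal working hours.
        for when, _loc, _dev in rows:
            if not day_start <= when.hour < day_end:
                alerts.append((user, "off_hours", when.isoformat()))
        # Rules 2 and 3: consecutive sign-ins close together in time that
        # disagree on location or device, i.e. the account is in use from
        # two places or two machines at once.
        for (t1, loc1, dev1), (t2, loc2, dev2) in zip(rows, rows[1:]):
            if t2 - t1 <= overlap:
                if loc1 != loc2:
                    alerts.append((user, "multiple_locations", t2.isoformat()))
                if dev1 != dev2:
                    alerts.append((user, "multiple_devices", t2.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(LOGINS):
        print(alert)
```

An alert here is a prompt to review, not proof of compromise: on-call staff and shared workstations will trigger these rules legitimately.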

Atypical Outbound Traffic

For healthcare organizations, outbound activity typically involves patient communications, billing, and ordering equipment. However, malicious actors may use these same channels to steal data and communicate with external parties. It is important to take note of any unusual outbound activity. IT teams should take note if there is an unusual amount or destination of outbound traffic or if the activity simply looks different than normal. Again, in such an event all activity should be frozen until the channel is scanned. 
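
One way to make "an unusual amount or destination of outbound traffic" measurable is to compare each host's traffic today against its own history. This is an added example, not part of the original article; the flow-summary layout, host and destination names, and the three-standard-deviation threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (day, host, destination, bytes sent out).
BASELINE = [
    (d, "billing-ws-07", "clearinghouse.example", b)
    for d, b in enumerate([40_000_000, 42_000_000, 38_000_000,
                           41_000_000, 39_000_000])
] + [
    (d, "frontdesk-ws-02", "portal.example", b)
    for d, b in enumerate([5_000_000, 6_000_000, 5_000_000,
                           6_000_000, 5_000_000])
]

# Constructed flows for the day under review: (host, destination, bytes out).
TODAY = [
    ("billing-ws-07", "clearinghouse.example", 41_000_000),
    ("billing-ws-07", "files.unknown-host.example", 900_000_000),
    ("frontdesk-ws-02", "portal.example", 5_500_000),
]

def outbound_anomalies(baseline, today, sigma=3.0):
    """Flag hosts whose outbound volume exceeds mean + sigma * stdev of their
    own daily history, and any destination the host has not contacted before."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    known = defaultdict(set)                        # host -> destinations seen
    for day, host, dest, nbytes in baseline:
        daily[host][day] += nbytes
        known[host].add(dest)
    totals, dests = defaultdict(int), defaultdict(set)
    for host, dest, nbytes in today:
        totals[host] += nbytes
        dests[host].add(dest)
    findings = []
    for host in sorted(totals):
        history = list(daily[host].values())
        # A host with no history gets no volume check, only new destinations.
        if history and totals[host] > mean(history) + sigma * pstdev(history):
            findings.append((host, "volume", totals[host]))
        for dest in sorted(dests[host] - known[host]):
            findings.append((host, "new_destination", dest))
    return findings

if __name__ == "__main__":
    for finding in outbound_anomalies(BASELINE, TODAY):
        print(finding)
```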

Slow Loading Times

A slow internet connection or lagging computer is certainly cause for a workday headache. However, this issue might be more than just a nuisance. Unusually slow loading times can be a sign that there is a virus or malware on the system, as these types of unauthorized programs can slow down the computer’s processing ability. Be sure that employees always report slower than normal loading times to the IT department, even if it might not seem suspicious at the time. A scan might reveal that a malicious actor has introduced unauthorized software, potentially accessing patient and organizational data. 

Computer Glitches

What may seem like a glitch may actually be a sign of a security breach. Computers that have been compromised may show frequent pop-up messages, either from internet browsers or antivirus software, and systems may unexpectedly freeze or shut down. Employees may also notice new files, toolbars, and settings on the computer itself or on a web browser. It is also possible that the user will not be able to type or take control of their mouse. 

Hackers may put these types of changes in place to bait computer users and further access the network. So, employees should be advised to stop use and report the glitches immediately to prevent further data exposure. 

Web Browser Redirects

Indications of a compromise can show up within a web browser as well. An employee might notice that they are being redirected, and this can mean that the website they are visiting has been compromised and that the system browsing that site may soon be compromised too. Other signs may include constant pop-ups and unusual search results. Keep in mind that employees should never try to fix this issue themselves, even if they are completing an important task. Ensure that staff members know to report internet browser issues to the IT team. 

As we noted, the first signs of a data breach may not always be obvious. Further, it can be tricky to monitor the network of a busy healthcare organization. This is why you need professionals on your side. Based in Franklin, TN, the team at Fortified Health Security offers robust Threat Indicator Assessment services, so your office, clinic, or hospital can focus on patient care. 

This service is known throughout the industry as a “Compromise Assessment,” but Fortified prefers the term “Threat Indicator Assessment,” as the former presumes that there has been a breach in a client’s security. Instead, Fortified offers and recommends these services to confirm or deny the suspicion of a compromise and strives to inform the client so accurate and timely decisions can be made, based on factual evidence rather than suspicion. Our security solutions and managed services can help shield your network and prevent costly data loss. Contact us today to get started.