The Incidents
HIPAA Journal reported cybersecurity incidents at three healthcare organizations: Medenet (a revenue cycle management company), United Medical Doctors, and Stewart Home & School. All three incidents involved unauthorized access to protected health information.
The article doesn’t specify the exact attack vector, but the outcome is clear: someone or something accessed patient data files without authorization. That’s the definition of a HIPAA breach requiring notification.
Why File System Access Control Matters
Here’s what most healthcare organizations miss: the actual breach happens at the file system level. Before PHI can be exfiltrated, encrypted, or sold on the dark web, it has to be read from disk. That’s a file operation—and file operations can be controlled.
Most security tools try to detect the breach after it happens. Anomaly detection, signature matching, SIEM correlation—all of these operate after the unauthorized read has already occurred. The data is already in memory, already transmitted, already gone.
FileSure Defend operates at the kernel level, intercepting file operations before they reach the file system. It enforces a simple policy: these specific programs are authorized to open files containing PHI. Everything else gets blocked.
No signature database. No machine learning model. Just a whitelist of authorized applications enforced at the Windows kernel filter driver layer.
A Specific FileSure Configuration for PHI Protection
Here’s what a real-world FileSure policy looks like for protecting electronic health records:
File filter: *.hl7, *.xml, *.dat, *.mdb, *.accdb (common EHR and medical data file extensions)
Allowed programs: C:\Program Files\EHR_Vendor\*.exe, C:\Program Files\PACS\*.exe
Blocked operations: Read, Write, Delete
Scope: All local and network drives
Action: Block and log
Any program not explicitly listed—including malware, credential-stealing tools, or an employee’s personal email client—cannot open those files. The operation is blocked at the kernel before the file is touched.
Every attempt, successful or blocked, is logged with the user name, program path, machine name, timestamp, and operation type. That log is encrypted, stored separately from the protected files, and ready for your HIPAA breach investigation or OCR audit.
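To make the decision logic of that policy concrete, here is a small Python model of it, added as an illustration; it is not FileSure code and not FileSure's configuration syntax. The function names, the sample events, and the assumption that "*" may span sub-directories are made up for the example, which also normalizes paths before matching, something any allowlist keyed on program path needs.

```python
import fnmatch
import ntpath
from datetime import datetime, timezone

# Values copied from the policy listed above.
FILE_FILTER = ["*.hl7", "*.xml", "*.dat", "*.mdb", "*.accdb"]
ALLOWED_PROGRAMS = [r"C:\Program Files\EHR_Vendor\*.exe",
                    r"C:\Program Files\PACS\*.exe"]
BLOCKED_OPERATIONS = {"read", "write", "delete"}

def _canon(path):
    # Collapse "..", "." and mixed slashes, then lower-case (Windows paths are
    # case-insensitive). Without this, "...\EHR_Vendor\..\..\Temp\x.exe"
    # would satisfy the EHR_Vendor pattern.
    return ntpath.normcase(ntpath.normpath(path))

def _matches(path, patterns):
    # Assumption: "*" may span sub-directories, as it does in fnmatch.
    return any(fnmatch.fnmatchcase(path, _canon(p)) for p in patterns)

def evaluate(user, machine, program, operation, target, now=None):
    """Return one audit record; its "decision" is "allow" or "block"."""
    program_c, target_c, op = _canon(program), _canon(target), operation.lower()
    protected = _matches(ntpath.basename(target_c), FILE_FILTER)
    authorized = _matches(program_c, ALLOWED_PROGRAMS)
    blocked = protected and op in BLOCKED_OPERATIONS and not authorized
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "machine": machine, "program": program_c,
        "operation": op, "target": target_c,
        "decision": "block" if blocked else "allow",
    }

# Constructed sample events: (user, machine, program, operation, target).
SAMPLE_EVENTS = [
    ("jdoe", "WS-014", r"C:\Program Files\EHR_Vendor\ehr.exe", "Read", r"D:\records\adt_0412.hl7"),
    ("jdoe", "WS-014", r"C:\Users\jdoe\AppData\Local\Temp\sync.exe", "Read", r"D:\records\adt_0412.hl7"),
    ("jdoe", "WS-014", r"c:\program files\ehr_vendor\..\..\Temp\sync.exe", "Read", r"\\fs01\ehr\patients.MDB"),
    ("jdoe", "WS-014", r"C:\Windows\notepad.exe", "Write", r"D:\notes\todo.txt"),
]

def decisions(events=SAMPLE_EVENTS):
    """Decisions for the sample events, in order."""
    return [evaluate(*e)["decision"] for e in events]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate(*event))
```

A path-based allowlist like this is only as strong as the permissions on the allowed program directories, so those folders should be writable by administrators only.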
The Upstream Intervention
The strongest defense happens at the earliest point in the attack chain. If unauthorized file access is blocked at the kernel level, exfiltration never happens. The attacker never gets the data into memory, never transmits it, never encrypts it.
FileSure doesn’t detect breaches. It prevents the file operations that cause them.
Most healthcare organizations are spending their budget on tools that detect problems after the damage is done. The file system layer is where you stop the damage from happening in the first place.
If you’re responsible for HIPAA compliance or PHI security, you can start a free 21-day trial of FileSure Defend at bystorm.com. No credit card required. Install it on a test system and watch it block unauthorized file access in real time.
Source: PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School