Professional colleges that train health-care professionals face an increased threat from cybercriminals today because of the many different types of data they collect. They are neither hospitals nor banks, yet they collect patient records for student clinical experiences, provide financial aid, process tuition payments, and verify identity.
Cybercriminals now view career colleges as attractive targets. The possibility of patient records being compromised came to light recently after a data breach at The College of Health Care Professions, which reported to Texas state authorities that the breach affected approximately 69,000 residents of Texas. Technical information regarding the intruder has not been made public; however, the state disclosure indicated that many different types of personal and PHI items were involved.
Health-care training institutions accumulate more types of records than traditional colleges do. The typical enrollment file at a health-care training institution may contain an SSN, a government-issued photo ID, state and/or national background checks, immunization records, and financial account information related to tuition and aid. Together these records form a digital file that can provide a very complete history of an individual's identity over time.
Because of their multi-campus operations, online learning platforms, and third-party services (for admissions, billing, etc.), career colleges may face cybersecurity challenges that larger university systems do not. Each new integration presents another entry point that must be both secured and monitored. At smaller or private institutions at least, competing priorities (e.g., program expansion or increased facility footprints) may limit the dollars available for cybersecurity investments.
Another issue complicating risk management for career colleges is records retention. Many educational institutions are required to retain certain student records for long periods; in some cases, compliance requirements (i.e., for health-related programs) may impose even longer retention periods for documentation associated with training or certification. In these scenarios, older data (often stored in legacy systems) remains active and therefore exposed to potential threats long after a student has graduated.
The recent growth in cyber incidents in the education sector, driven by ongoing trends across industries generally, is evident. Cybercriminals continuously search for large datasets; they repeatedly target organizations that hold sensitive information but may lack the level of defense (and therefore the overall cyber-defense maturity) of similarly sized, heavily regulated financial institutions. With thousands of students passing through any number of programs annually, even marginal access creates significant potential for exposure.
Impacts on current students and alumni may come later than originally thought. Identity misuse is often discovered months or years after an event occurs, and it is almost always discovered independently of how or when the data was first compromised. This is all the more troubling given that the most sensitive identifiers, i.e., SSNs or government IDs, are often the ones being misused.
As two-year career colleges increase their use of digital enrollment systems and online education, organizations will see more concern about data protection. Organizations that exist at the intersection of education and health care will need to recognize that the data they collect has a long life and, if it gets into the wrong hands, can have a long-term impact.
The larger message is that, because we now live in a data-centric world, specialized education institutions are no longer on the outside looking in when it comes to cybersecurity. They are now frequently on the front lines of this issue.
