Cyber Threat Compels Changes in Security Assumptions
Top health information security risks haven’t changed much in 10 years; theft or loss of data is still No. 1 in the number of incidents, Mac McMillan, CEO of IT security and compliance services firm CynergisTek, said at the AHIMA Convention in New Orleans. But the entire security landscape has changed.
Based on the number of incidents, theft or loss of data is by far the most prevalent reason for a breach, followed by identity theft or fraud, and then mistakes such as errant emails, forgetting to patch some software, faxes sent to the wrong location and other unintentional acts.
Coming way behind in terms of incidents are cyber attacks, but they now account for 95 percent of records exposed. Healthcare cyber attacks doubled in 2013, doubled in 2014 and already have quadrupled in 2015, McMillan said.
Phishing, in which hackers send emails with embedded malware that recipients open, or pose over the phone as a trusted person who needs your network credentials, is the top way to get into a network. A hacker will send emails to dozens or hundreds of people at a healthcare organization; only one has to open it, and 20 to 40 percent will actually do so. Some 70 percent of those will click on the attachment, and the malware is activated. About 20 percent will open an email believed to be trusted and asking for information, fill out the form, and give their password or other credentials.
On a side note, physicians are particularly vulnerable to cyber tax fraud; McMillan advises doctors to file their taxes early and file on paper.
A cyber attack on a healthcare organization’s business associate can damage the organization as much as a direct attack if the business associate’s security posture is weak. McMillan recounted a claims clearinghouse that got hacked and hit with ransomware, so its clients’ data was encrypted. McMillan asked where the data backups were, and the clearinghouse didn’t have any. Further, none of the clearinghouse’s customers had ever asked it about its security posture.
The lesson: Don’t pay ransom because almost always the data will not be returned anyway. But beef up security and do regular backups.
Many hospitals have information security professionals who manually monitor their networks for suspicious activity. This is a task that can no longer be done, McMillan asserted. There is just too much data to watch and too few resources to monitor it adequately, so just outsource the job to professionals, he advised. “If someone comes in with the right amount of horsepower, time, expertise and resources, they will get in your network; it’s just a matter of time.”
Another tip: In the age of mobile health, stop trying to manage devices and manage the data, McMillan said. “There are way too many of them, just give up.”