How hospital database controls can reduce vulnerability to hacking
As hackers increasingly target healthcare organizations to gain access to data, hospitals need to improve efforts to protect patient information, often stored in multiple places throughout their systems.
Hospitals have hundreds if not thousands of databases and most of them can serve as a launch pad for hackers, contends Bill Fox, vice president of healthcare and life sciences at MarkLogic, a vendor that provides enterprise database technology.
Too often, employees and clinicians have unlimited access to data, he says. Access should be restricted on a need-to-know basis, and once a task is done it should be revoked to reduce the chance of accidental exposure.
“Hackers can do a lot of things at even the lowest database level,” Fox notes. “They can go in the database and use it to get to another database, not just using that second database as a hijacking device, but using it to get to the motherlode.”
Fox is a former deputy chief of economic and cyber crime at the Philadelphia District Attorney’s Office, where he investigated and prosecuted hackers targeting healthcare organizations and other industries. In one case, hackers sat in a car in the parking lot of a large retail chain and used the inventory mainframe to access other information systems, eventually stealing data on 5,000 individuals.
Hackers don’t just come from the outside; in many cases, they work inside an organization and, as many providers have learned over the years, they’re just as dangerous, Fox says. Too many providers are not monitoring employee activity when simple analytics could quickly spot an offender. Using business intelligence tools to analyze an organization’s network activity might identify employees accessing parts of databases that they’ve never used before.
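The kind of analytics Fox describes can be surprisingly simple. The following Python script is an added example written for this article; it is not code from MarkLogic or from any product Fox mentions. It builds, per account, a baseline of which tables that account has queried and how many rows it normally pulls, then flags two things over a later window: a first-ever access to a table, and a row volume far above the account's own history on that table. The audit-log format and every log line are constructed for illustration; a real deployment would read the database's native audit trail instead.

```python
"""Spot database access that departs from an employee's own history.

Added example, not from the article. Builds a per-account baseline of
(table queried, rows returned) and flags later activity that is either a
first-ever access to a table or a volume far above that account's norm.
The audit-log format and all records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records, one per query: timestamp account table rows_returned
AUDIT_LOG = """\
2024-05-02T08:14:03 nurse_kim clinical.vitals 12
2024-05-02T08:20:41 nurse_kim clinical.medications 9
2024-05-03T09:02:17 nurse_kim clinical.vitals 15
2024-05-04T11:45:00 nurse_kim clinical.medications 11
2024-05-05T07:58:30 nurse_kim clinical.vitals 14
2024-05-02T10:00:00 billing_lee billing.claims 40
2024-05-03T10:05:12 billing_lee billing.claims 38
2024-05-04T10:01:09 billing_lee billing.insurance 22
2024-06-03T08:10:55 nurse_kim clinical.vitals 13
2024-06-03T23:41:02 nurse_kim billing.claims 2500
2024-06-04T02:15:44 nurse_kim clinical.vitals 900
2024-06-03T10:02:00 billing_lee billing.claims 41
"""

BASELINE_END = datetime(2024, 6, 1)  # queries before this date form the baseline
VOLUME_SIGMAS = 3.0   # flag rows_returned above mean + 3*stdev of the account's own history
MIN_SAMPLES = 3       # need this many baseline queries on a table before trusting its stats


def parse(log_text):
    """Turn the constructed log into (timestamp, account, table, rows) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, table, rows = line.split()
        records.append((datetime.fromisoformat(ts), account, table, int(rows)))
    return records


def build_baseline(records, cutoff):
    """Map (account, table) -> list of rows_returned for queries before cutoff."""
    baseline = defaultdict(list)
    for ts, account, table, rows in records:
        if ts < cutoff:
            baseline[(account, table)].append(rows)
    return baseline


def find_anomalies(records, cutoff=BASELINE_END, sigmas=VOLUME_SIGMAS, min_samples=MIN_SAMPLES):
    """Return (timestamp, account, table, rows, reason) for suspicious post-cutoff queries."""
    baseline = build_baseline(records, cutoff)
    seen_tables = defaultdict(set)
    for account, table in baseline:
        seen_tables[account].add(table)

    alerts = []
    for ts, account, table, rows in records:
        if ts < cutoff:
            continue
        # An account with no baseline at all (a brand-new login) will have every
        # table flagged here; in practice you would wait out a learning period first.
        if table not in seen_tables[account]:
            alerts.append((ts, account, table, rows, "first access to this table"))
            continue
        history = baseline[(account, table)]
        if len(history) < min_samples:
            continue  # too little history to judge volume reliably
        threshold = mean(history) + sigmas * pstdev(history)
        if rows > threshold:
            alerts.append((ts, account, table, rows,
                           f"volume {rows} exceeds typical {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse(AUDIT_LOG)):
        print(*alert)
```

On the constructed log this reports two events, both for nurse_kim: a late-night first access to billing.claims returning 2,500 rows, and a 900-row pull from clinical.vitals against a history of roughly a dozen rows per query. billing_lee's activity, which stays within its own pattern, produces nothing. The per-account baseline is the point: a clinician who has never touched a billing table is suspicious when they do, even though billing staff read that table every day.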
Creating formal separation of duties among employees reduces their access to information they don’t need, so healthcare organizations should give each employee only the pieces of documentation their role requires and limit authorized information systems access accordingly, with everyone having only the information they need, he counsels.
“You really want to make sure that the ability to roam all over the network is extremely limited. Teach and enforce rules, including rules on clinicians who did not go to school to become security experts but to be doctors and nurses, and only now are catching up to the need for security to become a priority. Some 73 percent of healthcare users are security novices—there’s your attack surface for a hacker.”