Healthcare is an absolute goldmine for hackers. Each time new patients enter a doctor’s office, sensitive information is recorded. This means that emails, phone numbers, health insurance information and Social Security numbers can all be stolen easily.
Executives at many small healthcare institutions believe that a breach will only occur at large, well-known providers, but this is just not the case. Urgent care is projected to increase 5.8 percent each year through 2018, which means more standalone centers will open their doors to more patients and their data. It is individual locations like these that serve as hotbeds for hackers, as they often don’t have strong security and IT teams in place.
These criminals are all about profit. When identity theft is accomplished through stolen healthcare data, the amount of money a hacker can generate by opening fraudulent credit accounts in someone’s name makes credit card theft seem like a drop in the bucket. The higher the amount of money the hacker makes, the greater the impact the theft has on the life of the individual, causing potential mistrust for the compromised healthcare organization. In 2016, it was reported that victims of medical identity theft paid an average of $13,500 to resolve the crime.
Cybercriminals are aware of these facts and figures. Efforts to exploit this have resulted in hackers, once perceived as lone individuals, becoming more organized in their approach—running their malicious operations like full-time businesses. They are well-funded with labs and an abundance of time and resources devoted toward research and development.
What was acceptable 10 years ago as adequate security is simply not acceptable now. The frequency with which hackers are successfully infiltrating healthcare organizations indicates that anti-virus, anti-malware and firewalls alone are not enough to secure their internal and sensitive patient data from the modern threat landscape.
Securing medical records is a complex undertaking. It goes far beyond the minimal technical requirements of HIPAA and involves a precise balance of technical knowledge of IT teams, properly trained office or hospital staff and even third-party vendors that service systems within an organization. So what can the healthcare industry do to prevent their security from being compromised?
Employ penetration testing. Companies need to educate employees on security policies and should also be doing penetration testing multiple times per year. This is accomplished by having a security expert try to break into your network to see if your security measures hold up. This includes not just technology, but physical access. Are your file cabinets locked and how do you open them? The more sensitive data that exists in your network or on your premises, the more frequently you should be doing penetration testing.
Use encryption. Files must be encrypted. In early 2016, it was discovered that nearly 400,000 records were compromised when a staff member’s computer with unencrypted records was stolen. HIPAA technical requirements state that electronic personal health information (ePHI)—whether at rest or in transit—must be encrypted.
Ensure third-party vendors are secure. Your systems may be secure, but what happens when you require outside assistance with an issue? Ensure that all vendors you use follow guidelines to secure the technology they service, to keep both you and your data safe. Attackers also use a strategy known as “vendor as vector”: compromising a vendor either as a route into a single healthcare system or, by breaching a smaller practice’s IT vendor, as a way to reach many clients at once. Ensuring these third-party companies have the latest endpoint security in place is also part of the healthcare practice’s responsibility.
Monitor external devices. Another necessity is to monitor any external devices being introduced to the network. USB devices, such as flash keys and thumb drives, can easily infect computers with self-replicating malware, much as floppy disks did in years past. A USB device can also emulate a keyboard to install malware and other malicious payloads. A USB drive or external hard drive can infect a connected computer at initial start-up, before antivirus tools have a chance to catch the attack.
SIEMplify the network. The last measure healthcare outlets can take is implementing a Security Information and Event Management (SIEM) system. SIEM has become a key technology in fighting off cybercriminals and keeping healthcare companies informed of suspicious network activity. SIEM platforms ingest the millions of log entries generated by all the systems and devices in the infrastructure and sort through them for you in real time. A properly tuned SIEM can pinpoint a threat as it happens and alert you immediately, helping stop an attack in its tracks while tracing it back to the device where it started.
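Taking the USB-monitoring and SIEM points together, the added Python example below (written for this page, not code from the article) shows the kind of correlation rule a SIEM applies: constructed syslog-style lines record a USB mass-storage insertion followed by a burst of patient-record reads, and the rule alerts when that burst exceeds a threshold inside a short window. The hostnames, the log format and the `ehr-app` source name are all invented for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). ws-frontdesk-03 sees a
# USB mass-storage insertion at 02:14 followed by a burst of patient-record
# reads; ws-exam-01 shows an insertion during the day with ordinary activity.
SAMPLE_LOGS = """\
2016-05-02T02:14:07 ws-frontdesk-03 kernel: usb-storage: new mass storage device serial=CONSTRUCTED01
2016-05-02T02:14:19 ws-frontdesk-03 ehr-app: user=jdoe action=read record=PT-00417
2016-05-02T02:14:21 ws-frontdesk-03 ehr-app: user=jdoe action=read record=PT-00418
2016-05-02T02:14:22 ws-frontdesk-03 ehr-app: user=jdoe action=read record=PT-00419
2016-05-02T02:14:24 ws-frontdesk-03 ehr-app: user=jdoe action=read record=PT-00420
2016-05-02T09:31:00 ws-exam-01 kernel: usb-storage: new mass storage device serial=CONSTRUCTED02
2016-05-02T09:48:10 ws-exam-01 ehr-app: user=rsmith action=read record=PT-00501
"""

# <timestamp> <host> <source>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\w-]+): (?P<msg>.*)$")

def parse_events(text):
    """Turn raw syslog-style lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def correlate_usb_exfil(events, window=timedelta(minutes=5), read_threshold=3):
    """SIEM-style rule: a USB mass-storage insertion on a host followed within
    `window` by at least `read_threshold` record reads yields an alert tuple
    (host, insertion_time, read_count). Hosts are evaluated independently."""
    alerts, by_host = [], {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["src"] != "kernel" or "usb-storage" not in ev["msg"]:
                continue
            deadline = ev["ts"] + window
            reads = sum(1 for e in evs[i + 1:]
                        if e["ts"] <= deadline and e["src"] == "ehr-app"
                        and "action=read" in e["msg"])
            if reads >= read_threshold:
                alerts.append((host, ev["ts"], reads))
    return alerts
```

Run against the sample, only the front-desk workstation trips the rule (four reads within the window); the exam-room insertion, with a single read 17 minutes later, does not.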
It is difficult and expensive to hire and retain an IT security team with the bandwidth and capability to monitor and analyze the alerts and reports a SIEM produces. Operation of these advanced toolsets can be outsourced to a managed security firm specializing in this type of service. Used correctly, they let healthcare organizations see the anomalies that precede a breach before any damage is done, allowing them to halt hackers in their tracks.
Whether it’s a hospital system with multi-location brands, an urgent care facility, or a doctor, chiropractor or dentist with a single practice, the computer network in those offices can quickly become highly complex, greatly increasing the risk of data theft. Every patient should have peace of mind that their personal information is safe when they step into a provider’s office and fill out a form with their full medical history and personal information.
It’s time that the industry make use of these advanced tools, packaged with the services needed to use them effectively, to keep patient data safer and better protected from relentless attacks, creating a healthier security posture and fostering patient trust.