[BreachExchange] IT risks that health care firms can overlook

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 1 16:05:41 EDT 2016


http://www.nhbr.com/April-1-2016/IT-risks-that-health-care-firms-can-overlook/

Health care companies have to consider the Health Insurance Portability
and Accountability Act (HIPAA) as well as the Health Information Technology
for Economic and Clinical Health (HITECH) Act within all of their daily
transactions, particularly while handling personal health information (PHI)
and electronic PHI (ePHI).

While managing sensitive patient data, three important factors need to be
considered by all health care businesses: physical, network and process
security procedures.

While the physical security procedures might seem more apparent or
intuitive, it’s the network security procedures that either inhibit or aid
those with criminal minds trying to access PHI and ePHI. Here are some of
the network safeguards that should be considered and/or put into place to
prevent unlawful hands from getting access to confidential information.

• Patching: Patching your servers and PCs with automated security updates
is a critical security control that is all too easy to overlook as it often
happens in the background and without the user’s knowledge. Many
cybercriminals will look for unpatched vulnerabilities to exploit and gain
access to systems. This is often the method used to infect users who visit
a website with malicious code embedded in an ad.

A solution is to use an automated patching tool or service to ensure
security updates for operating systems and common applications are applied
on a regular basis.

• Backup: Backup of your data has taken on more importance than ever with
new threats like ransomware. Be sure your backups are running and secured
off-site. Not only do you need to protect data from a hardware failure loss
or natural disaster, but you also need to protect it from a cyberattack,
which could encrypt that data. Your options are to restore from a good
backup or pay the ransom, which is now escalating into extortion.

A solution is to use a business class backup, not a USB drive, for example,
and regularly check to ensure the backup is working. Also be sure that
backups are stored off site in an encrypted format to minimize risk of a
data breach due to lost or stolen backup media.

• Unsupported OS: In the past two years, Microsoft has discontinued
support and updates for two widely used operating systems, Windows XP
for desktop PCs and Windows 2003 for servers. That means new
vulnerabilities will be found by criminals in these operating systems. Even
with patching in place, there will be no updates to apply, which places
your system at the mercy of potential attackers. It is also highly likely
that any security audit of your network would not pass.

A solution is to upgrade to a currently supported OS, like Windows 8.1 or
10 for desktop PCs. Alternatively, evaluate if your Windows 2003 servers’
current function could be better achieved with a cloud solution like Office
365 before upgrading to Windows Server 2008 or 2012.

• Firewall: Firewalls are another critical IT asset that is oftentimes
forgotten because it’s hidden in a computer room or closet. Despite the fact
that they continue to work seamlessly, regularly evaluate what you have and
whether it’s up to compliance standards. Most firewalls have two components
– hardware and software licensing. If you have had a firewall for more than
five years, ask yourself if the hardware is still supported by the
manufacturer and if the licensing is current. If not, you and your network
are open to unnecessary risk.

Part of annual IT planning should be understanding the age and licensing
requirements of critical network components like your firewall. If you
don’t know how to manage this, check with your firewall vendor. A lot has
changed in the past five years and it might be time to obtain a more
capable and current firewall.

• Email: State laws and federal regulations like HIPAA increasingly require
that emails containing sensitive personal and identifiable information, as
well as personal health information (PHI), be encrypted.

A common data breach occurs when an email containing personal information
is accidentally sent unencrypted or to the wrong party. An additional risk
is being out of compliance with state laws related to securing consumer
information.

If you regularly work with such information, you need to implement an email
encryption solution. The best approach is to have a solution in place which
scans outgoing mail for that information and forces encryption when it is
found.
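An added example (not from the article or any product it mentions) of the content-scan policy just described: a small Python classifier that parses an outbound message with the standard library `email` module, looks for PHI indicators (constructed patterns for SSN, MRN, date of birth and clinical keywords) in the subject, the text parts and attachment names, and reports whether the mail gateway should force encryption. The sample messages and patterns are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed indicator patterns; a real DLP policy would be far broader.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10|prescription)\b", re.IGNORECASE),
}

def message_text(msg: Message) -> str:
    """Gather the decoded text of every text/* part plus attachment file names."""
    pieces = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            pieces.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        elif part.get_filename():          # non-text attachment: its name still counts
            pieces.append(part.get_filename())
    return "\n".join(pieces)

def classify(raw_message: str) -> dict:
    """Return the matched indicator names and the gateway action for one message."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject") or "") + "\n" + message_text(msg)
    hits = sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))
    # Any indicator forces encryption: a missed PHI leak costs more than an extra encrypted mail.
    return {"hits": hits, "action": "encrypt" if hits else "deliver"}

# Constructed sample: a claim message carrying an MRN, a date of birth and a PDF attachment.
SAMPLE_PHI = """\
From: nurse@clinic.example
To: billing@vendor.example
Subject: Follow-up for patient
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the claim for MRN 00482913. Patient DOB: 04/12/1970.
--b1
Content-Type: application/pdf; name="claim.pdf"
Content-Disposition: attachment; filename="claim.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: routine internal notice with no PHI.
SAMPLE_OK = "From: it@clinic.example\nTo: staff@clinic.example\nSubject: Patch window tonight\n\nServers reboot at 22:00 for security updates.\n"
```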