[BreachExchange] HIT Think How small healthcare providers can toughen cyber defenses

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 3 18:35:33 EDT 2017


https://www.healthdatamanagement.com/opinion/how-small-healthcare-providers-can-toughen-cyber-defenses?feed=00000151-59e2-d9eb-add9-5bff195d0000


Healthcare is an absolute goldmine for hackers. Each time new patients
enter a doctor’s office, sensitive information is recorded. This means that
emails, phone numbers, health insurance information and Social Security
numbers can all be stolen easily.

Executives at many small healthcare institutions believe that a breach will
only occur at large, well-known providers, but this is just not the case.
Urgent care is projected to increase 5.8 percent each year through 2018,
which means more standalone centers will open their doors to more patients
and their data. It is individual locations like these that serve as hotbeds
for hackers, as they often don’t have strong security and IT teams in place.

These criminals are all about profit. When identity theft is accomplished
through stolen healthcare data, the amount of money a hacker can generate
by opening fraudulent credit accounts in someone’s name makes credit card
theft seem like a drop in the bucket. The more money the hacker makes, the
greater the impact the theft has on the life of the individual, which can
breed mistrust of the compromised healthcare organization. In 2016, it was
reported that victims of medical identity theft paid an average of $13,500
to resolve the crime.

Cybercriminals are aware of these facts and figures. Efforts to exploit
this have resulted in hackers, once perceived as lone individuals, becoming
more organized in their approach—running their malicious operations like
full-time businesses. They are well-funded, with labs and an abundance of
time and resources devoted to research and development.

What was acceptable 10 years ago as adequate security is simply not
acceptable now. The frequency with which hackers are successfully
infiltrating healthcare organizations indicates that anti-virus,
anti-malware and firewalls alone are not enough to secure their internal
and sensitive patient data from the modern threat landscape.

Securing medical records is a complex undertaking. It goes far beyond the
minimal technical requirements of HIPAA and involves a precise balance of
technical knowledge of IT teams, properly trained office or hospital staff
and even third-party vendors that service systems within an organization.
So what can the healthcare industry do to prevent its security from being
compromised?

Employ penetration testing. Companies need to educate employees on security
policies and should also be doing penetration testing multiple times per
year. This is accomplished by having a security expert try to break into
your network to see if your security measures hold up. This includes not
just technology, but physical access. Are your file cabinets locked and how
do you open them? The more sensitive data that exists in your network or on
your premises, the more frequently you should be doing penetration testing.

Use encryption. Files must be encrypted. In early 2016, it was discovered
that nearly 400,000 records were compromised when a staff member’s computer
with unencrypted records was stolen. HIPAA technical requirements state
that electronic personal health information (ePHI)—whether at rest or in
transit—must be encrypted.

Ensure third-party vendors are secure. Your systems may be secure, but what
happens when you require outside assistance with an issue? Ensure that all
vendors you use follow guidelines to secure their related technology to
keep both you and your data safe and secure. There is a strategy known as
“vendor as vector,” which can be a direct attack on a healthcare system or
an attack on a smaller practice’s IT vendor in order to breach many clients
at once. Ensuring these third-party companies have the latest endpoint
security in place is also part of the healthcare practice’s responsibility.

Monitor external devices. Another necessity is to monitor any external
devices being introduced to the network. USB devices, such as flash keys and
thumb drives, can easily infect computers with self-replicating viruses
that spread—similar to the floppy disks of years past. A USB device can
emulate a keyboard and install malware and other malicious material. A USB
drive or external hard drive can infect connected computers upon initial
start, before antivirus tools have a chance to catch the attack.
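
One way to watch for the devices described above, as an added example that is not part of the original article: it scans Linux kernel log lines for newly attached USB devices and flags any that are not on an approved list or that register as both a storage device and a keyboard. The log lines are constructed samples, and the function name and allowlist contents are hypothetical.

```python
import re

# Constructed sample lines in Linux kernel log format (not from the article).
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-3/input1
usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb-storage 1-4:1.0: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"usb (\S+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"hid-generic [0-9A-F]{4}:([0-9A-F]{4}):([0-9A-F]{4})"
                     r"\.[0-9A-F]{4}: .*\bKeyboard\b")

def review_usb_events(log_text, allowlist):
    """Return [(port, 'vid:pid', [reasons])] for devices that need review."""
    devices, port_by_id = {}, {}   # port -> info; vid:pid -> latest port
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            dev_id = f"{m[2]}:{m[3]}"
            devices[m[1]] = {"id": dev_id, "roles": set()}
            port_by_id[dev_id] = m[1]
        elif m := STORAGE.search(line):
            if m[1] in devices:
                devices[m[1]]["roles"].add("storage")
        elif m := HID_KBD.search(line):
            # HID lines carry the vendor/product ID, not the port name.
            port = port_by_id.get(f"{m[1]}:{m[2]}".lower())
            if port:
                devices[port]["roles"].add("keyboard")
    findings = []
    for port, dev in sorted(devices.items()):
        reasons = []
        if dev["id"] not in allowlist:
            reasons.append("not on allowlist")
        if {"storage", "keyboard"} <= dev["roles"]:
            reasons.append("storage device also registered a keyboard")
        if reasons:
            findings.append((port, dev["id"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review_usb_events(SAMPLE_LOG, {"046d:c31c"}):
        print(finding)
```

In practice the same findings would be forwarded to whatever log collection the practice already uses, so an unexpected device raises an alert rather than sitting in a local log.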

SIEMplify the network. The last consideration healthcare outlets can make
is implementing a Security Information and Event Management (SIEM) system.
SIEM has become a key technology in fighting off cybercriminals and keeping
healthcare companies informed of suspicious network activity. SIEM
platforms ingest the millions of logs generated by all the systems and
devices in the infrastructure and then sort through them for you, in real
time. Proper SIEM systems can pinpoint a threat in real time and alert you
immediately, helping stop an attack in its tracks while tracing it back to
the device where it started.

It is difficult and expensive to hire and retain an IT security team that
has the bandwidth and capability needed to monitor and analyze the alerts
and reports produced by SIEM technology. Advanced toolsets can be
outsourced to a managed security firm specializing in this type of service.
If they’re used correctly, healthcare organizations can see anomalies that
could lead to breaches prior to any damage being done—allowing them to halt
hackers in their tracks.

Whether it’s a hospital system with multi-location brands, an urgent care
facility, or a doctor, chiropractor or dentist with a single practice, the
computer network in those offices can quickly become highly complex,
exponentially increasing the risk of data theft. Every patient should have
peace-of-mind that their personal information is safe when they step into a
provider’s office and fill out a form with their full medical history and
personal information.

It’s time the industry made use of these advanced tools, packaged with the
services needed to use them effectively, to stay safer and better protected
from relentless attacks, creating a healthier security posture and
fostering patient trust.