[BreachExchange] These data security challenges are plaguing the healthcare industry

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:50:40 EST 2018


Frequent cyberattacks are a grim reality of our tech-savvy society. The
healthcare industry is particularly vulnerable to these attacks given the
wealth of information found in medical records, including personal
identifiers, insurance details, and prescription numbers.

Safeguarding electronic protected health information (ePHI) is more complex
than ever with continuous advances in digital resources and cybercrime
activity. In June 2017, insurance giant Anthem paid the largest healthcare
data breach settlement fine in history—$115 million—for a 2015 cyberattack
that affected nearly 80 million plan holders.

As a provider, how do you avoid falling victim to more of these massive

To start, evaluate the evolving healthcare data security landscape and
consider the obstacles in your way:

#1: Low Cybersecurity Awareness
Many of the cybersecurity problems health facilities face stem from a lack
of awareness. They see data security as an issue that affects the IT
department rather than the entire organization. Because of this mindset,
they fail to build a culture of security where everyone understands and
values secure data, equipment, and processes. And this leads to weak
passwords and authentication practices, as well as participation in what’s
known as shadow IT—where employees access sensitive patient data using
unauthorized devices and apps.

Widespread lack of awareness makes the people working at a healthcare
facility the weakest security link. To combat security flaws introduced by
employees, make it a top priority to boost awareness at your organization
through comprehensive training and adoption of strict authorization and
authentication policies.

#2: Outdated Software Systems
The healthcare industry historically lags behind other industries when it
comes to adopting technology. Hospitals and medical practices often use
outdated operating systems, elementary backup systems, and consumer-grade
routers. Additionally, they offer unsecured guest networks for patients and

Using modern software and equipment, and making updates to systems and
apps a routine habit, is key to protecting your facility from cybercrime.
Outdated software exposes data to newly discovered bugs and attacks because
it lacks the protections that current versions carry.

#3: High Phishing Vulnerability
Healthcare organizations are highly vulnerable to email phishing attacks
thanks to email address availability and above-average email traffic.
Healthcare email addresses tend to be less protected than email addresses
in other industries. Additionally, healthcare professionals receive a large
volume of emails as they collaborate with other providers and order drugs
or equipment for treatment, so they are more likely to open a phishing

Healthcare professionals must exercise extreme caution when opening
unsolicited email attachments and accessing the Internet on facility
networks. To limit your practice’s phishing vulnerability, provide training
sessions that offer tips for spotting phishing attacks and limiting
Internet activity while logged into the organization’s systems.

#4: Lax Access Controls
According to the U.S. Department of Health & Human Services (HHS), access
to ePHI should be limited to the “minimum necessary” for employees to do
their jobs and care for patients. This is where many organizations fail.
It’s all too common for health facilities to share large datasets across
the organization simply because they lack the resources or time to manage
access properly.

Considering the number of healthcare data breaches that result from
internal staff errors, you can significantly reduce your organization’s
risk by introducing data access controls. On top of limiting who has access
to sensitive patient data, you should also keep detailed documentation of
authorized access so appropriate action can be taken when an authorized
employee leaves the organization.
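The "minimum necessary" rule and the access documentation described above can be expressed as a small access register. This is an added illustration, not code from the original post; the roles, field names and patient record are constructed sample data.

```python
"""Minimum-necessary ePHI access register (illustrative, constructed sample policy)."""
from dataclasses import dataclass, field

# Role -> the ePHI fields that role needs to do its job (constructed sample policy).
MINIMUM_NECESSARY = {
    "physician": {"name", "diagnosis", "prescriptions"},
    "billing": {"name", "insurance_id"},
    "front_desk": {"name"},
}


@dataclass
class AccessRegister:
    grants: dict = field(default_factory=dict)  # user -> role currently authorized
    log: list = field(default_factory=list)     # audit trail of grants, views, revocations

    def grant(self, user, role):
        """Document an authorization; unknown roles are rejected rather than defaulted."""
        if role not in MINIMUM_NECESSARY:
            raise ValueError(f"unknown role {role!r}")
        self.grants[user] = role
        self.log.append(("grant", user, role))

    def revoke(self, user):
        """Offboarding: drop every grant so a departed employee retains no access."""
        role = self.grants.pop(user, None)
        self.log.append(("revoke", user, role))
        return role

    def view(self, user, record):
        """Return only the record fields the user's role needs, instead of the whole dataset."""
        role = self.grants.get(user)
        allowed = MINIMUM_NECESSARY.get(role, set())
        filtered = {k: v for k, v in record.items() if k in allowed}
        self.log.append(("view", user, sorted(filtered)))
        return filtered

    def audit(self):
        """Current documentation of who holds which access, for periodic review."""
        return sorted(self.grants.items())


# Constructed sample patient record used for the illustration.
SAMPLE_RECORD = {
    "name": "J. Doe", "diagnosis": "hypertension",
    "prescriptions": ["lisinopril"], "insurance_id": "INS-0001",
}
```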

#5: Prolific Mobile Devices
Laptops, tablets, and mobile medical devices are increasingly being used to
treat patients and record data, but spreading sensitive information across
all these devices exposes facilities to even greater security risks. In the
first few weeks of 2018, the HHS received five healthcare data breach
reports related to theft or loss of a laptop or other portable electronic
device. And other reports indicate that a high percentage of mobile
healthcare apps lack privacy policies. Additionally, mobile devices can be
used to insecurely transfer sensitive data over public Wi-Fi networks.

Mobile devices require the same security measures used to protect desktop
computers. In fact, some malware is written specifically to target mobile
devices. To safeguard your facility from the risks introduced by laptops
and other portable electronic devices, require data encryption on all
devices and adopt technology that allows you to remotely wipe a device if
it is lost or stolen. Additionally, only allow certain information to be
housed on approved devices, and restrict use of personal laptops and
smartphones on facility networks.