Ransomware and electronic records access, healthcare's biggest threats
Of the varied threats facing healthcare provider organizations today, both external and internal, what rises to the top? Some cybersecurity experts have solid opinions on that.
When it comes to external threats, ransomware is the most urgent said Mike Fumai, COO at AppGuard, a cybersecurity software company.
“The longer term and newer threat with ransomware is medical devices,” he said. “Already hackable, but no real economic model yet for adversaries to focus on. That can change quickly. For example, they can simply extend the ransomware model by denying medical device use until a ransom is paid. The complexity of the medical device supply chain, however, poses even more exotic ransom possibilities.”
[Also: Old legacy devices pose greatest security risk, experts say]
If a provider organization cannot treat patients because it doesn’t have access to medical equipment, records, billing processes, scheduling or vital third-party services, the impact is immediate, pervasive, urgent and even life-threatening – far worse than HIPAA fines and other typical data breach consequences.
“Healthcare providers are not prepared for ransomware attacks,” Fumai said.
So what should healthcare providers do to better prepare? Implement system back-ups and conduct realistic exercises to be sure they work is one tactic.
[Also: Obama's cyber czar warns of 3 troubling security trends]
“Continuously conduct realistic, simulated attacks on your employees and track them individually, and on your organization two to four times per year to seek and fix human weaknesses,” Fumai said. “Form at least one peer group within 30 days with signed letters of intent to learn how to better fight ransomware and to field-test and hype-test cyber products and services before deploying them.”
When it comes to internal threats, access to patient records rises to the top, said George Brostoff, co-founder and CEO of SensibleVision, a cybersecurity technology company.
“Twenty-seven hospital employees in New Jersey were suspended after they improperly looked at the files of actor George Clooney, who was being treated after a motorcycle accident,” Brostoff said. “All of them had access to the files from inside the system. External hacks get all the press, but the real security issues that affect hospitals every day come from inside the building.”
When very private information is leaked, it is very embarrassing and damaging to a healthcare organization’s image and destroys the trust it has built with its patients. The specific data in patient records allows the source of the leaked information to be tied to the organization at fault.
“Most important, these leaks violate federal HIPAA rules and other regulations, which can put accreditation at risk and also open up the risk of lawsuits,” Brostoff said.
To combat problems associated with internal access to patient records, the first step is getting rid of passwords to protect any data, Brostoff said.
“They just don’t work, and everyone acknowledges that – even the guy who came up with the ‘Change your password every month’ approach to security,” he said. “Following industry best practices such as secure authentication, encryption and proper access policies is the only way to protect data.”
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com