Healthcare providers are among the most frequently targeted victims of cyberattacks, largely because the data stored in their systems has become a lucrative currency for hackers.

Protected Health Information is an attractive target because it sells readily on dark web markets, where hackers openly advertise themselves and their stolen wares. Motivated by the chance of a large pay-off, hackers are becoming increasingly proficient at identifying and exploiting security vulnerabilities in healthcare IT.

Yet a lack of robust security controls in this critical infrastructure persists, because healthcare organizations are focused on running their business in environments with limited resources and often a shortage of trained IT security personnel. So how can you best fortify your organization’s security controls to defend against cyber threats?

  • Recognize the risk.  No organization is impervious to cyberattack.  The number of incidents that evade traditional security defenses is increasing at an alarming rate, and with the growing prevalence of Electronic Health Records the field has become even more enticing to attackers. True cybersecurity requires preparation, vigilance, and a proactive game plan.
  • Understand both the mindset and the practices of a hacker to better recognize the risk and prepare a defense.  While no two hackers are alike, they generally fall into two categories.  The first ply their trade as a compulsive hobby and are motivated by an ideological cause or by the thrill of outsmarting their victims.  The second hack for strictly financial gain. Whatever the motive, an attack typically proceeds through the following phases:
      ◦ Reconnaissance – hackers begin by researching public information about an organization to identify potentially lucrative victims and how they might be approached.
      ◦ Scan – once a target is selected, hackers use scanning tools and/or social engineering to identify vulnerabilities that can be leveraged to gain access.  This activity usually goes unnoticed by the target.
      ◦ Gain Access – hackers then exploit those vulnerabilities, typically by infecting computers or networks with malware or by logging in through legitimate entry points with compromised credentials.
      ◦ Maintain Access – hackers establish persistent entry points (backdoors) so they can return at will, even if the original vulnerability is fixed.
      ◦ Cover Tracks – hackers hide their tools deep within the network, where they double as a backdoor, and clear or alter logs and other evidence so that the intrusion often goes undetected until long after the data has been taken.
  • Cultivate workforce security awareness.   Your employees are often your first line of defense. Monitor and communicate industry security trends and vulnerabilities.  Keep alert to current and emerging threats and provide periodic security updates and reminders to your workforce. Educate your employees on the mechanics of spam, phishing and malware.
  • Develop a password management game plan.  Compromised passwords are one of the most common breach points, and depending on the level of access attached to the account, a single password can be “the way in”. Require authentication on every account and device, and where possible add a second factor (a one-time code, hardware token or biometric) so that a stolen password alone is not enough. On a lost or stolen device, a strong lock code also buys you time to locate, recover or wipe it. Current NIST guidance (SP 800-63B) calls for a minimum of 8 characters and encourages longer passphrases, screens new passwords against lists of known-compromised passwords, and drops the older requirements for mixed character classes and forced changes every 90 days; passwords should be changed when there is evidence of compromise rather than on a calendar.  For passwords people must remember, a long memorable passphrase beats a short complex one; for everything else, use a password manager to generate and store random passwords.
  • Install malware detection software, ensure antivirus software is in place, and keep both up to date.  Blocking known malicious payloads from launching, whether through software or other security policies, helps prevent infection.
  • Encrypt Sensitive Data.  Encrypting data can prevent sensitive information from being compromised in transit or at rest and is critical considering the high incidence of lost or stolen disks, tapes, laptops, USB storage devices, and/or smartphones.  Hackers often use mobile devices as “the way in”, and if one mobile device is compromised, the EHRs on the server could be at risk.
  • Conduct frequent vulnerability and penetration testing.  Penetration testing can identify and exploit vulnerabilities to determine the likelihood of real-world threats against an organization’s IT assets and physical security. Successful testing will simulate the practices and methods of external or internal agents attempting unauthorized data access. Immediately address and correct all security gaps identified in the testing.
  • Maintain Firewall Protection. A firewall mitigates your system’s exposure to intrusion by evaluating inbound and outbound traffic against a set of security rules you define.  Best practice is to review your firewall logs and rule sets frequently, keep firmware updated, and add intrusion detection and intrusion prevention.
  • Mitigate Mobile Device Exposure.  Require password protection on all mobile devices.  Additionally, install remote lock and wipe capabilities to provide a second line of defense to encryption, allowing you to lock/erase sensitive data remotely in the event of a lost or stolen device.
  • Guard against Social Engineering Scams.  Real-life social engineering attacks are often hard to recognize because the crime is not easily traced.  The employee who was victimized may not realize he or she disclosed sensitive information to an untrustworthy source, or may be unwilling to admit the disclosure, so the incident goes unreported and undocumented. Furthermore, social engineering breaches sometimes leave no physical evidence or easily identifiable entry point, so if a breach does occur, the method may remain a mystery. Test workforce awareness by running internal phishing simulations.
  • Conduct Routine Security Risk Assessments. Routine security risk assessments identify potential cybersecurity vulnerabilities and better position an organization for an audit. The analysis should evaluate who has access to ePHI, track security incidents, measure the effectiveness of existing security measures, and assess new and emerging security threats.
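The password bullet above describes the NIST SP 800-63B approach in words. As an added example (not from the original article or from Blue Orange Compliance), here is what a verifier that follows it looks like in Python: it enforces a minimum length, accepts long passphrases, rejects known-compromised passwords, repeated and sequential runs, and context-specific words such as the user's name or the organization's name, and imposes no composition rules. The compromised-password list and the hospital name are constructed stand-ins; a real deployment would screen against a full breach corpus.

```python
"""NIST SP 800-63B style password screening (added example, not from the article)."""
from __future__ import annotations

import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed stand-in for a real list of breached passwords.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1", "hospital2020"}


def normalize(pw: str) -> str:
    """Apply NFKC normalization (as 800-63B requires) and trim surrounding whitespace."""
    return unicodedata.normalize("NFKC", pw).strip()


def has_repeats(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa', '1111')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive code points step up or down by one ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        chunk = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted.

    `context` holds words that must not appear in the password, such as the
    username or the organization's name. No character-class rules are applied.
    """
    pw = normalize(pw)
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = pw.lower()
    if low in COMPROMISED:  # case-insensitive match is stricter than the spec's exact match
        reasons.append("appears in a list of known-compromised passwords")
    if has_repeats(pw):
        reasons.append("contains four or more repeated characters")
    if has_sequence(pw):
        reasons.append("contains a sequential run such as 1234 or abcd")
    for word in context:
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    # Hypothetical user at a constructed hospital name.
    ctx = ("jsmith", "MercyGeneral")
    for candidate in ("P@ss1", "Password", "mercygeneral2024", "correct horse battery staple"):
        verdict = check_password(candidate, ctx) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note what is absent: there is no check for an uppercase letter, digit or symbol, and no expiry date. The short but "complex" `P@ss1` is rejected on length alone, while the long all-lowercase passphrase is accepted, which is exactly the trade the NIST guidance makes.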

Cyberattacks have cost healthcare providers millions of dollars, generated negative publicity and caused reputational damage. These breaches also trigger investigations by the HHS Office for Civil Rights (OCR) and incur credit monitoring fees for affected individuals.

The best strategy for healthcare IT is to recognize the risk and adopt a course of action that proactively defends, detects and denies cyberattacks.

Finally, don’t underestimate the complexity of cybersecurity. Complex vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to stay in front of emerging threats.

Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to meet your specific needs. 

John DiMaggio 

John DiMaggio is the CEO of Blue Orange Compliance.