Bill Balderaz, president, Fathom Healthcare.
In light of the recent hacking healthcare news in which of health insurer Anthem, hospitals and health systems should be reminded of the need to assess their own vulnerabilities. Historically, healthcare organizations have lagged behind other regulated industries in keeping pace with information security despite compiling patient data at expanding rates. Unfortunately, the Anthem attack is unlikely to be an isolated incident: Industry executives have already predicted phishing and malware will be on the rise in 2015.
With an ever-increasing number of Internet-connected devices accessing hospital networks, hackers have an increasing number of ways to exploit vulnerable systems and steal information.
Understanding hacker motivation is important. Some want to sell private information, such as Social Security or credit card numbers. Patient and consumer data have a lucrative black market. Other hackers commit corporate, industrial or political espionage by compromising systems and stealing sensitive information, trademarked designs or strategic plans.
To combat these growing threats, hospitals and health system have prioritized measures such as two-factor authentication; encryption and mobile device security; security risk analysis; advanced email gateway software; and expansion of IT security staff.
What other actions should prudent institutions take?
First, hospitals should develop comprehensive risk assessment plans. These plans can identify potential weak points, determine best practices and provide a roadmap for increased security. They should be reviewed and updated continually. Hospitals also need regular security assessments and training sessions for anyone who uses a computer.
The biggest oversight most organizations make is neglecting the training of end users. Basic training of users upon hire and at least annually will help protect an organization. Users need to make sure they’re not making common mistakes, such as clicking links in phishing emails. Following bogus links can easily allow hackers to steal information or infect computers. Users need to be educated about how to identify and avoid these types of risks.
At the device level, anything that goes online—desktops, laptops, tablets, etc. —needs antivirus, anti-malware, encryption and other precautions installed. This software must be updated and monitored regularly. These tools can catch and block infections, and ongoing monitoring of these systems can identify issues. Also, encryption can prevent data loss if a device is stolen.
Software and operating system updates and patches should be installed on a regular basis. Hackers typically look for exploits in common software application, such as Java and Adobe Reader.
Guest wireless networks should always be kept separate from primary networks; guest devices should not have access to primary networks.
Where possible, some type of Web filter should be used. Even if a user visits a legitimate website, it’s possible for a “drive-by” attack to infect the user’s computer with malware. If Web browsing is restricted, the risk of infection from this attack vector can be mitigated.
Finally, all users (even IT administrators) should only be granted the rights and permissions they need to perform their everyday tasks. The less access a user has to a system, the less chance a hacker can use that account or device in an attack.