Hacking Healthcare Reminds Us of Our Need to Assess Vulnerabilities
Bill Balderaz, president, Fathom Healthcare.
In light of the recent hacking healthcare news in which of health insurer Anthem, hospitals and health systems should be reminded of the need to assess their own vulnerabilities. Historically, healthcare organizations have lagged behind other regulated industries in keeping pace with information security despite compiling patient data at expanding rates. Unfortunately, the Anthem attack is unlikely to be an isolated incident: Industry executives have already predicted phishing and malware will be on the rise in 2015.
With an ever-increasing number of Internet-connected devices accessing hospital networks, hackers have an increasing number of ways to exploit vulnerable systems and steal information.
Understanding hacker motivation is important. Some want to sell private information, such as Social Security or credit card numbers. Patient and consumer data have a lucrative black market. Other hackers commit corporate, industrial or political espionage by compromising systems and stealing sensitive information, trademarked designs or strategic plans.
To combat these growing threats, hospitals and health system have prioritized measures such as two-factor authentication; encryption and mobile device security; security risk analysis; advanced email gateway software; and expansion of IT security staff.
What other actions should prudent institutions take?
First, hospitals should develop comprehensive risk assessment plans. These plans can identify potential weak points, determine best practices and provide a roadmap for increased security. They should be reviewed and updated continually. Hospitals also need regular security assessments and training sessions for anyone who uses a computer.
The biggest oversight most organizations make is neglecting the training of end users. Basic training of users upon hire and at least annually will help protect an organization. Users need to make sure they’re not making common mistakes, such as clicking links in phishing emails. Following bogus links can easily allow hackers to steal information or infect computers. Users need to be educated about how to identify and avoid these types of risks. Continue Reading