Tag: healthcare IT security

Tips For Preventing Ransomware Among U.S. Hospitals and Healthcare Providers

By Bill DeLisi, CEO and CTO, GOFBA, Inc.


In October 2020, a joint advisory by the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI noted there is “credible information of an increased and imminent cybercrime threat” affecting U.S. hospitals and healthcare providers. A main part of this threat features ransomware attacks, where hackers take control of data and systems to extract ransoms.

The alert detailed the actions of a Russian-speaking group called Ryuk and a type of trojan known as Trickbot. Even more alarming, many healthcare providers might already be infected with malware, with hackers waiting for an opportune time to launch an attack and cripple the organization’s operations.

To prevent successful ransomware attacks, hospital IT and management teams need to implement multi-pronged strategies focusing on training, technology solutions, and other best practices. See below for a few actionable tips to include in your plan.

Preventing Intrusions with Training

A fall 2020 phishing attack against the University of Missouri Health Center exposed data for more than 14,000 patients. The health center noted two employee email accounts were hacked, which led to access to Social Security numbers, clinical information, and other patient-specific data. The breach underscores that staff members are the most prevalent conduit for hackers. Preventing such instances takes diligent training that helps workers understand the various threats and how they should adjust their behaviors accordingly. This is critically important.

Hackers also attack healthcare providers to take advantage of overworked nurses, doctors, and other clinical staff. COVID-19 places enormous strain on these workers, and they may not make the best IT-related decisions when they’re functioning on limited sleep and enormous stress.

Preventing the “human element” that leads to ransomware attacks requires diligent training. Here are some key tips for employees:

Manage Remote Workers

The number of at-home healthcare workers is exploding due to COVID-19, as administrative and billing roles are easily handled through online platforms. And, with the rise in telemedicine, more practitioners are setting up HIPAA-compliant communications tools from home.


Do You Know If Your MRI Is Secure From Hackers?

By Leon Lerman, CEO and founder, Cynerio.


Data-driven medical care with connected devices is now the norm. Patient monitors, IV pumps, MRI machines, and infusion pumps all behave like computers with the ability to monitor patient conditions in real time, share data and even automatically adjust dosages. Although all of these innovations are improving in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyber attacks.

The health risks are high. Hackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to the wrong diagnosis. Attackers can also hold electronic medical records ransom, causing delays in procedures required to treat patients.

The invisible threat

The biggest obstacle to securing medical devices is the simple fact that many of them are hidden. Hospitals often don’t have full visibility into which medical devices they have, so they aren’t aware of all the vulnerabilities. You can’t tell if your MRI is insecure if you don’t keep a full inventory of all the medical devices and all information necessary to assess the relative security risk.

Some hospitals rely on manual methods such as Excel spreadsheets to maintain an inventory of medical equipment. However, electronic files maintained by humans can’t keep pace with the growing number of devices, and all the changes and updates that occur on an ongoing basis.

Often medical devices are added to the network without notifying security professionals and going through the necessary cautionary procedures. Many departments add equipment with the noble aim of improving patient care without notifying IT, since they are simply following the doctor’s orders and doctors are king. Something as simple as browsing for a local restaurant at a nurse’s station can put the hospital at risk if the computer isn’t adequately secured.


Tips for Risk Assessment in Healthcare IT Security


Guest post by Lysa Myers, security researcher, ESET.

Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.

How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.

How to do an EHR risk assessment

There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.
