With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites, something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database of exposed passwords to ensure that patients aren’t inadvertently opening the front door to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis (at every login, not just at enrollment), rather than solely when a patient enrolls in the portal.
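As an added example (not code from the original article), the screening step above in Python: the client hashes the candidate password, sends only a short hash prefix to the breach database, and compares the returned suffixes locally, so the database never sees the full hash (the k-anonymity range-query pattern). The breach corpus, the 5-character prefix length and the 12-character minimum are constructed assumptions for illustration.

```python
"""Compromised-credential screening with a k-anonymity range query (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample of a breach corpus (password -> number of breached records).
# A real deployment queries a continuously updated service; this dict exists only
# so the example runs offline and the protocol can be followed end to end.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "Summer2021!": 1_200,
}

PREFIX_LEN = 5  # assumption: length of the hash prefix the client reveals


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest breach-corpus range APIs are commonly keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus by hash prefix, mimicking the server side of a range API."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_query(index: dict, prefix: str) -> dict:
    """Server side: return every suffix sharing the prefix.
    The server learns only the prefix, never which suffix the client wanted."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: dict = INDEX) -> int:
    """Client side: reveal the prefix, match the suffix locally. 0 means not seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def screen_credential(password: str, index: dict = INDEX, min_length: int = 12):
    """Return (accepted, reason). Run at enrollment AND on every successful login:
    the plaintext is only available at those moments, and a password that was clean
    at enrollment may appear in a breach later."""
    count = breach_count(password, index)
    if count > 0:
        return False, f"password appears in {count} breached records"
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    return True, "ok"


def rescreen_on_login(username: str, password: str, index: dict = INDEX) -> dict:
    """Login-path hook: decide whether to force a reset and emit an audit event.
    Log a flag, never the password or its full hash."""
    accepted, reason = screen_credential(password, index)
    return {
        "user": username,
        "force_password_reset": not accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    for pw in ("password", "Summer2021!", "correct horse battery staple"):
        print(pw, "->", screen_credential(pw))
```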
Cybersecurity has been a major concern facing many digitalized businesses. Hackers have developed more sophisticated ways to breach security systems and steal essential data from businesses. Such security issues may cause significant financial loss and bring a business down to its knees.
Healthcare is one of the sectors that has been hit hardest by cybercrime. This is due to the sector’s adoption of technological advances in areas such as storing patients’ data. Unfortunately, while the technology has positively impacted the provision of services, it has also created an opportunity for hackers to attack and steal information. As a result, healthcare has become an easy target for cybercriminals because of the nature of its information systems.
Reasons For Cyberattacks On Healthcare
As stated, the healthcare sector isn’t immune to cyberattacks and other forms of security breaches by criminals. The sector is targeted because of the many loopholes it has.
Here are some of the reasons why healthcare is targeted:
The Password Problem
One of the major concerns affecting healthcare is the lack of good passwords. The password problem arises when healthcare workers don’t set strong passwords on their devices for fear of forgetting them. In turn, they end up using weak passwords, such as their phone numbers or names.
This makes it easy for attackers to breach security and steal important information. In addition, colleagues can guess simple passwords, and they can use them to access your accounts. The password problem affects many businesses, as well as individuals. You should, therefore, be creative with your password and make it unique.
Lucrative Medical Records
Medical records always contain important information that could be lucrative to hackers when they sell them. Such information includes names, contact information, and credit card numbers when patients pay bills through bank cards. The attackers can then use these pieces of information to directly attack the patients or sell them to other people.
Because some medical facilities aren’t well-protected from security breaches, the patients’ data aren’t safe. Therefore, attackers use these loopholes to launch attacks on people.
With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role- and event-based access controls.
For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.
Response from Sarah Johnson, RN and the health ambassador, Family Assets.
I’m an RN and the health ambassador for Family Assets, an eldercare and senior living resource for older adults and caregivers.
Working in eldercare and watching how telehealth technology has radically reshaped geriatric care during the pandemic, I think the most important question healthcare technology professionals should be asking themselves right now is: given that hospitals and healthcare facilities have been prime targets for cybercriminals, largely because of aging infrastructure, what needs to be done to make the rapidly expanding healthcare tech industry more secure?
I think the obvious answer to this is the development of much more robust digital security protocols at individual institutions and a massive educational initiative for healthcare providers and workers. This should include, among other things, scheduled stress testing that probes for cybersecurity vulnerabilities.
Too many organizations, within and outside of healthcare, are completely unprepared for the cyberthreats they face and are not diligent enough when it comes to monitoring and probing for weaknesses.
All healthcare technology professionals should have this issue front and center.
While cybersecurity is an issue constantly addressed by the media and something small and large businesses alike are consistently focusing on, one of the biggest digital dilemmas comes from the healthcare system. This may be unsurprising, given that financial records and personal data are all stored within patient care files. Hackers are fully aware of the value of this data, and it’s about time that the medical industry shows that it does as well.
Sadly, one in four consumers have had their healthcare data breached. This calls for swift action by the players in the field. Some experts think that the answer can be found in blockchain. That’s right: the same technology that secures Bitcoin and other cryptocurrencies could soon become the key to protecting patient records.
While there has been ongoing discussion among government and finance officials about the actual risks of cryptocurrency, it’s generally agreed upon by tech experts that blockchain is one of the most secure ways to go. Will the world see this technology implemented into its healthcare systems soon, though? It’s very possible that the answer is “yes.”
The Security of Blockchain Makes It the Best Ledger for Healthcare Networks
The reason that blockchain technology is a regular part of public discussion and is being normalized in new industries so frequently is its transparency and security measures. It’s garnered public, private, criminal, and government interest due to this, and it’s doubtful that its popularity will stop anytime soon. But what is it about the ledger that makes it so safe?
Primarily, it’s the unique approach it takes to security keys. There wouldn’t be a way for someone to modify or corrupt information within a blockchain system without the relevant key. At one point it was even believed that the technology was unhackable.
While there is still debate over what it means to hack blockchain networks and whether or not it’s even been done, that debate still points to the safety of those networks at large. Without a doubt, it is the most secure ledger for protecting personal data, and hospitals may need it the most.
Making It Official
The lengths to which blockchain is being adopted cannot be overstated. Government officials are starting to explore the technology, and the big four investment firms are even beginning to pay attention to it. But what does this mean for the healthcare industry?
Well, right now, blockchain still is not the norm. Currently, if a hospital or healthcare organization wants to adopt it, they are probably making the best move in terms of security.
While there are downsides to this kind of mass adoption (discussed at further length below), it also calls for advancements to be made, which could better these systems as a whole. It should be noted that with something as new as blockchain technology hitting the greater market, there are a lot of changes bound to happen that cannot be accurately predicted.
The Adaptation of Blockchain in Culture May Challenge Security
Granted, it is very important to recognize that blockchain’s mass acceptance could adulterate the technology. With businesses at large implementing it into their operations and the parallel use of mobile money tools in modern society, people are going to start looking for loopholes. Hackers are going to make it their duty to try and disrupt it.
For this reason, there need to be external precautions set up for security. A good example is business insurance, something necessary for every hospital, even with blockchain implementation. The loss of mass amounts of data is bound to occur, so hospitals need to be protected, even when their systems seem foolproof.
Right now, hospitals and organizations at large need to understand that blockchain is a very important technology to the future of healthcare. But it cannot be solely depended on, either. Other precautions need to be taken by the healthcare industry to protect patient data. Blockchain may be the best option healthcare networks have for data
It is not uncommon, in today’s age, to do large amounts of personal business online. This includes discussing or sharing medical records. You may think that any place that shares your medical records online would invest in intense digital security, but you would be surprised.
It takes just a small mistake on the part of the health organization working with your records for your data to be breached. In fact, there have been multiple examples of large medical organizations allowing thousands of patients’ information to be leaked.
In 2010, Columbia University Medical Center and New York-Presbyterian Hospital were victims of cybersecurity attacks involving the theft of close to 6,800 patient records. A Temple University doctor had his laptop stolen, which contained the private medical files of nearly 4,000 patients. These are just two of far too many examples.
Part of the problem is that these records are being protected by individuals not properly trained in digital security. Medical professionals all know about HIPAA (the Health Insurance Portability and Accountability Act), a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
They know that you don’t share medical information with anyone who isn’t approved in writing by the patient. But even that standard is often broken by some medical professionals. So, if some people in the medical industry are willingly leaking information, just imagine how often information is leaked accidentally.
So, what can you do? As with most instances of digital security, it is best to take matters into your own hands. The only person who will always, 100 percent of the time, advocate for you – is you. It is vital that you do everything you can to protect yourself and your data when going online. This can prevent others from ascertaining your location, medical data, personal data, and much more.
Let’s take a look at a few ways that you can protect yourself in the digital realm:
Be aware with whom you are communicating
It might be obvious that you shouldn’t send personal information to strange email contacts or social media profiles, but not everyone considers the authenticity of medical websites. Often, people will look up medical advice and find themselves sharing personal details with any random website that offers to let them chat with a “real” medical professional.
These websites can not only put your medical information at risk but also your credit card information since we guarantee you won’t get to chat with anybody without coughing up your card number.
Beyond that, it is also important to consider the applications your medical facility is using to share your information. Before agreeing to access your data digitally, look into the software they are using to ensure it is considered respectable and safe.
The implementation of electronic health records (EHR) is not a new thing in the industry. The digital wave has completely transformed the way medical records are maintained. With increased demand for efficiency and faster solutions, more and more medical practices are embracing EHR to simplify and organize their data storage process. Initially, many providers were reluctant and hesitant to use EHR. However, with Medicare and Medicaid incentive programs, providers are encouraged to adopt EHR. As a result, since EHR implementation began in 2009, around 73 percent of providers have registered for the EHR incentive program.
However, some challenges still hinder EHR adoption and slow down the process for many. The initial implementation may be easy, but for many the user experience has not been a good one.
Here are some of the obstacles that medical practices, healthcare professionals and others from the healthcare industry face while leveraging EHR:
Software testing and quality assurance have grown in critical importance for companies. Over the past few years, it has established itself as a formidable career choice, and that growth is unlikely to stop anytime soon. As the name implies, quality assurance is all about maintaining “high quality” on a constant basis. And it isn’t surprising at all to see the concept making its way to the core of several industry verticals, including healthcare.
Quality monitoring is gaining momentum for purchasers, patients, and providers who strive to evaluate the value of health care expenditures. Over the past decade, the science of quality measurement has evolved despite a few challenges that might be a counterforce to the demands of cost containment. The following post explores those crucial challenges that must be addressed in the healthcare sector. But before that, let’s take a bit of a detour which will eventually lead us to the answer.
Why the healthcare sector needs QA and testing
Speed and quality are core essentials that serve the healthcare industry more efficiently, leading to a significant amount of invention and advancement. One of the best examples of how digitalization is transforming the industry is that more and more people and devices are being connected to deliver meaningful inferences from the data generated.
Technology is the best support system where different kinds of applications are created to deliver the best services, even at a distance. A sudden increase has been seen in the growth of healthcare products such as wearables, followed by applications, especially the ones associated with them. It may interest you to know that these can be termed products with a big market that will continue to have a tremendous impact on the economy in the upcoming years. Below I would like to mention a few reasons why QA and testing are crucial in the healthcare industry.
#1 Big Data Testing in Healthcare: Because it is associated with tons of information about patients’ health conditions, the healthcare industry is believed to be one of the most data-intensive sectors. Several healthcare institutions and their associated segments use big data to devise the right strategy for building relevant products. Initially adopted to derive the right inferences from the data points, big data testing also helps in making certain decisions about drug invention, disease cures, and, last but not least, research and development. These decisions are some of the best and most informed ones that anyone could take.
#2 Security of applications: I am sure you will agree with me when I say that healthcare websites hold the most sensitive kind of data about their patients and their health-related information. Through security testing and penetration testing, we can make websites, as well as applications, more resistant to attack and more sustainable, especially in a challenging digital scenario. It is very important to conduct quality assurance and testing to ensure the security of all such applications.
#3 Usability testing in healthcare: Usability testing is among the most needed in the health care industry. There are various features and user scenarios that a pharmacist or a nurse can continue to face during their working hours. Do you think these tasks are of prime importance? Absolutely not! In fact, they can be eased with the help of automation, adding more features that will help to simplify the entire process.
QA Challenges in Healthcare Apps
The healthcare industry has also started to introduce mobile platforms across the care delivery cycle, creating a voluminous medical app market. Below, we outline a few QA challenges concerning the testing of healthcare mobile apps and how to get over them.
Challenge #1 Users and their expectations
Software usability has been a core element in the healthcare industry. Look at those EHR systems; it is very important to come up with something that not only offers accurate physical records but also aggregates physical activity recommendations with nutrition tracking. While testing an mHealth app, think about the situations in which patients may need it. During critical cases, older patients can make the most of a condition management app that helps them find out what their actual condition is and tap the emergency call button at an extreme point.
In addition to this, healthcare mobile apps have the potential to influence many stakeholders, including patients, caregivers, care team members, administrative staff, insurers and more. The app should adequately support their workflows, so QA specialists need to get a good picture of basic user needs. For example, a patient may like to connect his or her smartwatch to the app to monitor heart rate while exercising, or a physician may want to review a patient’s treatment plan progress remotely.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.
This increased attention on the health sector is because of hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.
There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
One such specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity so that doctors can control and fine-tune their work and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse-engineer communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by pacemakers, injecting incorrect doses of drugs or even making them show the wrong data, leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.
By Shane MacDougall, senior security engineer, Mosaic451
The other day I was asked what is the biggest information security threat facing any company in 2019. Is it ransomware? Some AI-powered malware? Overpowering DDoS attacks? I didn’t hesitate – the answer is the same as it has been since I was first asked the question over two decades ago. The biggest threat to our infrastructure remains our users.
Social engineering, an attack where hackers extract information and access, not from traditional hacking attacks, but rather by interacting with a person in conversation, remains a devastatingly effective method of gaining unauthorized information or access to a network. It’s an attack vector that rarely fails. Unlike logical attacks, social engineering leaves no log entries to trip IDS or alert security admins. As organizations invest more dollars into security appliances and next-gen blinky boxes designed to harden their perimeter, attackers are increasingly opting to target the weakest link – the end user.
Recently, I was in Canada at the Hackfest hacker conference in Quebec, as host and organizer of the second installation of its social engineering “capture the flag” competition. The three-part competition had the competitors first spend a week searching for specific pieces of information (flags) about their target company, from a list of items provided by Hackfest. The flags range from information that can be used for an onsite attack (who does your document disposal, what is the pickup schedule), those that can be used for a logical attack (type of operating system, service pack level, browser and email client information), networking information which gives the attacker information about the infrastructure (wifi info, VPN access, security devices), and finally information about the employee and the work environment, which could be used to help the attacker pose as an insider.
The second portion of the competition had the contestants hop into a soundproof booth, where they were given 25 minutes to call their target company in front of an audience and gather as many flags as possible based on their dossier information. The third and final segment had competitors randomly draw a target; each contestant then had 30 minutes to use the audience members to search the web for flags or phone numbers to create a workable dossier. Each competitor was then put back into the booth to make another 25 minutes’ worth of calls in hunt of flags.
The results of this year’s contest were eye-opening, but sadly reminiscent of last year’s event. Of the eight companies targeted, all gave out information that would give an attacker an advantage for a remote attack, an on-site attack, or both. Specific breakdowns of results include:
75 percent visited a URL provided by their attacker
100 percent gave information about what version operating system/service pack version they were running
88 percent gave detailed information on what internet browser they were using
75 percent divulged information about Wi-Fi within their network
63 percent divulged information about secure document shredding, including their provider and the schedule for disposal
63 percent divulged detailed information about their email client
75 percent gave detailed information about the internal computer network
75 percent shared personal information about themselves and their work history