Guest post by Garret Grajek, chief security officer, dincloud.
A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.
APTs distinguish themselves from past “script kiddies” and accidental hackers who execute “crimes of opportunity” (e.g. they find a site that they can do an SQL injection and see what data they can download). Advanced persistent threats however follow the opposite workflow – they select a target and then use any and all mechanisms to obtain access to the data they desire.
You’re in healthcare – but should you care?
Healthcare IT systems are a target rich environment for advanced persistent threats attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fell victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at HealthCare.gov, the government’s health insurance marketplace.
Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII information (like employer’s and spouse information), are held by health care providers. Attackers know this, and for these reasons, health care entities have become an easy target for advanced persistent threats attacks.
Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days where all personal health information solely lived in giant filing cabinets behind a receptionist’s desk or in the administrative office of a hospital. Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patient’s personal health information has since evolved into a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace; 65 percent of data breaches reported to the Ponemon Institute occurred on laptops and mobile devices over the last five years — it’s no wonder that more than half of those surveyed aren’t confident in the security of their devices
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – how? How is this significant rise in healthcare data breaches even possible, and how do we stop this from continuing?
Below are the top three gaping security holes in remote healthcare data practices that are answering our question of how is this rise in breaches in possible:
Safe guarding against healthcare data breaches is a proactive approach to protecting your practice, not a reactive one.
As has been noted recently by Healthcare It News, healthcare data breaches occur frequently, and as I have previously reported, most of them are inside jobs.
That aside (I’m not trying to dismiss the importance of this fact, just trying to move this piece along as I know your time is limited), many can be prevented by employing the proper information systems like two-factor authorization, but nevertheless, the costs of cleaning up after a breach is most more expensive than they are to prevent.
According to Healthcare IT News, healthcare data breaches are incredibly expensive procedures which are piled upon by investigations, notifications and follow up. With that, let’s take a look at some steps that you can take to safeguard against data breaches.
According to the magazine:
Cast a wide net: Ensure you assess your practice’s capabilities for dealing with a data breach. Establish a plan, bring in the practice’s appropriate leaders who can drive the practice forward and work to educate employees of the importance of data integrity. “This might include subject matter experts from cross-functional areas like IT and operations to human resources, or compliance and legal to other key supervisors or managers,” writes Healthcare IT News.
Here are a few additional points from the magazine’s report:
• establish protocols for tasks
• create timelines
• establish communication among the team to ensure everything runs as smoothly as possible.
Know thy data: Take stock of your data. Start with reviewing current and past projects, reviewing current documentation and how your practice typically gathers information. “One of the key components of any assessment is determining how personal health information (PHI) and electronic personal health information (EPHI) are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data.”
Address your practice’s vulnerabilities: Known or unknown, this is the time in which you begin to putting your plan in place. This is the point of your plan in which you push play.
Document everything: Since you’ll need everything in writing as part of the process, you’ve got to prepare by making sure all of your processes, data and processes are in writing. According to the magazine, “Not only do those reports then become a historical document for an organization’s administration to refer to in the future, they’re also proof that a provider has performed due diligence around responsibilities for storing confidential data.”
Follow up and engage often: Don’t just put a process in place, but follow up on it. Adjust the process as needed and address any potential red flags immediately. Not doing so is paramount to failure. Silence is consent and if you become aware of an issue that you don’t address essentially is guilt by association.
Check your progress: Take stock of your risk assessment on a regular basis, “especially after a change in technologies, administration, regulations, or business operations.”