Countering Healthcare cyber threats has been a priority for all the healthcare entities. Unfortunately, no medical provider is immune from cyber criminals. Hospitals, clinics and other healthcare entities have become a favorite target for hackers due to:
- Lingering legacy computer software and hardware that lack up-to-date security measures.
- Layering vulnerable systems, such as “connected health” or the “internet of things” (IoT), on top of older networks.
- An emphasis on fostering “data liquidity” i.e., the ready availability of clinical information over data security, which could slow access to information that is otherwise vital to efficient clinical workflows.
- The high value of medical information, which often contains social security numbers, insurance information, birth dates and family history.
- The greater vulnerability of elderly – who are frequent users of healthcare – to follow-on scams that leverage their medical information.
Yet, even if computer networks are up to date, the employees who use them remain an important vulnerability. They can be victimized by “phishing,” which can be defined as the deceitful acquisition of access credentials to an information network. Phishing often involves misleading healthcare employees with phone calls or emails that sound or appear legitimate.
In addition to ransacking private patient information, another emerging threat is “ransomware.” Hackers can import software (“malware”) that restricts access to patient files by using encryption. Once a provider is unable to use their patients’ information, a time-limited ransom is demanded, backed up with a threat to permanently destroy the data.
Seven steps providers can take to protect their patients from this malicious activity-
- Teach and constantly remind all employees to recognize phishing attempts and not respond to unsolicited emails or phone calls that seek log-in credentials. In addition to regular training, one option is to engage a third party to send “pseudo” phishing emails to employees that prompt repeat education on the topic;
- Require all users to regularly change their password, which time-limits a hacker’s access to a network;
- Identify the “crown jewels” in the network that contain high-valuenformation, and protect them with even higher levels of the cycyber security one way to do this is to “segment” this information away from the rest of network and grant access to fewer users.
- “Perimeter” defense of the computer network that filters out suspicious emails and restricts access to websites that appear to innocently ask for credentials.
- Monitor for activity within the network that suggests that someone is exporting private or a large amount information (for example, such as data that are formatted like social security numbers).
- Use “two-factor authentication,” which requires a second credential such as a one-time code (which can be sent to the user via email or text message) or a fingerprint.
- Encrypt any databases that are not being actively used.
These seven steps are well within the reach of healthcare providers with information systems. Failure to use them risks significant business disruption, patient harm, loss of reputation and significant fines. If one or more of them are not being used, ask a simple question that your patients would ask:
Jaan Sidorov – Member Board of Directors at Medsolis