2020: Will this be the year that the healthcare industry closes the gaping hole in cyber security?
None of us have a crystal ball, but it doesn’t take a clairvoyant to recognize that as another year gets underway, the peril of cyber threats will not go away.
Presently, there exists a large gaping risk hole as a result of the IOT (Internet of Things) and HIOT (Healthcare Internet of Things). Just consider all those “helpful” robots roaming the halls of hospitals – all with access to networks, many of which are unprotected. The amount of sensitive patient data stored within those networks is monumental; it’s a security volcano just waiting to erupt.
Hospitals are especially vulnerable to cyber threats. Automation is on the rise in many major hospitals in the name of efficiency and budget, but often at the expense of security at best and patient safety at worse. Information hacking is serious enough but the possibility of someone accessing the output of a dialysis machine, for example, could be the difference between life and death for a patient. The good news is that most hacks are not targeted toward doing patients bodily harm, but placed in the wrong hands, that possibility becomes a reality.
The exploitation of patient information is on the rise, in large part due to scanned health records that can be captured (the process of obtaining and storing external data for use at a later time). So, how does a medical facility minimize these risks? Speaking strictly in technological terms, the best safeguard against patient information hacking is making sure that no IOT device is directly connected to the same backbone device on which sensitive information is stored.
The importance of separate wireless networks cannot be overstated. Far too many healthcare providers – particularly small clinics and offices – allow shared use of the wireless network they use to store patient information on with patients in the waiting room. This is an open invitation to data breaches. Dual wireless networks (one for waiting room patients and one for staff) is the remedy.
Outdated browsers are the culprit of many a hospital hack. Up-to-date Internet browsers are a must for healthcare facilities; it is advisable to use a browser such as Google Chrome, since it receives automatic patches and updates.
A recent cybersecurity report indicates that an estimated 70% of healthcare facilities will be running unsupported Windows operating systems by January of 2020 (yes, now!), opening the risk of cyberattacks even wider. Microsoft support devices running Windows 7, Windows 2008 and Windows Mobile have an expiration date of January 14, 2020, according to a report from Forescout, a medical device and IOT cybersecurity company. The use of unsupported operating systems not only exposes a facility up to data breaches, it can also impact regulatory compliance and that can translate into fines.
Outdated installations such as Flash and Java are another serious threat to healthcare organizations. While these programs are necessary for electronic medical records and e-prescriptions, outdated versions are a boon for hackers; the best prescription is to keep such software programs up-to-date and apply patches immediately when they are available.
While HIPAA security risk analysis is mandated annually, it may be wise for healthcare providers to submit a security evaluation more often, seeing that cyber attack strategies are becoming increasingly sophisticated.
Healthcare facilities should also be aware of an increase in third party provider breaches. As infamous bank robber Willy Sutton once said, “Why do I rob banks? Because that’s where the money is.” Ditto for confidential patient information. If a hacker breaks into a managed service provider (MSP) they can access a whole world of data from a huge sweep of sources. In this dire scenario, not only is the MSP breached, but so, too, are its clients.
The following may go without saying, but often the most basic defenses against cyberattacks are ignored. Healthcare facility employees absolutely must employ strong and unique passwords. Word to the wise, there exist password manager companies that automate complex passwords and then stores them.
Regular backup of important files is critical; these backups should be maintained on media that is physically disconnected from a facility’s local system – the cloud or an external drive are the best bets. Sensitive data should not be maintained on a local drive and patient information should never be transmitted over public networks.
Basic security measures like these can go a long way in protecting a healthcare organization against cybercrime, but today, when the unscrupulous can invade a system with a mere few clicks, heavier artillery may be necessary. To that end, there exist cyber security tools that monitor network system traffic. Some protect information stored on external hard drives, IOT devices and laptops using embedded security to safeguard data beyond basic encryption.
There are also security tools that protect email accounts from Spyware hidden in email transmissions. Another great line of defense is a tool that can detect ransomware (malicious software that essentially holds a computer system hostage) in real time and prevent the corrupt software from running.
Antivirus protection and basic security features can go some distance against shielding healthcare facilities from the scourge of hack attacks, but, sadly, those measures alone just don’t measure up to cunning cyber criminals. Investment in security infrastructure and professional services can aid in turning the diagnosis of a vulnerable network into a healthier prognosis.