At the RSA Cyber Security Conference in 2012, former FBI Director Robert Mueller was quoted as saying “there are only two types of companies: those that have been hacked and those that will be.” Unfortunately, this statement still rings true today. Medical practices especially need to become more proactive and alert to the possibility of a data breach, because the healthcare sector is one of the most vulnerable to data breaches. Simply installing anti-virus software is not good enough. A hacker lies dormant in a compromised system for over 200 days before being discovered, and that’s IF they are discovered. A hacker’s expertise thrives in their ability to break in undetected, then get the data out undetected. Do you know if your business network has an undiscovered resident living within its ones and zeros, scanning for credentials to steal your data and make a fast getaway? Most non-cybersecurity professionals wouldn’t even notice an intruder. So, what can you do, as a medical practice, to ensure the highest level of protection for your patients’ data while maintaining HIPAA compliance? First, we need to understand the most common threats to us.
According to the 2019 Verizon Data Breach Report, the healthcare industry has significant reason to worry. Of the 466 healthcare cybersecurity incidents reported in 2018, 59% involved insiders. 83% were inspired by financial gain. 81% were caused by software errors or misused credentials. And 24% involved ransomware. These patterns lead us to build a profile of the “average” cyber-criminal related to healthcare incidents as: an employee or ex-employee using their credentials or stolen ones to exploit a known system for financial gain. How do we protect ourselves from this type of threat?
Back up patient and mission-critical data.
First things first, we must always have a plan for ransomware. With 24% of incidents involving ransomware, we need to have a way to protect ourselves. Before we can effectively protect ourselves against this common threat, we need to understand what ransomware is.
Ransomware is a type of malware that is delivered primarily through email attachments, but also from visiting compromised websites. Ransomware installs behind the scenes and begins searching out files and network locations for data, then begins to encrypt it. Once it has finished its encryption and locked you out of your critical files, it will display a ransom note demanding bitcoin or other untraceable currency for the decryption key to unlock the files. Can your medical practice function without access to all your critical files and systems?
Once the files are locked down, your sensitive information is at the mercy of the cyber-criminal. If you pay them, will a criminal actually decrypt your files as promised? They are criminals after all. Your only defense against a ransomware attack is to isolate the infected systems by unplugging them from your network.
Next, bring in security professionals who can restore the data from backup and clean the infected systems. With 1 in 4 healthcare organizations hit in 2018 by ransomware, implementing a solid strategy is the best defense. This starts with secure offsite backups being made and maintained. Without them, you either rebuild from the ground up or you put your faith in a criminal to honor their word.
Patch and upgrade all network-connected medical equipment, if you can.
Most medical and biomedical equipment is vendor-managed, but patch whatever you can. Medical equipment is seen as the Achilles’ heel of healthcare, and the cyber-criminal knows it! The next evolution in ransomware will definitely target more Internet of Things (IoT) devices such as these, making them easy marks for the criminal to get a foothold into your network. Strong Wi-Fi encryption and passwords can help protect them as a first step, and even the FDA and DHS have begun to strategize a framework to protect new equipment introduced into the marketplace.
Before we can enter a world of secure medical devices, the older ones need to be protected and vigilantly watched for compromise. Having a good security professional baseline your devices for malicious activity can help them identify a compromised device. Also, being aware of security updates on your existing equipment and keeping a lookout for newer, more secure models that you can purchase can help stop a compromise.
Separate company Wi-Fi and guest Wi-Fi and rotate passwords routinely.
Now let’s refocus on the insider profile. How often do you change your Wi-Fi password? As a practice, it should be changed routinely and always after an employee leaves the team. Another solid practice is to change access credentials if a device is lost or stolen. 28 data breaches occurred in healthcare in 2018 due to lost or stolen assets, and having a lost laptop with stored Wi-Fi credentials on it is an easy way for someone to gain access to your network infrastructure.
Another strong practice is to separate guest and company Wi-Fi networks. A guest network is simply a way for your patrons to have internet access while in your waiting room or for information retrieval purposes. There is not a functional need to have it as an extension of your business network, but for simplicity's sake many companies do this. The solution is to buy a separate, cheaper router to keep guests away from your network. The last thing you want is a would-be hacker sitting in your waiting room browsing confidential patient data while waiting to get their tooth filled, or a disgruntled ex-employee knowing this vulnerability and using it against you down the road.
Protect PHI, lock unattended computers and disable USB support.
In the medical industry, patient confidentiality is paramount. Preserving patient privacy is part of the Hippocratic Oath, and in the modern age, this also means securing Protected Health Information (PHI). There are many ways to protect PHI, from simply locking your computer when you leave it unattended to restricting conversations to the back room out of earshot. These are routinely done by most medical professions, but there are some additional ways we can explore to protect data.
One important way is to lock down USB ports on workstations. The introduction of malware and viruses can come from an infected device being plugged into your workstation. It can be as innocent as an employee sharing family photos with their co-workers from their vacation on a flash drive, or as sinister as a cyber-criminal plugging in an infected device when you are not looking. It only takes a second for the infection to spread. USB drives are also an easy way for data to leave your network. A disgruntled employee can download everything in a matter of minutes and simply slip the device into their pocket. The Bleeping Computer blog outlines 29 different USB-based exploits which can cause harm to your network. These are worth a look and are very eye-opening. By securing something as simple as a USB port, we can not only secure a very weak link in our infrastructure but embody the dictum to “do no harm”.
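As an added example (not the author’s own material), here is a PowerShell script that applies the workstation lockdowns this section calls for: it disables the USB mass-storage driver, applies the removable-storage deny policy, sets an idle auto-lock, and then reports whether each setting took. The registry locations, the 10-minute timeout and the helper names Set-RegistryDword and Test-WorkstationHardening are my assumptions, not from the article.

```powershell
# Added example, not from the original article. Hardens a locally managed
# Windows workstation as this section recommends. Run as Administrator.
# Assumption: a standalone Windows 10/11 workstation; in a domain, push the
# same settings via Group Policy instead of editing the registry directly.

$usbStor     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$removable   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$logonPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. USB mass-storage driver: Start=4 (disabled) instead of the default 3 (manual).
#    Keyboards and mice are unaffected; only storage devices stop mounting.
Set-RegistryDword -Path $usbStor -Name 'Start' -Value 4

# 2. Policy "All Removable Storage classes: Deny all access" (Deny_All=1),
#    which also covers card readers and phones presented as storage.
Set-RegistryDword -Path $removable -Name 'Deny_All' -Value 1

# 3. Lock the session after 10 idle minutes ("Interactive logon: Machine inactivity limit").
Set-RegistryDword -Path $logonPolicy -Name 'InactivityTimeoutSecs' -Value 600

# Verification: read each value back and compare it with the hardened state.
function Test-WorkstationHardening {
    $checks = @(
        @{ Path = $usbStor;     Name = 'Start';                 Expected = 4 },
        @{ Path = $removable;   Name = 'Deny_All';              Expected = 1 },
        @{ Path = $logonPolicy; Name = 'InactivityTimeoutSecs'; Expected = 600 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = "$($c.Path)\$($c.Name)"
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

Test-WorkstationHardening | Format-Table -AutoSize
```

A USB drive that is already mounted keeps working until the machine is rebooted, so reboot after applying and re-run Test-WorkstationHardening as part of a periodic audit.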
Ongoing employee education and security awareness training.
Employee education and training is our best defense against data breaches. With upwards of 95% of security incidents reportedly rooted in human error, providing ongoing and comprehensive security training for our people is extremely important. Security training is a low-cost solution that can produce effective results. Properly identifying phishing emails and providing employees with best practices for security are just some of the benefits of a good training program. The notion that security is a function of the I.T. Department is a common misconception. Every employee should be recognized as a deputized member of I.T.
Vigilance to security and best practices should come from everyone at an organization, especially when the organization doesn’t have a full-time dedicated security professional or is just a small business trying to make ends meet. Security and best practices should be a part of everyone’s job description to the degree they are capable. When all eyes are watching and attentive, your medical practice can thrive and patients’ data will remain secure.
Moments after Robert Mueller uttered his quote in San Francisco in 2012, it became obsolete. It’s no longer a question of if we will be hacked, it’s if we will be hacked again. Cybersecurity is one of the new frontiers of technology that is getting better and better every day. Just as today’s employees couldn’t imagine a job where they weren’t using a personal computer to get things done, tomorrow’s employees won’t be able to imagine an environment where cybersecurity and awareness training aren’t a large part of their daily routine. Security must become part of our everyday regimen.
Cybersecurity in healthcare goes hand-in-hand with the Hippocratic Oath. The end goal is to protect patient privacy and data, and to provide an environment where the patient can be assured there is no risk of their private information falling into the hands of a cyber-criminal. By utilizing some of these techniques in your medical practice, you can ensure a safer environment for both employee and patient. Hippocrates would be pleased!