The Department of Health and Human Services Office for Civil Rights (OCR) has been conducting limited audits to ensure that covered entities and business associates comply with the regulations governing health information privacy, security, and breach notification…
The healthcare industry is now one of the top three industries cyber attackers are targeting.
No matter what type of facility you work in – a hospital, clinic, medical center, health insurance company, or one that provides business or clinical services for health care – the data you store is worth millions of dollars on the dark web.
Attackers can hold a hospital hostage, freezing operations and disrupting critical medical processes until they get what they want. A recent breach with global impact showed us just how unprepared the healthcare industry is.
New Target: Healthcare Industry
We all remember the devastating breach known as WannaCry, which infected 300,000 machines in 150 countries. Although a number of industries were affected by the WannaCry ransomware attack, none was brought to its knees like the U.K.’s National Health Service.
Given the vulnerabilities now known, experts predict follow-up attacks on the healthcare industry that will be even more vicious and damaging, and they caution those with outdated computer systems and subpar defenses to take cover.
The NHS was lucky, not prepared – a few alterations to the malware’s code would have caused havoc. These hackers were amateurs, merely firing a warning shot at the healthcare industry. Now that a number of vulnerabilities have been identified, healthcare institutions will be the target of more coordinated and sophisticated attacks.
Shield Your Business
Every member of your staff must know security best practices and understand why they matter. Practices such as never sharing passwords and changing them regularly, patching systems so they stay up to date, learning to spot suspicious emails, and not clicking embedded email links or attachments are all necessary security measures. Training should include follow-up meetings to confirm that these practices are actually being adopted.
- Note: Microsoft issued a patch for the particular hole that gave the WannaCry attackers entry weeks before the incident happened. Many users either had not installed it, had no automatic patch management, or had automated patch management that did not work.
Today’s technologies represent a great advance in the healthcare industry and in patient care, but they create another challenge: more data and more endpoints lead to more vulnerabilities.
Data should be encrypted both in transit (over the network or in email) and at rest. HIPAA requires you to demonstrate that your business maintains a strong security program and implements a satisfactory baseline for preventing successful breaches of unsecured PHI.
Encryption gives your security team more ammo to make that happen. There are different levels of encryption and a number of ways to apply it – find the encryption tool that works best for you.
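One concrete form of "encryption at rest" that meets the bar above is authenticated encryption: the stored record carries an integrity tag, so an altered or corrupted record is refused rather than silently decrypted. The following is an added example written for this page, not code from the article or from any vendor's tool. It uses only Go's standard-library AES-256-GCM, a constructed sample record (`samplePHI`, not real patient data), and a stand-in `NewKey` helper that in a real deployment would be replaced by a key manager or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed record for this example; it is not real patient data.
const samplePHI = `{"patient_id":"EXAMPLE-0001","dob":"1970-01-01","note":"example only"}`

// NewKey returns a fresh 256-bit key. In a real deployment the key comes from
// a key manager or HSM and is never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The stored blob is laid out as
// nonce || ciphertext || tag; the tag lets DecryptRecord detect any change to
// the stored bytes before any plaintext is released.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // errors unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce per
	// record is the standard choice for this construction.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord verifies the tag and returns the plaintext, or an error if the
// blob was altered, truncated, or sealed under a different key.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record is too short to be valid")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: record altered or wrong key")
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecord(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as a %d-byte sealed blob\n", len(samplePHI), len(blob))

	restored, err := DecryptRecord(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(restored, []byte(samplePHI)))

	// Flip one bit of the stored record, as disk corruption or tampering would.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob)
	fmt.Println("altered record rejected:", err != nil)
}
```

The design point is the one the paragraph above hints at with "different levels of encryption": a mode that only hides data (CBC with no MAC, for example) would still hand back garbage from a corrupted or modified record, whereas an authenticated mode refuses it, which is what you want before a clinician reads the result. Keeping the key away from the data store is what turns a stolen disk or backup into "secured PHI" rather than a reportable breach.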
Data backups are crucial, especially as protection against ransomware. The only way to return systems and devices to normal after a successful ransomware attack is to restore data from a clean backup. Back up everything – business, medical, device, email and any other data. Perform backups on a regular schedule and keep copies in multiple physical locations.
Perform Regular Scanning
Regularly scanning networks, workstations, mobile devices, and applications for known vulnerabilities is a must. Cyber attacks can enter through an organization’s network, wireless network, applications, devices, and the physical environment itself – anyone can walk into a healthcare facility. Any text, chat, or email message sent to patients on their mobile devices also carries high risk.
Conduct Regular Threat Modeling
Threat modeling and penetration testing exercises describe current threats and determine which ones could target you. Penetration tests go further and actually exploit vulnerabilities and potential entry points in networks, applications, and devices. In other words, think of the ways things could go wrong, work backwards to understand how your current controls would help, then identify the gaps. These exercises should be repeated regularly to ensure the confidentiality of health records.
Want to Learn More? Check out Managed IT Support and Services for Medical Practices