Some of the most recent cybercrime headlines have, by and large, been about healthcare. Whether aimed directly at healthcare providers or at third-party healthcare vendors (Legacy Health, LabCorp Diagnostics, Med Associates, LifeBridge Health, and ATI Physical Therapy, to name a few), criminals have been demonstrating acute attention to the healthcare market, which continues to be a lucrative target.
This shouldn’t be too surprising to anyone, given that the healthcare industry deals with huge amounts of highly sensitive data, data which, in the wrong hands, could lead to massive identity theft. And while a credit card number, for instance, can be changed if it is stolen, a medical history cannot.
Hackers are essentially hitting big jackpots with serious long-term side effects when they break into healthcare networks.
The data they steal remains current and accurate (your health history can’t be changed the way that credit card number can), and people may even make life-or-death decisions based on it.
For that matter, healthcare-related information remains a hot commodity on the Dark Web (the underbelly of the web where cybercriminals sell their stolen goods), often fetching far higher prices than a typical credit card number.
This raises some serious questions about what healthcare providers and vendors can do to limit their exposure to data breaches while keeping up with stringent cybersecurity regulations.
The State of Healthcare Cybersecurity
Privacy and security concerns, particularly those associated with electronic patient records, make healthcare one of the most regulated industries in the country. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act both created much greater visibility for healthcare cybersecurity and a higher standard of scrutiny compared with other industries (most of which are self-regulated).
HIPAA and HITECH both put increasing emphasis on how you protect the privacy of your patient information and how you disclose that information.
The Hard Reality Is Compliance Doesn’t Mean Security
Over the past decade—one in which cybersecurity experts have focused on healthcare to keep practitioners safe from data breaches and attacks—we’ve learned that being compliant doesn’t mean you’re secure.
The majority of offices—non-profit and for-profit healthcare organizations alike—get their annual HIPAA audits and checkups. Nearly every single one for which we’ve performed a network security assessment had come back with a shining HIPAA review. But not a single one was safe against data breaches or ransomware attacks.
Why do shiny HIPAA audits give a false sense of security?
Unfortunately, the cybersecurity standards set forth in HIPAA are dated. Technology, and new attack techniques in particular, evolves so fast that even if HIPAA were updated annually, it would likely miss a good portion of the threats.
While HIPAA’s framework still provides some good guidelines, the specifics of how you implement those guidelines need to change along with the ways your offices are being attacked. Those shiny HIPAA audits mean nothing when a month later you fall victim to a ransomware attack the likes of SamSam (true story—offices passing their HIPAA risk assessments are in fact still vulnerable to attacks!).
If You’re Not Careful, Your Patient Records Will Be Published On The Dark Web
As I mentioned above, on the Dark Web, complete medical records—including patient names, birthdates, Social Security numbers and medical information—can sell for as much as $50 or more per record. Compare that to individual Social Security numbers, which fetch at most $15, and a high-limit credit card, maybe a few bucks.
Since medical records can be leveraged in a variety of ways—including fraudulent medical claims—and a medical record’s historic information will not change over time, healthcare information holds its value (and is one of the most desirable sources of information bought and sold by cybercriminals).
If you’re not careful about how you protect protected health information (PHI), your office may be breached or attacked, and that information—hundreds to tens of thousands of records—could very well be posted on the Dark Web.
What safeguards should you have in place to minimize your risks of exposure to cybercrime?
Train your employees—drive change throughout your organization to incorporate security best practices at the user level. Make sure that staff habits won’t jeopardize your network. Create awareness and advocacy through experience-based learning rather than simply checking a box on your HIPAA assessment with a mandatory one-hour lecture your team sits through once a year.
Encrypt your data—most offices do encrypt some of their data. But there is always some PHI, especially the kind that ends up on desktops or in My Documents folders, that is ultimately left unencrypted. These golden nuggets are exactly the type of information cybercriminals attempting to penetrate healthcare networks are looking for. Data encryption is both an effective and low-cost method of securing sensitive medical information, and it can help mitigate the consequences of physical theft of your digital assets.
Enforce least access privilege—most offices that we evaluate give administrator access, which is practically the key to the city for your entire network, to handfuls of people who don’t need this level of access. By limiting the amount of access and privilege a user has, you’ll be better able to control who has the ability to change or jeopardize critical applications and infrastructure on your network. Many cyberattacks actually spread through offices because users have more privileges than they need.
Get a second opinion—while the majority of IT support teams may insist that they have your security shored up, there hasn’t been one single audit that’s ever come back clean enough to prevent a ransomware attack or data breach, especially in healthcare organizations. Getting a second opinion, especially a proactive and informative report of your network vulnerabilities, can be the difference between remaining low-hanging fruit for cyberattacks and keeping cybercriminals at bay.
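As an added illustration of the encryption and least-privilege safeguards above (this is example code written for this page, not code from the original article or its author), the following PowerShell script gives a single workstation a quick second opinion: it flags fixed volumes that are not protected by BitLocker and any member of the local Administrators group that is not on an allowlist. The allowlist entries, including the domain group CLINIC\IT-Admins, are placeholders you would replace with the accounts your office actually expects to hold admin rights; the script assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the BitLocker and Microsoft.PowerShell.LocalAccounts modules available.

```powershell
# Added example (not from the original article): a quick "second opinion"
# check of two safeguards described above, run locally on one Windows
# workstation. Requires an elevated PowerShell 5.1+ session with the
# BitLocker and Microsoft.PowerShell.LocalAccounts modules.

# Assumption: this allowlist is a placeholder; replace it with the accounts
# and groups your office actually expects to hold local admin rights.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CLINIC\IT-Admins'            # placeholder domain group
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Encryption: every operating-system and fixed data volume should have
#    BitLocker protection turned on. Anything else is a finding.
try {
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        if ($vol.VolumeType -eq 'OperatingSystem' -or $vol.VolumeType -eq 'Data') {
            if ($vol.ProtectionStatus -ne 'On') {
                $findings.Add("Volume $($vol.MountPoint) is not protected by BitLocker (status: $($vol.VolumeStatus)).")
            }
        }
    }
} catch {
    $findings.Add("Could not query BitLocker status: $($_.Exception.Message)")
}

# 2. Least privilege: any member of the local Administrators group that is
#    not on the allowlist is a finding. Nested domain groups are reported
#    by group name, so review those memberships in Active Directory too.
try {
    foreach ($member in Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop) {
        if ($ExpectedAdmins -notcontains $member.Name) {
            $findings.Add("Unexpected local administrator: $($member.Name) ($($member.ObjectClass), source: $($member.PrincipalSource)).")
        }
    }
} catch {
    $findings.Add("Could not enumerate local Administrators: $($_.Exception.Message)")
}

# 3. Report: one line per finding, so the output can be collected from many
#    machines and reviewed in one place.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings for the checks above."
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on each workstation (for example through your remote management tool or a scheduled task) and treat every line it prints as something to either fix or document as an approved exception. A clean result covers only these two checks, not the rest of the safeguards listed above.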
Concerned that your office might be the next target of a cyberattack? Contact us TODAY for a free network security assessment.