ebook - cybersecurity in healthcare


Upload: thinkasg

Post on 22-Jan-2018

Category: Technology

TRANSCRIPT

Page 1: eBook - Cybersecurity in Healthcare

CYBERSECURITY IN HEALTHCARE

INTRODUCTION

Recent advancements in tech have had a tremendously positive impact on the healthcare industry.

Thanks to improved services like electronic health records, information can be shared faster and more efficiently. This makes it easier for healthcare facilities to store patient records long term and cut operating costs. It also helps patients by providing personalized care when they need it the most.

FOR HEALTHCARE PROFESSIONALS AND THE PATIENTS THEY SERVE, THE CURRENT TECHNOLOGY BOOM IS OVERWHELMINGLY BENEFICIAL.

Technology has even streamlined basic applications in a healthcare environment in a number of ways. Healthcare facilities can automate certain basic tasks like sending checkup reminders and enabling patients to schedule appointments online without ever picking up the phone.

This relieves professionals of the burden of these important yet admittedly basic tasks and frees them up to return to doing the most important thing of all:

PROVIDING THE BEST POSSIBLE CARE TO THOSE IN NEED.

These are just a few of the countless examples of how tech solutions positively impact the lives of millions of people on a daily basis in the world of healthcare.

As with all tech advancements, however, there is another side to the coin. These solutions enable us to access our networks virtually anywhere on any device, meaning that threats have a myriad of opportunities to breach your security wall. Attacks are so prevalent that today it is increasingly common to hear reports about yet another massive data breach that has struck a recognizable company.

Perhaps the most famous recent example is the Sony Pictures International hack in 2014. Between lost revenue from films that leaked onto the internet and the unquestionable damage that was done to the reputations of writers, directors, actors, and studio executives after confidential e-mails were leaked to the public, the data breach is projected to cost Sony over $100 million.

Entertainment companies aren’t alone in facing these issues. Anthem recently experienced a significant hack that put the personal information of more than 80 million people at risk.

That total included current customers, former customers and employees. Sony’s woes from “The Interview” losing a weekend box office were terrible, but had little to no impact on the safety of the public.

Anthem’s security breach dangerously placed the personal healthcare information of 80 million people into the hands of criminals.

EXPERTS PREDICT THAT THE FALLOUT FROM THE ANTHEM BREACH COULD TOTAL MORE THAN $100 MILLION IN TERMS OF FINES, PENALTIES AND CLASS ACTION LAWSUITS ALONE - TO SAY NOTHING OF THE DAMAGE THAT WAS DONE TO ITS REPUTATION.

While Anthem may be able to weather the storm because of its size, smaller healthcare companies may not be so lucky. To put it simply, healthcare professionals must take steps to be digitally secure and compliant or risk becoming another statistic.

In order to digitally protect a healthcare facility and the patients that depend on it, you need to take full advantage of the best tools available.

By far, the most powerful weapon that healthcare professionals have in their arsenal is an evolving defensive strategy.

Cyber security in a healthcare environment means not only turning your attention towards what you can do to fight threats of today, but also learning more about ongoing protection from threats in the future.

CURRENT TRENDS

Take a look at the state of cyber security in healthcare based on a list of current trends. In April of 2014, the FBI issued a warning to the healthcare industry about the threat that hackers could pose to their operations.

The report from the FBI, which was later obtained and published in its entirety by Reuters, said that “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is more likely.”

The report indicated a startling trend: cybersecurity systems in healthcare routinely lagged behind those in other industries, including entertainment. Consider that the cyber security at Sony Pictures International was significantly stronger than the systems used in most healthcare facilities. Despite taking precautions, Sony Pictures still fell victim to the largest data breach of a private entity in the history of the Internet.

Even with the call to action in the FBI report, many healthcare executives haven’t reacted. In a survey conducted by Becker’s Health IT & CIO Review, nearly 75% of those who responded indicated that they did not believe that the chief information security officer (CISO) in a healthcare facility should be part of the leadership team of that organization. As many as 55% of those who responded, however, indicated that the CISO should assume responsibility for data breaches.

For the CISO, this is something of a catch-22. They aren’t given enough influence within the organization, yet they bear the full brunt of responsibility should something go wrong. This contradictory line of thinking perhaps underscores the current issues in the healthcare industry with regard to cyber security better than anything else.

The technological decisions that protect confidential healthcare data need to be presented by the CISO at an executive level. Unfortunately, more often than not, that isn’t happening in most organizations.

EXAMINING THE THREAT

A large part of understanding the severity of a threat involves understanding exactly why it exists in the first place.

Data breaches don’t just happen “because they can” - they happen because personal data is a valuable commodity to hackers. Unfortunately, there are underground marketplaces online where the personal data of individuals goes for top dollar, incentivizing hackers to breach systems in hopes of making a handsome profit.

According to Becker’s Health IT & CIO Review, the type of information that a hacker can obtain by attacking a healthcare facility isn’t just more valuable than credit card numbers and other types of financial information - it is literally up to 10 times more valuable.

When a hacker steals a credit card number, it generally has a very limited lifespan - and therefore is a limited income stream for that individual. They may be able to quickly charge a few hundred or even a few thousand dollars worth of purchases to the card, but the issue is likely to be discovered very quickly and the card number will become invalid as a result.

THANKS LARGELY TO THE FACT THAT HOSPITALS AND OTHER HEALTHCARE FACILITIES HAVE LOW CYBER SECURITY STANDARDS IN GENERAL, THEY BECOME PRIME TARGETS FOR HACKERS.

PhishLabs, a cyber crime protection company, estimates that stolen healthcare information, credentials and other types of documents can be sold for as much as around $10 per individual on the black market. This is between 10 and 20 times more than a credit card number.

One reason for this trend is that medical identity theft is much harder to track. While a stolen credit card can be deactivated quickly, a data breach from a healthcare facility has a more long term payoff. Hackers can use that information over time to generate a series of fake IDs that can then be used to buy drugs, medical equipment and other goods that can then be resold at a premium.

Not only is it easier for hackers to do damage in this type of environment, but the extent of the damage is also significantly higher than it is anywhere else. This creates a perfect storm for patients and healthcare facilities.

YOUR OPTIONS

Though the cyber security discussion in healthcare may seem grim, there is a silver lining. There are several recognized tools that can protect your organization’s sensitive healthcare information.

Currently, the number of healthcare practitioners who use these tools is far too small. In order to protect their employees, patients and reputations, healthcare facilities need to invest in security intelligence solutions.

SECURITY INTELLIGENCE

The major security issue for most healthcare organizations is that they only focus on building a reactive defense. This is the wrong approach entirely.

Instead of allowing themselves to fall victim to a security breach and then asking “What can we do now to make sure that doesn’t happen again?”, the organization should instead be asking “What can we do now to prevent a potential attack?”

DATA SECURITY

Professionals need visibility of the entire lifecycle of a file. This includes: who created it, where it was stored and where it ended up, and also who sent it, who requested it and accessed it, when it was opened, whether or not it is currently being downloaded, and more.

It’s important to understand that personal health information isn’t just vulnerable while it is sitting on a hard drive in a doctor’s office. A patient’s medical records are at the greatest risk when they are transferred from one physician’s office to another for a second opinion.

FOR MAXIMUM DATA SECURITY IN THIS TYPE OF SITUATION, ALL FILE SHARING ACTIVITIES NEED TO BE VALIDATED.

Encryption techniques for data security are also a must in today’s climate. Even though HIPAA does not require data encryption, encryption is no longer just a recommendation: it is a requirement for protecting sensitive data moving forward. Encryption needs to be present both while PHI documents are at rest on a facility’s hard drive and while they’re in transfer. Not only should the encryption be at least 128-bit, but it also needs to use a unique encryption key for each file that is stored on a secondary location. This will all go a long way towards making sure that even if a healthcare facility’s network is compromised, the sensitive data contained on it will be safe.

The largest insurance companies, the smallest private practitioners and everyone in between need someone dedicated to the ever changing cyber security rules and regulations on both the federal and state levels.

ABOVE ALL ELSE, HEALTHCARE ORGANIZATIONS NEED TO DEVELOP A SECURITY-DRIVEN CULTURE THAT BEGINS IN LEADERSHIP POSITIONS.

ENDPOINT SECURITY

For instance, if a hospital employee working remotely needs to access the server, they should be subject to certain policies, protocols, security settings and advanced configurations that will help prevent them from becoming a vulnerability.

Another essential standard to enforce is the ability to log not only devices for security audit purposes but individual actions.

You should additionally be able to gauge when a user first accessed the system, session length and what they did during that time.

AT ANY GIVEN TIME YOU SHOULD BE ABLE TO SEE WHO IS ACCESSING SPECIFIC FILES FROM SPECIFIC DEVICES.
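The logging standard described above (first access, session length, actions taken, and who has a given file open from which device) can be checked against an audit trail as follows. This is an added example, not part of the original eBook; the log format, user names, device names and file paths are constructed for illustration.

```python
from datetime import datetime

# Constructed audit events (not real data): time user device action target
SAMPLE_LOG = """\
2024-03-04T08:00:05 nurse_a WS-014 LOGIN -
2024-03-04T08:02:10 nurse_a WS-014 OPEN /phi/patient_1001.pdf
2024-03-04T08:05:00 dr_b LAPTOP-7 LOGIN -
2024-03-04T08:06:30 dr_b LAPTOP-7 OPEN /phi/patient_1001.pdf
2024-03-04T08:09:45 nurse_a WS-014 CLOSE /phi/patient_1001.pdf
2024-03-04T08:15:00 nurse_a WS-014 LOGOUT -
2024-03-04T08:20:00 dr_b LAPTOP-7 DOWNLOAD /phi/patient_1001.pdf
2024-03-04T08:30:00 temp_c TABLET-3 OPEN /phi/patient_2002.pdf
"""

def parse(log):
    rows = (line.split() for line in log.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(ts), u, d, a, t) for ts, u, d, a, t in rows)

def sessions(events):
    """One record per session: first access, length in seconds, actions taken."""
    done, active = [], {}
    for ts, user, device, action, target in events:
        key = (user, device)
        if action == "LOGIN" or key not in active:
            # Activity with no preceding LOGIN is kept but flagged as an audit gap.
            active[key] = {"user": user, "device": device, "first": ts, "last": ts,
                           "actions": [], "no_login": action != "LOGIN"}
            done.append(active[key])
        s = active[key]
        s["last"] = ts
        if action == "LOGOUT":
            del active[key]
        elif action != "LOGIN":
            s["actions"].append((action, target))
    for s in done:
        s["seconds"] = int((s["last"] - s["first"]).total_seconds())
        s["open"] = active.get((s["user"], s["device"])) is s  # never logged out
    return done

def who_has_open(events, path, at):
    """(user, device) pairs holding `path` open at time `at`."""
    held = set()
    for ts, user, device, action, target in events:
        if ts > at:
            break
        if action == "OPEN" and target == path:
            held.add((user, device))
        elif action == "LOGOUT" or (action == "CLOSE" and target == path):
            held.discard((user, device))
    return sorted(held)
```

Sessions flagged `no_login` or still `open` are the ones an auditor would review first, since the trail for them is incomplete.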

AN EYE TOWARDS THE FUTURE

A common theme in cyber security is not asking “what did happen?”, but “what might happen?” Just as predictive analytics help turn an eye towards a disastrous potential future, those in decision making positions within healthcare organizations need to do the same.

IT IS IMPORTANT THAT YOU TAKE STEPS TO MAKE SURE THAT YOUR ORGANIZATION IS PROTECTED AGAINST THE THREATS OF TODAY AND THE THREATS OF TOMORROW.

The major mistake that healthcare facilities make involves assuming that their current security measures are sufficient. That oversimplification accomplishes nothing on the best of days and only sets up a disaster on the worst.

The dirty little secret of cyber security is that you can never do enough to keep important medical information out of the hands of those who may wish to do you harm. Only by both understanding the threat and by taking proactive steps towards enterprise security can you enjoy the benefits that technology has to offer with as few of the downsides as possible.

EVERY YEAR THERE IS A LIST OF THE TOP DATA AND SECURITY BREACHES IN THE HEALTHCARE INDUSTRY. MAKE SURE THAT YOU’RE TAKING THE RIGHT STEPS TO KEEP OFF THE LIST.

ABOUT US

yourCloud: Together we take a workload by workload view to determine the best target infrastructure to deploy your business applications - on or off-premise.

yourData: What can we learn from your business data to help us craft intelligent solutions for protection, security, compliance and resiliency of your most important asset next to your people?

yourSecurity: As a team, we work together to establish a holistic and mature security posture that will help detect, prioritize, address and help prevent security breaches.

yourSupport: We ask, “Is everything essential to running my business fully protected?” Define and address gaps in coverage whether it be people, resources or knowledge.

Our goal is to provide strategic outcomes that align technology with the goals and objectives of your business.

For more info click or call 800.991.9274 - THINKASG.COM

YOUR TRUSTED IT CONSULTING AND SOLUTION PROVIDER, ALIGNED WITH YOUR BUSINESS

thinkASG enables technology and business alignment through timely expertise, services and solutions crafted to meet long-term vision, goals and objectives of the business.