The healthcare industry has unique data security concerns given HIPAA privacy and security regulations. Our industry must take great care to protect patient data, but how can we do this given the daily news of cyber crime and data theft from even the biggest and most successful companies in this country? There is no escaping the fact that responsibility for patient data security belongs to all of us. Healthcare professionals across the entire spectrum of services we provide, from clinical staff and administrators to the IT staff itself, must be aware of the security threats that face our facilities daily. The human element tends to create the biggest opportunities for exploitation and penetration of our IT systems.
Why Our Facility?
Many healthcare facilities might wonder why anyone would target their IT infrastructure. The answer may surprise you: many times cyber criminals are interested in the computing infrastructure itself for use in other illegal activities, such as storing data (for example stolen movies, pornography, hacked user data from other systems and so forth) or using the computing cycles to attack other networks. One fairly common use of hacked machines is for hackers to control dozens to hundreds of machines (“bots”) to overwhelm target networks with connection requests. Of course the cyber criminals might also seek credit card numbers from your patients, your corporate financials or, even worse, your patient data for identity theft purposes.
Do not be lulled into a false sense of security if you think your facility is too small to be a target. Small businesses, with their limited IT staff and small cyber security budgets, are in fact well-known and easy targets for hackers. No matter what the reason for an attack might be, it is imperative that all healthcare facilities periodically perform security audits to ensure their systems are as secure as possible; the risk is simply too high not to verify that your systems are secure.
Recently Community Health Systems (CHS), the largest non-urban provider of general hospital healthcare services in terms of number of acute care facilities, experienced a massive breach resulting in the exposure of 4.5 million patient records, making it the second largest breach in HHS’ records dating to 1997. Foreign hackers, believed to be from China, struck in April and June of this year and the long-term repercussions could be devastating. If one of the largest health systems in the country is not secure, what does this mean for your office or healthcare facilities?
The Human Element
Effective “security awareness” is essential to ensure the healthcare staff understand the security risks of operating any computing device that can access your healthcare network, including mobile devices, which carry unique security and privacy concerns in and of themselves.
Managing the security risks for your organization requires policies and procedures backed by periodic security training. An example of an enforceable security policy would be an “Acceptable Use” policy for information systems that limits connections to external networks or websites related to the business of the healthcare system or practice; another policy might restrict personal devices from connecting to the internal network. An obvious, but often ignored, policy is that corporate-owned hardware should never leave the premises with patient data on it. Cedars-Sinai Health Systems experienced a data breach when a password-protected laptop with 500+ patients’ private information was stolen during an in-home burglary, according to Health Data Management. Note that a login password alone does not protect data stored on a laptop’s disk; only full-disk encryption does that. A security policy only allowing data to reside on private clouds might mitigate data losses such as Cedars-Sinai suffered.
Security Awareness Training
An effective way to reduce the likelihood of successful attacks on your computing systems is to conduct periodic security training for all of your healthcare staff. A recent study by the IT industry trade association CompTIA of its members cited human error as the most common cause of information security breaches, with some 80 percent of respondents believing this human error was caused by a lack of security knowledge, a lack of proper training, or a failure to follow security procedures.
Proper training is cost effective, helps protect important data, and builds a security mindset among staff by weaving security into the operational fabric of your practice or healthcare system.
Your computers are not necessarily safe from Internet hackers even though they are likely behind a firewall. A basic question that is rarely asked is whether your computer systems need to be online 24×7. If the answer is not a clear yes, then make it part of your business operations (and security policy) to disconnect computers holding sensitive data from the network during non-working hours.
Preventative Medicine – Conduct Periodic Checkups
All healthcare systems and medical practices should take a preventative medicine approach to security by conducting periodic security audits through a trusted outsourced consulting firm. The objective of these security audits is to examine the internal processes and policies that prevent intrusion into your IT systems, and to review your healthcare organization’s plan for responding if a hacker has penetrated your machines. In addition to reviewing these security policies and practices, your organization might elect to have your systems “attacked” by trained “white hat” hackers, who can provide recommendations on how to secure your network against the vulnerabilities they uncover.
Clift Briscoe, Partner, Artius OCD