It’s simple to protect patient data from malware with the right tools, controls, and people in place.
This article was originally written for The PAHCOM Journal.
In the last few years, the healthcare industry has become a goldmine for attackers. According to the Department of Health and Human Services (HHS), over 125 covered entities and business associates experienced data breaches due to a hacking incident in 2015 (affecting more than 99 million Americans).
How do hackers gather patient (and other) data from healthcare systems? In virtually all hacking incidents, malware is the assumed culprit.
Malware is malicious software designed to gain access to a network, find sensitive data, and/or steal that data. Keylogger malware records every keystroke a user makes on a computer or mobile device, so the passwords it captures let criminals log into those same systems. Memory scrapers capture, or ‘scrape’, sensitive information from system memory and send it back to the attacker. Packet sniffing malware intercepts incoming and outgoing network traffic and decodes and analyzes whatever it finds, including anything sent without encryption.
Once installed, malware gives attackers a foothold from which they can read, copy, and exfiltrate everything the compromised account can reach, and with an administrator account that is effectively everything. Think of all the patient data that could be extracted.
Although malware has been infecting computers for decades, new strains are created every day. These new strains often go unrecognized because they are written to evade signature-based anti-virus software. Some can update themselves to avoid detection, or automatically reinstall in a different location if deleted.
Malware knows no boundaries. According to the Ponemon Institute’s Annual Benchmark Study on Patient Privacy and Data Security, criminal attacks on healthcare increased 100% in 2014. Because healthcare is notorious for its lack of security, healthcare organizations are a target for new waves of malware attacks. Most healthcare attacks go undetected due to a lack of security knowledge and implementation of proper security tools.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and the HHS issues and enforces its Security Rule to protect patients' electronic protected health information (ePHI), and by extension the organizations that hold it. Several Security Rule requirements directly make it harder for attackers to get malware onto your systems.
Three that should receive attention first are: keeping systems current with security patches, restricting administrative privileges, and whitelisting applications on each system.
One of the easiest ways for attackers to break into your system and install malware is through insecure remote access applications. Remote access is most often left unsecured in the following ways:
Many remote access systems come pre-installed with a default password, and those passwords are easily found via a web search. If you haven’t changed your default remote access password, you’re just making a hacker’s job easier.
An attacker must correctly guess both the username and the password to gain access to your system, so both should be hard to guess. Don’t use your organization’s name or a predictable pattern such as first initial plus last name. Instead, use fictitious usernames like Spok236. Keep in mind that a non-obvious username is only a modest extra hurdle against automated guessing; it is no substitute for a strong password and lockout after repeated failures.
Only provide remote access to those whose job requires it, and never share remote access credentials, since a shared account makes it impossible to tell who did what. One of the best ways of correctly determining who should have access is by setting up user privileges by role. First, define roles that correspond to your organization’s structure. Hospitals will likely have 20+ different roles; physician offices will probably have fewer than 10. Each role is then assigned the minimum amount of access required for an employee to perform his or her job, and that role determines their level of remote network access.
Using a single factor (a password) makes it easy for attackers to gain access: one phished, guessed, or reused password is all they need. Requiring a second factor for every remote login greatly reduces that risk. Two-factor authentication means a login must present two of the following three kinds of evidence (a username does not count as one of the two factors): something you know, such as a password or PIN; something you have, such as a phone or hardware token; and something you are, such as a fingerprint.
For example, if you implement a password and a one-time PIN sent through SMS to your phone, an attacker would have to learn your password and also control your cell phone before gaining remote access to your systems. Be aware that SMS is the weakest form of second factor, because codes can be intercepted through SIM swapping or by malware on the phone; an authenticator app or a hardware token is preferable where your remote access system supports it.
One of the biggest weaknesses in any organization is its employees. Your staff doesn’t necessarily know the dangers of malware and might accidentally download it if not properly trained.
Train your staff never to browse the Internet, check non-work email, play online games, or do anything unnecessary on computers that handle ePHI. They should know never to click on unsolicited links or open unexpected attachments, especially in email.
Another important thing to train your staff on is social engineering. Social engineering happens most often when individuals pose as janitors, IT staff, public services, or telecommunications professionals. Criminals pick these roles because such people are often granted unrestricted access and their actions are not monitored. No one should be allowed into areas holding sensitive data, or given access to the systems in them, without verified authorization, regardless of the uniform they wear or who they claim to be.
I hope the technical information presented in this article didn’t make you feel overwhelmed. But if you do feel overwhelmed, discuss these data security points with your IT vendor, or consult with a HIPAA compliance vendor. They can assist you with understanding and implementing the most current security processes and procedures. It’s simple to protect patient data from malware with the right tools, controls, and people in place.