Medical data security matters to patients, medical professionals, and employees of healthcare organizations. To adequately secure patients’ electronic Protected Health Information (ePHI), all healthcare organizations and auxiliary offices must maintain a strong defensive posture. For medical offices in the United States, failing to securely transmit and store ePHI is a violation of HIPAA. Negligent cybersecurity practices, such as leaving servers that hold patient data unencrypted, result in reputational and monetary losses. More importantly, there is the risk to patients: cybersecurity incidents create chaotic environments in offices, with procedures needing to be rescheduled, ambulances being rerouted, and patient data at risk of being stolen and sold on the dark web.
To defeat vulnerabilities in the healthcare sector, organizations must be able to diagnose threats and create an effective treatment plan.
Vulnerabilities in Medical Data Security
The first step to treating an issue in medical data security is to acknowledge where the weaknesses are in the current defensive posture. A sober look at the symptoms an office is exhibiting is important: do update notifications of software get ignored? Do employees indiscriminately open email attachments, or express confusion over their responsibilities in the event of a security incident? Are machines connected to an unsecured Wi-Fi router?
Outdated Machinery
Medical offices and hospitals are full of specialty machinery. These pieces of equipment are expensive, so they are often kept in operation as long as they still run, even when their age makes it increasingly difficult to secure their connections to each other and to the medical office network. These legacy machines continue to perform their tasks, but they are not treated as networked devices that can serve as a gateway into the healthcare organization’s digital network. These items are part of the Internet of Things (IoT) and should be secured accordingly. Even though an imaging machine does not look like a high-risk networked device, anything with a connection to the internet is at risk of being breached or used as a pivot point to further network access.
Healthcare IT departments are responsible for the security of thousands, or even hundreds of thousands, of devices. With the technicalities that come with managing that many systems, patch implementation may be slow. While patches are delayed, updates designed to address known software vulnerabilities are left on the table, and threat actors can replicate successful attacks across organizations using tried-and-true strategies.
Human Error
Staff and employees are the backbone of each organization, but they are also potential weak links. Many risky staff actions are not malicious: it seems faster to run to the bathroom without locking a workstation, but this is a gap in defensive posture that shows a lack of data privacy training. Sometimes, actions that seem to highlight an employee’s dedication to the job and to quality patient care are also a security risk, such as answering work emails from a personal cellular device or using a work computer on public Wi-Fi during a lunch break.
The damage that can be done unintentionally by human actions is separate from the risk posed by internal threat actors. Staff, employees, vendors, and contractors can be bribed, threatened, or coerced into providing information; a software program or a physical lock box cannot. Internal threats need to be tackled differently from errors.
External Attacks
Healthcare organizations are at great risk for attacks by an outside malevolent force. The data they possess is valuable on the dark web. External attacks, such as phishing (and variants such as spear phishing, whale phishing, etc.) can provide access to an office’s network with devastating consequences. DDoS attacks can take down websites by drowning the site in fraudulent traffic, and ransomware attackers encrypt entire systems and demand payment in return for access.
Medical offices and vendors that handle medical information, such as insurance and billing agencies, are also at risk for data theft. Doctors’ mobile devices can be snatched, exposing patient files, credentials, and passwords that may help an attacker gain access to a broader network. Unprotected Wi-Fi routers, or faulty uses of a VPN, can allow access to online traffic.
Healthcare providers and support organizations need to take these broad concerns under consideration when assessing where their vulnerabilities are, though these are just a starting point. Specific organizations may have unique concerns, such as remote workers’ home offices or the physical safety of offices.
Treatment Plan
Once healthcare organizations have assessed their current defensive posture, they can begin treating issues. Taking steps before a cybersecurity incident shows care for patients, medical professionals, and employees.
Protect Software and Hardware
Update software regularly. New versions and patches are designed to respond to vulnerabilities, increase efficiency, and optimize the technology. Up-to-date software is primed to combat the latest known threats, which means that attackers aren’t able to replicate breaches utilizing known weaknesses.
Organizations such as the FDA track cybersecurity vulnerabilities in healthcare devices and publish updates on their websites, along with recommendations to mitigate risk.
Invest in protecting the endpoints of healthcare networks. Physically secure endpoints with locked cabinets, cameras, and secure facilities. Invest in software that manages encryption and provides avenues to remotely manage mobile devices, tablets, and computers. Verify that the software is HIPAA compliant. Streamline the process by implementing a software such as DriveStrike that can locate missing devices, remote wipe data from hard drives, and manage encryption.
Create Backups
Encrypted system backups will protect medical offices from forced closures in the face of a ransomware attack. Groups such as the Federal Bureau of Investigation advise against paying the ransom — even if the ransom is paid, there is no reason to assume control will be returned or that data will not be sold on the dark web later. Having an encrypted backup in a separate location allows medical practices and healthcare support businesses to continue serving patients. Regularity is key, so IT specialists should maintain a backup schedule. With this data secured separately, healthcare organizations will be prepared to continue operations, even in the event of a data breach.
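A backup only protects an office if it is recent and if it actually restores intact. The following Python script is an added example, not DriveStrike’s or the page’s own code: it constructs a small sample data set in a temporary directory, records a SHA-256 manifest at backup time, verifies a restored copy against that manifest (catching a tampered or corrupted file), and checks that the newest backup falls within the schedule window. The file names, the 24-hour schedule, and the `demo()` helper are assumptions for illustration; encryption of the backup at rest is left to whatever backup tool the office already uses.

```python
"""Backup integrity and freshness check (added example, not the page's code).

Builds a manifest of SHA-256 digests when a backup is taken, verifies a
restored tree against it, and flags backups older than the schedule allows.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str, taken_at: datetime) -> dict:
    """Record a digest for every file in the backup plus when the backup was taken."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_restore(restore_dir: str, manifest: dict) -> list:
    """Compare a restored tree to the manifest; return a list of problems (empty = clean)."""
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"digest mismatch: {rel}")
    return problems


def backup_is_fresh(manifest: dict, now: datetime, max_age: timedelta) -> bool:
    """True if the backup was taken within the schedule window (assumed: 24 hours)."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= max_age


def demo() -> tuple:
    """Construct sample data, back it up, then check a clean and a tampered restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ehr")
        os.makedirs(src)
        with open(os.path.join(src, "records.db"), "wb") as f:
            f.write(b"constructed sample data, not real ePHI\n" * 100)

        taken = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(src, taken)  # store this beside the backup

        # A faithful restore reproduces every digest.
        good = os.path.join(tmp, "restore_good")
        shutil.copytree(src, good)
        good_problems = verify_restore(good, manifest)

        # A restore with one flipped byte (simulated corruption or tampering) is caught.
        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "records.db"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        bad_problems = verify_restore(bad, manifest)

        schedule = timedelta(hours=24)
        fresh = backup_is_fresh(manifest, taken + timedelta(hours=20), schedule)
        stale = backup_is_fresh(manifest, taken + timedelta(days=3), schedule)
        return good_problems, bad_problems, fresh, stale


if __name__ == "__main__":
    print(demo())
```

The manifest should travel with the backup to the separate location so a restore can be verified there, not only on the machine that produced it; a scheduled job that runs `backup_is_fresh` and `verify_restore` against the latest copy turns “we have backups” into something the IT team can actually prove.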
Update Company Policy
Telehealth appointments, video interpreters, digital medical records: all of these have created a more convenient experience for patients and increased the availability of information for doctors around the world. With that being said, healthcare organizations need to make sure their policies are formulated to maintain the health of their security posture.
Medical practices and their support businesses should maintain a Mobile Device Management program optimized to protect patient data from attackers and cybersecurity incidents. Multi-Factor Authentication should be instituted for all accounts where the option is available. For data as sensitive as ePHI, completely banning access to work material on personal devices is best practice. It is a serious breach if a doctor or nurse loses a cell phone that contains emails with patient details, or credentials to access secured parts of a medical complex.
Engage in threat hunting and penetration testing to proactively locate breaches, threats, and vulnerabilities. When weak points are found, take decisive action to strengthen those parts of the organization.
Medical offices and businesses in the healthcare sector should review their Incident Response Plan, and update it as necessary. Having a plan in place to act quickly is key to mitigate damage in an emergency situation when patient information or proprietary data is at risk.
Train Humans
Employee and staff training is the heart of any plan to strengthen a healthcare system’s defensive posture. Comprehensive staff training should not merely be a lecture on cybersecurity topics; it should include practical methods for identifying and handling phishing emails, guidance on proper password hygiene, and demonstrations of workspace security. Management should take proactive steps to create a culture of data protection, with regular reminders and policies in place to incentivize safe behavior. Adopt a policy of least privilege so staff and employees have access only to the minimum amount of information they need to complete their tasks. Human engagement is the most valuable asset of a cybersecurity plan – creating a culture of vigilance is one of the best ways to maintain data security.
An ounce of prevention is worth a pound of cure. Assessing the state of an organization’s medical data security is a core aspect of protecting patients and employees – take steps to improve the health of your cybersecurity program today!