How to hack-proof your medical practice
[Note: an excerpt of the article was published in Healthcare Innovation News, July First Edition 2016.]
There was once a time that malicious hackers would skirt medical practices and health systems—a kind of a gentlemen’s agreement among thieves that sick people shouldn’t be a target for their nefarious plans. But that time has past. February’s ransomware attack of Hollywood Presbyterian Medical Center in Los Angeles was a wakeup call for the healthcare industry. And security experts expect that ransomware and other cyber attacks will increase due to the high value and sensitive nature of healthcare data.
Breaches are especially costly to healthcare providers both in terms of revenue lost and reputation lost. Due to the personal nature of health data, they could also result in lawsuits against your organization. When working with your IT service provider, discuss the value of a three-pronged approach that protects against future threats, prepares in case of a breach, and develops a recovery action plan to limit the damage.
There are a number of proactive steps that practices can take to reduce their risk profile. While HIPAA standards establish some requirements to ensure a minimum level of security for electronic protected health information (ePHI) security, meeting HIPAA is far from sufficient for protecting against an intentional hack of your practice.
Here are some considerations to help protect against a hack in the first place:
- Run free online tools such as https://www.qualys.com to get a basic idea of how secure your network is. Address any security gaps in the website or network as quickly as possible.
- Keep servers and desktop computers up to date with the latest security fixes and update malware software. Microsoft, for instance, provides an auto-update service to keep Windows current. Remember, however, that there are no security updates for obsolete operating systems. Security updates ensure systems are less vulnerable to being hacked. Not updating systems leaves them vulnerable to known attacks.
- Deploy the appropriate firewalls and network security measures. These are networks’ first line of defense against attack. Firewall software also needs to be kept up to date so that known attacks and hacks are detected and prevented. The stronger the firewall, the less risk to the overall network.
- Keep public wifi separate from private wifi as public wifi networks provide tempting targets for the would-be hacker and can provide access to the private network.
- Educate users on good password management as many breaches result from poor password management. Once a hacker obtains a valid user id and password it’s much easier to acquire the administrative password and cause more damage.
- Educate every worker on the most up-to-date tactics of malware perpetrators. Everyone from front desk staff to physicians needs to be wary of pernicious email attachments and other commonplace methods for accessing the medical practice’s network. Schedule a brief quarterly meeting to focus on security.
It is impossible to guarantee that your organization will never be the target of cyber crime. One of the most important things you can do is to start viewing your organization’s security infrastructure the same way a would-be hacker sees it. Identify the weak links and get a sense of just how porous your security perimeter really is.
- Leverage the hackers within. A recent survey of U.S. IT leaders by Canadian security firm Absolute found that 33% had hacked their own or another system. While organizations may frown upon IT professionals breaching their own protocols, the reality is that you may already have valuable insight within your organization about your security gaps, and how to fix them.
- Hire an outside third party to analyze the network. Unbiased outside experts are paid to give objective security profile assessments and will find weaknesses that any internal assessment misses. Immediately address any issues.
- Perform a penetration test (PENTEST) on the network to expose known security vulnerabilities. Most practices are unaware of vulnerabilities until an actual breach occurs. Once the PENTEST results are known, take the appropriate corrective action to address the vulnerabilities. Most third party companies that analyze networks will also perform this service.
- Keep abreast of successful hacks within other organizations. Knowing the techniques and methods of attack can help a practice to develop a stronger defensive posture. If your practice identifies similar vulnerabilities, take corrective action.
The Absolute survey found that 25% of organizations with fewer than 500 employees did not have a security breach disaster recovery plan in place. But smaller organizations are often more vulnerable to breaches in the first place, due to less sophisticated encryption and fewer backup systems. Medical practices need to view these recovery plans as they do malpractice insurance: you hope to never need it, but you wouldn’t think of practicing without it.
- If you don’t have a recovery plan in place, do it now. It should include clear instructions on who is in charge during the recovery, where backup files will be housed, how data will be accessed during the interim recovery period, and who will have access during that time.
- Pay particular attention to mobile devices and media as mobile devices are stolen and lost every day. Access to a lost mobile device is an open invitation to be hacked. Develop strong policies for bring-your-own-device to work systems. Ensure all users of mobile devices understand the risks and importance of managing their data. Your organization may want to include emergency tactics – such as automatically wiping data from mobile devices beyond a certain distance from your facility.
- Make sure you know right away when you’ve been hacked. Perform a review of all policies at least annually and review system logs frequently for potential security problems. Practices are often completely unaware they have been hacked until error logs have been checked.
The possibility of a security breach is every IT leader’s nightmare. In the case of Hollywood Presbyterian, the medical center was forced to pay a ransom of 40 Bitcoins ($17,000) to unlock their machines, despite assistance from the FBI and LAPD. The hit to their reputation—plus the two-week lock out from crucial patient data—was far greater.
Taking a proactive stance to prevent, prepare for and recover from a cyber attack is the best medicine to ensure that patient information doesn’t fall into the wrong hands, and patient care is not compromised.
By Dan Henderson, Aprima Release Manager & HIPAA Security Officer