How the Healthcare Industry Can End Its Cyberwarfare
Jun 21, 2016 07:00AM ● Published by MED Magazine
By Marie Ruettgers
With nearly all software, applications, systems, and devices now connected to the Internet, the transition from paper records to electronic medical records (EMR) has left the healthcare industry exposed to cyber criminals. The Ponemon Institute has reported that some 94 percent of the healthcare organizations it surveyed had suffered at least one data breach.
How, then, can the industry protect itself? It is no easy task, but the following five steps close the gaps that attackers most often walk through.
Train Your Staff
Staff training is imperative to closing the gaps that EMR systems open. No, it is not just the IT department’s concern. It takes only one untrained user to expose thousands of patients’ documents to ransomware. All employees should be trained not only to understand their system, but also to understand the risks of cyber attacks. The Department of Homeland Security recently urged healthcare employees not to use computer disks or flash drives unless they come from a trusted source. Extra caution should be taken with email as well: ransomware typically arrives as a routine-looking message whose attachment or link installs the malicious software when opened, and the files it can reach are encrypted before anyone notices. Cyber attacks can, and do, start anywhere. Employees must be trained to act with caution.
Backup Your Data
Yes, it is a no-brainer. Even so, healthcare organizations such as Hollywood Presbyterian Medical Center have paid expensive ransoms to attackers when they could not restore their systems from backups. Ransomware, as its name indicates, only pays off when the victim has no other way to get the data back. Products and services such as GoodSync specialize in data backup, and every healthcare organization should consider outside help with it. Two cautions apply: keep at least one copy offline or otherwise out of reach of the production network, because ransomware that can reach a backup share encrypts it too, and test restores on a schedule, because a backup that has never been restored is unproven. Organizations should also follow industry and manufacturer/vendor best practices for securing all their devices, including printers and personal medical devices.
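The restore test described above, as an added example that is not part of the original article or of any vendor’s product: it creates a small constructed set of sample files, archives them, records the archive’s SHA-256, restores the archive into a scratch directory and compares every restored file with the original byte for byte. The file names and contents are invented for the demonstration; a second run deliberately corrupts the stored archive to show that the digest check refuses it.

```python
"""Back up a directory and prove the backup is restorable.

Added example, not from the article or any vendor's product. A backup that
has never been restore-tested is only a hope; this drill turns it into
evidence: archive, record the digest, restore to scratch, compare.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample files standing in for an EMR export; not real records.
SAMPLE_FILES = {
    "patients/0001.txt": b"sample record one\n",
    "patients/0002.txt": b"sample record two\n",
    "config/settings.ini": b"[emr]\nversion=1\n",
}


def write_sample_data(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_of_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> str:
    """Write a gzip tarball of source and return its SHA-256.

    Keep the digest, and the archive itself, somewhere the production
    network cannot overwrite: ransomware that reaches a backup share
    encrypts it along with everything else.
    """
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return sha256_of_file(archive)


def verify_restore(archive: Path, expected_digest: str, original: dict) -> dict:
    """Restore the archive into a scratch directory and diff it against original."""
    report = {"digest_ok": False, "restored": 0, "missing": [], "changed": []}
    if sha256_of_file(archive) != expected_digest:
        return report  # altered or corrupted in storage: do not trust it
    report["digest_ok"] = True
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
                tar.extractall(scratch, filter="data")  # rejects path traversal
            else:
                tar.extractall(scratch)
        restored = snapshot(Path(scratch))
    report["restored"] = len(restored)
    for rel, digest in original.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["changed"].append(rel)
    return report


def run_drill(tamper: bool = False) -> dict:
    """Create data, back it up, optionally corrupt the archive, then verify."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "emr_export"
        source.mkdir()
        write_sample_data(source)
        original = snapshot(source)
        archive = Path(work) / "emr_export.tar.gz"
        digest = create_backup(source, archive)
        if tamper:  # simulate bit rot or an attacker altering the stored copy
            data = bytearray(archive.read_bytes())
            data[-1] ^= 0xFF
            archive.write_bytes(data)
        return verify_restore(archive, digest, original)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered archive:", run_drill(tamper=True))
```

The digest is stored apart from the archive on purpose: an attacker who can rewrite the backup can also rewrite a checksum kept beside it. In practice the same drill is run against a real restore target, not a scratch directory, so that the time to recover is measured as well.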
Construct an Emergency Plan
When mistakes happen and systems are breached, an emergency plan is vital. The plan should include an analysis of the financial and legal implications of a cyber attack. Is there a system your organization cannot function without? If so, decide now how you would operate while it is down, and consider whether that dependency can be reduced. The 2015 Anthem breach, which compromised the names, birthdates, member IDs, Social Security numbers, email addresses and postal addresses of roughly 80 million people, shows the scale a plan must anticipate. Bottom line: have a plan to detect an attack, contain it immediately, and meet the notification obligations that follow.
Perform Regular Audits
Who has access to your system? Is the system running the expected version of the operating system and software? What are the peak loads, data dropout rates, and number of wireless access points (APs)? These questions should be asked routinely. By auditing at regular intervals you confirm that your system is configured and running as approved, and that nothing has appeared that the approved configuration does not explain. The best way to prevent an attack is to catch your own misconfiguration before an attacker does. When auditing, do not forget infrastructure such as wireless and wired links, and check that stored data is encrypted at rest and that data crossing those links is encrypted in transit.
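An audit of this kind is a diff between an approved baseline and what is actually observed. The following is an added example, not code from the article: BASELINE and OBSERVED are constructed dictionaries standing in for an asset-register entry and a configuration export from one hypothetical EMR application server; the host name, versions, account names and dates are invented. Anything present that the baseline does not explain becomes a finding.

```python
"""Audit a host by diffing its observed state against an approved baseline.

Added example, not from the article. The data below is constructed; a real
audit would pull the observed state from the host or a configuration
management export and the baseline from the asset register.
"""
from datetime import date

# Constructed approved baseline for one hypothetical EMR application server.
BASELINE = {
    "os_version": "Ubuntu 16.04",
    "software": {"emr-app": "4.2.1", "postgresql": "9.5"},
    "accounts": {"emradmin", "svc-emr", "dbbackup"},
    "max_idle_days": 90,      # an account unused longer than this is stale
    "disk_encryption": True,
    "wifi_access_points": 2,
}

# Constructed observed state collected from that server on the audit date.
OBSERVED = {
    "os_version": "Ubuntu 14.04",
    "software": {"emr-app": "4.2.1", "postgresql": "9.5", "teamviewer": "11"},
    "accounts": {"emradmin", "svc-emr", "dbbackup", "jsmith", "admin"},
    "last_login": {
        "emradmin": date(2016, 6, 15),
        "svc-emr": date(2016, 6, 20),
        "dbbackup": date(2015, 11, 2),
        "jsmith": date(2016, 6, 19),
        "admin": None,        # never logged in: looks like a default account
    },
    "disk_encryption": False,
    "wifi_access_points": 3,
}


def audit(baseline: dict, observed: dict, today: date) -> list:
    """Return (severity, finding) tuples; an empty list means compliant."""
    findings = []
    if observed["os_version"] != baseline["os_version"]:
        findings.append(("high", f"OS is {observed['os_version']}, "
                                 f"expected {baseline['os_version']}"))
    # Software: anything not in the baseline is unapproved, wrong versions are drift.
    for name, version in sorted(observed["software"].items()):
        expected = baseline["software"].get(name)
        if expected is None:
            findings.append(("medium", f"unapproved software installed: {name} {version}"))
        elif version != expected:
            findings.append(("high", f"{name} is {version}, expected {expected}"))
    # Accounts: unknown accounts are the classic way access outlives its approval.
    for name in sorted(observed["accounts"] - baseline["accounts"]):
        findings.append(("high", f"account not in approved list: {name}"))
    for name in sorted(baseline["accounts"] - observed["accounts"]):
        findings.append(("low", f"approved account missing: {name}"))
    last_login = observed.get("last_login", {})
    for name in sorted(observed["accounts"]):
        last = last_login.get(name)
        if last is not None and (today - last).days > baseline["max_idle_days"]:
            findings.append(("medium", f"stale account, last login {last}: {name}"))
    if baseline["disk_encryption"] and not observed["disk_encryption"]:
        findings.append(("high", "stored data is not encrypted at rest"))
    if observed["wifi_access_points"] != baseline["wifi_access_points"]:
        findings.append(("medium", f"{observed['wifi_access_points']} wireless APs seen, "
                                   f"{baseline['wifi_access_points']} expected"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(BASELINE, OBSERVED, date(2016, 6, 21)):
        print(f"[{severity:6}] {text}")
```

Run against the constructed data, the audit reports seven findings: an out-of-date operating system, remote-access software nobody approved, two accounts outside the approved list (one of them a default-looking `admin`), a backup account nobody has used in months, unencrypted storage, and one more wireless access point than the register knows about. The same function returns an empty list when the baseline is audited against itself, which is the check to run before trusting it on real data.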
Change Up Your Passwords
Password protection is key in preventing cyber attacks. When creating passwords, prefer passphrases, longer sequences of words, for added security; length buys more than symbol substitutions do. Every password should have real entropy, should be unique to the system it protects so that one stolen credential does not open others, and should be changed on a regular basis and immediately when compromise is suspected. Attackers routinely try lists of default and common passwords against every system they can reach, and default passwords are well known. Every item requiring a password, whether printer, router, or computer, should have its default password changed.
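To make the entropy point concrete, the following added example (not from the article) scores passwords two ways: by brute force over the character set a password uses, and, for passphrases, by how many words an attacker who knows the word list must guess. The short list of default and common passwords is a constructed excerpt (real lists hold millions of entries), and the 7,776-word list size is the Diceware convention; the 60-bit threshold is an assumption chosen for the demonstration.

```python
"""Estimate how much an attacker must guess, and catch default passwords.

Added example, not from the article. KNOWN_WEAK is a constructed excerpt of
a default/common-password list; DICEWARE_WORDS follows the Diceware
convention. A brute-force model flatters short "complex" passwords and
overrates passphrases, so passphrases are scored per word instead.
"""
import math
import string

# Constructed excerpt of default and common passwords, lowercase.
KNOWN_WEAK = {"admin", "password", "123456", "letmein", "welcome", "qwerty", "printer"}

# Substitutions attackers undo before matching against a dictionary.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})

DICEWARE_WORDS = 7776   # size of the standard Diceware list (6**5)


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Bits an attacker needs to enumerate every string of this length and alphabet."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Bits when the attacker knows the word list and guesses whole words."""
    return word_count * math.log2(wordlist_size)


def normalize(pw: str) -> str:
    """Lowercase, drop trailing digits/symbols, undo leet substitutions."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def evaluate(pw: str, min_bits: float = 60.0) -> dict:
    """Score a password; 'ok' is False if it is a known weak password or too short."""
    reasons = []
    if normalize(pw) in KNOWN_WEAK:
        reasons.append("default or common password once substitutions are undone")
    words = pw.split()
    if len(words) >= 2:
        bits = passphrase_bits(len(words))
        model = f"{len(words)} words from a {DICEWARE_WORDS}-word list"
    else:
        bits = brute_force_bits(pw)
        model = f"{len(pw)} characters over a {charset_size(pw)}-symbol alphabet"
    if bits < min_bits:
        reasons.append(f"about {bits:.0f} bits ({model}); {min_bits:.0f} required")
    return {"bits": round(bits, 1), "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("admin", "P@ssw0rd", "correct horse battery staple",
                      "correct horse battery staple violin"):
        print(repr(candidate), evaluate(candidate))
```

`P@ssw0rd` satisfies every character-class rule and still fails twice: it normalizes to a word on the default-password list, and eight characters over a 94-symbol alphabet are only about 52 bits. A four-word passphrase scores about 52 bits under the word model as well, which is why the fifth word matters; it lifts the phrase past the threshold without anyone having to remember a symbol.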
With the shift to EMR and the growing number of electronic exchanges of health care information between patients, insurers, doctors and pharmacists, cyber security has become a critical part of the healthcare industry. If your healthcare organization has experienced a security breach, talk to a lawyer specializing in cyber security. Healthcare organizations must familiarize themselves with the dangers of cyber attacks and follow best practices for configuring systems and monitoring them for abuse. The time to act is yesterday.
Marie Ruettgers is Managing Attorney at Goosmann Law Firm