Feb/March 2016

The healthcare industry is a fabulous target for hackers looking to gain access and compromise databases full of diverse patient data. Think about the treasure trove that is there for the taking if they can gain access remotely: bank account information, credit cards, social security numbers, address, phone, email, diagnoses, electronic prescriptions, specific patient health-insurance information, and much more. This makes one wonder: when does healthcare stop being a medical issue and start becoming a security one?

Compromised Patient Data
On the dark Web, stolen medical information can fetch 10x more money than a standard compromised credit card. These days, many patients have higher co-pays and thus pay via credit card, so when hackers steal patient data, the card details are like a bonus in the data file. This stolen data is lucrative to hackers, who buy and sell it in order to file fraudulent medical claims in someone else’s name as a form of identity theft. This chain of vulnerable medical data can lead to further kinds of fraud, including obtaining hard-to-get prescription drugs, and even to medical misdiagnosis. This directly affects the doctor’s malpractice insurance coverage and their patients’ health.

The incidence of medical identity theft continues to rise. This most recent report shows that it has nearly doubled since the first study five years ago. In 2014, there were almost 500,000 more victims than in 2013.

Remote Access Risks
There are constant advances in technology being implemented throughout healthcare organizations to improve efficiencies and make data more readily available to doctors. When doctors can use this big data efficiently, they can provide a great level of care to patients. These advances save time, which saves money and, more importantly, lives. Enter the hacker, who exploits these advances in technology that are often cutting edge, untested on a greater scale, and have many unknown exploits. The hacker will gain access through remote portals, network servers, or directly from stolen user credentials. They might start by compromising an internal healthcare computer network or server that holds patient data. All they need is the legitimate login credentials of an IT administrator, and then they can start their remote hacking from the comfort of their own home. Data breaches such as this often go undetected, as a skillful hacker will carefully erase any evidence of their theft. And since they are generally using authorized credentials during the breach, no suspicious red flags or alerts are triggered.

Remote Access Solutions
The best way to authorize remote access to sensitive patient data is to implement layers of effective security. Start with long and strong passwords that are not easily guessed or hacked: at least 15 characters made up of upper- and lower-case letters, numbers, and symbols. Another essential security layer that should be implemented throughout the organization is two-factor authentication for granting remote access to all systems that contain patient data. Two-factor authentication adds a second level of security to an account login, such as entering a PIN or a one-time code only the authorized user can receive in a text message.

Of course nothing is 100% hack-proof, but two-factor authentication is much more than just twice as hard to hack as a standard username and password. It requires hackers to have direct access to hardware or proximity to some designated device which increases security substantially. Limiting remote access and local access to certain types of data to specific applications (also known as least privilege) will help to minimize remote access risks as well. The HHS (Health and Human Services) recommends implementing and mandating strong encryption solutions for transmitting any patient data as well as not ever allowing the transmission of patient data over open networks. This is standard security protocol and should be the baseline of any secure data network.
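
As an added illustration (not part of the original article), the short Python audit below checks a remote-access log against the three controls described above: two-factor authentication for remote logins to patient-data systems, least privilege by application, and encrypted transport. The log columns, system names, and sample rows are constructed assumptions, not any real product's format.

```python
import csv
import io

# Constructed sample events (not real data); the column layout is an assumption.
SAMPLE_LOG = """user,source,system,application,factors,transport
dr_lee,remote,ehr-db,ehr-client,password+otp,tls
it_admin,remote,ehr-db,ssh,password,tls
billing1,remote,ehr-db,report-tool,password+otp,tls
nurse_k,local,ehr-db,ehr-client,password,tls
dr_lee,remote,ehr-db,ehr-client,password+otp,plaintext
it_admin,remote,mail,webmail,password,tls
"""

# Hypothetical policy: which systems hold patient data, and which
# applications are approved to reach each one (least privilege).
PATIENT_DATA_SYSTEMS = {"ehr-db"}
ALLOWED_APPS = {"ehr-db": {"ehr-client"}}


def audit(log_text):
    """Return (row_number, user, reasons) for each event that breaks policy."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=1):
        if row["system"] not in PATIENT_DATA_SYSTEMS:
            continue  # the policy here only covers systems holding patient data
        reasons = []
        factors = {f for f in row["factors"].split("+") if f}
        # Valid credentials alone raise no alarm, so single-factor remote
        # logins are exactly the sessions worth surfacing.
        if row["source"] == "remote" and len(factors) < 2:
            reasons.append("remote login without second factor")
        if row["application"] not in ALLOWED_APPS.get(row["system"], set()):
            reasons.append("application not approved for this system")
        if row["transport"] != "tls":
            reasons.append("patient data sent without encryption")
        if reasons:
            findings.append((n, row["user"], reasons))
    return findings


if __name__ == "__main__":
    for n, user, reasons in audit(SAMPLE_LOG):
        print(f"row {n}: {user}: {'; '.join(reasons)}")
```
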

When healthcare organizations weigh the advantages of remote access to improve healthcare, they need to balance this with effectively mitigating the risks. The last thing anyone wants to think about when they walk sick into the doctor’s office is whether they will be the next victim of a hack.

By Scott Schober, President, CEO, and cyber security expert, Berkeley Varitronics Systems, Inc. scott@bvsystems.com
