Hollywood. It’s famous the world over for movies, celebrities, glitz, glamour and – as of February 2016 – one of the most highly publicized cyberattacks and IT security breaches in health care history.
A hospital in the area bearing the Hollywood name, Hollywood Presbyterian Medical Center, became the latest target of a high profile cyberattack. It was the victim of ransomware that encrypted data across the hospital’s IT systems, forcing staff back to paper and fax for more than a week, until the hospital paid a ransom of 40 bitcoin, about $17,000 at the time.
While ransomware has been around for several years, the attack brought it to the forefront of public consciousness, and served as a reminder that hospitals and health care systems are both attractive targets for cyber criminals and susceptible to their attacks.
The Means and the Motive
Retailers have faced the threat of hackers since the dawn of the internet. The health care industry, however, was not as much of a focus for the dark underbelly of the cyber world until 2009, with the passage of the HITECH Act.
The Act provided incentives for providers to adopt electronic health records, moving large volumes of patient data onto networked systems. Anytime a trove of personal data is moved online, it automatically becomes a target for fraud and/or extortion, regardless of industry.
While people are rightly concerned about having their credit card information stolen, health information is an even more attractive target for criminals. A card number can be cancelled and reissued; a medical history, Social Security number and insurance ID cannot, so a stolen record stays useful for fraud far longer. Why else?
“Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry,” notes a recent INFOSEC Institute article. The story goes on to state that more than 29 million Americans have had their health information hacked since 2009.
Pillars of a Secure Healthcare Information Program
Given the market on the dark web for personal health records, it is incumbent on hospitals and health systems to do everything possible to prevent cyberattacks and protect patient data.
Baylor Scott & White Health believes an effective information security program takes a layered, multifaceted approach.
Be Realistic. A good health information security program is realistic about what works and what doesn’t, and realistic about the fact that not every unauthorized access can be prevented. In other words, at a large health system like Baylor Scott & White, with thousands of users and thousands of devices across hundreds of locations, it is impossible to keep the bad guys out in perpetuity. So being able to limit the damage a hacker or unauthorized user can do, by restricting what any one compromised account or device can reach, is crucial.
Practice Basic Hygiene. It’s not exactly the cool, cutting-edge stuff you read about in IT trade magazines, but keeping every device in the organization patched, keeping firewall rules current, and keeping data encrypted at rest and in transit is crucial to keeping known weaknesses from being exploited. There’s a reason manufacturers issue patches and make updates: most successful attacks use vulnerabilities for which a fix already exists.
Strong ID Access and Management. Identity and access management is often one of the most challenging aspects of information security given the size of the workforce employed by health care systems and the number of settings (hospitals, clinics, practices and so on). Having a program in place to effectively onboard and offboard staff, granting only the access a role requires and quickly revoking it when someone leaves or changes roles, is the cornerstone of being able to restrict access to systems. Accounts that outlive their owners’ employment are a favorite way in for attackers, because nobody is watching them.
Internal and External Assessments. A good information security team is like a team of security guards constantly making rounds, checking the doors and locks, and probing for weaknesses. Being proactive in seeking out vulnerabilities, through internal reviews and independent external testing, is vital to discovering what needs to be fixed and where and how to deploy resources.
Leverage Peers. Talking to counterparts at other health care organizations and to information security industry groups about the attacks they are seeing, and about the controls they have tried that worked and didn’t work, is vital to planning for the future and knowing what types of attacks may be coming.
Awareness. Awareness. Awareness. From social engineering to phishing to ID management, making sure employees are educated about how bad guys might try to gain access to systems is critical. Often, regular staff members are either the first or the last line of defense in stopping an attack or containing it.
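One concrete way to keep onboarding and offboarding honest is to reconcile the HR roster against the account directory on a schedule and flag anything the two disagree about. The script below is an added example, not code from Baylor Scott & White or from the original article; the roster and account records are constructed sample data, and the 90-day staleness threshold is an assumed policy value.

```python
"""Offboarding reconciliation: compare an HR roster with directory accounts
and flag access that should already have been revoked.

Added example (not from the original article). Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

STALE_DAYS = 90  # assumed policy: enabled accounts unused this long get reviewed


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]  # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]       # None = never logged in
    groups: FrozenSet[str]


def reconcile(hr: List[HrRecord], accounts: List[Account],
              today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Return findings grouped as revoke / orphaned / stale.

    revoke   - HR says terminated, directory says enabled (offboarding gap)
    orphaned - enabled account with no HR record at all (nobody owns it)
    stale    - enabled, active employee, but unused for > STALE_DAYS
    """
    hr_by_id = {r.user_id: r for r in hr}
    findings: Dict[str, List[Tuple[str, str]]] = {
        "revoke": [], "orphaned": [], "stale": []}

    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to revoke
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings["orphaned"].append(
                (acct.user_id, "enabled account with no HR record"))
        elif rec.status == "terminated":
            days = (today - rec.termination_date).days
            priv = " (privileged)" if "domain-admins" in acct.groups else ""
            findings["revoke"].append(
                (acct.user_id, f"terminated {days} days ago, still enabled{priv}"))
        elif acct.last_login is None or (today - acct.last_login).days > STALE_DAYS:
            findings["stale"].append(
                (acct.user_id, "no login in the last %d days" % STALE_DAYS))
    return findings


# Constructed sample data: an HR export and a directory export as of one day.
AS_OF = date(2016, 2, 22)
SAMPLE_HR = [
    HrRecord("u100", "active", None),
    HrRecord("u101", "terminated", date(2016, 1, 15)),
    HrRecord("u102", "active", None),
    HrRecord("u103", "terminated", date(2015, 11, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("u100", True, date(2016, 2, 20), frozenset({"clinicians"})),
    Account("u101", True, date(2016, 1, 14), frozenset({"domain-admins"})),
    Account("u102", True, date(2015, 10, 1), frozenset({"billing"})),
    Account("u103", False, date(2015, 10, 30), frozenset({"clinicians"})),
    Account("u999", True, date(2016, 2, 1), frozenset({"vendors"})),
]

if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF).items():
        for user_id, detail in items:
            print(f"{category:8s} {user_id}: {detail}")
```

Run against the constructed data, the script reports u101 under revoke (a privileged account still enabled five weeks after termination), u999 as orphaned, and u102 as stale; u103 is silent because it was disabled correctly. In practice the two inputs would be the HR system export and a directory query, and the "revoke" list is the one that should page someone.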
There is no perfect system or program to prevent every attack by the guys in black hats. But a comprehensive approach to information security can go a long way in keeping the most crucial data – patient information – out of their hands.