Article

Protect Sensitive Non-Acute Patient Data With Cybersecurity Solutions

January 22, 2021
Hooded figure on laptop

Data breaches are an ongoing and increasingly difficult problem for healthcare providers—both from external and internal sources. The COVID-19 pandemic has exacerbated the issue.

Non-acute healthcare providers are looking for information on how to ensure their patient data is secure. Fred Langston, CISSP, CCSK, executive VP of Professional Services for CI Security, has more than two decades of experience in information security for healthcare organizations. In this Q&A, he offers some advice.

Q: What mistakes are non-acute facilities making that leaves their data vulnerable?

A: Many facilities experienced mergers and acquisitions. That usually means they’re mixing and matching security teams and technologies. Maybe they acquired an organization with a vastly lower level of security, like if they’re buying small clinics and building a clinic network, which can bring risk. They’re usually not planning for that security issue ahead of time, so they play catch up later to bring the acquisitions up to speed.

Another common problem is non-acute facilities that have a Managed Services Provider administering their networks. If the service provider has unaddressed security issues, then bad guys will target them. Criminals target vendors with high-value customers like healthcare companies. It’s easier to go after managed service providers with a lot of clients than to go after the clinics individually. That’s why it’s important to work with a vendor that can demonstrate it has taken appropriate measures to secure its own systems and networks.

Q: Is electronic protected health information (ePHI) often at risk?

A: You have a lot of people interacting with your IT systems where ePHI is stored. With medical devices, how much of that information never lives in the clinic’s IT operations but lives in the cloud? Where is that data going and what systems is that data flowing through on its way to storage in a database or EMR system? All of the systems that the data passes through provide opportunities for someone to capture the data in transit. You need to know the data endpoints because if data is ultimately being stored in the cloud, you need to make sure the cloud environment is secure. Many organizations make the mistake of securing their in-house networks but assuming that their cloud provider handles all of the security for them.

Data often flows in and out of your organization in various ways, and you may not have considered all of them. This is especially true for growing organizations adding new technologies and medical devices that use cloud services.

Q: Are you seeing more attempts to hack patient data?

A: For the last 10 years, patient data has been the No. 1 target. If you’re a bad guy, it’s better than credit cards and Social Security numbers. Ransomware, which is a malicious software that prevents a company from accessing its data or network operations unless a ransom is paid, is also becoming more prevalent. It’s more difficult to  steal patient data by compromising a system from the internet than to launch a ransomware attack via a simple phishing email that extorts the medical facility by withholding access to systems and data. Criminals can get money faster with ransomware, demanding a big payout instead of taking months hacking in and extracting data, and then selling it to a black market broker.

But, the bad guys are smart. They are now doing both things at once: stealing data first, then launching ransomware. So even if you say, “No, we’re not going to pay. We can recover quickly using our data.” They counter by saying, “In that case, we’re going to sell your data on the black market to the highest bidder. Then you’ll have the regulatory agencies breathing down your neck, fines, audits and front page news.” Criminal hacking organizations are nothing if not innovative and realize there are a multitude of ways to extort you. 

Q: Why is patient data so valuable to criminals?

A: Probably the No. 1 use is fraudulent insurance claims, such as all sorts of Medicare and Medicaid fraud. Some use it to receive care fraudulently. Also, if a celebrity comes in, the likelihood of someone with unauthorized access looking at the person’s record is surprisingly high. It’s one of the main ways insider breaches happen, and you can monetize this information by selling it.

Q: With COVID-19, more patients are using telehealth solutions. Is this resulting in spikes in theft of patient data?

A: We have a double whammy due to COVID-19. It encouraged criminals to ratchet up their activities to the highest levels I’ve ever seen. Since COVID-19 hit, my incident response teams have been working 24/7. There is absolutely no question that the threat level has rapidly gone up. Working from home and telehealth have clearly added an entirely new set of attack surfaces. Healthcare has always been a little behind because facilities need to spend money on cutting-edge healthcare technologies, so it’s hard to also spend on cutting-edge security technologies, which have been put on the back burner.

Q: Stats show most healthcare breaches are caused by insiders. How can facilities stop this?

A: Sometimes insider breaches are caused not by someone doing something malicious, but because employees did something they thought was appropriate for their job, then they saw data they should not have seen and it becomes a reportable incident. Clinics should make sure only people with proper access can see sensitive data.

The fines, increased auditing costs, notification costs and everything clinics have to pay for in a breach are costly. If you’re not a multinational corporation or a big clinic, this can put you out of business.

Q: What basic cybersecurity steps can non-acute facilities take to ensure patient data is safe?

A: I’ve been in information security for 30 years. On day one, my first recommendation was, “Patch your systems.” I’m still making that same recommendation at the same frequency. Encrypting data is also critical. If you’re not encrypting every piece of ePHI inside your organization, then you’re making a mistake. If you’re going to invest money, invest it on patching and encrypting.

Multifactor authentication, with username, password and a code sent via a text or an app, also has become essential. The best practice to recover from a ransomware attack is to ensure strong backups. It’s based on a 3-2-1 formula. You have three copies of the data in two formats, like disc and tape, and one copy offsite, updated weekly, where the bad guys can’t get it.

And, you should be monitoring for attacks around-the-clock. Criminals are inside a healthcare network for more than 200 days on average. If you can spot them and kick them out in hours, your breach will be exponentially less impactful. 
Every bit of security is important.

You Might Also Like

Ready to Get Started?

Take the next step to start saving.

Become a Member