Q: What mistakes are non-acute facilities making that leave their data vulnerable?
A: Many facilities experienced mergers and acquisitions. That usually means they’re mixing and matching security teams and technologies. Maybe they acquired an organization with a vastly lower level of security, like if they’re buying small clinics and building a clinic network, which can bring risk. They’re usually not planning for that security issue ahead of time, so they play catch-up later to bring the acquisitions up to speed.
Another common problem is non-acute facilities that have a Managed Services Provider administering their networks. If the service provider has unaddressed security issues, then bad guys will target them. Criminals target vendors with high-value customers like healthcare companies. It’s easier to go after managed service providers with a lot of clients than to go after the clinics individually. That’s why it’s important to work with a vendor that can demonstrate it has taken appropriate measures to secure its own systems and networks.
Q: Is electronic protected health information (ePHI) often at risk?
A: You have a lot of people interacting with your IT systems where ePHI is stored. With medical devices, how much of that information never lives in the clinic’s IT operations but lives in the cloud? Where is that data going and what systems is that data flowing through on its way to storage in a database or EMR system? All of the systems that the data passes through provide opportunities for someone to capture the data in transit. You need to know the data endpoints because if data is ultimately being stored in the cloud, you need to make sure the cloud environment is secure. Many organizations make the mistake of securing their in-house networks but assuming that their cloud provider handles all of the security for them.
Data often flows in and out of your organization in various ways, and you may not have considered all of them. This is especially true for growing organizations adding new technologies and medical devices that use cloud services.