* Article first written for and published on Daft Blogger, an e-journal.
Today, hospitals and healthcare organizations face many risks that they did not have to deal with until a few years ago. This ever-growing list of risks includes social engineering, redundant applications within a network, keeping patient files secure and confidential yet available, and escalation of privileges. The last two, in my opinion, are the most difficult to cope with at present.
Keeping patient files confidential and secure is the number one priority of hospitals and healthcare organizations, as mandated by government regulations such as HIPAA and HITECH. With the requirement to keep patient data safe come threats from both inside and outside an organization. Outside threats such as malware have been known to target healthcare data. Some recent examples have come from the United States and Australia, where criminal gangs have used a type of malware called ransomware to encrypt servers full of patient data and hold them for ransom for large sums of money. Although only a handful of these incidents have occurred, malware constitutes a serious threat against which healthcare organizations need to defend by ensuring that their networks and patient-data servers are hardened and properly backed up.
Other outside threats, such as physical attacks on healthcare organizations, have occurred as well, most notably the Sutter Healthcare incident, where a person physically broke in and stole a desktop computer that stored the records of millions of patients. Making sure that all desktops and laptops are properly encrypted and physically secured at all times helps mitigate this risk. This includes securing server rooms and other highly critical machines.
Insider threats more often take the form of an employee snooping in another person’s medical record. Although these cases do not receive as much press coverage as malware attacks, they happen frequently. One way to prevent this is to install a monitoring application such as FairWarning that can send alerts when a medical record has been viewed by unauthorized personnel.
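The alerting described above comes down to comparing each record access in the EHR audit trail against a documented care relationship. The following Python example is added here to show that logic; it is not FairWarning's product or any hospital's data. The audit-log column layout, the care-team table, the list of staff members who are also patients, and every user and patient ID are constructed for the example.

```python
import csv
from collections import Counter, namedtuple
from io import StringIO

# Constructed EHR access-audit export.  The column layout is an assumption for
# this example; "reason" is non-empty only when the user entered a
# break-the-glass justification at the time of access.
AUDIT_LOG = """\
timestamp,user,role,patient,action,reason
2013-03-04T08:02:11,nurse_12,nurse,P1001,VIEW,
2013-03-04T08:05:40,dr_07,physician,P1001,VIEW,
2013-03-04T09:14:02,nurse_12,nurse,P2042,VIEW,
2013-03-04T09:15:30,clerk_03,billing,P1001,VIEW,
2013-03-04T11:47:55,dr_07,physician,P2042,VIEW,ER consult
2013-03-04T12:01:00,nurse_12,nurse,P3000,VIEW,
2013-03-04T12:01:00,nurse_12,nurse,P1001,UPDATE,
2013-03-04T13:22:09,nurse_12,nurse,P2042,VIEW,
"""

# Constructed care-team assignments: patient -> users with a documented
# treatment (or billing) relationship to that patient.
CARE_TEAM = {
    "P1001": {"nurse_12", "dr_07"},
    "P2042": {"nurse_31"},
    "P3000": {"nurse_12"},
}

# Constructed: patient records that belong to hospital employees, which are
# the usual target of colleague snooping and warrant a higher-priority alert.
STAFF_PATIENTS = {"P2042"}

Alert = namedtuple("Alert", "timestamp user patient kind")


def review_access_log(log_text, care_team, staff_patients):
    """Return one Alert per access that lacks a documented care relationship.

    Accesses backed by a break-the-glass reason are reported under their own
    kind so a reviewer confirms the justification instead of treating the
    access as snooping.
    """
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user"], row["patient"]
        if user in care_team.get(patient, set()):
            continue  # expected access: user is on the patient's care team
        if row["reason"].strip():
            kind = "break-the-glass"
        elif patient in staff_patients:
            kind = "staff-record-access"
        else:
            kind = "no-care-relationship"
        alerts.append(Alert(row["timestamp"], user, patient, kind))
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Users with at least `threshold` unjustified accesses, for escalation."""
    counts = Counter(a.user for a in alerts if a.kind != "break-the-glass")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = review_access_log(AUDIT_LOG, CARE_TEAM, STAFF_PATIENTS)
    for a in found:
        print(f"{a.timestamp} {a.kind:22} {a.user} -> {a.patient}")
    print("repeat offenders:", repeat_offenders(found))
```

Run as a script it prints four alerts from the eight sample accesses: two views of the employee's record (P2042) by a nurse who is not on that care team, a billing clerk opening a clinical chart, and one break-the-glass access for a reviewer to confirm. The repeat-offender tally is what turns single alerts into a case for HR or compliance.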
Escalation of privileges
Escalation of privileged access is another growing risk that hospitals and healthcare organizations face, but one against which they rarely take mitigating countermeasures. Organizations can deploy the usual AV (anti-virus) and IDS/IPS (intrusion detection/prevention systems), but if you do not know who has access to which application, this can be a huge risk that could result in a breach from the inside. With thousands of applications in use and new users being added daily, the task of monitoring every user can be very daunting, which is why it is imperative that healthcare organizations have an Identity and Access Management (IAM) program. Using an IAM tool such as SailPoint, users can be assigned access privileges based on their role within the organization, while access certifications are sent to managers to verify their staff’s access in the various applications. In fact, with an IAM tool one can completely automate the process of creating a new user, assigning access privileges and revoking those privileges. This helps an organization not only to protect itself from the inside out but also to achieve the much-needed transparency about what its employees can access.
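The role-based assignment, automated joiner/mover/leaver handling and manager certification described above can be modelled in a few dozen lines. The Python below is an added illustration of that model, not SailPoint's API or data model; the role catalogue, application names, entitlement names and user names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: role -> {application: entitlements}.  A real
# IAM deployment loads this from the tool's role model, not a literal.
ROLE_CATALOG = {
    "nurse": {"ehr": {"chart.read", "chart.write"},
              "pharmacy": {"order.read"}},
    "physician": {"ehr": {"chart.read", "chart.write", "order.sign"},
                  "pharmacy": {"order.read", "order.write"}},
    "billing": {"ehr": {"demographics.read"},
                "billing": {"claim.read", "claim.write"}},
}


@dataclass
class Account:
    user: str
    manager: str
    roles: set = field(default_factory=set)
    # application -> entitlements granted outside any role; these are the
    # grants a manager most needs to certify.
    exceptions: dict = field(default_factory=dict)


class IdentityStore:
    """Joiner/mover/leaver automation and manager certification lists."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.accounts = {}

    def effective_access(self, user):
        """Application -> entitlements the user currently holds."""
        acct = self.accounts[user]
        access = {}
        for role in acct.roles:
            for app, ents in self.catalog[role].items():
                access.setdefault(app, set()).update(ents)
        for app, ents in acct.exceptions.items():
            access.setdefault(app, set()).update(ents)
        return access

    def joiner(self, user, manager, role):
        """New hire: one account, access derived entirely from the role."""
        if role not in self.catalog:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[user] = Account(user, manager, {role})
        return self.effective_access(user)

    def mover(self, user, new_role):
        """Role change: swap the role and drop ad-hoc grants; return what is
        now held and what must be revoked in each application."""
        if new_role not in self.catalog:
            raise ValueError(f"unknown role {new_role!r}")
        before = self.effective_access(user)
        acct = self.accounts[user]
        acct.roles = {new_role}
        acct.exceptions.clear()  # exceptions do not follow a user across roles
        after = self.effective_access(user)
        revoked = {app: ents - after.get(app, set()) for app, ents in before.items()}
        return after, {app: ents for app, ents in revoked.items() if ents}

    def leaver(self, user):
        """Termination: remove the account and return everything to revoke."""
        revoked = self.effective_access(user)
        del self.accounts[user]
        return revoked

    def grant_exception(self, user, app, entitlement):
        """Entitlement outside the role model; re-certified on every review."""
        self.accounts[user].exceptions.setdefault(app, set()).add(entitlement)

    def certification_report(self, manager):
        """(user, app, entitlement, source) rows a manager must attest to."""
        rows = []
        for acct in self.accounts.values():
            if acct.manager != manager:
                continue
            for role in sorted(acct.roles):
                for app, ents in sorted(self.catalog[role].items()):
                    rows.extend((acct.user, app, e, f"role:{role}") for e in sorted(ents))
            for app, ents in sorted(acct.exceptions.items()):
                rows.extend((acct.user, app, e, "exception") for e in sorted(ents))
        return rows


if __name__ == "__main__":
    store = IdentityStore(ROLE_CATALOG)
    store.joiner("a.lee", "m.chen", "nurse")
    store.grant_exception("a.lee", "billing", "claim.read")
    print("after move:", store.mover("a.lee", "billing"))
    for row in store.certification_report("m.chen"):
        print("certify:", row)
    print("revoke on exit:", store.leaver("a.lee"))
```

The design choice worth noting is that `mover` returns the revoked entitlements explicitly: the stale access left behind after a transfer is exactly the privilege creep the article warns about, and the certification report lists exception grants with their source so a manager sees at a glance which access was never justified by a role.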
Social engineering attacks and redundancy of applications
Other risks that hospitals and healthcare organizations face are social engineering attacks and the redundancy of applications, which can be a drain on system resources. Social engineering is the manipulation of human interaction to gain access to sensitive data. A recent, much-publicized example involved an Australian radio station that called the hospital where Duchess Kate was staying and, pretending to be the Queen of England, asked for updates on her condition. Preventing a social engineering attack is hard because it exploits a person’s willingness to help another, but training and awareness are effective methods of mitigating this risk.
Redundancy of applications in the healthcare field is nothing new, as every application is supposed to be an organization’s solution to a particular problem. The best way a company can lessen this risk is to develop a process that requires a valid business use case for the application and a security risk evaluation of it. Having guidelines such as these will reduce risk to an organization as well as the redundancy of adding yet another application to its environment.
As the risks have grown, though, so have the solutions offered by security technology. Today, thanks to research, innovative tools and advanced know-how are available to help these organizations be resilient, operational and able to provide the care that we expect from them. Yet, often, they are aware of neither the risks nor the solutions.