With the increasing risk of security breaches, bank and email accounts shouldn’t be the only areas of concern. Health care providers face an even more serious cyber security risk, since a breach can affect not only their financial bottom line but also their patients’ sensitive data.
Types of Sensitive Data
Several types of data are considered to be “sensitive data.” Any data that is protected by an organization’s policy is considered confidential and sensitive. Other forms of sensitive data include:
- Data whose disclosure would violate a confidentiality agreement
- Personal identity information that could lead to fraud or identity theft
- User and system credentials with which unauthorized visitors could gain access
- Information that could lead to unauthorized use of a medical account, including account numbers, usernames, and passwords
- Data that is subject to regulatory or legal oversight, including financial or medical records
- Any data whose unauthorized access could lead to reputational or financial loss.
The Truth About Cyber Threats and Attacks
It’s no secret that cyber threats and attacks have increased – but why? Many people believe it’s because more people are learning to hack and gain access to accounts. Unfortunately, it’s more than that. We’re unknowingly making it easier for cyber-attacks to occur. With the explosive growth of devices that easily connect to the internet, cyber-attack tools can send automated attacks against many accounts at once.¹ Of all the industries, such as finance, communications, pharmaceutical, education, and others – healthcare has the highest breach risk because of the sensitive information it holds.²
Motivation and Risks With Cyber Attacks
The main motivation for criminals to create a cyber threat or attack is identity theft. For example, a woman in Utah experienced identity theft and found that she had been billed $10,000 for hospital services used by the person who stole her identity. Another example is the extortion that took place at Hollywood Presbyterian Medical Center in Los Angeles. This scenario occurred due to ransomware that took their computers offline and demanded a ransom. The Medical Center eventually had to pay $17,000 to regain access to their information.
Digital attacks on healthcare also pose serious risks to patient safety. For example, a security researcher found a flaw in hospital pumps which could potentially have delivered fatal drug doses to patients. Another example is that pacemakers could be vulnerable to the same kind of cyber-attacks and could be damaged.
Tools Involved With Security Breaches
Criminals use several tools when trying to create a security breach. Common tools are viruses, ransomware, Trojan horses, and worms. Botnets are another tool; the term is short for “robot network.” Ultimately, a botnet is a network of computers that are infected by malware and end up being controlled by a “bot-herder,” who commands all computers on the botnet.³ This tool allows an attacker to deploy malware, carry out financial breaches, send email spam, and launch other serious cyber-attacks.
6 Steps to Protect Your Health Care Facility
Thankfully, you can take several actions to protect your health care facility and patients against security risks. With all the different devices used to store records and other personal information, it may seem a bit overwhelming, but by following specific steps you can increase your safety.
- Opt for Passphrases Rather Than Passwords– Passwords can typically be guessed and exploited easily by a criminal. Password cracking tools lose their effectiveness once a password reaches around at least 10 characters. Passphrases take longer to type in, but they will provide your facility the security you need. Think of a unique sentence and add some symbols and numbers throughout. One example is: Ilove2cre8artwithGrandma
- Secure All Portable Data Devices– For optimal safety on all portable data devices, including cell phones, laptops, and electronic notebooks, install updates regularly so that the latest software patches and antivirus definitions are in place. Ensure that laptops used in your healthcare facility have full disk encryption. Furthermore, any device that holds sensitive PHI should be encrypted.
- Practice Safe Computing– Make sure you are regularly installing and updating your security software. For convenience, set your internet browser, operating system, and security software to update automatically. Never change your browser’s security settings, and always heed your browser’s security warnings. When you install new software, avoid installing any additional software bundled with it.
- Protect Emails With Patient PHI– Ensure you’re taking the proper precautions when handling emails to avoid any unintentional disclosures. Per the HHS, double check the email address for accuracy before sending an email to a patient. If a patient emails a provider, it’s safe for the provider to assume that communication through encrypted email is acceptable to the patient.
- Avoid Unencrypted USBs– While it may be convenient to store information on USB drives, it’s important to avoid any that are unencrypted. USB drives are often lost and sometimes even stolen. A quick tip is to disable autorun for USB drives, which otherwise opens the flash drive automatically as you plug it in; this helps prevent installation of malicious code. It’s beneficial to scan a USB drive before using it to ensure there is no malware, even if it’s brand-new. The American Dental Association sent out some USB drives and, without their knowledge, some of them carried malware, which was then traced back to the vendor who had originally sold them.
- Be Cautious When Disposing of Data– Per the HIPAA Security Rule, appropriate procedures must be in place for the removal or destruction of PHI. Electronic PHI or paper PHI can’t be disposed of in containers, dumpsters, or other ways that would let an unauthorized person gain access. Instead, if your healthcare facility needs to dispose of data, use hardware or software products to overwrite the media with non-sensitive data. An additional option is to purge the media by exposing it to a strong magnetic field, or to destroy the data outright.
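As an added illustration of the passphrase step above (this code is not from the article), the following Python applies the 10-character threshold the article cites, rejects single-class or well-known choices, and estimates the brute-force search space for a candidate secret, using the article’s own example passphrase as input. The policy constant and the tiny blocklist are assumptions for the example.

```python
import math
import string

# Minimum length the article cites as the point where cracking tools
# lose effectiveness (assumed policy constant for this example).
MIN_LENGTH = 10

# Constructed, deliberately tiny blocklist of common choices; a real
# deployment would use a large breached-password list instead.
BLOCKLIST = {"password", "welcome1", "letmein", "qwerty123"}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def character_classes(secret: str) -> set:
    """Return the names of the character classes present in the secret."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def search_space_bits(secret: str) -> float:
    """Estimate the brute-force search space, in bits, for a secret of this
    length drawn from the character classes it uses (0.0 for an empty secret)."""
    classes = character_classes(secret)
    if not classes:
        return 0.0
    alphabet = sum(len(CLASSES[name]) for name in classes)
    return len(secret) * math.log2(alphabet)


def check_passphrase(secret: str) -> tuple:
    """Apply the article's guidance: long enough, mixed character classes,
    and not a well-known choice. Returns (accepted, list_of_reasons)."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(secret)) < 2:
        reasons.append("uses only one character class")
    if secret.lower() in BLOCKLIST:
        reasons.append("appears on the blocklist")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Ilove2cre8artwithGrandma", "Welcome1", "password"):
        ok, why = check_passphrase(candidate)
        verdict = "accepted" if ok else "rejected: " + "; ".join(why)
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, {verdict}")
```

The search-space figure is an upper bound on what an attacker who knows only the length and character classes must search; a dictionary-derived phrase is weaker than this number suggests, which is why the blocklist check is kept separate.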
Cybersecurity can be overwhelming, but it’s in your facility’s and your patients’ best interest to safeguard patient PHI. Not to mention, as a healthcare provider, you have a legal and ethical duty to follow HIPAA procedures and policies. It’s critical for providers to be trained in new, innovative ways to protect themselves against security breaches.
¹ Weber, R.H., & Studer, E. (2016). Cybersecurity in the Internet of Things: Legal Aspects. Computer Law & Security Review, 32(5), 715-728. http://dx.doi.org.pnw.idm.oclc.org/10.1016/j.clsr.2016.07.002
² Ponemon Institute. (2016, June). 2016 cost of data breach study. Retrieved from https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN
³ Palo Alto Networks. (2017). What is a botnet? Retrieved from https://www.paloaltonetworks.com/documentation/glossary/what-is-a-botnet