Healthcare providers must first identify where hackers can enter their system before developing effective security measures
Because of their sensitive nature, medical records are a big target of hackers. In 2018 alone, HHS’ Office of Inspector General investigated nearly 400 reports of medical data breaches that potentially impacted thousands of patients, according to the Advisory Board.
Stolen healthcare records can have an enormous financial impact on a hospital system, said Terry Moon, assistant vice president of strategic sourcing, IT and cybersecurity at HealthTrust. The main concerns with stolen medical records are identity theft and filing false medical claims.
“In most cases, victims of fraud are not even aware that their information has been stolen until it’s way too late,” he said.
“The rich information in a medical record could include Social Security numbers, credit card numbers, birth dates, addresses and more, and is far more valuable than a single item of the same, with less effort to obtain.”
Once an intrusion has been verified, systems need to deploy network forensic experts to identify the root cause and bring a systematic approach to isolating the issues, mitigating the impacts of the breach and implementing permanent corrective actions.
“Depending on the data exposure and local laws, breach notification, credit monitoring and more are also put in place to help protect patients,” Moon said.
Know the threats
Phishing scams via email chains are a well-known threat. But Moon said one of the main ways hackers can breach a hospital system is through unsecure medical devices attached to the network.
“These devices are critical for patient care and must be protected from cyberattacks,” he said.
Historically, hospital systems have secured their networks at the perimeter using various methods, as well as deploying micro-segmentation internally throughout the enterprise to reduce the scope and risk of cyberattacks.
“While this has mitigated the issues considerably, the sophistication of attacks has also improved over time with social engineering becoming the most prevalent method used by attackers,” Moon said.
Today, medical device manufacturers need to make additional efforts to implement security controls within the devices themselves, creating a defense-in-depth approach to combating this extremely serious situation.
“Working together, hospital systems and manufacturers can create further barriers to reduce attack vectors and provide a safer environment for our patients,” Moon said.
Within the hospital or health system itself, Moon said ensuring that connected devices are protected is a highly complicated task due to the number of devices, the size and architecture of the network environment and the management of asset inventory. Many electronic systems and discovery tools need to be implemented to identify threats, manage inventories and control the flow of traffic.
“Hospital systems can continue to add protections by only acquiring medical devices that have security controls and making sure that each device is identified in an asset management database so that if a vulnerability is identified, the susceptible devices can be quickly located and patched or isolated from the network,” he said.
Security assessment
At the point of contracting with a service provider, HealthTrust conducts a formal security risk assessment on medical devices and supplies. Each system has to determine what is in its best interest according to its business strategy.
“A security assessment should be multifaceted and include working with the device manufacturers to understand the devices’ components and protocols used, dataflow diagrams, configuration options and implementation requirements,” Moon said. “From there, depending on the initial findings, deeper analytics may need to be performed, including the possibility of getting a device into a lab and trying to infiltrate it to determine what mitigation steps may need to be deployed if implemented.”
The assessment should also involve a cross-functional team of security engineers, clinicians and business owners, so that all stakeholders are fairly represented and the best possible outcomes are reached.
“As a final result, the contracting process should anticipate that a supplier who has implemented better security measures would be given higher considerations for an award,” Moon said.
Lessen the impact
In the event of a cyberattack, a hospital or health system should have a plan in place for disaster recovery.
“First and foremost, health systems should have a documented, verified, and repeatable defense along with an in-depth recovery plan that is tested routinely before any event takes place,” said Moon.
This should include:
- Real-time or near-real-time backups of critical systems (isolated from the rest of the network for protection)
- A dedicated officer of the company to champion this initiative and provide insight to the rest of the executive leadership
- Continuous education for end users and various other teams to ensure that when a disaster is declared, all hands are on deck with a full understanding of their responsibilities
“Having all of this in place before a disaster happens will lessen the impact to our organizations and the patients under our care,” Moon said.