Just days ago one of the country’s largest healthcare systems announced it had become the victim of a cyber attack from China. Personal data, including social security numbers, from millions of patients was accessed as part of the attack.
The so-called “APT 18” hacking group is suspected of being behind the attacks. The group, which may have links to the Chinese government, has historically targeted aerospace and defense-related companies.
This attack should serve as a warning to other hospitals and healthcare organizations of all sizes. Hospitals house a tremendous amount of personal data, including financial data, social security numbers and, of course, health information.
To uncover ways you can help protect your patient data and prevent security breaches in healthcare, we interviewed Jay Ketchaver, Manager of Information Technology and Security for Fathom Healthcare. Fathom Healthcare serves 15 healthcare systems, representing more than 700 hospitals and care sites across the United States.
Jay, what’s the first step a hospital or any organization with patient data should take to protect that data?
Jay: First, hospitals should develop comprehensive Risk Assessment Plans. These plans can identify potential weak points, determine best practices, and provide a roadmap for increased security. These plans should be reviewed and updated continually. Security assessments should also be performed regularly. Next, implement security awareness trainings for anyone who uses a computer. The biggest oversight most organizations make is neglecting the training of end users. Basic training of users upon hire and at least annually will help protect an organization. Users need to make sure they’re not making common mistakes.
What kind of mistakes?
Jay: A common one is clicking links in phishing emails. This can easily allow hackers to steal information or infect computers. Trainings should educate users on these types of risks.
In addition to training, what are some technical safeguards to put in place?
Jay: Antivirus, antimalware, encryption, and other precautions should be installed on all devices: desktops, laptops, tablets, anything that goes online. The software must be updated regularly, and monitored regularly. These tools can catch and block infections, and monitoring these systems can identify issues or causes for concern. Also, encryption can prevent data loss if a device is stolen.
What about everyday users? What can we do to protect patient data?
Jay: Software and operating system updates and patches should be installed on a regular basis. Hackers typically look for exploits in common software applications such as Java and Adobe Reader.
There is an expectation among patients that WiFi is available in hospital and doctor's office waiting rooms. How can you keep a secure network with so many unknown and unprotected devices?
Jay: Guest wireless networks should always be kept separate from your primary network. Never allow guest devices on your primary network.
Should hospitals limit websites users can access?
Jay: Where possible, some type of web filter should be used. Even if a user visits a legitimate website, it’s possible for a “drive-by” attack to infect the user’s computer with malware. If web browsing is restricted, the risk of infection from this attack vector can be mitigated.
How do you minimize the risk of a hacker accessing a hospital’s network through a user’s device?
Jay: All users, even IT administrators, should only be granted the rights and permissions they need to perform their everyday tasks. The less access a user has to a system, the lesser the chance a hacker can use their account or device in an attack.
Why is it every time we turn around there is a new hacking story in the headlines?
Jay: The threat of cyber attacks continues to grow. With an ever-increasing number of internet-connected devices accessing our networks, hackers have an increasing number of ways to exploit vulnerable systems and steal information.
Why do hackers hack?
Jay: That’s a little like asking “why do fools fall in love?” There are a lot of reasons. Some hackers hack so that they can sell private information, such as social security numbers or credit card information. Lots of money can be made selling patient and consumer data. Other hackers are committing corporate, industrial, or political espionage by compromising systems and stealing sensitive information, trademarked designs or strategic plans. For some, it’s about the thrill and the challenge. They hack for the rush of hacking.