Earlier this year Community Health Systems, which operates 206 hospitals across the United States, announced that hackers had broken into its computers and stolen the data of 4.5 million patients. Information such as patient names, Social Security numbers, physical addresses, dates of birth and phone numbers was accessed, putting the victims at risk of identity fraud. The FBI has warned companies in the healthcare industry about potential attacks from hacker groups.
Healthcare institutions are considered softer targets than other industries. Data is stolen for financial or medical identity theft, insurance fraud, sale of information, financial gain and blackmail. For companies in this sector it is very important not only to have security at every layer, but also to integrate those layers so they allow reliable detection, coordinated defense and efficient response. Some ways that healthcare companies can protect themselves from future attacks include:
- Security Risk Assessments – Performing regular security risk assessments gives your organization a better understanding of the risks posed to Protected Health Information (PHI) and Personally Identifiable Information (PII). The process helps identify gaps in your systems and lets you compare your security with others in the industry. The recommendations from the assessments can be used to update your overall information security program.
- Intrusion Detection and Prevention (IDS/IPS) – Implementing IDS and IPS helps detect and block attempts by cyber criminals to access data on your servers and networks. Proactive alerting mechanisms and monitoring services can notify you of attempted cyber-attacks and allow you to respond in real time as a component of your information security program. It is much less costly, both financially and reputationally, to prevent a breach than to be faced with notifying affected individuals and the Department of Health and Human Services (HHS), as required by the HITECH Act.
- Data Loss Prevention (DLP) – A DLP solution can monitor your network traffic for possible leakage of PII, such as Social Security numbers, and PHI, such as Health Level 7 (HL7) data (medical standards and procedure codes).
- Log Monitoring – Log monitoring centralizes and correlates audit logs from your applications and systems so you can identify improper access to sensitive patient data from internal or external sources. Proactive monitoring or regular review of logs is a key step in keeping patient data secure and in meeting the short time window the HITECH Act allows for breach notification.
- Web Application Security – Web applications are becoming more common in healthcare environments. Because of their growing role in the IT environment and the prevalence of security flaws, they are a frequent target of Internet hackers. Healthcare organizations and business associates should perform web application security testing regularly, and whenever significant changes are made to the applications, to protect against current threats. Implementing a web application firewall can also help protect against emerging attacks launched by cyber criminals.
- Encryption – Implementing strong encryption policies and technologies on mobile devices, laptops, portable storage and backup tapes is key to reducing your risk of improper data disclosure.
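An added example, not part of the CNN or SecureWorks source material, of the kind of audit-log review described under Log Monitoring above: it scans constructed EHR access-log lines against an assumed treatment-relationship roster and flags records viewed without a care relationship, as well as bursts of distinct-record access that suggest snooping or a bulk pull (the log format, field names and roster are all assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (not from any real system). Assumed format:
# <timestamp> user=<id> action=<VIEW|EXPORT> patient=<mrn> src=<ip>
AUDIT_LOG = """\
2014-09-02T08:01:10 user=nurse17 action=VIEW patient=MRN0001 src=10.20.1.5
2014-09-02T08:02:44 user=nurse17 action=VIEW patient=MRN0002 src=10.20.1.5
2014-09-02T08:05:02 user=billing3 action=VIEW patient=MRN0001 src=10.20.4.9
2014-09-02T08:05:03 user=billing3 action=VIEW patient=MRN0002 src=10.20.4.9
2014-09-02T08:05:04 user=billing3 action=VIEW patient=MRN0003 src=10.20.4.9
2014-09-02T08:05:05 user=billing3 action=EXPORT patient=MRN0004 src=10.20.4.9
2014-09-02T08:05:06 user=billing3 action=VIEW patient=MRN0005 src=10.20.4.9
2014-09-02T08:05:07 user=billing3 action=VIEW patient=MRN0006 src=10.20.4.9
2014-09-02T23:40:00 user=dr_lee action=VIEW patient=MRN0009 src=203.0.113.7
"""

# Constructed treatment-relationship roster: which users may see which patients.
CARE_TEAM = {
    "nurse17": {"MRN0001", "MRN0002"},
    "dr_lee": {"MRN0001"},
    "billing3": {"MRN0001", "MRN0002"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) patient=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, user, action, patient, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield (ts,) + m.groups()[1:]

def find_improper_access(log_text, care_team, max_patients=5, window=timedelta(minutes=10)):
    """Return (user, reason) alerts. Rule 1: access to a patient the user has no
    treatment relationship with. Rule 2: more than max_patients distinct records
    touched by one user inside a sliding time window (snooping / bulk pull)."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, patient)] still inside the window
    for ts, user, action, patient, src in parse(log_text):
        if patient not in care_team.get(user, set()):
            alerts.append((user, f"no treatment relationship with {patient} ({action} from {src})"))
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= window] + [(ts, patient)]
        distinct = {p for _, p in recent[user]}
        if len(distinct) > max_patients:
            alerts.append((user, f"{len(distinct)} distinct records within {int(window.total_seconds() // 60)} min"))
    return alerts
```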
Source: CNN and secureworks.com