As the healthcare industry adopts electronic medical records and increasingly relies on technology, providers and facilities face new challenges in protecting patient information and minimizing their exposure to cyber risks. The healthcare industry is the most targeted and the least prepared industry when it comes to cyber attacks. Criminal hacking is now the leading cause of healthcare data breaches because the average selling price for a medical record is 10 to 20 times that of a U.S. credit card number. Modern Healthcare estimates that 1 in 3 Americans have had their medical records compromised in some way.
What healthcare facilities and providers can do is take steps to manage their risk by getting expert help in pre-breach planning that may include self-assessment tools. A Wall Street Journal article outlined five specific steps organizations can take to help protect their computer systems – simple things that can make a difference.
#1 Keep up with patches. Many organizations are slow to update their software. This can leave them exposed to even the most rudimentary hackers who borrow tricks from last year’s breach. Here’s what happens – when software companies find a flaw, they release a patch and indicate how the flaw could be used for ill. It doesn’t take hackers long to figure out what hole the patch seeks to cover – and they immediately write tools to take advantage of it.
#2 Keep your online doors closed. Many businesses don’t know how many computers they have and sometimes they don’t know which ones are online. So computers end up online when they shouldn’t be – where they become a tempting target for hackers. When the government health-insurance exchange at HealthCare.gov was hacked, federal investigators learned the intruder got in through a Web-development server connected to more sensitive parts of the network. The server wasn’t supposed to be online, so it didn’t have the same protections as other HealthCare.gov machines. The solution is to ensure that only necessary machines are online and they are protected.
#3 Encrypt your data. If numbers are encrypted from the instant they enter your computers, there’s not a lot that hackers can do with them. For example, companies reported 298 data breaches to the state of California during 2012 and 2013. In 83 of those cases (more than a quarter of them), the lost or stolen data was not encrypted – affecting 2.6 million residents, according to a report from the state attorney general. Companies often avoid encryption because it can be expensive and can slow things down, but it’s certainly not cost prohibitive.
#4 Get rid of passwords. Hackers love them. According to Verizon, a quarter of the data breaches analyzed in a 2015 report could have been stopped if the victimized company had required more than a password to enter its network. Hackers have figured out that users often reuse the same password and email address for various accounts, from social media to banking. Google and Facebook have been experimenting with adding an extra layer of security by using a tiny USB token inserted into a computer to verify the user’s identity.
#5 Check out your vendors. Vendors working for your company often get the same access to your computers and may not treat security issues with the same severity. Anywhere from one-fifth to two-thirds of data breaches have been linked to hackers getting into a vendor or third party. The solution is careful oversight. Larger firms sometimes have vendors sign declarations on their approach to computer security.
These simple things can make a difference, but to significantly reduce the risk of a cyber attack, it’s wise to seek the advice of a cyber-security expert who can audit your systems and help you develop and implement a plan of action.