Did you know that medical data on 20,000 people could be exposed to abuse today? According to the U.S. Department of Health and Human Services (HSS), that is the number of people whose protected health information was breached per day on average in 2013. While healthcare practitioners may not realize the value of the data in their care, criminals certainly do. Clinicians and nurses may feel wary of security measures that might slow them down, but there are ways to improve security that will not cost precious moments in an emergency situation. Being lax with security can have a long-lasting impact on all of your patients, not just those with emergencies.
What Motivates Cyber Criminals?
You may be wondering what data healthcare practitioners have that is all that interesting to criminals. Are people really profitting by stealing records of little Johnny’s ear infection? Not necessarily, though insurance fraud and blackmail certainly do happen. It’s less often the specific details of treatment, but rather the treasure trove of information that electronic health records (EHR) contain that can be sold on the black market to perpetrate identity theft and financial fraud. While federal rules and regulations (namely the Health Insurance Portability and Accountability Act of 1996, or HIPAA) exist to help healthcare practitioners protect data, compliance with those rules does not necessarily equate with security.
Most of us think retail stores are the obvious choice for cyber criminals looking to wreak financial havoc. While Target retail stores stole the data hijacking headlines late last year, only 13 percent of the reported breach incidents in 2013 were in the retail sector, while 45 percent were in the medical field, according to Privacy Rights Clearinghouse (PRC). According to the HHS “Wall of Shame” where HIPAA violations are reported, more than 30 million records have been exposed between September 2009 and June 2014.
Obviously credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept both forms of payment from patients. But electronic health records may include other information that is useful to criminals as well.
Social Security numbers are often required for insurance purposes, and these can be used to steal a person’s identity, which can be a lot more problematic to correct than someone stealing your credit card. Physicians and insurance companies also gather a patient’s name, physical address, phone numbers and maybe an e-mail address. The black market for this sort of information is mature and robust, and criminals can expect a big payday if they target healthcare providers that are unprepared and unaware of the value of the information they are storing.
The bad news is that breaches are a very real and scary thing. The good news is that there are simple things you can do, as a healthcare practitioner, to protect that important data. Here are a few things that will help you improve your security without impeding your ability to respond to patients quickly.
Update early and often: Regular updates of all software is one of the most important things you can do to minimize the vulnerabilities criminals use to get into your machines. And, vendors often provide updates at no cost to you. When you get a notice from your vendor, be sure to go directly to the vendor’s website or a reputable app store to get the update as soon as possible. Some malware will pretend to be a software update warning, so this is an important step. Do not let that nagging update notice go unheeded.
Create layered defenses: While your security department may have robust protection for your network, mobile devices and cloud computing can make boundaries very foggy. It is important to protect data, as well as devices. Do not expect that because your company has security products that this will protect you against everything. Many times lost or stolen devices or login credentials are all criminals need to get into a network. Make sure you have a good quality anti-malware suite, including a firewall, on all devices that you use to access or discuss healthcare information (do not forget Android tablets, Mac computers and Windows machines). Be sure to keep your security software and malware definitions updated. Any important data should be encrypted both in storage and any time it leaves your machine, such as via e-mail or on devices such as smartphones or USB sticks. Do not discuss patient information on unencrypted channels such as SMS texts.
Go beyond passwords: If you are protecting a lot of patient data, a password alone may not be enough. Consider implementing two-factor authentication. This can be a biometric such as a fingerprint or a one-time passcode that is provided via a small digital key card or fob, or even a smartphone app. You can also increase your password security by upgrading your password to a passphrase — a short sentence is much more difficult to crack than a single word, and it can still be easy to remember. Each of your digital devices should be protected with a passcode or biometric, with a short time-out setting. That way, if one falls into the wrong hands, the data is not easily accessible.
Choose to protect your own device: Having the ability to use a mobile device to check on your work-related information whenever and wherever you are is a huge boon for responsiveness. But it also leads to a host of problems, as those devices are easily misplaced and they are less apt to be protected from malicious access. More and more offices are offering employees the choice of a mobile device, one that IT staff can scan for problematic apps or links, or remotely wipe in case the device is lost or stolen. If you are not offered this, you can still get many of the benefits with free or low-cost apps. Anti-malware scanners on Android devices can help you avoid problematic apps and links, and device-finder apps that can also wipe data from lost devices are available for all smartphone operating systems.
Practice the principle of least privilege: The principle of least privilege simply means that no person, machine or system should have access to things they do not strictly need. For instance: If you use a personal device at work and at home, you can create a separate profile for each location. And if you share that device with other people in either place, you can create a separate guest account that does not have access to your sensitive information.
Encrypt everywhere: As said earlier in the “layered defenses” tip, encrypting is a very simple and effective way to safeguard data. When we have something that is valuable, we lock it up when it is not in use. The same is true with data; valuable information should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should be through an encrypted connection. Having encryption from “end to end” minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
Watch out for leaky data: Wi-Fi is becoming a fact of life — there are free hotspots available wherever you go these days. But that public Wi-Fi can be an easy way for attackers to eavesdrop and snag your data in transit if it is not properly secured. It is best, if you are using Wi-Fi when you are out and about, to avoid accessing or transmitting sensitive information. If you do need to do so, it is very important to make sure the connection is encrypted. Using a VPN can help you create a private network connection between your own personal devices and work resources. When connecting to the Internet or office network from unfamiliar places, consider using your smartphone’s 4G connectivity or a 4G hotspot instead of sketchy public Wi-Fi.
Good security should not make doing your job impossible: With a variety of small changes, the effect on your ability to do work should be negligible. And the effect of maintaining your patients’ trust by protecting their data will certainly make your job easier.
Editor's note: Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. She enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.