Opinion: How medical practices can reduce data breaches
Health records and financial information are juicy targets for hackers, as they can use the harvested data for financial gain or for fraud, creating other accounts using personal data or using that data to compromise existing accounts.
In August of this year, a US-based hospital chain lost 4.5 million health records. These attacks are on the rise, as medical records are more valuable for the non-medical information they contain, which can be used to obtain credit or services using the victim’s details.
Australia has also had its dealings with hackers. In 2012, hackers used ransomware (a virus or software program designed to block access to a system until a payment is made) to demand $4000 to unlock a Gold Coast medical centre’s data.
However, with a little knowledge and careful planning, it is possible to prevent the majority of these attacks. I say the majority, as even large corporations fail to protect against some highly skilled hackers or a concentrated attack involving thousands of them.
The first step is to identify all possible avenues of attack. Medical practices and clinics are no different from traditional businesses in this respect, despite the value of the data they store. Most businesses, regardless of industry, include some or all of the following data repositories:
- Workstations and internal networks – normally comprised of staff computers that may or may not be connected to a server
- Wireless networks – a gateway to the entire network if unsecured
- Portable devices – notebooks, tablets and smartphones; if one is lost or stolen, ensure a remote wipe of all its data is possible
- Physical storage – filing cabinets, etc.
- The cloud – not normally a concern if the service provider uses encryption and is SSAE16 certified and complies with ISO security guidelines
- Employee devices – if a bring your own device (BYOD) policy is in place.
Evaluating the security of the business infrastructure is not a job for amateurs and it is always best to involve the services of an ethical hacker or penetration testing company. These companies will evaluate all aspects of the business, including vulnerabilities in physical security.
This is an important consideration as even rubbish is used by hackers to obtain data, making shredding and secure disposal of documents essential for any healthcare practice.
Even visitors can create risk as they peek over the shoulder of staff members to gather specifics (a technique hackers call shoulder surfing). This leads to another crucial aspect of security – staff awareness and training.
Your staff are often the weakest link when it comes to security and they are targeted directly and indirectly by hackers. Therefore, it is vitally important that staff are aware of the ways hackers gather their information.
Hacking attacks come in many forms but staff training can reduce the success rate of these attempts.
The most common ways they gather data are:
- By email – staff must never open an attachment from someone they do not know, as the chances are the attachment is a virus that will compromise data. This simple approach can eliminate ransomware as described earlier. Similarly, requests to update banking or other accounts should be reviewed carefully. Ignore all requests from Nigerian princes, as they only want your financial data
- On the web – staff must only interact with trusted websites and never download anything to company systems
- By reviewing social media – never post work-related details online and especially information that can lead to someone guessing a password for other accounts
- By exploiting vulnerable programs – as soon as an update is available, IT staff should install it, as hackers often attack networks as soon as a vulnerability is announced, taking advantage of time zone differences or delays in patching. Users of Windows XP, for example, are popular targets now that Microsoft has ended support
- By bypassing passwords and attempting to answer account security questions instead. If successful, the password is changed and the true user is locked out of the account
- By breaking into the actual premises and collecting data from the computers or servers
- By using cameras (a part of most portable devices) to gather data
- By analysing rubbish from the business – even rubbish must be controlled by use of cross-cut shredders or incinerators
- By stealing portable devices – never leave smartphones, laptops or other devices unattended.
If all of these tips are employed, then the chances of a data breach are lessened considerably. If strong passwords and encryption are used at every point in the documentation process, a hacker’s breach attempts become all the more challenging.
He or she will more than likely seek an easier target. It is also worth noting that security checks must be ongoing, never sporadic, as the threats evolve all the time. We must be ever diligent in protecting our medical data, despite hackers’ best efforts to compromise it.
Rob Khamas is an eHealth solutions strategist with REND Tech Associates.