Preparing Against Current Healthcare Cybersecurity Threats

Healthcare cybersecurity threats are continuously evolving, and covered entities need to ensure that they are implementing necessary and applicable security measures.

It’s hard to believe that anyone would think of anonymous hackers taking down websites and disrupting networks just for fun as the good old days, but in many ways they were. At least compared to today.

This is especially true when it comes to healthcare cybersecurity threats, as covered entities often hold large amounts of sensitive data that third-party attackers find extremely valuable.

The old school hack attacks tended to be one-offs, measuring sticks for bragging rights as to who had the best skills. Today there is an entirely different motivation: money.

Ransomware is the current hot-button issue, but other threats, such as stealing PHI and siphoning off or secretly redirecting reimbursements in the background, are also profit-driven.

Juniper Research estimates that cybercrime will cost businesses more than $2 billion globally by 2019, four times what it is today. And therein lies the problem.

Now that there is money in it, the heads of cybercriminal organizations can afford to hire armies of hackers to use technology or social engineering to find a way into healthcare provider or payer networks. Or they can purchase software on the Dark Web that does it automatically.

Either way, these dedicated resources can quickly overwhelm a provider or payer’s IT department where security is just one of many tasks they must manage each day. It’s like the Spartans facing off with the Persians at Thermopylae. Only without the benefit of a narrow passage to negate the cybercriminals’ superior numbers.

Instead, there are all sorts of avenues cybercriminals can take to gain entry. Which means IT can’t protect the entire enterprise alone. It takes a strong effort on behalf of everyone in the organization to truly take a big byte out of cyber risk.

The battle can essentially be broken into two fronts: technology and user. Following are some of the best practices for each.

The technology front

Obviously, this front is primarily IT’s responsibility, although users still have a role to play in it.

At this point, most organizations have their networks and internal technologies pretty well locked down. They are largely able to control what happens within their four walls.

The real threats generally come from outside the core IT infrastructure, beginning with the devices we all carry in our pockets.

If the business supplies smartphones or other devices such as tablets to users, IT can dictate whether (or which) apps can be downloaded, whether PHI can be stored on them and other critical aspects of use.

It can also dictate to users that if a smartphone is lost its contents will immediately be wiped.

Increasingly, however, we are living in a BYOD business atmosphere. While less expensive and more convenient for the business in some aspects, allowing BYOD creates a significant loss of control over which devices are used, how they’re set up, whether they have sufficient security provisions, and how users use them.

Some best practices on the technology side include:

  • Stipulate that if a personal device with access to the network is lost or stolen, IT will immediately wipe it clean. While users may worry about losing personal information, wiping the device will also protect against stolen passwords and credit card information.
  • Disable all external ports (USB ports in particular) that can be used to transfer data from the device onto an external hard drive or thumb drive, or malware from an external drive onto the device. IT may even want to disable the data transfer capabilities of charging ports on mobile devices, at least for users who travel frequently. Fake charging stations (an attack known as juice jacking) can quickly download all of the contents off a device, capturing valuable data, saved passwords and other information.
  • Prevent PHI from being downloaded into a device’s storage. That may mean changing technologies, which can be painful but not as painful as a data breach. Look for applications that enable users to view PHI remotely but do not download it onto the device.

The user front

The technology front is the easier one to manage. It is rules-based, and for the most part, IT has control over all the elements within it.

Getting users to become aware of healthcare security requirements and educating them on how to protect themselves (and the enterprise) is far more challenging.

It’s not just a matter of neophytes or technophobes versus experts.

Recently, a cybersecurity expert told a story on the radio about finishing a lecture on that topic. As he walked off the stage he saw a short message asking him to look over a document. He said he was about to click on the link when his Spidey-sense started tingling, and he then realized it was an example of spear phishing.

If an expert can be nearly fooled, it can happen to anyone.

The key to preventing these types of attacks is user education, especially about email and the use of mobile devices. Tell users:

  • Be very careful about opening emails or texts with messages such as “Hey check this out” or “Can you look this over” with no other context. Techniques such as spear phishing play on our natural tendencies to connect or to help others. When in doubt, users should ask a co-worker to review. They should also forward fake messages to IT to make them aware of the issue.
  • Never connect to an unsecured Wi-Fi network in a public location. It may be more convenient to connect directly than to go to the counter and ask for a password, but it’s not uncommon for cybercriminals to set up a Wi-Fi connection that appears to be provided by the business. Once users log onto that network, cybercriminals can see and capture all the data that passes through it and use key loggers to capture passwords for future intrusions.
  • Don’t react or respond to messages claiming to be from the IRS, FBI or some other government agency – especially if there is an urgent time factor attached. That’s not how government agencies operate. Again, the proper reaction is to either delete the email or ask a co-worker to give it a look and forward it to IT so they can address any security holes.
  • Never leave downloaded PHI on any device. Lost or stolen devices with PHI become a cornucopia for cybercriminals. Users should close all sessions when they are finished, preferably before they leave the facility. If they are reviewing data remotely, they should be sure to close the session and the application.
  • Never store passwords on a device. Yes, it’s inconvenient to have to enter a password each time users want to access an application, but better that than leaving a wide-open entryway into the network.

Finally, when it comes to security, users should be pessimistic in their approach. Assume any unusual emails or texts are attempts to breach the network, and any unsecured Wi-Fi networks are being used to steal data.

Preparing for the future

There are two other forms of attack on the rise that, while uncommon now, are likely to gain popularity among cybercriminals in the future.

The first is memory-level attacks. Most malware currently requires a file to be downloaded onto the user’s device before it can go to work. Yet as data breaches become big business, cybercriminals are now beginning to embed malware at the BIOS (basic input/output system) level. This sort of attack is much more difficult to detect.

Often it takes the form of a “sleeper.” The malware sits quietly in memory, watching and learning about the network and its weaknesses. When the time is right, it either “phones home” with a report so a stealth attack can be launched, or it launches the attack itself. Much damage can occur before the source of the attack is discovered because it can come from anywhere on the network – including individual users’ devices.

The second, which is just beginning to be seen, is the misdirect. Malware will enter the system and cause a disruption that is relatively easy to detect, i.e., cybercriminals want it to be caught. Then, while IT resources are focused on this obvious attack, a second stealthier and more damaging attack will occur. While you’re distracted in one area, the real attack comes from somewhere else.

Winning the healthcare cybersecurity battle

The road ahead for healthcare data security won’t be easy. Cybercriminals outnumber IT security resources, they are highly motivated by profits, and technology to help them achieve their goals is more available than ever. But with a concerted effort, and the assistance of better-educated users, payer and provider IT departments can still prevail.

Darrin Haehle is president and chief information officer of Wonderbox Technologies, a benefit administration software company focused on building next-generation technology for the specialty payer market.
