Did you realize that using out-of-date software, or software that is no longer supported by the manufacturer, poses a significant risk to PHI? This is notable because last month Microsoft stopped supporting the Windows Vista operating system (“OS”). While Vista is not widely used in the healthcare industry, an estimated 200 million users worldwide still run it.
Vista aside, you may well be running software that has reached the end of its supported life. This is concerning because without the security updates that a supported product receives, newly discovered vulnerabilities in it are never fixed, and attackers actively target exactly those vulnerabilities because they know a patch will never arrive. Encryption and anti-virus software do not mitigate this risk: neither does anything to stop exploitation of an unpatched OS vulnerability.
You should periodically (two to four times a year) run a vulnerability scan on your systems to detect unpatched software and software that is no longer supported by the manufacturer, and use the results of each scan to patch or update what it finds. A scanner only reports the vulnerabilities it knows about, so treat a clean scan as necessary rather than sufficient. If you are using an application or OS that the manufacturer no longer supports, migrate to a supported version as soon as possible; where that cannot happen immediately, isolate the system from the rest of the network as far as its function allows. These small steps are easy ways to reduce your risk and help you protect PHI.
New data indicates that small and medium healthcare organizations are a growing target of ransomware attacks. The data also suggests that of the victims of a ransomware attack that paid the ransom, only 45 percent got their information back.
This changes the thinking about ransomware from something you might be able to recover from, to something you should do everything possible to prevent. Good ransomware prevention is a combination of high-tech and low-tech solutions.
High-tech solutions start with adequate backups. If you have a good backup, you can restore from it and sidestep the decision of whether to pay a ransom at all. To be useful against ransomware, backups must be kept offline or on media the attacker cannot reach from the compromised network, because ransomware routinely encrypts or deletes any backup it can find, including mapped network shares and connected external drives. They must also be taken frequently enough that restoring from the most recent one loses no more data than you can tolerate. Finally, backups must be tested by actually restoring from them; a backup that has never been restored is an assumption, not a control.
Low-tech solutions include a disaster recovery plan and workforce training. Your disaster recovery plan should anticipate and address ransomware specifically, and it should require that you test both your backups and the plan itself regularly.
Training should also educate staff on how to spot and avoid a ransomware attack. In most instances, ransomware attacks begin with an employee opening an e-mail attachment or link that looks legitimate. Therefore, your workforce should know how to recognize such attempts, and what to do (and whom to tell) when they see one. A simulated phishing campaign is an excellent way to improve staff behavior: you send a benign phishing e-mail to staff, track who opens the attachment or clicks the link, and use the result as an opportunity to re-train those individuals.
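The three backup properties above (a copy the attacker cannot alter, taken often enough to meet a recovery point objective, and proven by an actual restore) can be checked mechanically. The script below is an added example written for this page, not code from the original post or any vendor; it builds a SHA-256 manifest of a backup, verifies a restored copy against it, and checks the backup's age against an assumed 24-hour recovery point objective. The file names, sample contents, timestamps and RPO are assumptions chosen for the demonstration.

```python
"""Backup restore-test helper (added example, not from the original post).

Checks the three properties the post lists for a ransomware-resilient backup:
  1. the backup copy is byte-identical to what was backed up (hash manifest);
  2. the backup is fresh enough to meet a recovery point objective (RPO);
  3. a restore from it reproduces every file (the "test your backups" step).
All paths, file names, timestamps and the RPO value are assumptions for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, taken_at: datetime) -> dict:
    """Walk `root` and record a SHA-256 for every file, plus the backup time."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_file(full)
    return {"taken_at": taken_at.isoformat(), "files": files}


def check_freshness(manifest: dict, now: datetime, rpo: timedelta) -> list:
    """Return a finding if the backup is older than the RPO allows."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    age = now - taken
    return [f"backup is {age} old, exceeds RPO of {rpo}"] if age > rpo else []


def verify_restore(restore_root: str, manifest: dict) -> list:
    """Compare a restored tree against the manifest: changed, extra, missing."""
    findings, seen = [], set()
    expected = manifest["files"]
    for dirpath, _, names in os.walk(restore_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, restore_root)
            seen.add(rel)
            if rel not in expected:
                findings.append(f"unexpected file in restore: {rel}")
            elif sha256_file(full) != expected[rel]:
                findings.append(f"content mismatch: {rel}")
    findings += [f"missing from restore: {rel}" for rel in expected if rel not in seen]
    return sorted(findings)


def demo() -> dict:
    """Constructed scenario: back up two files, restore them cleanly, then
    simulate ransomware reaching the restore target and a stale backup."""
    work = tempfile.mkdtemp(prefix="bk_demo_")
    src, backup, restore = (os.path.join(work, d) for d in ("src", "backup", "restore"))
    os.makedirs(src)
    with open(os.path.join(src, "patients.csv"), "w") as f:
        f.write("mrn,name\n1001,Example Patient\n")   # constructed sample data
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("clinic notes\n")

    taken = datetime(2017, 5, 1, 2, 0, tzinfo=timezone.utc)
    shutil.copytree(src, backup)                 # the isolated-media copy
    manifest = build_manifest(backup, taken)     # stored alongside the backup

    shutil.copytree(backup, restore)             # the restore test
    clean = verify_restore(restore, manifest)    # expect no findings

    # Ransomware reaches the restore target: one file is now ciphertext.
    with open(os.path.join(restore, "notes.txt"), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")
    tampered = verify_restore(restore, manifest)

    now = datetime(2017, 5, 3, 9, 0, tzinfo=timezone.utc)   # ~2.3 days later
    stale = check_freshness(manifest, now, timedelta(hours=24))
    fresh = check_freshness(manifest, now, timedelta(days=7))
    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered, "stale": stale, "fresh": fresh}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live with the backup, not on the production system, or an attacker who encrypts production can also rewrite the hashes; and the comparison is on content, not on file presence, because an encrypted file is still "there".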
It is uncertain whether paying the ransom will allow you to gain access to your data in a ransomware attack. Therefore, the focus must be firmly placed on prevention of such an attack. While there is no silver bullet, ransomware attacks can be prevented with a multi-faceted approach.
Can We Really Win the Ransomware War?
Last week the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $400,000 HIPAA settlement with Metro Community Provider Network (“MCPN”), a Federally Qualified Health Center (“FQHC”) in Colorado. The settlement is the result of a 2011 breach in which a hacker used a phishing campaign to access employees’ e-mail accounts and obtained the PHI of 3,200 individuals. Here are a few things you can learn from this situation to prevent the same from happening to your organization.
Conduct a Risk Analysis: It is a common theme throughout breach settlements, but it is worth repeating; conducting a security risk analysis is a fundamental part of preventing a breach. MCPN did not conduct a risk analysis until after it discovered the phishing incident. A risk analysis should be conducted and then reviewed periodically to ensure it is still accurate. It should be organization-wide and thorough enough to identify all of the risks to PHI, covering every device that stores, processes, accesses, or transmits PHI as well as every location (offices, cabinets, off-site storage, the cloud, etc.) where PHI is kept. The output of the risk analysis should be a comprehensive risk management plan that outlines remediation activities and how risks will be identified and evaluated in the future. While the risk analysis itself is a point-in-time assessment, the risk management plan must describe how the organization will manage and mitigate risk on an ongoing basis.
Implement and Update Policies and Procedures: OCR’s investigation indicated that MCPN had inadequate policies and procedures. This led to either a complete lack of PHI protection or inconsistent implementation of safeguards. Policies and procedures that are implemented and consistently updated lead to consistent implementation of the safeguards themselves. Without them, it is difficult to protect PHI effectively.
Train Your Staff: MCPN did a poor job of training its employees. Better training might have kept employees from acting on the phishing e-mail. Training is an essential component of protecting PHI. In your organization you should train all employees at hire and at least once each year. You might also consider sending a simulated phishing campaign to your staff; it is a practical opportunity to show staff what to look for in a phishing e-mail and potentially prevent a real one from succeeding in your own organization.
While this most recent breach settlement is similar to other recent settlements, it emphasizes the notion that conducting a risk analysis, having policies and procedures, and training employees are the fundamental building blocks of protecting PHI.
Does Your Org Need Cyber Insurance?
Are You Prepared to Prevent a Healthcare Data Breach?
Timely Healthcare Data Breach Notification
No one likes to think about it, but malicious attacks by an insider and other insider threats are the cause of a significant number of healthcare data breaches. They can come from a disgruntled employee, a recently terminated member of the staff, or even someone who is being bribed to provide patient information. While they may be some of the hardest attacks to guard against, they are preventable. Here are a few steps to keep in mind:
Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;
Terminate Access Immediately: When employees leave an organization there can be hard feelings, which may lead to rash decisions. To guard against this, you should terminate all access to PHI as soon as the employee leaves: EHR accounts, e-mail, VPN and other remote access, shared or service-account passwords the person knew, and physical badges. Any delay in terminating access leaves you susceptible to the whims of a disgruntled former employee;
Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI, and what they are accessing, is a useful tool for spotting a snooping employee. To be effective, the logs must be reviewed on a consistent basis, looking for an employee who accesses records of patients they have no treatment relationship with, records of co-workers, family members or public figures, an unusual volume of records, or access at unusual hours; and
Train Staff on Sanctions: Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
Admittedly, guarding against insider threats is a challenge, but it is possible. If you implement reasonable protections then you can prevent or stop nefarious actions by your staff.
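The two technical steps above, revoking access at termination and reviewing PHI access logs for snooping, reduce to a few checks over the audit trail. The script below is an added example written for this page, not code from the original post or from any EHR vendor; it runs over a constructed access log and flags activity by a terminated account, access to a patient outside the user's assignments, and an unusual number of distinct patients in one day. The log format, the user and patient identifiers, the termination date, the assignment list and the daily threshold are all assumptions for the demonstration; a real EHR audit export will need its own parser and role-based thresholds.

```python
"""EHR access-log review (added example, not from the original post).

Runs three checks the post describes over a constructed PHI access log:
  - access by an account after its termination date (access was not revoked);
  - access to a patient the user has no treatment relationship with;
  - an unusual volume of distinct patient records in one day.
The log format, HR data and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: "timestamp user patient_mrn action".
SAMPLE_LOG = """\
2017-05-02T09:12:00 nurse.a 1001 VIEW
2017-05-02T09:15:00 nurse.a 1002 VIEW
2017-05-02T13:40:00 nurse.a 2050 VIEW
2017-05-02T10:01:00 clerk.b 1001 VIEW
2017-05-02T10:02:00 clerk.b 1002 VIEW
2017-05-02T10:03:00 clerk.b 1003 VIEW
2017-05-02T10:04:00 clerk.b 1004 VIEW
2017-05-02T10:05:00 clerk.b 1005 VIEW
2017-05-02T10:06:00 clerk.b 1006 VIEW
2017-05-03T22:30:00 former.c 1001 EXPORT
"""

# Assumed HR feed: termination dates, and the patients each user is assigned to.
TERMINATED = {"former.c": datetime(2017, 4, 28)}   # account should already be disabled
ASSIGNED = {
    "nurse.a": {1001, 1002},
    "clerk.b": {1001, 1002, 1003, 1004, 1005, 1006},
}
DAILY_DISTINCT_PATIENT_LIMIT = 5   # tune per role; a front-desk clerk sees more


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": int(mrn), "action": action})
    return events


def audit(events: list) -> list:
    """Return (severity, user, reason) findings, highest severity first."""
    findings = []
    per_day = defaultdict(set)   # (user, date) -> distinct patients touched
    for e in events:
        term = TERMINATED.get(e["user"])
        if term and e["ts"] >= term:
            findings.append(("CRITICAL", e["user"],
                             f"{e['action']} of MRN {e['mrn']} at {e['ts']} "
                             f"after termination on {term.date()}"))
            continue   # everything else about this account is moot
        if e["mrn"] not in ASSIGNED.get(e["user"], set()):
            findings.append(("HIGH", e["user"],
                             f"accessed MRN {e['mrn']} with no assignment"))
        per_day[(e["user"], e["ts"].date())].add(e["mrn"])
    for (user, day), mrns in per_day.items():
        if len(mrns) > DAILY_DISTINCT_PATIENT_LIMIT:
            findings.append(("MEDIUM", user,
                             f"{len(mrns)} distinct patients on {day}"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, user, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{sev:8} {user:10} {reason}")
```

The termination check is the one that should never fire: if it does, the problem is the off-boarding process, not the individual, and the finding is evidence for the breach assessment. The assignment check depends on an accurate treatment-relationship feed, so expect to tune it before it is useful as more than a prompt for a conversation.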
Denial-of-service (DoS) attacks occur when an attacker attempts to prevent legitimate users from accessing information or services. Often this is accomplished by targeting a user’s system and its network connection, or the systems and networks of the sites users are attempting to reach. Most commonly the attacker floods the target network or server with more traffic or requests than it can handle.
Experts predict that DoS attacks will escalate in the future due to the increased use of IoT (Internet of Things) devices in the healthcare sector. IoT allows multiple devices with internet access to communicate and transmit data with each other without human interaction, and healthcare facilities use it to monitor medical devices, patients, and personnel. The link to DoS runs in both directions: such devices are easy targets themselves, and when they are deployed with unchanged default passwords and unpatched firmware they are conscripted into botnets that launch distributed DoS attacks against others (the 2016 Mirai botnet was built almost entirely from such devices). While DoS attacks are on the rise, they are largely preventable.
Here are six ways to prevent DoS attacks and help ensure healthcare data security:
- Continuously monitor and scan for vulnerable and compromised IoT devices;
- Create and implement password management for all devices and users ensuring all default passwords have been changed and strong passwords are required;
- Install and continuously update anti-virus software and security patches;
- Install a firewall and configure it to restrict traffic coming into and leaving your network and systems;
- Segment networks where appropriate; and
- Apply e-mail filters to help manage unwanted traffic.
The pervasiveness of IoT devices in healthcare creates opportunities for hackers, which could lead to an increase in DoS attacks this year. However, common sense steps, like these six tips, can be taken to protect your network and prevent these attacks.
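The first tip, monitoring for compromised devices, is the one that catches your own IoT equipment being used in a flood, and the same data answers whether you are the target. The script below is an added example written for this page, not code from the original post or from any monitoring product; it runs two checks over constructed connection records: one source opening far more connections per second than normal (flagged as a likely compromised device when the address is on the internal range), and one destination hit by many distinct sources in the same second. The log format, the address ranges, the timestamps and both thresholds are assumptions for the demonstration, and the suggested responses are tied to the tips above.

```python
"""Flood detection over connection records (added example, not from the original post).

Two checks a network monitor can run on per-connection logs:
  - one source opening far more connections per second than normal: a direct
    flood, or a compromised IoT device on your own network taking part in one;
  - one destination hit by many distinct sources in the same second: a
    distributed flood from outside.
The log format, address ranges and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")   # assumed device/workstation VLAN
SRC_RATE_LIMIT = 50                     # SYNs per second from one source
DISTINCT_SRC_LIMIT = 30                 # distinct sources per destination per second


def make_sample() -> list:
    """Constructed log lines, format 'timestamp src dst dport flags':
    two normal connections, one internal IoT device flooding an outside host,
    and a distributed flood against the public web server (203.0.113.10)."""
    lines = [
        "2017-05-02T10:00:00 10.20.1.15 203.0.113.10 443 S",
        "2017-05-02T10:00:03 10.20.1.16 203.0.113.10 443 S",
    ]
    lines += ["2017-05-02T10:00:01 10.20.5.7 198.51.100.9 80 S"] * 120
    lines += [f"2017-05-02T10:00:02 192.0.2.{i} 203.0.113.10 443 S"
              for i in range(1, 61)]
    return lines


def parse(lines: list) -> list:
    events = []
    for line in lines:
        ts, src, dst, dport, flags = line.split()
        events.append((datetime.fromisoformat(ts), ip_address(src),
                       ip_address(dst), int(dport), flags))
    return events


def detect(events: list) -> list:
    """Return (kind, address, count, suggested response) findings, sorted."""
    per_src = defaultdict(int)    # (second, src) -> SYN count
    per_dst = defaultdict(set)    # (second, dst) -> distinct sources
    for ts, src, dst, _dport, flags in events:
        if "S" not in flags:      # only connection attempts count toward a flood
            continue
        sec = ts.replace(microsecond=0)
        per_src[(sec, src)] += 1
        per_dst[(sec, dst)].add(src)
    findings = []
    for (_sec, src), n in per_src.items():
        if n > SRC_RATE_LIMIT:
            note = ("internal device, likely compromised: isolate it and check "
                    "for default credentials and missing firmware updates"
                    if src in INTERNAL
                    else "external source: rate-limit or block at the firewall")
            findings.append(("SYN_FLOOD_SOURCE", str(src), n, note))
    for (_sec, dst), srcs in per_dst.items():
        if len(srcs) > DISTINCT_SRC_LIMIT:
            findings.append(("DISTRIBUTED_FLOOD_TARGET", str(dst), len(srcs),
                             "many sources in one second: engage upstream filtering"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, addr, count, note in detect(parse(make_sample())):
        print(f"{kind:25} {addr:15} {count:4}  {note}")
```

Per-second buckets are deliberately crude; a production monitor would use a sliding window and baselines per device class, since an infusion-pump gateway and a public web server have very different normal rates. The point the example makes is that the same connection log serves both tips: it tells you when you are being flooded and when a device you own has been turned against someone else.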
The Gatak Trojan strikes again! Only this time the PHI-stealing malware, first seen in 2011, is targeting healthcare data.
Symantec researchers warned recently that this piece of malware, built to steal information and provide backdoor access, is specifically infecting enterprise networks, and its primary target is the healthcare sector: forty percent of the 20 most affected organizations are from healthcare, according to the security firm.
Also known as Stegoloader, the Gatak Trojan spreads through websites promising license keys for pirated software. The keys don’t work, and users end up infected. Once inside, the Gatak Trojan can move across healthcare networks by exploiting weak passwords and poorly secured file shares and network drives.
By concealing malicious code inside otherwise innocuous image files (the steganography that gives Stegoloader its name), cybercriminals carry out healthcare attacks that expose medical records, said one Trend Micro analyst. While Symantec is unsure how the attackers behind the Gatak Trojan are monetizing their intrusions, the firm suggests they may be selling the personally identifiable information and other data they collect from infected networks.
Healthcare is especially susceptible to such intrusions: IT budgets and staff are limited, while medical records are rich in data and fetch a higher price than any other type of record, so the sector is likely to see more of this activity. Data security needs to move front and center as a healthcare priority. Many healthcare organizations would benefit from continued education on information system risks through annual security and privacy training.