Dark Reading

Operational Security // Compliance

6/26/2017 02:42 PM
Chris Byers
News Analysis - Security Now

Five Questions for Healthcare Security

Healthcare security regulations come with teeth. Five questions can help healthcare CISOs avoid being bitten.

In 2014, hackers found medical records to be 10 to 20 times more valuable than a credit card number because they offered copious amounts of sensitive personal data. McAfee Labs referred to it as "The Year of Shaken Trust."

In the time that's followed, we should have taken great steps in securing electronic protected health information (ePHI). Unfortunately, that's not the case.

If anything, healthcare data security breaches have become more common. In one incident, a Southern California hospital was forced to pay a $17,000 ransom to have its network restored. In another, 3.7 million patient records were accessed. The list goes on and on. In 2016 alone, the healthcare industry averaged nearly four data breaches per week. Over the last three years, the number of major HIPAA data breaches for which cyber attackers are responsible has increased by 300%.

Healthcare data is at high risk, which means it's a crucial time for web form security, HIPAA compliance and other healthcare IT measures.

What's happening with healthcare data security?
A single medical record offers countless black market opportunities, from prescription abuse and insurance fraud to credit card and identity theft, which makes access to ePHI a hacker's dream. Healthcare organizations are prime targets for cybercrime because they often lack the sophisticated backup systems that are common in other industries.

That's why the Brookings Institution has predicted that one in 13 patients will be impacted by provider data breaches by 2019, in part because federal mandates forced so many practices to adopt electronic health records (EHR) before they were ready to adequately invest in IT security. According to the report, many facilities share large datasets because they lack the time and resources to regulate who has access to patient information.

How do HIPAA data breaches happen?
Most healthcare data hacks begin with an unsuspecting employee doing something as simple as opening an email attachment from a legitimate-looking address or viewing a patient record over an unsecured network. In one experiment, IT security consultants hacked a computerized medicine dispensary by dropping off malware-filled USB sticks labeled with the hospital's logo. In another, the same team filled patient portal form fields with malicious code to be triggered when viewed by a doctor or nurse.

A lack of mobile security is also to blame: A 2016 study found that eight in ten Google Play diabetes apps lacked privacy policies. Around the same time, more than 80% of surveyed healthcare employees admitted to being concerned about mobile cyberattacks involving ransomware, malware and blastware.

What can you do to secure your healthcare data?
Choose your vendors carefully. Web forms must be HIPAA compliant, privacy policies should be in place and digital tools should meet stringent security standards. Healthcare institutions must understand that their patients' data is incredibly valuable. At the very least, they need the same security measures now protecting other sectors.

Bottom line: It's up to each healthcare organization to take steps to ensure its ePHI stays secure. Instead of assuming your vendors have a variety of security measures in place to safeguard medical information, be prepared to ask questions such as these:

  • What security measures, such as SSL/TLS encryption and two-factor authentication (2FA), are available for online forms?
  • How is information protected as it flows from one user to another?
  • How are emails and web traffic encrypted?
  • How is "at rest" data protected?
  • What steps are you taking to ensure you remain HIPAA compliant?

The future of healthcare data security depends on the answers to these questions.

Chris Byers is the CEO of Formstack, an Indianapolis-based company offering an online form and data-collection platform. Prior to Formstack, Byers co-founded an international nonprofit that was built via remote relationships among partners in Europe, Africa and the United States.
