From a security perspective, 2014 has clearly been the year of the compromised password. From Yahoo Mail to Apple iCloud to JP Morgan Chase, an alarming number of data breaches are successfully carried out using misappropriated account credentials. There is even a newly discovered piece of malware, known as the Citadel Trojan virus, that’s specifically designed to track and abuse passwords that have been stored in open source, freeware password managers.
Stealing passwords is now a big business, and healthcare facilities need to take this upward data breach trend seriously. Not only are there monetary consequences from data breaches in the form of HIPAA violations and fines, but there is also the possibility of tainted brand reputation in national media headlines and criminal charges.
This was the case for an east Texas hospital. Joshua Hippler, a hospital employee, pled guilty in August 2014 to charges filed by the U.S. Department of Justice for “wrongful disclosure of individual identifiable health information, with the intent to sell, transfer and use for personal gain.” Hippler faces up to 10 years in a federal prison. HIPAA is still reviewing the case and deciding the facility’s degree of penalty.
Login Credentials: Protecting Your Keys to the Kingdom
When it comes to preventing healthcare data breaches, passwords are often the first line of defense. Although a strong password will not prevent all attackers from trying to gain access, it can slow the velocity of attacks and discourage attackers from seeing attacks through. Rotating complex passwords, when combined with effective access controls, such as two-factor authentication and real-time monitoring of privileged account activity, can help to prevent patient information from falling into the wrong hands.
To get a full understanding of the vital role of passwords, it’s important to note that the password is only one half of what makes up a computer user’s protected credentials. The other half is the user’s identity, or user name.
In most systems, these credentials (user name and password) are part of an overarching access control system, in which users are assigned certain rights to access certain data and applications based on their roles within an organization. This access control system might be part of an operating system (Windows, Linux) or built into a particular application (an e-prescribing module or a patient notes application); often both are true.
In any case, an e-health records implementation should be configured within the framework of this user role model to properly grant data access to the right people at the right time. The combination of user permission levels and credential protection reduces the risk that a cybercriminal or disgruntled healthcare employee can wreak havoc with your systems, violating compliance mandates and the trust of patients.
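To make the role model concrete, here is an added example (not code from the article or from Thycotic) of a deny-by-default, role-based access check for an e-health records system that records every decision in an audit trail and revokes access the moment a user leaves or changes role. The role names, resource names and sample users are constructed for the illustration.

```python
# Added example: minimal role-based access control for e-health records,
# with an audit trail of every decision (allowed and denied).
# Role names, resource names and the sample users are constructed here.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which roles may do what, on which kind of record. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "physician": {"patient_notes": {"read", "write"}, "e_prescribing": {"read", "write"}},
    "nurse":     {"patient_notes": {"read", "write"}, "e_prescribing": {"read"}},
    "billing":   {"billing_records": {"read", "write"}},
}

@dataclass
class AccessControl:
    users: dict                      # user name -> role; no entry means no rights
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, resource, action):
        role = self.users.get(user)
        allowed = action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        # Record every decision so each staff member's access to specific
        # information can be reconstructed later.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "resource": resource,
            "action": action, "result": "allow" if allowed else "deny",
        })
        return allowed

    def change_role(self, user, new_role):
        # A role change, or departure (new_role=None), takes effect immediately.
        if new_role is None:
            self.users.pop(user, None)
        else:
            self.users[user] = new_role

    def accesses_by(self, user):
        return [e for e in self.audit_log if e["user"] == user]

def demo():
    ac = AccessControl(users={"dr_smith": "physician", "j_doe": "billing"})
    results = [
        ac.is_allowed("dr_smith", "e_prescribing", "write"),    # allowed by role
        ac.is_allowed("j_doe", "patient_notes", "read"),        # denied: wrong role
        ac.is_allowed("unknown_user", "patient_notes", "read"), # denied: no account
    ]
    ac.change_role("dr_smith", None)  # employee leaves the organization
    results.append(ac.is_allowed("dr_smith", "patient_notes", "read"))  # now denied
    return results, ac
```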
Why “Bad Guys” Target Healthcare
While a majority of hackers are simply motivated by thrill-seeking, some, like Hippler in east Texas, are looking to inflict damage in order to make money off the information they steal. They’re well aware of the value of data waiting for them in any healthcare network: personally identifiable information (PII), such as social security numbers, dates of birth and banking/payment data that can be sold to the highest bidder for use in elaborate identity fraud scams. In fact, victims of the Community Health Systems breach are already seeing their data pop up on underground hacker forums for sale.
Healthcare facilities have been moving toward electronic records and technology-based data systems for decades. Just like any other industry, moving data to an electronic or cloud-based model presents its own subset of risks. The difference is, with a healthcare facility, that data belongs to the most vulnerable of assets – its patients.
As more infrastructure and databases migrate to modern models, it’s clear the vast majority of healthcare facilities are not adept at keeping up with the constantly shifting threat landscape. Information security practices tend to mature too slowly in healthcare to keep up with new attack vectors.
We’re learning, with each new data breach, that it’s not enough to invest in the latest infrastructure. Healthcare staff and administrators must be aware of the many ways cybercriminals and internal workers can exploit technology for personal gain.
What’s Next: Education, Risk Assessment, Reality Checks
Fixing healthcare data security won’t be an easy task, but senior management and IT teams need more open communication to make it a priority. In an age when health information is stored and transported on portable devices, educating end-users in best practices is the key. Your workers at all levels must understand the risks of leaving devices unattended or sharing data with unauthorized personnel. Further, regular rotation and maintenance of passwords is crucial – especially when an employee leaves or changes roles.
While automating certain aspects of security can help, the reality is, there is no “magic bullet” tool or platform that will make data security a “set it and forget it” endeavor.
However, there are some key questions that should be on your list when evaluating security vendors for your organization’s needs. For example:
- Can a security tool create audit trails that can provide a paper trail of each staff member’s access to specific information on the network?
- Is access to patient and corporate data permission-based and tied to each user’s role within the company?
- Will all sensitive information be securely protected and properly encrypted in the event of a laptop theft or attempted breach?
- Will the tool provide the same security levels for remote workers?
A common-sense approach to the basic best practices will always serve as your foundation for protecting the patients you serve. It starts with a realistic, thorough assessment of the ways your data is at risk right now and then making improvements along the way. Educating healthcare workers about these risks is also a vital part of any security policy.
About the Author: Kevin Jones is the senior information security architect for Thycotic, a leading provider of password security management solutions for global organizations. A Microsoft MVP, Kevin has been a featured presenter at numerous IT and security events including IANS Forums, ISSA, ISACA and software development clinics.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.