Healthcare is Attackers’ favorite target – Let’s learn about ways to defend against the Threats

Data Breaches are disruptive, expensive and even dangerous. Nowhere is this truer than in the healthcare industry, where people’s personal information – including extremely sensitive information about their health – is being entrusted to medical organizations and insurers.

That’s why it’s more important than ever to encrypt everything. In fact, encryption is required as a part of HIPAA (Health Information Portability and Accountability Act) compliance. This act governs the transfer and storage of healthcare information by health care professionals, hospitals, insurers and billing organizations.

The HIPAA Security Rule requires organizations to use specific safeguards to protect all Electronic Personal Healthcare Info, specifically mandating encryption and specifying key management protocols, as well as protocols for handling a data breach.

It’s worth noting that SSL encryption is just one piece of a larger puzzle when it comes to protecting Healthcare IT from various security threats – SSL can only protect data in motion – but it is a very important one, nonetheless.

The reasons for this should be obvious. In older times, medical records were kept on paper and housed in physical locations. But now the majority of records are kept online, and can be accessed easily by doctors, medical professionals and insurers who need them. This is a double-edged sword: on one hand it’s more convenient, but on the other it leaves these records open to more security risks.

That’s because unless the record is being accessed on the same machine it is being stored on, accessing said records requires a connection to be made between two computers or a computer and a server.

Without SSL encryption protecting that connection, any third party can easily see the information being shared between the two machines and steal it.

This is where SSL comes into play. With SSL, you can encrypt those connections and shut down one of the easiest ways for malicious third parties to breach that data. SSL works by essentially protecting the information that is being shared by the two computers. Before the connection begins, the computers perform what is called an “SSL handshake”, in which they decide on an encryption standard. From there, all communication between the two is encrypted, meaning that if a third party were to try to steal it, all they would get would be a jumbled set of numbers and letters.

Only the two computers involved in the connection can decrypt the information.
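The handshake and the protection it provides can be checked from the client side. The following is an added example, not code from the original post: it uses Python's standard `ssl` module to contrast a hardened client configuration with a careless one, and to report the protocol and cipher a handshake settles on. The function names and the host passed to `negotiated_parameters` are assumptions made for illustration.

```python
import socket
import ssl

# Added example; function names are illustrative, not from the original post.

def hardened_client_context() -> ssl.SSLContext:
    """TLS client settings for reaching a records server."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    return ctx

def careless_client_context() -> ssl.SSLContext:
    """Anti-pattern shown for contrast: encrypts, but to an unverified peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that weaken protection of data in transit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

def negotiated_parameters(host: str, port: int = 443) -> dict:
    """Run the handshake against host and report what both sides agreed on."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name, "key_bits": bits}

if __name__ == "__main__":
    # Offline checks only; negotiated_parameters() needs a reachable server.
    print("hardened:", audit_context(hardened_client_context()))
    print("careless:", audit_context(careless_client_context()))
```

An unverified connection is still encrypted, but the client cannot tell whether the machine on the other end is the intended server, which is why the audit treats disabled verification as a finding.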

SSL is just one component of a more comprehensive security solution though. While protecting information in transit is of huge importance, there are other vulnerabilities that the healthcare industry must also shore up in order to secure itself.

Case in point, in 2012, 94% of companies in the healthcare industry reported some form of a data breach. They likely had holes in their systems that SSL is not designed to protect.

Here are a few other tips for Healthcare Organizations looking to protect against cyber threats:

Protecting networks means more than just firewalls and antivirus software

Perimeter security is important but there are other ways to help protect a network as well, one of which is to focus on limiting the potential for damage should the network ever be breached. This includes practices like segregating networks so that intruders don’t have access to all the data stored on a network should they breach part of it.

Education is key

Employees are one of the easiest ways to infiltrate the healthcare industry’s computer networks—as they are in any industry. That’s why it’s important to constantly educate employees on developing security risks – phishing scams, social engineering, etc. – as well as training them on what does and does not constitute a HIPAA violation.

Mobile access can be dangerous

As mobile phone and tablet technology continues to evolve and become more prevalent the natural inclination may be to rely more heavily on these platforms. However, this can create a vulnerability if they’re not properly secured. Make sure to have a policy against using personal devices for accessing information, and make sure to secure and encrypt all organization-owned devices to help eliminate breaches.

Be sure to secure wireless networks

Wireless internet is everywhere and its convenience is undeniable. But unsecured wireless networks are also easily exploitable making them a huge security weakness. WEP passwords are simply not enough in this day and age. Rather, to protect against attacks healthcare organizations should make sure to keep their routers up to date, change passwords regularly and block access to all unauthorized devices.

Be sure to vet third parties

Sure, your organization has done everything in its power to protect against data breaches and other cyber-attacks, but any other organization or business you’re doing business with could pose a threat to the information you’re working so diligently to protect. Are they secure? Do they use SSL encryption to protect the data once it gets on to their servers? You’re only as strong as your weakest link, so make sure that weakest link isn’t another organization or company you’re partnered with.

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
