Hacking in Healthcare: How To Prepare in Any Situation

Hackers in the healthcare space can be some of the most ruthless in the business. 

Pretty much by definition, hackers are cold, heartless, unscrupulous menaces on “bullet headed” missions to get into their targeted systems to extract and exploit data.

Perhaps the cruelest form of these are “ransomwarers” who hold captured data hostage for safe return pending payment of a ransom which is often a catastrophic amount of money.

Although, even if paid, you can still never be sure they haven’t already sold your data to other nefarious actors on the dark web. 

As a healthcare software solutions provider, we make sure to keep up with all kinds of hacking and ransomware attacks in our industry. While many times these attacks are dangerous and damaging to both patients and providers, every once in awhile we see attacks that end up having the right intentions in mind. 

A Hacker with a Heart

Passavant Memorial Homes of Family Services’ system is a PA-based, non-profit human services agency that provides assistance to people with intellectual disabilities, autism, and behavioral health needs. Their system was hacked.

Once inside the system, the hacker was able to see the work PMHFS does and felt bad about completing the mission, and supposedly left without taking anything.

In fact, the intruder let PMHFS know through the PMHFS website’s “contact us” form that he or she was able to get in, and that PMHFS needed greater protection!

Let’s assume the hacker was honest about not going any further, especially since they took the time to alert PMHFS. No one in that situation could, or should, live with that assumption.

So, PMHFS upgraded their system security and correctly reported the intrusion as a breach to law enforcement, to their cyber insurance carrier, and to HHS who in turn notified state regulators and the 25,000 individuals potentially affected.

It appears PMHFS dodged a bullet in terms of not having to pay a ransom, and in not having their data taken for any illicit purposes.

What can we learn from this story?

1. You can’t trust that your hacker will have a heart. And even if he or she does, you’d still have to make the notifications and security adjustments as did PMHFS.
2. Do everything you can now to prevent an attack! You don't want to leave it up to someone's moral judgement to not hack into your system. Instead make sure you prepare your organization ahead of time to defend against attacks. 

How to Prepare if Your System is Customer-Hosted

If your healthcare software is installed locally on your own server (aka “customer hosted,” “locally hosted,” or “client server”), the onus is completely on you to ensure protections are in place, regardless of whether you have your own in-house IT resource, or if you use an outside IT company.

In order to prepare, here are some of the most important steps to take ahead of time:

• Ensure on a weekly basis your operating system (o/s) is current with any and all patches and security updates in place
• Keep security programs current, and run scans regularly
• Replace PCs that have outdated/unsupported o/s’ (e.g., XP, Vista, Windows 7, Server 2008)
• Monitor that computers are dedicated to business use only to avoid external viruses or malware (no personal shopping, social media, etc.)
• Perform daily backups of critical information & files
• Understand that email is the #1 source of attack, and instruct staff not to open or click on anything you don't absolutely know is safe, and to certainly not open any suspicious attachments
• If there’s any uncertainty about an email or website, stop for help or an opinion from your IT specialist
• Have a security plan, review and communicate it with everyone routinely
• Live on the side of caution and expect that attacks/attempts will happen

One other thing to keep in mind as if this wasn’t enough: there could be significant HIPAA fines and penalties coming your way if an intrusion happens and data is compromised, especially if you didn’t do everything possible to prevent the intrusion.

One prime example is if you continued to operate on an expired/no longer supported operating system. You would’ve left your system totally vulnerable even to amateur hackers and it would be completely provable forensically that your system was unsecured in that way.

Such an incident would also no doubt cause irreparable harm on a social media level with negative online comments. And as brutal as this is to say, the reality is it would be deserved, especially if it could’ve been avoided by following the steps needed.

It’s a little different if you can show everything possible was done to avoid an attack, but an attack still happened.

How to Prepare if Your System is Cloud-Based

The attack onus is on the hosting company in two ways. They need to ensure that:

• Their remotely-hosted servers are located within a comprehensively secured location, not in someone’s garage, and
• That every possible protection software-wise is in place to guard against malware and intrusions

That said, you still need to do your part to make sure all of your tablets, laptops, PCs and devices that are used to connect with the software are fully protected as noted above.

Before deploying in any vendor’s cloud, get their security information, ask for details on their hosting location, make sure everything is certified, etc. It may make sense to have an independent IT resource help with this, especially if no one on staff is familiar.

Always Prepare for a Ransomware Attack

Security in an insecure world can be…insecure. But if you take all possible - and necessary - precautions, you should be able to operate confidently and self-assuredly.

If you are looking for additional support to ensure you are protected against ransomware and other malware attacks, check out our free webinar 9 Ways to Prevent a Ransomware Attack to Your Medical Practice.