Healthcare System Security: Staying Secure in an Insecure World
Viruses. Spyware. Ransomware. Hacking. Intrusions. All are extremely damaging, especially when healthcare systems are involved.
That's because they not only compromise sensitive and confidential financial and operational information, but they put patients' personal health information (PHI) at risk, as well.
Since HIPAA will no doubt get involved on PHI breaches, that can mean devastating fines and penalties, especially if it's proven that you left yourself vulnerable and were negligent on things such as not upgrading out-of-date operating systems.
This article will look at the dangerous malware in the healthcare space and how you can prepare your practice against a future attack.
What is Malware?
Malware comes from the combination of "malicious software." It's the all-encompassing term for viruses, Trojans, spyware, worms, adware, botnets, and perhaps the most ravaging of all: ransomware.
Malware is intentionally created most often by teams of ne'er-do-well hackers for damaging devices, expropriating data, or to simply create havoc which gives their creators a sense of accomplishment.
Sometimes, the malware's creators aren't looking to deploy their malware themselves, but instead, to sell it on the dark web to others who want to implement it.
Malware developers could actually believe their purposes are rightful, especially if their malware is useful for protesting, testing the security of other systems, and even as a way to bring down the systems and networks of governments they perceive to be a threat.
Regardless of the malware's intent or the thinking of its creators, you need to prevent it from invading your computers or networks to keep your business and patient information safe.
Types of malware and how they work
This piece of malware works the same way viruses affect humans; it becomes attached to a file in your computer and then spreads unstoppably to other files. In a matter of seconds, every file in your computer could be corrupted or deleted.
These are named for the Trojan horse, which was used to sneak soldiers into the enemy's compound only for the sneaked-in soldiers to open the hatch, jump out, and wreak havoc. Trojans can appear as legitimate pieces of software, or they can become embedded into application software programs you're already using. Once inside your system, the Trojan software goes to work by opening the hatch, enabling even worse malware to enter.
Its name is pretty much self-explanatory. Once it gets in, spyware spies on users' work, which includes grabbing passwords as users enter them, capturing information such as credit card numbers and banking information. Spyware can also be used to observe and remember a person's internet activity, surfing habits, and more.
These are similar to viruses, but worse since they attack through interfaces written between programs locally or across an entire enterprise network. Worms can even go outside of the enterprise, depending on the interface's endpoint. Worms don't discriminate. They'll use interfaces to latch onto anything they can, irrespective of boundaries.
These "gems" are a little different in that they give the "botnetter" the ability to work in the system and even control it! Users may see or realize that weird things are happening, but it can take some time to figure out that someone outside the entity is haunting the system. At that point, it's too late.
Being hit by adware generally isn't overly dangerous on its own, often creating more of an annoyance than anything else with continual, unwanted ads popping up and interrupting work. However, damage can happen if popups are clicked into, or worse, if you open any links or attachments. Doing so will almost assuredly activate any of the malware mentioned above. That includes the one that may be the worst of all: ransomware.
The "big kahuna" of malware is universally thought to be ransomware. Ransomware kidnaps your system (you no longer have access to it) while compromising your data and your patients' PHI. It's called "ransomware" because it'll also cost you money to regain access to your software and all of the data that's in it.
The kidnappers will display a ransom note onscreen in the form of a gut-wrenching message saying your system has been kidnapped. They’ll give you a deadline to pay a large sum of money by a specific date and time, along with instructions for paying or you'll never regain access to your system. The kidnappers will say if you don’t comply, they’ll sell your data and your patients' PHI and information on the dark web.
In other words, the kidnappers are going to be paid one way or the other. And sadly, paying the ransom provides no guarantee you'll regain access to your system, and even if you do, that your data still won't be sold on the dark web, or that you won't be re-attacked.
Ransomware is real in the healthcare industry, and kidnappers are almost impossible to trace. That's especially true with so many attacks reportedly happening from offshore, including from countries such as Iran and North Korea. Even if the kidnappers are identified, the prospect is nil for prosecuting them and for you to regain money paid.
How to Operate Securely in an Insecure World
If you don’t already have one, identify and implement an IT management team as an in-house IT resource for helping you operate securely. Your software vendor presumably has its own IT department for providing assistance or suggestions. If the vendor doesn’t have an IT team, they should at least be able to recommend a few resources. If the vendor doesn’t have an IT team, that could be a red flag.
Keep your systems up to date by making sure your server(s) and every workstation or device that accesses it has anti-intrusion software and firewalls that are always current with their latest updates and versions.
Be sure to install updates immediately as you're alerted to them since there's a good chance they'll contain what's needed to combat the most recent wave of invaders. Remember, the bad guys are also continually updating their malware to circumvent your protections.
Maintain HIPAA compliance
As mentioned earlier on, if you’re hacked, it’ll help if you can show you did everything you could to prevent it. This will allow you to avoid the debilitating HIPAA penalties that often accompany a healthcare security breach.
Conversely, it stands to reason if you were using outdated or no software protection, or an obsolete operating system that created vulnerabilities, the situation for you would be much worse.
Also, don't count on fooling anyone. It would probably take no more than a few minutes for HIPAA or any team of cyber forensic specialists to determine the state of your IT at the time of the intrusion.
Expectations on software vendor communications
If the vendor’s software is implemented on your local server, the vendor certainly should send alerts about operating systems that are expiring, reminders about ensuring your protections are up to date, and about doing backups. But ultimately, it's your responsibility to make sure you're protected and that you're working under a secure operating system.
If you access your vendor's software in the cloud via the internet, the vendor must have super-protections in place to guard against intrusions. Ask the vendor about their security setups and the location of their servers. The hosting site must be in an ultra-secure facility with plenty of redundancies. Check out the hosting location's credentials.
Regardless of deployment models, your vendor must provide you with a HIPAA Business Associate Agreement helping to ensure your data and your patients' PHI are protected and safeguarded at all times.
If you are looking for additional support to ensure you are protected against ransomware and other malware attacks, check out our free webinar 9 Ways to Prevent a Ransomware Attack to Your Medical Practice.
We've seen how susceptibility is a fact of life in the cyber world, but you can operate as securely as possible in that world if you:
it’s your responsibility to ensure you’re protected and are working under a secure operating system
have updated protections in place on your server and all devices that access it, and
follow common-sense rules about not visiting dubious websites, not opening suspicious emails, and not clicking into links or attachments on them.
About Marc Klar
Marc was introduced to medical software sales after several years working in operations, management, and sales in the NYC hotel industry. He quickly learned the medical industry/software and more than held his own in sales. He got into assisting with marketing, created new business development teams and marketing programs with two different vendors, one of which became the largest vendor of that system in the country for three consecutive years. He then moved to Advanced Data Systems; as VP of Marketing, Marc oversees the company’s entire marketing effort. Among other things, Marc enjoys reading, cooking, and performing comedy which sometimes isn’t funny for him or his audience. He has an appreciation and respect for good music and art (where an apple is an apple…not someone’s head). Marc became an accomplished drummer and teacher after studying with some of the top jazz drummers in NYC, all as a result of being told since early in life to “beat it.”