Eye openers to data security risks in the Health Sector
Data security is of vital importance in the health sector, everywhere on the planet. Every now and then, stories of medical institutions being hit by cyber attacks reach the news headlines.
The following is meant to show, with a handful of arguments, why that is so.
ID Theft
Stealing medical data such as patient information (medical IDs) is lucrative because that information fetches a high price on the black market. It can be used to file fraudulent claims with insurance companies, to obtain prescription drugs or medical equipment that can be resold, or to build a complete false identity for a living person. On the online black market, personal health information is worth more than, for example, stolen credit card numbers.
Correcting such identity theft is extremely difficult and expensive, if it is possible at all. Unlike banks, which have procedures to cope with credit card theft, the health infrastructure has no established procedures to correct medical identity theft.
The frequency of data breaches at medical institutes is already disturbingly high and will increase further. Countries with relatively little IT penetration in health institutes will see that penetration explode over the next few years, unfortunately accompanied by data breaches. Data security should be taken very seriously by all healthcare-related parties.
Skilled People
Many medical institutes do not have skilled data security people in-house and have to rely on external partners. They should therefore hire an expert or cooperate with capable IT security partners.
Ransomware
Ransomware is malware that encrypts data and then demands a large ransom for the decryption key. Everybody is a possible target, but health institutes are particularly attractive because of the importance and sensitivity of their data. Criminals can demand very large amounts because the loss of financial and, above all, patient data can lead to reputation damage, liability issues and even life-or-death situations.
Health institutes must be aware that they can fall victim to targeted ransomware attacks. They should therefore use state-of-the-art anti-malware protection capable of detecting zero-hour malware, and apply policies that reduce the risk of zero-hour malware entering their network by any route: removable devices, wireless networks, email, web and social media traffic, etc. Anti-malware alone is not sufficient: regularly tested backups kept offline, or otherwise out of reach of a compromised account, are what make recovery possible without paying.
Wireless
Health institutes increasingly use wireless networks, for example to support doctors who use laptops, tablets and smartphones. Those wireless networks are an entry point for breaking into the organization's network to steal data or introduce malware.
Strict security policies should be applied to wireless networks by every available means: strong authentication and encryption (WPA2-Enterprise/802.1X rather than one shared password), separation of guest and patient Wi-Fi from the clinical network, and firewalls and anti-malware at the boundary.
BYOD (Bring Your Own Device)
Doctors use their own devices on the hospital network. Those devices may introduce malware into the hospital network, and they may lead to data leakage through the doctor's device, including loss or theft of the device. Endpoint protection is mandatory, also for mobile devices. Encryption of any data stored on such devices is strongly advised. Firewalling (network segmentation) within the hospital's network is needed to prevent unauthorized access to parts of the network.
Remote Access
Doctors and external support staff need remote access to the hospital's systems, which creates a risk of break-ins. Multi-factor authentication is needed for controlled access: a password alone is the factor most likely to be phished, guessed or reused from another site.
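To make the "second factor" concrete, here is an added example (not code from the page or from Inter Engineering) of the time-based one-time password used by authenticator apps, implemented per RFC 6238 on top of RFC 4226 HOTP. The secret is the RFC 6238 reference value; the per-user state is a plain object, and the allowlist of accepted time steps and the replay guard are the two details a remote-access gateway most often gets wrong.

```python
"""Time-based one-time password (RFC 6238) as a second factor for remote access.

Added example, not code from the page. The secret is the RFC 6238 reference
vector; the per-user state object is for illustration only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret, ASCII "12345678901234567890", in the base32 form
# that authenticator apps receive when a QR code is enrolled.
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_BASE32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def matching_counter(secret: bytes, submitted: str, at: int,
                     step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code equals `submitted`, or None.

    A window of +/-1 step tolerates clock drift between phone and server.
    hmac.compare_digest keeps the comparison constant-time."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


class SecondFactor:
    """Per-user verifier. Remembers the last accepted counter so a code that was
    phished or shoulder-surfed cannot be replayed within its validity window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = matching_counter(self.secret, submitted, now)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # RFC 6238 reference vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print(totp(SECRET, 59, digits=8))
    user = SecondFactor(SECRET)
    print(user.verify(totp(SECRET, 59), at=59))   # True: fresh code
    print(user.verify(totp(SECRET, 59), at=59))   # False: same code replayed
```

The drift window should stay small (one step either side is the usual choice); widening it to paper over badly synchronised clocks multiplies the number of codes an attacker may guess. The replay guard needs to live in shared, durable state behind a load balancer, not in process memory as shown here.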
Email / Web / Social Media
Data can leak through email and web traffic and through social media. Comprehensive DLP (Data Loss Prevention) functionality is needed in email and web gateways and on endpoints, as well as anti-malware protection of that traffic.
The Internet of (Medical) Things
Medical equipment is attached to the hospital's network and is directly or indirectly reachable over the internet. This equipment may be more vulnerable to malware infections or hacker attacks than ordinary computers because it is often not patched as it should be; a vendor may certify a device only for one specific software version. Malfunctioning of equipment due to malware can lead to unreliable results and, if not detected, to jeopardising patients.
Protection by firewalls and overall anti-malware with zero-hour detection is therefore very important. Because these machines are not ordinary computers and often cannot run endpoint protection themselves, attention should also be paid to securing each piece of equipment individually, for example by placing it in its own network segment that can reach only the systems it needs.
Insiders
Insiders with the wrong intentions can also be your administrators. Healthcare institutes must protect (patient) data stored on servers against foul play by internal administrators or external partners who are given access to servers. The solution is to limit, monitor and record privileged users' actions on servers.
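As an added example of the "limit, monitor and record" control above (not Inter Engineering's tooling), the script below reviews recorded privileged actions. It parses sudo log lines in the default Linux auth.log format and raises alerts when an account outside the approved admin list escalates privileges, when a privileged command touches a patient data location, and, at higher severity, when a bulk copy or dump tool is used on such a location. The admin allowlist, the data paths and the log lines themselves are constructed for the example.

```python
"""Review of recorded privileged actions (sudo log) on a server holding patient data.

Added example, not the page's own tooling. The log lines are constructed to look
like Linux auth.log entries; the admin allowlist and data paths are assumptions."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Approved administrators and the locations of patient data (both assumed).
APPROVED_ADMINS = {"ops_jan", "dba_maria"}
PATIENT_DATA_PATHS = ("/srv/ehr", "/var/lib/postgresql")
# Tools that copy or dump data wholesale; on a PHI path they deserve a high-severity alert.
BULK_COPY_TOOLS = {"cp", "scp", "rsync", "tar", "pg_dump", "mysqldump", "dd"}

# sudo's default log line, e.g.
#   Mar 12 02:14:07 db01 sudo:   ops_jan : TTY=pts/1 ; PWD=/home/ops_jan ; USER=root ; COMMAND=/bin/ls /srv/ehr
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:\s"
    r"(?:TTY=\S+\s;\s)?PWD=\S+\s;\sUSER=(?P<target>\S+)\s;\sCOMMAND=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    severity: str
    host: str
    user: str
    reason: str
    command: str


def parse_sudo_line(line: str) -> dict | None:
    """Return the fields of one sudo record, or None for any other log line."""
    m = SUDO_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event: dict) -> list[Alert]:
    """Apply the controls named in the text: limit who may escalate and watch
    what they touch. The log itself is the record that makes this review possible."""
    alerts = []
    argv = event["cmd"].split()
    tool = os.path.basename(argv[0]) if argv else ""
    touches_phi = any(arg.startswith(PATIENT_DATA_PATHS) for arg in argv)

    if event["user"] not in APPROVED_ADMINS:
        alerts.append(Alert("high", event["host"], event["user"],
                            "privilege escalation by an account outside the admin allowlist",
                            event["cmd"]))
    if touches_phi and tool in BULK_COPY_TOOLS:
        alerts.append(Alert("high", event["host"], event["user"],
                            f"bulk copy/dump tool '{tool}' run against a patient data path",
                            event["cmd"]))
    elif touches_phi:
        alerts.append(Alert("medium", event["host"], event["user"],
                            "privileged command touched a patient data path",
                            event["cmd"]))
    return alerts


def review(log_text: str) -> list[Alert]:
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event:                      # non-sudo lines (sshd, cron, ...) are skipped
            alerts.extend(evaluate(event))
    return alerts


# Constructed sample: a normal service restart, a vendor account copying the
# patient database to /tmp, an approved admin browsing the data directory,
# and an unrelated sshd line.
SAMPLE_LOG = """\
Mar 12 01:58:31 db01 sshd[2201]: Accepted publickey for vendor_support from 203.0.113.7 port 51822 ssh2
Mar 12 02:01:12 db01 sudo:   ops_jan : TTY=pts/0 ; PWD=/home/ops_jan ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 12 02:14:07 db01 sudo: vendor_support : TTY=pts/1 ; PWD=/home/vendor_support ; USER=root ; COMMAND=/bin/cp /srv/ehr/patients.db /tmp/p.db
Mar 12 02:20:45 db01 sudo:   ops_jan : TTY=pts/0 ; PWD=/home/ops_jan ; USER=root ; COMMAND=/bin/ls -la /srv/ehr
"""

if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"[{a.severity}] {a.host} {a.user}: {a.reason} :: {a.command}")
```

Two practical points: the review is only as good as the record, so sudo logs must be shipped to a log server the administrators being reviewed cannot edit, and an administrator who obtains a root shell (`sudo -i`, `sudo su`) leaves only that one line behind, which is why session recording or a privileged-access gateway is the stronger form of the "recording" the text calls for.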
Email
Email is becoming the daily tool for communication within the hospital, between hospitals, and between the hospital and third parties such as practitioners and insurance companies. Designing an adequate email content security policy and enforcing it with state-of-the-art tools is mandatory. All emails must also be archived, and retrieving an email must be easy and fast.
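The DLP functionality called for in the "Email / Web / Social Media" section and the email content policy enforcement called for here come down to the same gateway decision, shown in this added example (not Inter Engineering's product or code). An outbound message is scanned for indicators of patient data and the policy decides between delivering it, forcing encryption, or blocking it, depending on where the recipients are. The internal and partner domains, the in-house `PID-` patient identifier format, the keyword list and the four messages are all constructed for the example.

```python
"""Outbound email DLP check for patient data (added example).

Not the page's own tooling. The internal and partner domains, the in-house
patient-ID format and the keyword list are assumptions; the messages are constructed."""
from __future__ import annotations

import email
import re
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAINS = {"hospital.example"}          # mail stays inside the organisation
TRUSTED_PARTNERS = {"insurer.example"}           # may receive PHI, but only encrypted
PATIENT_ID_RE = re.compile(r"\bPID-\d{8}\b")      # assumed in-house patient identifier format
PHI_KEYWORDS = ("diagnosis", "discharge summary", "lab result", "medication")


def message_text(msg: Message) -> str:
    """Subject, attachment file names and every text part, joined for scanning.
    Binary attachments would need a content extractor; here only their names are checked."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            chunks.append(part.get_filename())
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def phi_indicators(text: str) -> dict:
    """Patient identifiers (deduplicated) and clinical keywords found in the text."""
    lowered = text.lower()
    return {
        "patient_ids": sorted(set(PATIENT_ID_RE.findall(text))),
        "keywords": [k for k in PHI_KEYWORDS if k in lowered],
    }


def recipient_domains(msg: Message) -> set[str]:
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(headers) if "@" in addr}


def classify(raw_message: str) -> tuple[str, list[str]]:
    """Return ("allow" | "encrypt" | "block", reasons).

    Policy: PHI may move freely inside the organisation, may go to trusted partners
    only over an encrypted channel, and must not go to any other external address."""
    msg = email.message_from_string(raw_message)
    found = phi_indicators(message_text(msg))
    if not found["patient_ids"] and not found["keywords"]:
        return "allow", ["no PHI indicators found"]

    reasons = [f"patient IDs: {found['patient_ids']}", f"keywords: {found['keywords']}"]
    external = recipient_domains(msg) - INTERNAL_DOMAINS
    if not external:
        return "allow", reasons + ["all recipients internal"]
    untrusted = external - TRUSTED_PARTNERS
    if untrusted:
        return "block", reasons + [f"PHI addressed to untrusted domain(s): {sorted(untrusted)}"]
    return "encrypt", reasons + [f"PHI to trusted partner(s): {sorted(external)}, encryption required"]


# Constructed messages.
INTERNAL_MAIL = """\
From: dr.lee@hospital.example
To: dr.patel@hospital.example
Subject: PID-00123456 lab result

Lab result for PID-00123456 attached; diagnosis to be confirmed on rounds.
"""

INSURER_MAIL = """\
From: billing@hospital.example
To: claims@insurer.example
Subject: Claim for PID-00123456

Discharge summary for PID-00123456 is attached for the claim.
"""

PERSONAL_MAIL = """\
From: dr.lee@hospital.example
To: Dr Lee <dr.lee@mail.example>
Subject: notes for tonight

Medication list for PID-00998877 and PID-00123456, so I can review at home.
"""

VENDOR_MAIL = """\
From: it@hospital.example
To: support@vendor.example
Subject: Maintenance window on Tuesday

The scanner in room 4 will be offline from 22:00 to 23:00.
"""

if __name__ == "__main__":
    for name, raw in [("internal", INTERNAL_MAIL), ("insurer", INSURER_MAIL),
                      ("personal", PERSONAL_MAIL), ("vendor", VENDOR_MAIL)]:
        decision, why = classify(raw)
        print(f"{name:9s} -> {decision:8s} {'; '.join(why)}")
```

The third message is the everyday case DLP exists for: a doctor mailing patient notes to a personal account with no malicious intent. Note that the check has to run on the gateway's decrypted copy of the message, and that keyword lists like this one produce false positives; in practice the "block" action is paired with a quarantine and a review queue rather than a silent drop.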
Regulations
The EU General Data Protection Regulation (GDPR) comes into effect in May 2018. It imposes heavy responsibilities, with very high financial penalties, and treats health data as a special category of personal data, so the bar is higher than for ordinary personal data. Health institutes should become familiar with the regulation and apply measures such as comprehensive DLP functionality for email, web and endpoints, covering both data in motion and data at rest.
Publicity
In the US, health institutes must notify affected individuals of breaches, and under the HIPAA Breach Notification Rule a breach affecting more than 500 people must also be reported to the media, with great damage to their reputation as a result. From May 2018, when the GDPR becomes effective, European organisations must notify the supervisory authority within 72 hours of becoming aware of a breach and, where the risk to the individuals is high, the affected individuals themselves. An extra reason to take data security very seriously.
These are just a few points. Inter Engineering actively contributes to making IT in the Health Sector more secure with advice, solutions and services. It will be an honor to discuss your organization’s specific needs and help you improve your security.