There is a bulls-eye on the healthcare industry, and hackers are zeroing in on the target. The number of cybercrime incidents that evade traditional security defenses are increasing at an alarming rate because the data stored in Electronic Health Records is a lucrative currency to hackers. Some cyber-risk experts have cited that one Electronic Healthcare Record can go for as high as $500 on the dark web, so it is no wonder that Healthcare is among the most frequently pursued cyberattack targets.
Healthcare data breaches have become almost commonplace. According to the Office for Civil Rights, more than 113 million medical records were compromised in 2015, and more than 3.5 million in the first quarter of 2016 alone. Healthcare’s best strategy is to recognize the risk and adopt a course of action that proactively defends, detects and denies attacks. Last week’s article discussed some of the administrative defenses an organization can employ to defend against cyber-threat.
This article will cover technical defenses that can better position an organization in today’s cyber-war arena. Below are some of the leading technical safeguards:
- Encrypt all sensitive data. Encryption makes sensitive data unreadable by using mathematical formulas to scramble data. Encrypting data can prevent sensitive information from being compromised in transit or at rest, and is critical in light of the high incidence of lost or stolen disks, tapes, laptops, USB storage devices, and/or smartphones.
- Maintain Firewall Protection. A firewall will mitigate your system’s exposure to hacker intrusion by evaluating data coming in or going out against a set of security rules you assign. Best practice is to frequently review your firewall logs and settings, update firmware and implement intrusion detection and intrusion prevention.
- Mitigate Mobile Device Exposure:
- Require Password Protection on all mobile devices;
- Use Data Encryption on mobile devices. Hackers often steal mobile devices as “the way in”, and if one mobile device is compromised, the EHRs on the server could be at risk;
- Install/configure Remote Wiping Features. Installing a remote wiping feature on mobile devices will provide a second line of defense to encryption, allowing you to erase all sensitive data remotely in the event of lost or stolen device;
- Develop mobile device Policies and Procedures. Implement and enforce a comprehensive set of policies and procedures related to the configuration and use of mobile devices in the work place.
- Prevent and detect malware:
- Scan USB’s and other external devices before using them;
- Purchase software directly from the source to avoid installing software that has been “bundled” with a virus;
- Install malware detection software and ensure anti-virus software is in place and that both are kept up-to-date. Using software or other security policies to block known payloads from launching will help to prevent infection.
- Perform regular vulnerability scanning. Routine vulnerability scanning followed by remediation of identified vulnerabilities can strategically position your organization to repel cyber-attacks.
- Perform a penetration test. A penetration test can prove or disprove a real-world attack on your environment and identify additional vulnerabilities unable to be detected through vulnerability scanning alone.
For more information, download our Cybersecurity eBook by clicking on the below link:
BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, senior living organizations, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.