Scalpel, Banana & Reciprocating Saw: Healthcare Data Security

There is a scalpel, a banana and a reciprocating saw laid out on a cold steel table in front of you.

Which do you pick?

Well, if you are a trained medical professional about to perform surgery, you would be reaching for the scalpel (not to mention having a few questions). After years of training, a medical professional knows which is the right tool for the job when it comes to healthcare. They are excellent at what they do. However, when it comes to protecting the healthcare IT systems that support patient care, they may not be the ideal candidate for the task at hand.

Attackers have increasingly focused on healthcare providers as the value of health data has proven to be higher than that of the average set of credentials. Electronic health records, or EHRs, have been shown in studies to command a higher price. They contain a veritable treasure trove of data: not only a name, address, employment and credit information and so on, but also your entire medical history.

While you can take steps to mitigate the fallout from having your credit cards exposed, there isn't much you can do if your medical records are exposed. That particular genie can't be put back into the bottle.

In point of fact, as of Dec. 27, 2018, the Department of Health and Human Services' Office for Civil Rights (OCR) had received notifications of 351 data breaches of 500 or more healthcare records. Those breaches resulted in the exposure of 13,020,821 healthcare records.

This raises the question: how can this data be better protected? There are several steps that can be taken to better protect EHRs overall. First and foremost is encrypting the data. This is not a practice that is as pervasive as it should be in 2019. While some organizations do leverage encryption to protect their systems, there is an equal measure of organizations that do not protect the data they are responsible for. Another step is to work towards de-identification of data so that, in the event of a data breach, the exposed data cannot be mapped back to an individual.

Then there is the need to keep a strong eye toward zero trust from a network perspective. Network segmentation has always been a good practice to ensure that only the systems and people that need access can get access to systems and data. That being said, I have worked in environments in the past where there was no such segmentation, and anyone connected to the network could potentially view resources for which they had no access requirement.

One of the gotchas in any IT environment, and healthcare is not immune to this, is the venerable static password. The value of personally identifiable information (PII) rises when there is healthcare data associated with it. Attackers understand this and will happily leverage methods such as phishing to gain access to sensitive protected health information. Multi-factor authentication (MFA) is an excellent way to help combat this problem. If an attacker gains access to passwords, they will not provide a great return if MFA has been deployed. This is especially true if the MFA uses Universal 2nd Factor to further confound the attacker. U2F is an open authentication standard that strengthens and simplifies two-factor authentication by utilizing USB or near-field communication (NFC) devices such as YubiKeys.

Attackers will not be going away anytime soon. Case in point: years ago I was working for a defense contractor and we found our customer was constantly being attacked from all parts of the globe. One time, out of frustration, I asked if there was any reason why there would ever be legitimate traffic from countries X, Y and Z.

The answer was a flat “never.”

I crafted a bogon list that included the netblocks for those countries and added it to the edge router. Attack traffic dropped off exponentially. Now, this was an improvement, but it did nothing to stop the attacker from finding another avenue.
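Before pushing a netblock drop list to an edge router, it is worth replaying existing connection logs against it to see exactly what would have been dropped and what legitimate traffic would have been caught. The following is an added example (not code from the original post or its author) that does that offline: the prefixes are constructed RFC 5737/3849 documentation ranges standing in for real country netblocks, and the log format is a constructed key=value line.

```python
"""Replay connection-log lines against a CIDR drop list (simulation of an edge-router ACL)."""
import ipaddress
import re

# Constructed drop list: documentation prefixes stand in for the real country netblocks.
DROP_LIST = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "203.0.113.128/25",   # overlaps the previous prefix; collapsed by build_drop_list()
    "2001:db8::/32",
]

# Constructed log lines in a simple key=value format (not a real device's output).
SAMPLE_LOG = [
    "2019-01-14T09:00:01Z src=198.51.100.23 dst=10.0.0.5 action=connect",
    "2019-01-14T09:00:02Z src=192.0.2.10 dst=10.0.0.5 action=connect",
    "2019-01-14T09:00:03Z src=203.0.113.200 dst=10.0.0.8 action=connect",
    "2019-01-14T09:00:04Z src=2001:db8:1::7 dst=10.0.0.5 action=connect",
    "2019-01-14T09:00:05Z src=10.0.0.77 dst=10.0.0.5 action=connect",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)$")


def build_drop_list(prefixes):
    """Parse CIDR strings and collapse overlapping/adjacent prefixes per address family."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_dropped(src, drop_list):
    """True if src falls inside any dropped prefix; unparsable sources are not matched."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in drop_list)


def filter_log(lines, drop_list):
    """Classify each log line as dropped, allowed, or malformed (kept for review, never silently lost)."""
    result = {"dropped": [], "allowed": [], "malformed": []}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            result["malformed"].append(line)
            continue
        bucket = "dropped" if is_dropped(m["src"], drop_list) else "allowed"
        result[bucket].append(m["src"])
    return result


if __name__ == "__main__":
    summary = filter_log(SAMPLE_LOG, build_drop_list(DROP_LIST))
    print({k: len(v) for k, v in summary.items()})  # {'dropped': 3, 'allowed': 2, 'malformed': 1}
```

The allowed list is the one to inspect before deployment: any source you expected to drop that still appears there points to a missing prefix, and anything in the dropped list that belongs to a partner or remote clinic is a false positive the ACL would have caused.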

That's the rub. The attackers will keep coming. Ensuring that EHRs are protected is a constant battle of increments, but one that can be won. As the annual HIMSS healthcare information and technology conference approaches, we need to remember that the requirement is to protect data and systems so that healthcare professionals can focus on patient care and not have to worry about the reciprocating saw (or the banana).