Scalpel, Banana & Reciprocating Saw: Healthcare Data Security

A scalpel, a banana, and a reciprocating saw are laid out on a cold steel desk in front of you.

Which do you pick out?

Well, if you are a trained medical professional about to perform surgery, you'd be reaching for the scalpel (not to mention having several questions). After many years of schooling, a medical professional knows which is the right tool for the job when it comes to healthcare. They are excellent at what they're good at. However, when it comes to protecting the healthcare IT systems that help support patient care, they may not be the right candidate for the task at hand.

Attackers have been targeting healthcare providers more and more, because the value of health records has proven to be higher than that of the average credential set being discovered. Electronic health records, or EHRs, have been shown by research to carry a higher value. They contain a veritable treasure trove of information that not only includes name, address, employment, credit information and so forth; they also contain your entire medical history.


While you can take steps to mitigate the fallout from having your credit cards exposed, there isn't much you can do if your medical data is exposed. That particular genie can't be stuffed back into the bottle.

In point of fact, as of Dec. 27, 2018, the Department of Health and Human Services' Office for Civil Rights (OCR) had received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

This naturally begs the question: how can this data be better protected? There are several steps that can be taken to better protect EHRs overall. First and foremost is encrypting the data. This is not a practice that is as pervasive as it should be in 2019. While some organizations do leverage encryption to protect their systems, there is an equal measure of organizations that don't protect the data they're responsible for. Another step that can be taken is to work toward de-identification of data, so that in the event of a data breach the exposed data can't be mapped back to an individual.
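As an added example (not code from the original article), here is one way to carry out the de-identification step described above in Python: direct identifiers are dropped, the patient ID is replaced by a keyed HMAC pseudonym so records stay linkable for research but cannot be reversed without a key held outside the EHR, and date of birth and ZIP code are generalized. The sample record, its field names and the key are constructed assumptions, not a real EHR schema.

```python
"""De-identify an EHR-style record before it is copied out of the clinical
system. Constructed example: field names, record and key are assumptions."""
import hashlib
import hmac

# Direct identifiers removed outright (assumed field names).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "ssn", "employer"}


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the patient ID.

    A plain unkeyed hash would be reversible by hashing every plausible
    MRN; with the key held separately, a breached copy of the de-identified
    data cannot be mapped back to a patient.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def generalize_dob(dob: str) -> str:
    """Keep only the birth year ("YYYY-MM-DD" -> "YYYY")."""
    return dob[:4]


def generalize_zip(zip_code: str) -> str:
    """Truncate a five-digit ZIP to its first three digits."""
    return zip_code[:3] + "00"


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with identifiers removed or generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_id"] = pseudonymize(record["patient_id"], key)
    out["dob"] = generalize_dob(record["dob"])
    out["zip"] = generalize_zip(record["zip"])
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "patient_id": "MRN-0004271",
    "name": "Jane Doe",
    "address": "12 Example St",
    "phone": "555-0100",
    "dob": "1979-03-14",
    "zip": "02139",
    "diagnosis_codes": ["E11.9", "I10"],
}

if __name__ == "__main__":
    # Assumed key; in practice it lives in a key store, never beside the data.
    print(deidentify(SAMPLE, b"assumed-secret-held-outside-the-EHR"))
```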

Then there is the need to keep a strong eye toward zero trust from a network perspective. Network segmentation has always been a good practice to ensure that only the systems and individuals that need access can reach systems and data. That being said, I have worked in environments in the past where there was no such segmentation and anyone connected to the network could potentially view resources for which they had no access requirement.

One of the gotchas in any IT environment – and healthcare isn't immune to this – is the venerable static password. The value of personally identifiable information (PII) rises when there is healthcare data associated with it. Attackers know this, and they will happily leverage means such as phishing to gain access to sensitive protected health information. Multi-factor authentication (MFA) is an excellent way to help combat this problem. If an attacker can gain access to passwords, those passwords will not offer a good return if MFA has been deployed. This is especially true if the MFA is using Universal 2nd Factor to further confound the attacker. U2F is an open authentication standard that strengthens and simplifies two-factor authentication by using USB or near-field communication (NFC) devices such as YubiKeys.

Attackers will not be going away any time soon. Case in point: years ago I was working for a defense contractor, and we would find our client was constantly being attacked from all parts of the globe. One time, out of frustration, I asked if there was any reason why there would ever be legitimate traffic from countries X, Y, and Z.


The answer was a flat "never."

I crafted a bogon list that covered the netblocks for the aforementioned countries and added it to the edge router. Attack traffic dropped off exponentially. Now, this was an improvement, but it did nothing to stop the attacker from finding another avenue.

That's the rub. The attackers will keep coming. Ensuring that EHRs are protected is a constant battle of increments, but one that can be won. As the annual HIMSS healthcare information and technology conference approaches, we need to remember that the requirement is to protect data and systems so that healthcare professionals can focus on patient care and not have to worry about the reciprocating saw (or the banana).