THREATS IN THE HEALTH INDUSTRY (PHI)
In recent years, most online attacks on healthcare systems have involved malware or viruses. Medical information has become a popular target for cyber attacks, and failed firewalls or weak authentication measures can open the door to them.
One of the biggest malware threats in 2014 occurred when Chinese cyber criminals hacked into the computer system at Community Health Systems, Inc. Approximately 4.5 million patients had their data compromised, including names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.
According to a Cisco report, mobile threats are becoming a greater issue for healthcare companies. Bring-your-own-device (BYOD) policies and secure messaging systems bring more cell phones, tablets and laptops into facilities. From there, an unsecured device could be the entry point that a cyber attacker needs to access sensitive information.
The US Department of Homeland Security announced earlier this year that it was investigating approximately two dozen cases of suspected cybersecurity flaws in medical devices. The worry is that cyber criminals could attempt to gain control of the devices remotely and create problems.
As more healthcare facilities connect their networks and increase the use of mobile devices, it is unrealistic to assume that malware attacks are impossible. Even so, there are critical technical, administrative and physical safeguards that can be put in place to mitigate the risks.
- Authentication: Healthcare organizations must ensure that a user who is viewing protected health information (PHI) is actually authorized to do so. Current and former employees might improperly access data or try to upload malware.
- Access and audit control: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI are critical tools. There should be a formal policy for access control that will guide the development of procedures.
- HIPAA safeguards: Data encryption and firewalls are just the beginning in terms of HIPAA technical safeguards. Along with that, healthcare facilities should train and educate all employees on how to access PHI properly and how to keep the network protected.
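
An added example (not from the original article) of the kind of review the authentication and audit-control items above call for: it examines ePHI access records and flags access by terminated accounts, by unknown accounts, and to patients outside a user's assignment. The log format, account names, patient IDs and the `review` function are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data, not taken from any real system.
TERMINATED = {"jdoe": datetime(2024, 3, 1)}        # account -> date access should have ended
CARE_TEAM = {"asmith": {"P100", "P101"},           # account -> patients the user is assigned to
             "jdoe": {"P200"}}

# Assumed record layout: ISO timestamp, account, action, patient ID.
AUDIT_LOG = """\
2024-02-27T09:14:02 asmith READ P100
2024-02-27T09:20:45 asmith READ P300
2024-03-04T22:41:10 jdoe READ P200
2024-03-05T08:02:33 asmith READ P101
2024-03-05T08:05:00 tempuser EXPORT P100
malformed line
"""

def review(log_text, terminated, care_team):
    """Return (line_number, reason) for every record that needs follow-up."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            user, action, patient = parts[1:4]
        except (ValueError, IndexError):
            # A record that cannot be examined is itself an audit gap.
            findings.append((n, "unparseable record"))
            continue
        if user not in care_team:
            findings.append((n, "unknown account"))
            continue
        # Former employees: any activity on or after the termination date.
        if user in terminated and ts >= terminated[user]:
            findings.append((n, "access after account termination"))
        # Authorized users: PHI outside the patients they are assigned to.
        if patient not in care_team[user]:
            findings.append((n, "patient outside user's assignment"))
    return findings

if __name__ == "__main__":
    for line_no, reason in review(AUDIT_LOG, TERMINATED, CARE_TEAM):
        print(f"line {line_no}: {reason}")
```
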