One of the first words that comes to mind when I think of medical care is hygiene. Let’s face it, poor hygiene practices in a healthcare provider’s facilities can cause major issues and possibly loss of life. Consumers of healthcare services trust that their provider is taking every precaution possible to protect them from the disease or infection that can occur when proper hygiene is not practiced.
There’s another form of hygiene at play here, one that matters even after a successful procedure has been performed and the patient is recovering comfortably at home. I’m talking about the hygiene of a provider’s information technology systems and infrastructure. Malicious attackers thrive on organizations with poor IT hygiene, and depending on the motive, the results can range from theft of patient information to impacts far more serious.
In working with healthcare providers, I see significant time and money invested to protect the organization’s data and operational functionality. Most of that investment, however, typically goes toward being compliant with HIPAA and other regulations.
If I had to visualize what this looks like, I’d say imagine a cluttered room with only the very center straightened up and somewhat organized, maybe even spotless. This is what we see very often. In the center of the room you have the electronic system that houses the patient information, and the outlying clutter is everything else that keeps the organization up and running.
Unfortunately, this cluttered room can be good enough to earn the compliance stamp of approval, but all it takes is one weakness anywhere in your network for an attacker to wreak havoc. The same mindset that is applied to hygiene in the operating room should be applied to the operation of IT.
Compliance Does Not Ensure Protection
Compliance does not ensure protection. Mandatory regulations were designed to protect patient data, so organizations focus their security efforts on the systems containing that protected data and leave the aforementioned outlying “clutter” exposed.
As technology advances and attacks become more sophisticated, this strategy puts organizations at higher risk and leaves data even more vulnerable. The outlying operating environment is often exactly the foothold an attacker needs to reach and steal valuable patient information.
The focus should be on the security of the whole network, to protect against advanced persistent threats. The saying “it’s not if but when” couldn’t apply more to healthcare organizations. Patient records are among the most valuable information on the black market; a single electronic Medicare or Medicaid health record can bring up to $500.
What could an attacker do if they gained access to your organization? Maybe it’s time you found out, on your terms. Evaluate your IT hygiene through advanced penetration testing to diagnose vulnerabilities, backed by ongoing security monitoring and threat intelligence.
Just like your patients’ physical health, the health of your network security depends on these routine checkups.