PHI is hacker gold. Healthcare organizations are the goldmine.

By: Tod Ferran, HIPAA Security Analyst
This article was originally written for The PAHCOM Journal.
In the last few years, the healthcare industry has become a goldmine for attackers. According to the Department of Health and Human Services (HHS), over 125 covered entities and business associates experienced data breaches due to a hacking incident in 2015 (affecting more than 99 million Americans).

How do attackers gather patient (and other) data from healthcare systems? In nearly every reported hacking incident, malware is the assumed culprit.

What is malware?

Malware is malicious software designed to gain a foothold on a network, find sensitive data, and steal it. Keylogger malware records every keystroke a user makes on a computer or mobile device, including the passwords typed, which lets criminals log in to those same systems with legitimate credentials. Memory scrapers capture, or 'scrape', sensitive information from system memory (where data is often held unencrypted even when it is encrypted on disk) and send it back to the attacker. Packet-sniffing malware intercepts incoming and outgoing network traffic and decodes whatever is sent in the clear, which is one reason ePHI should be encrypted in transit.

Once on your system, malware gives the attacker whatever access the infected account has, and on a workstation where users run as administrators that is effectively unlimited access. Think of all the patient data that could be extracted.

Although malware has been infecting computers for decades, new strains are created every day. These new strains often go unrecognized because they are built to evade signature-based anti-virus software. Some can self-update to avoid detection, or automatically reinstall in a different location if deleted.


Healthcare is in danger

Malware knows no boundaries. According to the Ponemon Institute's Annual Benchmark Study on Patient Privacy and Data Security, criminal attacks on healthcare increased 100% in 2014. Because healthcare is notorious for its lack of security, healthcare organizations are a target for new waves of malware attacks. Most healthcare attacks go undetected because of a lack of security knowledge and a lack of properly implemented security tools.
Here are three steps you can take to reduce the risk of malware to your patient data.

1. Become HIPAA compliant

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, administered by HHS, exists to protect patient data, and in doing so it protects your organization. Several of its implementation specifications directly make it harder for attackers to get malware onto your systems, such as:
  • § 164.308(a)(5)(ii)(A) Security reminders: periodic security updates to the workforce, including keeping systems current with security patches.
  • § 164.308(a)(5)(ii)(B) Protection from malicious software: procedures for guarding against, detecting, and reporting malicious software (anti-virus).
  • § 164.308(a)(5)(ii)(C) Log-in monitoring: procedures for monitoring log-in attempts and reporting discrepancies, which in practice means logging and alerting on critical systems.
  • § 164.308(a)(5)(ii)(D) Password management: procedures for creating, changing, and safeguarding passwords.
  • § 164.308(a)(5)(i) Implement a security awareness and training program for all workforce members (including management).

Some important aspects of HIPAA compliance that should receive attention first are: keeping systems current with security patches, restricting administrative privileges (so malware that lands on a user's machine cannot install itself system-wide), and application whitelisting on each system (allowing only approved programs to run).

2. Protect your remote access system

One of the easiest ways for attackers to break into your system and download malware is through insecure remote access applications. There are three main ways remote access is left unsecured:

Unchanged vendor default usernames and passwords
Many remote access systems ship with a default username and password, and those defaults are easily found with a web search; attackers also try them automatically against any remote access service they find. If you haven't changed your default remote access credentials, you're just making a hacker's job easier.

An attacker must guess both the username and the password to gain access to your system, so make both hard to guess. Don't use your organization's name or a predictable account name such as "admin". Instead, use fictitious usernames like Spok236.

Remote access granted too broadly
Only provide remote access to those whose job requires it, and never share remote access credentials. One of the best ways to determine who should have access is to set up user privileges by role. First, define roles that correspond to your organization's structure. Hospitals will likely have 20+ different roles; physician offices will probably have fewer than 10. Each role is then assigned the minimum access an employee needs to perform his or her job, and that role determines whether, and to what, the employee can connect remotely.

Lack of two-factor authentication
Using a single factor (a password) makes it easy for attackers to gain access: a password that has been phished, captured by a keylogger, or reused from another site's breach is all they need. Two-factor authentication helps prove you are who you say you are and greatly reduces that risk. It requires proof from two of the following three categories (a username does not count as one of the two factors):
  1. Something only the user knows (e.g., a password)
  2. Something only the user has (e.g., a cell phone or an RSA token)
  3. Something the user is (e.g., a fingerprint).
For example, if you require a password plus a four-digit one-time PIN sent through SMS to your phone, an attacker would have to learn your password and also control your phone before gaining remote access to your systems. Be aware that SMS is the weakest form of second factor, since text messages can be intercepted or redirected by a SIM swap; an authenticator app or a hardware token is stronger. Even so, SMS is a large improvement over a password alone.
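As an added example (not code from the article or from SecurityMetrics), the Python below puts the two rules from this section into one remote-access gate: the account's role must be on a remote-access allow list, the password must match, and a one-time code must be valid. It goes beyond the article's SMS PIN by using a time-based one-time code from an authenticator app (RFC 6238), which is not exposed to SMS interception, and it refuses a code that has already been used. The usernames, roles, passwords, seeds, and allow list are constructed for illustration; the physician's seed is the RFC 4226/6238 test seed only so the numbers are reproducible.

```python
import hashlib
import hmac
import os
import struct

# Roles whose duties require remote access (constructed set; a real office
# would derive this from its own role definitions).
REMOTE_ACCESS_ROLES = {"physician", "billing_manager", "it_admin"}
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash). A fresh random salt is
    generated when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(role: str, password: str, totp_seed: bytes) -> dict:
    """Store only the salted password hash, the TOTP seed, and the last
    accepted time step (used to refuse replayed codes)."""
    salt, pw_hash = hash_password(password)
    return {"role": role, "salt": salt, "pw_hash": pw_hash,
            "totp_seed": totp_seed, "last_step": -1}


def verify_remote_login(users: dict, username: str, password: str,
                        code: str, now: int, step: int = 30) -> bool:
    """Grant remote access only if ALL of these hold:
      1. the account's role is on the remote-access allow list,
      2. the password (something you know) matches,
      3. the one-time code (something you have) is valid for the current
         30-second step, allowing one step of clock drift either way, and
         is newer than the last code accepted for this account.
    Every check runs even after an earlier one fails, so a failure does not
    reveal which factor was wrong."""
    user = users.get(username)
    if user is None:
        # Spend the same effort as a real check so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False

    role_ok = user["role"] in REMOTE_ACCESS_ROLES

    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])

    matched_step = None
    current_step = now // step
    for drift in (-1, 0, 1):
        step_no = current_step + drift
        expected = hotp(user["totp_seed"], step_no)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched_step = step_no
    # Replay protection: a code for a step already used is refused even
    # though it is still inside the drift window.
    code_ok = matched_step is not None and matched_step > user["last_step"]

    if not (role_ok and password_ok and code_ok):
        return False
    user["last_step"] = matched_step
    return True


def build_demo_users() -> dict:
    """Constructed sample accounts. The seeds are fixed (the RFC 4226/6238 test
    seed for the physician) only so the example is reproducible; real seeds
    must be random and stored encrypted."""
    return {
        "Spok236": make_user("physician", "correct horse battery staple",
                             b"12345678901234567890"),
        "front_desk_04": make_user("receptionist", "Welcome2016!",
                                   b"abcdefghijklmnopqrst"),
    }


if __name__ == "__main__":
    users = build_demo_users()
    now = 59  # seconds since the epoch; the RFC 6238 test time
    code = totp(b"12345678901234567890", now)
    print("physician, both factors, first use:",
          verify_remote_login(users, "Spok236", "correct horse battery staple", code, now))
    print("same code replayed:",
          verify_remote_login(users, "Spok236", "correct horse battery staple", code, now))
    print("receptionist with correct factors but no remote-access role:",
          verify_remote_login(users, "front_desk_04", "Welcome2016!",
                              totp(b"abcdefghijklmnopqrst", now), now))
```

The same structure works for the article's SMS PIN: the server would generate a random PIN, store it with an expiry instead of deriving it from a seed, and the "already used" check becomes deleting the PIN once it is accepted. Whatever the second factor, the point is that the role check, the password check, and the code check are all required and none of them can be skipped by a remote caller.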


3. Train your staff

Employees are one of the biggest weak points in any organization. Your staff don't necessarily know the dangers of malware and might download it by accident if they are not properly trained.

Train your staff to never browse the Internet, check non-work email, play online games, or do anything unnecessary on computers that handle ePHI. They should know never to click on links that are unsolicited, especially in emails.

Another important training topic is social engineering. A common form is an intruder posing as a janitor, IT technician, public utility worker, or telecommunications professional. Criminals pick these roles because they are often granted broad physical access and their actions are not monitored. Nobody should be allowed into areas with sensitive data without proper authorization, and staff should feel free to ask for it.

Protect patient data from malware

I hope the technical information presented in this article didn't make you feel overwhelmed. If it did, discuss these data security points with your IT vendor, or consult a HIPAA compliance vendor. They can help you understand and implement current security processes and procedures. Protecting patient data from malware is achievable with the right tools, controls, and people in place.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.