It has been another busy year for Healthcare IT. Between acquisitions, changes in regulations, and IoT, there has been a lot of progress. However, there is one trend we aren’t so proud of and that is the number of breaches that have happened in 2019. If you made it to December without an IT incident, we congratulate you because many others haven’t been so lucky.
2019 has been a record year for cybersecurity attacks and breaches. Bad actors have been specifically targeting the healthcare industry because many organizations have not properly secured their IT environments. No matter your organization's size, everyone needs to prioritize security and compliance. In fact, because so many healthcare organizations have agreed to pay a ransom, a market has grown up around it: Ransomware-as-a-Service (RaaS).
Only as good as your weakest link
They say healthcare IT security is only as good as the weakest link. That statement assumes an organization has put a security program in place as a strategic goal. Unfortunately, that isn't always the case. A breach can happen in the blink of an eye... or more likely in the click of a link.
Email phishing is a common way healthcare organizations are being breached. An email asks a user to reset a password, log in, and so on. The user is tricked into thinking the email is legitimate, and the credentials entered on the attacker's page become the attacker's foothold. The attackers then log in to the network with those credentials and launch a ransomware attack, demanding thousands of dollars to release the data. These attacks succeed because, once authenticated, an ordinary user account typically has write access to far more network shares than the job requires, and ransomware running under that account can encrypt every file the account can write to.
Another common weak point we see is contact information published on a website. A company features a doctor's email address on its website, and that doctor hasn't changed their password in 10 years nor added any additional protection (e.g. a passphrase instead of a password, or multi-factor authentication). The user ID and password are compromised, the bad actor gains access to the network and wreaks havoc. Board meetings become uncomfortable discussions of whether or not to pay the ransom. Security measures that have been discussed for years (and could have been implemented proactively for pennies on the dollar) are now implemented at great expense. Attorneys are hired to handle breach communications with the Office for Civil Rights, all while patient records remain inaccessible. Expensive havoc indeed.
Even scarier, any non-technical criminal can leverage an existing Ransomware-as-a-Service platform (once they obtain a working login to the healthcare organization's network from the internet) to launch a ransomware attack. The RaaS kits, or packages, often come complete with Bitcoin amounts, payment instructions and dashboards showing how many victims are waiting to pay. Here's one example:
It is important to note that many of the companies that have been breached could have avoided being breached, or paying a ransom, if they had implemented the correct controls and basic security standards.
Common security best practices:
- Discuss the security impact of any change to the network before it is made
- Appropriate authentication for workplace applications (multi-factor authentication wherever it is available)
- Annual workforce training and awareness
- An action plan for restoring your systems and data in the event of a disaster (e.g. ransomware, hardware failure, unauthorized compromise). Backups must be kept where a compromised user account cannot reach and encrypt them, and the restore procedure must be tested. In most ransomware cases, a working contingency and recovery plan keeps patient care going while the EMR systems and ePHI data services are restored.
Looking forward to 2020
Looking forward, here are my predictions for what will happen in cybersecurity in 2020:
- The trend of successful cybersecurity attacks will increase at least 50%.
- 40% of healthcare organizations will continue to ignore HIPAA Security requirements because they believe they will not get caught attesting for MIPS, or perceive a checklist as adequate.
- Frustrated hackers who did not get their ransom will begin releasing the ePHI data of those healthcare organizations that did not pay. Hence all ransomware breaches, past or present, will qualify as breaches requiring notice to the Department of Health and Human Services.
Scary? Yes. Unavoidable? No. Microsoft recently published analysis of its Office 365 cloud sign-in data showing that multi-factor authentication (for example, a one-time code sent to the user's phone at login) blocks 99.9% of attacks on user accounts. Multi-factor authentication is included with every Office 365 subscription at no extra cost, regardless of the subscription level; it only has to be turned on and enforced for every user.
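The two findings above, the doctor whose password has not changed in 10 years and the accounts with no second factor, can both be pulled from an Office 365 tenant in a few lines. The following script is an added example written for this page, not code from the original post or from HIPAA One or Microsoft. It uses the MSOnline PowerShell module that was current in 2019 (Microsoft has since deprecated MSOnline in favor of Microsoft Graph PowerShell, and per-user MFA in favor of Conditional Access, but the properties checked are the same). It assumes an account with Global Administrator rights and that `Install-Module MSOnline` has already been run; the output file name is arbitrary.

```powershell
# Added example (not from the original post): audit per-user MFA state and
# password age in an Office 365 / Azure AD tenant with the MSOnline module.
# Assumes: Global Administrator credentials and 'Install-Module MSOnline' done.

Connect-MsolService   # interactive admin sign-in

$allUsers = Get-MsolUser -All

# Licensed, sign-in-enabled users with no per-user MFA requirement at all.
$noMfa = $allUsers | Where-Object {
    $_.IsLicensed -and -not $_.BlockCredential -and
    $_.StrongAuthenticationRequirements.Count -eq 0
}

# Users who are required to use MFA but have never registered a method.
# Until they register, the requirement protects nothing.
$notRegistered = $allUsers | Where-Object {
    $_.StrongAuthenticationRequirements.Count -gt 0 -and
    $_.StrongAuthenticationMethods.Count -eq 0
}

# Accounts whose password is older than two years (the "10 years" case above).
$stalePassword = $allUsers | Where-Object {
    $_.IsLicensed -and $_.LastPasswordChangeTimestamp -lt (Get-Date).AddYears(-2)
}

# Report: one CSV per finding for the board pack (file names are arbitrary).
$noMfa         | Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
$notRegistered | Select-Object UserPrincipalName, DisplayName |
    Export-Csv -Path .\users-mfa-not-registered.csv -NoTypeInformation
$stalePassword | Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Export-Csv -Path .\users-stale-password.csv -NoTypeInformation

# Remediate: require MFA for every account that has none. State 'Enabled'
# makes the user register a method at next interactive sign-in; 'Enforced'
# additionally cuts off legacy clients that cannot do MFA.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'
foreach ($u in $noMfa) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
    Write-Host "MFA enabled for $($u.UserPrincipalName)"
}
```

Run the report section first and review the CSVs before running the remediation loop: turning MFA on for shared mailboxes or service accounts that nobody can register a phone for will lock them out, so those should be handled (or excluded) deliberately rather than swept up by the loop.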
HIPAA One and Microsoft partnered to write two whitepapers. Both were written to help healthcare professionals configure Windows 10 and Office 365 securely. We want to help as many organizations as possible achieve security while remaining flexible enough to support the needs of healthcare. We know that many clinics run their IT on a shoestring budget and need help moving to a cloud solution to reduce maintenance costs.
Taking Healthcare IT seriously
HIPAA One takes the federal regulations and translates them into modern technologies and a TurboTax-like workflow in easy-to-use, web-based software (https://www.hipaaone.com/security-risk-analysis/). This model was adopted because it is user-friendly and its basic language is already understood by the public. It establishes a flexible approach to policies and procedures that matches the culture of the organization, establishing a standard in the spirit of the HIPAA rules.
2020 will be an interesting year. We are sure to see a continuation of ransomware attacks and IT breaches. Our goal going into 2020 is to help organizations lower their risk of being attacked. The HIPAA One software follows NIST-based controls and best practices to help organizations identify where their risks are and then build an action plan to mitigate them. We can help organizations of any size create a go-forward plan that best suits their culture and readiness for an attack.
To learn more about HIPAA One and how we can help your organization's security posture in 2020, visit hipaaone.com/contact.