This week Tandem Cyber Solutions had the privilege of presenting to the Lowcountry Senior Network on the topic of "Healthcare through the Eyes of an Attacker". We demonstrated the importance of a strong password and how easily an attacker can take over a healthcare system. Hopefully LSN enjoyed the time as much as we did. To follow up on the presentation, we created a list of items that will substantially reduce the risk to any healthcare business.
1. Encryption
Encryption not only protects sensitive data from an attacker; it is also expected under the HIPAA Security Rule (an "addressable" specification, meaning you implement it or document why an equivalent safeguard was used instead), and properly encrypted ePHI that is lost or stolen generally does not count as a reportable breach. Luckily, Microsoft and Apple have both made full-disk encryption a built-in option: BitLocker on Windows and FileVault on macOS. Beyond the hard drive, organizations need to make sure that every web application handling patient data is accessed over HTTPS, so that traffic cannot be read on the wire. Finally, when transferring patient information, use a secure (encrypted) email service or encrypt the files before sending them, for example with the encryption tools built into Windows 10.
2. Strong Passwords
Passwords are the weakest link in user accounts and encrypted data, largely because users have been worn down by overzealous password policies. Rules that force 30-day resets and elaborate character requirements push users toward reusing one password on every account or changing a single character each cycle (Summer2023! becomes Summer2024!). By switching to long passphrases made of several unrelated words, businesses get passwords that employees can actually remember and that are far harder to guess or crack; current NIST guidance (SP 800-63B) likewise drops periodic resets in favor of length and screening against known-breached passwords.
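The two policy points above, rejecting "new" passwords that differ from the old one by a character or a trailing number, and preferring length over complexity, as an added Python example (not code from the original post or from Tandem Cyber Solutions). The 15-character minimum, the 1e10 guesses-per-second figure implied by the bit estimates, and the 7776-word Diceware list size are assumptions for illustration; the check is meant to run inside whatever password-change hook your directory or application offers.

```python
import math
import re

# Word-list size used for the passphrase estimate: 7776 is the size of the
# standard Diceware list (assumption; substitute your own list size).
DICEWARE_WORDS = 7776


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must brute-force for this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits_charset(password: str) -> float:
    """Upper bound: bits of work for pure brute force over the character set."""
    return len(password) * math.log2(charset_size(password))


def entropy_bits_wordlist(passphrase: str, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Lower bound for a passphrase: attacker knows it is N words from a known list."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character 'new' passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(s: str) -> str:
    # Strip a trailing run of digits plus any trailing punctuation: Summer2023! -> summer
    return re.sub(r"\d+[^a-z0-9]*$", "", s.lower())


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is the old one with a cosmetic change."""
    o, n = old.lower(), new.lower()
    if o == n or edit_distance(o, n) <= 1:
        return True
    stem = _stem(o)
    return bool(stem) and stem == _stem(n)


def check_new_password(old: str, new: str, min_length: int = 15) -> list:
    """Return the reasons a password change should be rejected (empty = accept)."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_trivial_variation(old, new):
        reasons.append("trivial variation of the previous password")
    return reasons


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Welcome1", "Welcome99"),
                     ("Summer2023!", "correct horse battery staple")]:
        verdict = check_new_password(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {', '.join(verdict)}")
    print("P@ssw0rd1! brute-force bits:", round(entropy_bits_charset("P@ssw0rd1!"), 1))
    print("4-word passphrase, list known to attacker:",
          round(entropy_bits_wordlist("correct horse battery staple"), 1))
```

The two entropy functions are there to keep the length argument honest: the character-set model credits P@ssw0rd1! with about 66 bits even though rule-based cracking finds such patterned passwords in seconds, while a four-word passphrase whose word list the attacker knows is worth only about 52 bits. For accounts whose hashes could be cracked offline, ask for five or six words; the check above does not stop you from setting `min_length` higher.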
3. Event Logging
HIPAA also requires audit controls: event logging must be enabled on every system and application that handles ePHI. Beyond monitoring events as they happen, keep the logs for a reasonable period, at least several months and ideally a year. Most breaches are discovered months after the intruder first got in, commonly six months to a year, so diligent logging and log retention give an organization a trail to follow when a breach occurs. In some cases the audit trail may even spare a business from having to report an incident, if it can show from the logs that the ePHI was never actually accessed.
4. Unique User Accounts
Often overlooked in smaller practices, unique user accounts are required for every system and application that handles ePHI (the Security Rule's unique user identification standard, enforced by the HHS Office for Civil Rights). The requirement goes hand in hand with logging: when each person has their own account, reconstructing who did what after a breach is far easier, whereas a shared login leaves no way to tell staff apart. Insider cases in which employees stole patient information have been uncovered precisely through diligent per-user logs.
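The trail-following and per-user attribution described in the logging and unique-account sections above, as an added Python example (not code from the original post, from Tandem Cyber Solutions, or from any EHR vendor). The one-line-per-event log format, the user names, record numbers and workstation addresses, the corrupt line, and the thresholds for "bulk access" and "shared account" are all constructed for illustration; adapt the regular expression to your own system's audit export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an EHR audit log in a made-up one-line-per-event format
# (not any real product's format): timestamp, user, action, patient record, workstation.
SAMPLE_LOG = """\
2024-03-04T09:12:31Z user=jsmith action=VIEW patient=MRN-1001 src=10.0.5.21
2024-03-04T09:13:02Z user=jsmith action=VIEW patient=MRN-1002 src=10.0.5.21
2024-03-04T09:14:10Z user=frontdesk action=VIEW patient=MRN-1003 src=10.0.5.30
2024-03-04T09:14:40Z user=frontdesk action=VIEW patient=MRN-1004 src=10.0.5.31
2024-03-04T09:15:05Z user=mlee action=VIEW patient=MRN-1005 src=10.0.5.22
2024-03-04T09:15:09Z user=mlee action=VIEW patient=MRN-1006 src=10.0.5.22
2024-03-04T09:15:13Z user=mlee action=VIEW patient=MRN-1007 src=10.0.5.22
2024-03-04T09:15:17Z user=mlee action=EXPORT patient=MRN-1008 src=10.0.5.22
2024-03-04T09:15:21Z user=mlee action=VIEW patient=MRN-1009 src=10.0.5.22
2024-03-04T09:15:25Z user=mlee action=VIEW patient=MRN-1010 src=10.0.5.22
2024-03-04T09:15:29Z user=mlee action=VIEW patient=MRN-1011 src=10.0.5.22
this line is corrupt and should be skipped
2024-03-04T10:02:44Z user=jsmith action=UPDATE patient=MRN-1001 src=10.0.5.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the log into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def patient_trail(records: list, patient: str) -> list:
    """Every touch of one patient record, in time order: when, who, what, from where."""
    return [(r["ts"], r["user"], r["action"], r["src"])
            for r in sorted(records, key=lambda r: r["ts"]) if r["patient"] == patient]


def _by_user(records: list) -> dict:
    groups = defaultdict(list)
    for r in records:
        groups[r["user"]].append(r)
    for recs in groups.values():
        recs.sort(key=lambda r: r["ts"])
    return groups


def bulk_access_users(records: list, max_patients: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Users who opened more than max_patients distinct records inside one window
    (the signature of an insider pulling records to sell)."""
    flagged = {}
    for user, recs in _by_user(records).items():
        for i, start in enumerate(recs):
            seen = {r["patient"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(seen) > max_patients:
                flagged[user] = len(seen)
                break
    return flagged


def shared_account_candidates(records: list,
                              window: timedelta = timedelta(minutes=2)) -> dict:
    """Accounts used from more than one workstation within a short window:
    a sign of a shared login that cannot be tied to one person."""
    flagged = {}
    for user, recs in _by_user(records).items():
        for i, start in enumerate(recs):
            srcs = {r["src"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(srcs) > 1:
                flagged[user] = srcs
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Trail for MRN-1001:")
    for ts, user, action, src in patient_trail(recs, "MRN-1001"):
        print(f"  {ts:%Y-%m-%d %H:%M:%S} {user:<10} {action:<7} from {src}")
    print("Bulk access:", bulk_access_users(recs))
    print("Possible shared accounts:", shared_account_candidates(recs))
```

`patient_trail` is the question an investigator asks first ("was this record touched, and by whom?"); an empty trail for the records in question is the evidence that supports not reporting. The two detectors only work because every event carries an individual user name: a shared "frontdesk" login shows up here as one account on two workstations within thirty seconds, which is exactly the ambiguity unique accounts remove.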
5. Cyber Liability Insurance
Breaches are a costly problem and have been the death of many organizations; by one widely cited estimate, most (roughly 60%) of small businesses that suffer a network compromise go out of business. We recommend that every business carry a cyber liability insurance plan. To estimate how much coverage you may need, take the average cost of a breach in the healthcare industry, $408 per record, and multiply it by the number of records your organization manages. That is a good baseline to bring to an insurance partner, and when you do, make sure social engineering is covered in the policy. We have found this coverage is often missing from policies even though social engineering is where most breaches begin.
Of course, these are only a few ways to help protect a business in the healthcare industry. Comment below with more tips you have found useful.