Cyber-attacks have become the biggest reason of concern for organizations and individuals alike. This concern mainly stems from the fact that organizations are ill-prepared to deal with cyber threats. To add to this, hackers are leaving no stone unturned to get access to data worth millions.
A number of segments have borne the brunt of data frauds, and healthcare is no exception. According to SC magazine UK, half of the attacks in 2017 were targeted to healthcare. If we further diagnose the health of the sector, breach of electronic health records (EHR) continues unabated. According to a survey by Accenture, despite digital data protection measures, 26% of healthcare consumers have experienced data breach in 2017.
Why EHR Security Is Essential
EHR data has become one of the most lucrative segments for hackers. This is further proved by the unceasing breaches that are being reported across the world, the US being highly affected. But what makes the EHR data worth targeting needs to be looked into. EHRs are highly sensitive patients data that not just have individual’s health information but other personal information like patient’s address, credit card number, social security number and other key credentials. This data if leaked will result in credit card frauds, exploitation of insurance companies and other risks such as duplicity of identification cards.
This is why it is of utmost importance for healthcare providers and organizations to go beyond conventional audit procedures and to follow other disruptive measures. The measures such as monitoring of file integrity or change management, avoiding misconfigurations and continuously conducting compliance are the key for overall security enhancement.
Interventions for Protecting EHR Security
File Integrity Monitoring
Large hospitals are complex network of departments, assets, and data. Change is prolific when it comes to changing assets such as hardware, software upgrades besides other data updates. Therefore, monitoring changes and reconciling changes in original files is essential to discover tampering. For this, foundational controls or the file integrity monitoring need to be used that can track what changes were made, how those were done and who made these changes to check for unauthorized tweaking.
Several FIM software products are available that can be adopted into the IT systems of the healthcare organizations to ensure the integrity of data is maintained. Some of the well known software include open source tripwire, OSSEC among others.
Avoid Misconfigurations in EHR Ecosystem
To begin with, protecting the EHR ecosystem requires how well your assets are configured and protected. A lot of EHR data breaches happen simply because of compromised servers thus allowing malicious data to access the EHR data. One such incident happened at BJC Healthcare at St. Louis, Missouri, the confidential patients’ healthcare data was compromised as it was left accessible to the public. Another such incident happened in April 2018, when a New York provider’s misconfigured database resulted in the breach of 63,400 patients records. Therefore, configurational errors need to be continuously monitored to avoid breaches. In this regard, open monitoring software products like Zabbix that have remediation capabilities to repair and modify non-compliant systems can be put to use.
Continuous Compliance of Ecosystem
Conducting continuous compliance for a healthcare organization is difficult as it requires meeting a number of mandates and regulations. However, for eliminating the risk of data breaches, continuous compliance of healthcare data needs to be done. Investing in regulatory and healthcare industry compliance such as Food and Drug Association regulations, HIPAA is required. Healthcare providers need to have automated and continuous compliance over dynamic IT environment. For instance, Imperva is an automated solution that helps streamline audit of database and compliance.
Third Party Risk Management
Many times, risk associated with external sources such as third party vendors is often ignored. As some of the contracts with vendors are not of high relevance, healthcare providers overlook the need to consider risk. But one must understand that associated third parties also make the medical facilities vulnerable to cyber attacks. For instance, a pharmacist that had access to the patient’s record upgraded its software, and during the process, the servers were accessible to the public. This resulted in a cyber-attack on the EHR data that was originally the property of a big healthcare organizations. Third party risk can be managed by classifying the type of risk involved and duly conducting their screening, onboarding and monitoring the due diligence.
The Bottom Line
Though the interventions mentioned above are sure shot solutions to secure EHR database, the internal risk from staff must also be monitored. Staff having access to database and accounts must be trained to identify the possible malware that can be in the form of phishing emails. Apart from this, automation is the key to turning the tide in healthcare. Ensuring visibility in the layers of security is also essential as these layers will be the endpoints that can self-heal and detect anomalies in case the system is invaded.