Cybercrime. It has become a regular part of the conversation around healthcare. We are regularly presented with the stats, and we know that the risk is greater for our businesses when it comes to cybercriminal activity. WHY is that the case? While some factors may seem obvious, let’s look at some of the other issues in the healthcare industry that might be causing this increase in risk.
Layer Up Your Defenses
Your IT support team has likely enabled many things that can offset the risk, and that may include employee training, Multi-Factor Authentication, firewalls, intrusion detection systems, data backup…. These are all tools that you may be familiar with a little or a lot, and they are in place to support and protect your data and network. But there are more layers to your business being strengthened in order to best respond to a cyberattack, and if you haven’t had a conversation about these layers with your tech team, here’s are some topics that you may want to discuss or review as a business owner or healthcare employee.
Too Many Cooks in the Kitchen
Ensure that only the right people have the “keys to the kingdom”. This means that not everyone needs to have system access at an administrator level. Identify one or two people within your team that has credentials in addition to the IT team. You don’t need everyone to have everything. The risk of too many individuals having too much access means that if one of these employees were hacked or fell for a phishing email, the result could be that your entire network would be compromised.
It’s understandable why a business owner wants to maintain some control. You don’t want to risk the chance of being locked out of your network. Many companies have gone through multiple IT people and MSPs. You realize that not having “all-access” when replacing an IT company puts you at the mercy of the outgoing IT company. It’s sad but true. But be aware that by protecting your business from your very own vendors, you may be weakening your defense against hackers.
Sharing is caring – unless it means germs or passwords! Unfortunately, healthcare organizations often share accounts, and as a labor-intensive business, with physicians, physician assistants, nurses, front desk staff, techs that perform a variety of duties, many jobs are done in shifts. That means that operating specialized equipment such as EKG, glaucoma testing equipment, digital x-ray machines, and other job-related duties are done by multiple people on the same equipment. One exam room, one patient, but multiple eyes and hands involved, with each of these people needing access to the computer that is in the patient’s room. Instead of giving each employee access to the computer with their own credentials, some healthcare organizations address this by using shared credentials. Using shared accounts to access protected health information (PHI) is prohibited in HIPAA regulations. But many healthcare organizations take this approach:
HIPAA regulations are fine until it gets in the way of patient care. Then HIPAA is out the window.
Shared accounts usually lead to weak passwords that are easily remembered. Shared accounts usually prohibit MFA.
Not only are these shared accounts used heavily within the healthcare industry but what’s starts out as a shared exam room computer account usually expands to other areas, perhaps the patient forms directory…which means that overall permissions have to be opened up as well. If those forms need to be updated, then suddenly read access needs to be changed to write access, giving multiple people the right to modify things without being tracked individually.
It is an unfortunate truth that healthcare uses outdated software and hardware more than most other industries. The software that is needed to update an older PACS/Digital X-ray machine requires a newer computer to run the equipment. This computer is maintained by the machine’s vendor. When Microsoft retires software versions, the vendor states that that machine will no longer support the required operating system. This forces your business to continue to utilize the equipment and run it on an operating system that is no longer supported and therefore no longer receiving security updates.
It can happen for many reasons, including difficult regulatory approval for device manufacturers, manufacturers forcing upgrades to newer/expensive equipment, and healthcare businesses not wanting to, or being able to spend money on upgrades.
In conclusion, the risk factors are not all within your control, but what we want to do is make sure that they are at the very least within your sight. Have the conversations with your IT team to ensure that if you can’t fix them immediately, you can at the very least mitigate the risk that each threat presents.