Cybersecurity and the Medical Field: Six Solutions You Should Implement Today


United States healthcare organizations, from small two-person offices to massive hospitals, need to pay attention to cybersecurity. While many medical personnel don’t understand it or think they need it, a recent report by the U.S. Department of Health & Human Services on cybersecurity disagrees.

The industry must come together to address this growing concern and this blog will give you six solid ways to do so.


Why Healthcare Organizations are Targeted

According to the Identity Theft Resource Center, Social Security numbers are more likely to be exposed in healthcare than in any other industry.

In addition, because doctors’ offices, hospitals and suppliers are often interconnected with Electronic Health Records, once a cybercriminal breaches one system, it’s much easier to crack into others.

Unlike credit card numbers, which are generally used within a few minutes to a few days of being stolen, health records remain valuable to a bad actor for up to ten years after the data is captured. If the patient information is sensitive in nature, it can be used as blackmail against the patient.

One other important note: health records are ten to sixty times more valuable on the dark web than credit card information.


How Bad Actors Get In

Nurses, doctors and administrators typically don’t understand data breach risks; therefore, cybercriminals access patient records in one or more of the following ways:

  1. While smart devices help diagnose and treat patients, they often have the lowest level of encryption, which makes them easy entry points
  2. Legacy hardware that doesn’t support current operating systems, and applications and software that haven’t been upgraded or updated, are another entry point
  3. Electronic Health Records (EHRs) that are purposefully or accidentally given to the wrong individuals
  4. Patient portals that do not have end-to-end encryption

Unfortunately, even today, only 25% of all U.S. hospitals have a designated cybersecurity specialist, according to Healthcare IT News. This makes reporting and monitoring difficult.

Ignoring Cybersecurity is Risky Business

If patient data is stolen or compromised, your organization will be held accountable under HIPAA guidelines and will incur heavy regulatory fines. In addition, if enough records are exposed, your brand reputation will suffer, leaving patients to possibly seek other medical options. Last, if your records are held hostage by ransomware, you may have to pay millions of dollars for the return of those records.


Six Effective Cybersecurity Solutions

  1. Put one individual in charge of cybersecurity.
    Whether you run a small office or a sprawling medical complex, one person needs to oversee cybersecurity. This person will set policy. They will be the conduit through which others report problems and suspected breaches.
  2. Complete a benefit/risk analysis of all connected devices.
    What is the value of each device? Is there an alternative product that offers a better cybersecurity choice? What is your BYOD policy? A complete analysis should be finished before moving to the next step.
  3. Set in place cybersecurity standards and practices.
    Once a thorough analysis of your hardware, software and network solutions is concluded, which should include virtual workers and suppliers that can tie into your network, you are armed with enough information to move forward on an effective policy. Work with outside consultants who can analyze your vulnerabilities effectively.
  4. Subscribe to updates from the Health Care Industry Cybersecurity Task Force.
    This 21-member task force is responsible for researching and making recommendations on healthcare cybersecurity initiatives. They offer best practices, on an ongoing basis, to prepare your organization against an attack.
  5. Implement a strong continuous monitoring solution.
    Effective cybersecurity starts by protecting the data that resides on the network. Failure to have 24/7 monitoring can result in data loss and ransomware, and can damage your brand integrity.
  6. Outsource cybersecurity.
    The funding required to hire, train and keep cybersecurity talent may simply not be available for small-to-medium medical facilities. Tack on assessment software and monitoring solutions, which can be enough to push your small IT budget over the edge and stop you from moving forward on other needed equipment upgrades. Outsourcing handles all of the above concerns and more.

Axiom Cyber Solutions Can Protect Your Medical Establishment

We offer the world’s first polymorphic cyber defense platform that can identify the newest threats and vulnerabilities and automatically dispatch updates in real time. This includes ransomware and DDoS mitigation, as well as dynamic dark web protection. Contact us today to learn more about how we can protect your data!

Healthcare Cybersecurity Woes


2018 has not gotten off to a good start for healthcare industry cybersecurity. Healthcare is still the top targeted industry, and we have seen hospital groups and one of the electronic medical record companies fall to very preventable SamSam ransomware attacks.

SamSam infections are troubling

The recent attacks with SamSam ransomware are particularly concerning because SamSam requires the attacker to be inside the victim’s computer network to manually activate the ransomware. This means that the attacker(s) who held Hancock Health, AllScripts, the Colorado Department of Transportation, and most recently at the time of writing, the City of Atlanta, Georgia, to ransom had remote access to the computer systems of all those organizations.

Research shows cyberattacks have lethal results

Dr. Sung Choi, a researcher at Vanderbilt University’s Owen Graduate School of Management, has found that 2,100 deaths can be linked to hospital data breaches and a lack of cybersecurity protections. The reason is that breaches “trigger remediation activities, regulatory inquiries and litigation in the years following a breach…” and these activities affect the performance of the facility, leading to quality issues.

Thinking back to the large-scale ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles in February 2016 that brought their computer systems down for weeks: when the attack was at its worst, the hospital had to divert ambulances and even transfer patients to nearby medical facilities for treatment. When WannaCry ransomware hit 16 hospitals in May 2017, at least one facility had to cancel 10 scheduled operations due to computer system outages.

So what do healthcare organizations need to do?

The first step is identifying what is on your network. It is surprising how many organizations have no idea how many computers or internet-connected devices are on their networks, much less their protection status. How can you protect your systems and data if you don’t even know where they reside?

The questions “Do you have a firewall?” and “When was it last updated?” seem to catch many organizations off guard, and the all too common answer is “I think my IT guy put one in and I’m sure he’s keeping it up to date.” But that’s not good enough. As an office manager or administrator, you need to know that you have all the protections in place, not only to maintain HIPAA compliance but because you care about your patients’ data and safety.
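The two questions above, what is on the network and when each protection was last updated, can be answered by reconciling what is actually seen on the wire against an asset register. The following Python is an added example, not code from the original post or from Axiom Cyber Solutions; the ARP lines, the asset register, the device names and the 90-day patch window are all constructed for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample input, laid out the way Linux `arp -a` prints entries.
# On a real network you would feed in the output of `arp -a`, DHCP lease
# files or a switch MAC table instead of this literal string.
OBSERVED_ARP = """\
edge-fw (10.20.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.20.1.5) at 00:11:22:33:44:55 [ether] on eth0
? (10.20.1.17) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.20.1.42) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (10.20.1.99) at de:ad:be:ef:00:01 [ether] on eth0
"""

# Constructed asset register: what the practice believes is on its network,
# keyed by MAC address, with the date each device was last patched/updated.
ASSET_REGISTER = {
    "00:11:22:33:44:01": {"name": "edge firewall", "last_updated": date(2017, 9, 10)},
    "00:11:22:33:44:55": {"name": "front-desk PC", "last_updated": date(2018, 3, 20)},
    "aa:bb:cc:dd:ee:01": {"name": "infusion pump A", "last_updated": date(2016, 11, 2)},
    "aa:bb:cc:dd:ee:02": {"name": "imaging workstation", "last_updated": date(2018, 3, 28)},
}

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp(text):
    """Return {mac: ip} for every line that parses; incomplete entries are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            hosts[m.group("mac").lower()] = m.group("ip")
    return hosts


def reconcile(arp_text, register, today, max_age_days=90):
    """Compare observed hosts with the register. Returns three lists:
    'unknown' -> (ip, mac) seen on the wire but absent from the register (an inventory gap)
    'stale'   -> (name, days_since_update) for registered devices past the patch window
    'missing' -> names of registered devices that were not seen on the wire
    """
    observed = parse_arp(arp_text)
    cutoff = today - timedelta(days=max_age_days)
    report = {"unknown": [], "stale": [], "missing": []}
    for mac, ip in observed.items():
        if mac not in register:
            report["unknown"].append((ip, mac))
    for mac, entry in register.items():
        if mac not in observed:
            report["missing"].append(entry["name"])
        if entry["last_updated"] < cutoff:
            age = (today - entry["last_updated"]).days
            report["stale"].append((entry["name"], age))
    return report


if __name__ == "__main__":
    # Constructed "today" so the run is reproducible.
    for kind, items in reconcile(OBSERVED_ARP, ASSET_REGISTER, date(2018, 4, 1)).items():
        print(kind, items)
```

Run against the constructed data, the report shows one device nobody registered (10.20.1.99) and two registered devices, the firewall and an infusion pump, whose last update is outside the 90-day window; both are exactly the findings the paragraph says most organizations cannot produce. In practice the register would be maintained in whatever inventory system the practice uses, and the script would run on a schedule so that a new, unregistered device is noticed the day it appears.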

Contact Axiom today for a short and complimentary cybersecurity risk assessment to go over your cybersecurity strategy. Contact us or call 800-519-5070 to speak with one of our qualified cybersecurity experts.

The Internet of Things Security: Hacking Healthcare


One of the greatest technological achievements to date by far is the creation of the Internet. Not only did its emergence shake the entire world, effectively changing almost every aspect of our lives, but it has connected us all not only as a nation, but as a globe. Starting out with computers the size of walls and evolving to the laptops and smartphones of today, the Internet has become involved in more things than most had ever imagined. The most recent and rapidly-expanding Internet-related development is what is known as the Internet of Things.

The Internet of Things (IoT) is a term coined in 1999 by Kevin Ashton, executive director of the Auto-ID Center, that is used today to describe the network of physical devices embedded with technology that enables them to collect and exchange data via the Internet. Devices connected through IoT are commonly referred to as “smart devices” or “connected devices,” and they include a wide range of items, from baby monitors, to cars, to kitchen appliances, and even light bulbs. Anything connected to the Internet falls under this broad category of the Internet of Things, so it is safe to say that IoT affects more areas of our lives than we may have once thought.

While it is an incredible feat that so many different and unique things are now connected via the Internet, IoT can also be an incredibly dangerous thing.

IoT Vulnerabilities, Real World Threats

As we have come to know all too well, when it comes to the Internet, anything that can be hacked, will be hacked. And while it may be an inconvenience to have your favorite social media site shut down because of a cyber-attack, or a major setback for a company’s image if they experience a data breach caused by phishing, IoT threats are different because they can have real-life, physical repercussions–a far greater and more lethal risk than any other cyber-threat.

Last year, hackers were able to remotely hack into a Jeep Cherokee’s Wi-Fi-enabled entertainment system, giving them access to the entire car–including its dashboard functions, brakes, and the car’s transmission. From across the country, these hackers were able to play with the car’s various features including the air conditioning and sound systems, and then suddenly, these hackers were able to cut the car’s transmission as it was going 70 mph down a major highway. While these ‘hackers’ were actually just researchers, Charlie Miller and Chris Valasek, testing their car-hacking research on a well-aware driver, the thought that in a similar situation, the Internet of Things could possibly be used by malicious actors to hurt or even kill a driver or other unsuspecting victims is terrifying to say the least.

IoT threats in the Healthcare Industry

Car hacking is not the only real-world, physical threat driven by IoT, as the healthcare industry has found a few IoT-related vulnerabilities of its own.

As more and more modern medical devices are being developed, they are adding to the collection of connected devices encompassed by IoT; however, many healthcare professionals have found that with these more advanced devices, comes more advanced cyber-threats as well.

One of the most recent and notable of these is the threat to Johnson & Johnson’s Animas One Touch Ping insulin pump. This insulin pump is special in that it is equipped with a remote control so that users do not need to remove their clothing to give themselves a dose of insulin. The problem with this is that the wireless connection between the remote and the pump is unencrypted, and consequently, highly vulnerable. Because of this, the pump can be hacked within a 25-foot radius of the user, and with the right radio equipment, a hacker can take control of the pump and trigger unauthorized insulin injections.

Not only does this threaten a specific device, but in some cases, it gives hackers access to the entire hospital’s system. Similar to the car hacking instance, this not only poses immediate cyber-threats, but it could have deadly repercussions, as different diabetes patients need varying levels of insulin at different times. A malicious person could hack into these insecure devices and literally kill someone, so it is time that the healthcare industry started taking medical device IoT security more seriously.

IoT Security Tips for Healthcare

The IoT threats detailed above all share one root cause: no security defenses were put in place to protect against any sort of attack. This is a serious problem, and though it will take further research to make IoT security air-tight, a few tips to help enhance healthcare security for IoT medical devices include:

  • Conducting a secure boot–A secure boot makes sure that when a device is turned on, none of its configurations have been modified. This step helps to ensure that no tampering took place while the device was not in use.
  • Utilizing encryption–As we saw with the Johnson & Johnson insulin pump, a lack of encryption left patients’ lives literally in the hands of hackers. Encryption is an essential step that makes it that much harder for cyber-criminals to attack.
  • Implementing authentication for devices–If authentication is used, device access is limited and device-to-device communication undergoes intense scrutiny. This makes it more difficult for a security flaw to go unnoticed.
  • Educating patients and staff–Though it affects such a huge portion of our lives, 87% of people have not even heard the term ‘Internet of Things.’ Education is really the greatest tool we have in our arsenal, so it is important to inform patients and staff of the very real risks of IoT security.

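To make the first three tips concrete, here is an added Python example (not code from the original post, from Axiom Cyber Solutions, or from any pump vendor) that models a remote-controlled device in the spirit of the insulin pump story: a secure-boot style check that refuses to start when the stored configuration no longer matches the digest recorded at provisioning, and an authenticated command channel in which the device only acts on commands carrying a valid HMAC-SHA256 tag from a paired remote, with a counter that rejects replayed messages and a configured dose ceiling. The device ID, key sizes, dose limit and message format are assumptions made for the example; HMAC gives authenticity and integrity but not confidentiality, so a real deployment would wrap the same framing in an authenticated cipher such as AES-GCM from a library like `cryptography` (omitted here to stay standard-library only).

```python
import hashlib
import hmac
import json
import secrets

# --- Secure-boot style configuration check ---------------------------------
# Constructed sample: the configuration a device was provisioned with.
# Assumption: on a real device the trusted digest lives in write-protected
# storage or is vendor-signed; here it is simply computed once at import.
PROVISIONED_CONFIG = {
    "device_id": "pump-0001-example",
    "max_bolus_units": 10.0,
    "firmware": "1.4.2-example",
}


def config_digest(config):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace),
    so the same settings always produce the same digest."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


TRUSTED_DIGEST = config_digest(PROVISIONED_CONFIG)


def secure_boot_check(stored_config, trusted_digest=TRUSTED_DIGEST):
    """Refuse to start if the stored configuration differs from what was
    provisioned: any change made while the device was idle alters the digest."""
    return hmac.compare_digest(config_digest(stored_config), trusted_digest)


# --- Authenticated remote-to-device commands --------------------------------
TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to every message


class Remote:
    """A remote control that was paired with the device by sharing a secret key."""

    def __init__(self, key, device_id):
        self.key, self.device_id, self.counter = key, device_id, 0

    def build_command(self, command, units):
        self.counter += 1  # strictly increasing counter lets the device spot replays
        body = {"dev": self.device_id, "ctr": self.counter, "cmd": command, "units": units}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return payload + tag


class Pump:
    """Device side: checks tag, addressing, freshness and the configured limit
    before any command is acted on."""

    def __init__(self, key, config):
        self.key, self.config, self.last_counter, self.delivered = key, config, 0, []

    def handle(self, message):
        if len(message) <= TAG_LEN:
            return "rejected: malformed"
        payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # unpaired sender or altered payload
            return "rejected: not from a paired remote"
        body = json.loads(payload)
        if body["dev"] != self.config["device_id"]:
            return "rejected: addressed to another device"
        if body["ctr"] <= self.last_counter:
            return "rejected: replayed command"
        if body["cmd"] == "bolus" and body["units"] > self.config["max_bolus_units"]:
            return "rejected: exceeds configured maximum"
        self.last_counter = body["ctr"]
        self.delivered.append(body)
        return "accepted"


def demo():
    """Exercise every check with constructed keys; returns each outcome by name."""
    key = secrets.token_bytes(32)
    remote = Remote(key, PROVISIONED_CONFIG["device_id"])
    pump = Pump(key, PROVISIONED_CONFIG)
    results = {"boot_ok": secure_boot_check(PROVISIONED_CONFIG)}
    tampered = dict(PROVISIONED_CONFIG, max_bolus_units=100.0)  # edited while idle
    results["boot_tampered"] = secure_boot_check(tampered)
    msg = remote.build_command("bolus", 2.5)
    results["paired"] = pump.handle(msg)
    results["replay"] = pump.handle(msg)  # same bytes sent again
    stranger = Remote(secrets.token_bytes(32), PROVISIONED_CONFIG["device_id"])
    results["unpaired"] = pump.handle(stranger.build_command("bolus", 2.5))
    results["over_limit"] = pump.handle(remote.build_command("bolus", 50.0))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the walk-through is the ordering of the checks: the tag is verified before the payload is even parsed, so a sender that never completed pairing cannot influence the device at all, and a replayed or out-of-range command from a legitimate remote is still refused. Those are the properties the unencrypted, unauthenticated remote in the story lacked.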
Security threats such as these make the Internet of Things seem like a terrible thing, but this advancement in technology is an excellent way to keep us all connected through items we would have never thought possible. Though this may be the case, it is important for these devices to be well-secured so that we can truly enjoy our connectivity.

Hailey R. Carlson | Axiom Cyber Solutions | 10/28/2016


Why is HIPAA Data so Valuable to Hackers?


One of the few things that we all have in common is that we need to take some degree of care when it comes to our health. Healthcare providers—like doctors, dentists, nurses, and more—are there for us to take advantage of their extremely vital services in order to keep up with all aspects of our health. In order to properly know our healthcare needs, these providers need to have some pretty sensitive information about every one of us. But what if that very sensitive information was stolen by cybercriminals with plans to distribute it across the dark web? That’s exactly what could happen when healthcare providers fall victim to a data breach.

Stats

Figure 1: Total HIPAA Compliance’s List of 2015 Healthcare Data Breaches


In 2015, the healthcare industry saw more data breaches than any other industry—you can see some of the biggest breaches in Figure 1 above—and data breaches have cost the healthcare industry upwards of $6.2 billion over the last two years. Hackers and cybercriminals target healthcare providers because of the valuable information they have on their patients, often referred to as protected health information (PHI), personally identifiable information (PII), or HIPAA data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting this PHI data and is a regulatory standard across the healthcare industry to this date.


Data protected by HIPAA includes health status, provision of health care, or payment for health care that can be linked to a specific individual. This data is valuable to healthcare providers because it is individually identifiable health information related to the patient’s past, present, and future medical conditions—this means it helps the doctor or dentist to make informed decisions about what their patient’s needs are and what means of medical attention are necessary to address these requirements. This is the good side of HIPAA data. However, hackers want this information just as much as healthcare providers, but for a few different reasons.


HIPAA data is attractive to hackers and other cybercriminals because it is one of the biggest gateways into stealing a person’s identity. Even more than credit card information, medical data is the easiest way to steal a person’s identity because of the sheer amount of information that is readily available. Medical records include sensitive information like patients’ full names, social security numbers, credit card numbers, signatures, and more—everything a malicious person would need to steal a person’s identity, or in the case of a data breach, multiple people’s identities. Unlike identity theft based on stolen credit cards, identity theft via stolen medical records does not show up as quickly as credit card fraud. In addition to this fact, healthcare information sells online for ten times that of credit card data.


In addition to stealing identities, hackers can utilize HIPAA data that is stolen in health insurance and Medicare fraud. Dark web users who buy full medical files could use patient numbers with false provider numbers to file fraudulent claims with payers. When they do this, the victim does not know about the fraud because bills are being sent to his medical provider without his knowledge and the insurance provider does not know that he is not the one filing.


With all of this information needed by healthcare providers, it is their duty to their patients to protect this data. Here are a few ways healthcare providers can protect their PHI from data breaches and attack:


  1. Educate staff members—Education is key in all aspects of life, but protecting data is one of the biggest areas where education is required. When staff members know what is and is not HIPAA data, they can take the necessary amount of care in keeping that data safe. Phishing is one of the main ways hackers get into hospitals’ networks, so informing employees of things to look for that could potentially be malicious is vital when it comes to securing your information.
  2. Consider encryption—Be sure to encrypt both your hard drive and any electronic communication that you can. When hackers have to work harder to get your data, they are likely to skip you and move on to the next, more vulnerable victim.
  3. Protect your network—Having multiple stages of protection is key to keeping your PHI and HIPAA data secure. This includes wired networks, wireless networks, and connected medical devices via IoT. One of the best ways to do this is by installing a next-generation firewall. Axiom Cyber Solutions offers its SecureAmerica® Firewall as well as HIPAA compliance help as a partner to those healthcare providers that need to be HIPAA Compliant.


It is important to secure your networks in any industry, but it is even more crucial in those industries where real customers and clients could be compromised in the event of a breach of security. Healthcare has faced many hurdles in cybersecurity recently, but hopefully by creating multiple barriers for hackers to overcome, the industry will see a turn for a safer, more secure environment.


Hailey Carlson | Axiom Cyber Solutions | 8/15/2016


The Healthcare Industry is Undeniably Vulnerable to Ransomware Attacks


HEALTHCARE DATA BREACHES

Recently it has become obvious that we are all vulnerable to attacks by anonymous people on the internet who wish to hack into our lives and steal our private information for their own personal gain if we do not take the proper measures to protect ourselves. Hospitals and other healthcare facilities are goldmines for hackers looking to steal hundreds of people’s information at once. You would think that with all of this sensitive information in their files, hospitals would be highly concerned about the protection and security of this data. However, the Healthcare industry has become one of the most hard-hit industries when it comes to cyber security due primarily to the heavy amount of data breaches that have plagued the industry in recent years.

Data breaches have skyrocketed over the past six years, especially in the Healthcare industry, and things are looking worse, making us more susceptible to breaches of our own personal medical information—and we’re not the only ones who are afraid. In just one year, Healthcare professionals have grown 13 percent more worried about attacks on their databases; and with 59 percent fearing that the existing budgets set in place for protection against these kinds of incidents are insufficient, it is obvious that the Healthcare industry is struggling to keep up with the changing world of cyber security.

According to the sixth annual Benchmark Study on Privacy & Security of Healthcare Data conducted by Ponemon Institute, 89 percent of Healthcare providers fell victim to multiple data breaches over the past two years and one-third of providers were subject to anywhere from 2-5 breaches. Approximately 50 percent of these breaches were due to a mix of employee negligence, third-party snafus, as well as stolen electronics. When the study was conducted six years ago, the majority of data breaches were caused by these issues; however it is clear that today, responsible for the remaining half of these breaches, the number one cause of Healthcare data breaches is cybercrime.

RANSOMWARE

One of the fastest growing, most devastating of these cybercrimes is ransomware, and the Healthcare industry has taken more than its fair share of the brunt of this issue just this year. A few months ago, ransomware forced two Healthcare networks to take their systems offline for fear of the infection spreading. Prime Healthcare Management, Inc. in California and Methodist Hospital of Kentucky were in a state of crisis when their networks were compromised by ransomware. While it seems that Prime was able to detect and handle the situation prior to any protected health information (PHI) being made vulnerable, Methodist was not so lucky. Reports say that they paid $17,000 as a ransom to regain access to their PHI files, while insiders claim that the amount paid could be significantly higher. This is one of the worst situations you could be in when dealing with ransomware, second only to your business being shut down. Prevention is a much better defense than reaction or negotiation with criminals.

Axiom can aid in these preventative measures due to its proprietary ransomware algorithm built into their Sentry firewall that would have been able to block these ransomware communication protocols at the firewall before criminals could have encrypted the PHI files. This would have saved Methodist Hospital of Kentucky thousands of dollars in ransom paid to criminals as well as their patients’ peace of mind.

HIPAA COMPLIANCE

When these Healthcare providers wish to combat ransomware, it is important for them to be aware of their HIPAA compliance. HIPAA HITECH requires that you have a disaster recovery plan and adequate backups, so HIPAA regulations have been a hot topic of discussion during this spike in Healthcare breaches. While some influential figures have questioned whether or not these breaches caused by ransomware are protected under HIPAA, it is conclusive that the industry is in dire need of revamping their approach to cybersecurity.

Axiom is able to help businesses in the Healthcare industry feel at ease by acting as their HIPAA Compliance Partner through providing them with professional and technical product services that include a HIPAA Security Assessment, Gap Analysis, Preparation and Certification as well as VOIP and 24-hour technical support.

If you’d like to find out more about what Axiom Cyber Solutions can do for you in regards to HIPAA compliance and protecting your business from cyber threats, please visit www.axiomcyber.com.

Think You’re Immune to Cyber Crime Because You’re Small? Think Again!


Do you believe your healthcare practice isn’t appealing to a cyber criminal because of your small size, lack of revenue, or maybe because you’re just a drop in the vast bucket of healthcare practices?

You are dead wrong. You are actually more appealing to cyber criminals because they know as a smaller practice, you are probably less secure.

A KPMG poll of over 200 healthcare providers found that four out of five providers had been hacked. 44% of healthcare organizations have been attacked 1-50 times while 38% have been attacked between 50-350 times in the last year. 13% were attacked more than 350 times.

These cyber criminals are going after smaller healthcare practices with full force, and the consequences are dire. If a cyber criminal is successful in attacking your network, you will have violated the Health Insurance Portability and Accountability Act (HIPAA), lose all trust from your patients, or even worse, you could lose a life and your entire practice. You are not immune to these consequences if your healthcare practice is small.


Out of all the industries that exist, the healthcare industry is probably one of the most complicated when it comes to getting a handle on cyber-security. Many healthcare practices have been holding onto old practices, and with the ever-evolving landscape in cyber-security, if you’re not staying up-to-date, you are opening yourself to these attacks. For many, the idea of tackling this is too much. Instead of being overwhelmed by all the ways a hacker could breach your network, take that time to reach out to the professionals who will help manage your cyber-security.

According to American Medical News, a five-physician practice named Phoenix Cardiac Surgery was fined and penalized after it was found that they had a host of problems with their cyber security and were negligent in fixing these problems.

The practice ‘failed to implement adequate policies and procedures to protect patient information; failed to document that it trained employees on HIPAA Privacy and Security Rules; failed to identify a security official within the practice and conduct a risk analysis; and failed to obtain any business associate agreements for its Internet-based email and scheduling services.’

In the end, Phoenix Cardiac Surgery had to pay over $100,000. Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights, stated:

We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.

Once a healthcare facility has violated HIPAA privacy laws, HIPAA regulators will continue to audit the practice. That means that they have eagle eyes and are looking for other violations. It does not help anyone to ignore your cyber-security issues.

How can Axiom Cyber Solutions help your healthcare practice?

Axiom Cyber Solutions is offering Managed Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own.

Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes, and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call at (800) 519-5070. #FightBackWithAxiom

Attention Healthcare Organizations: Get Ready For Some Serious Cyber Security


2015 has been inundated with cyber-attacks against the healthcare industry. In recent headlines, Excellus Blue Cross Blue Shield stated that approximately 10 million of its customers had their healthcare records compromised.

Not only did critical information such as names, Social Security numbers, addresses, and birthdays get leaked but financial data such as credit card information was also compromised. Additionally, this puts their customers at risk for fraud and identity theft.

Criminal cyber-attacks are rising amongst the healthcare community, and despite strict HIPAA guidelines and regulations, many hospitals and healthcare providers are grappling with keeping their patients’ data safe.

Cyber-attacks and data breaches cost the U.S. healthcare system approximately $6 billion annually, according to security research firm The Ponemon Institute.

KPMG polled over 200 healthcare providers and found that four out of five providers had been hacked.

44% of healthcare organizations have been attacked 1-50 times while 38% have been attacked between 50-350 times in the last year. 13% were attacked more than 350 times.

It doesn’t take a stretch of the imagination to realize just how many additional attacks are left undetected and unreported, as was the case with Excellus, where hackers first accessed patient records in December of 2013 but weren’t discovered until August of 2015. This gave the attackers nearly two years of running data collection. In the same study, KPMG also found that only 53% of healthcare providers are ready to defend against a cyber-attack.

They listed five issues that healthcare organizations are facing.

1. The adoption of digital patient records and the automation of clinical systems.

2. The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to securely operate in today’s networked environment — and software vendors who push that problem to the provider.

3. The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third party firms and cloud services).

4. The heterogeneous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).

5. The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.

“Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for executives is to advance their institution’s protection to create hurdles for hackers”, according to Michael Ebert of KPMG’s Healthcare & Life Sciences Cyber Practice.

These data breaches and security vulnerabilities cannot and should not be underestimated, and their severity and frequency are a cause for concern. Healthcare providers must make cyber security a priority. No longer is this an issue that companies can ignore.

Protecting patient data is critical and the healthcare industry must start preparing and implementing a strategy to prevent these hacks before the U.S. Government begins to levy heavy penalties and fines on those who do not step-up to today’s threats.