Last week, we discussed the opportunity that is present to best support your healthcare clients, the importance of those organizations being HIPAA compliant, and how cybersecurity comes into play in healthcare. This week, we’re taking an even deeper dive into healthcare cybersecurity to answer the question, Why Is Healthcare Such a Target for Cybercrime?
We see the stats and know the risk is greater for healthcare businesses when it comes to cybercriminal activity. But did you ever wonder WHY that’s the case? Let’s look at some of the issues in healthcare that may be responsible.
Cybersecurity professionals talk about layers of defense.
Employee training, Multi-Factor Authentication, endpoint detection, and response, firewalls, intrusion detection systems, data backup…. many times, we think of these as tools to run on a client’s network. These additional defense layers don’t have to be tools, they can be elements that when combined, make up the whole picture. These all work together and focus on empowering the humans that can be a strong first line of defense.
Keys to the Kingdom
Many of the discussions I have had with clients involve decisions that they have made that actually weaken security defenses. I can’t tell you how many times business owners have demanded that they or their staff members be put in the Domain Administrators group. I would go on to explain that the risk this presents if one of these employees were hacked or fell for a phishing email could result in their entire network being compromised. Many times, my arguments would fall on deaf ears or be met with resistance.
But why is this the case?
I understand why business owners want to keep control. They don’t want to risk the chance of being locked out of their own network. Many companies have gone through multiple IT providers and MSPs. They realize that not having Domain Access when replacing an IT company puts them at the mercy of the outgoing company. It’s sad but true. Many times, when my MSP took over an account from another IT company, they would refuse to hand over the credentials. As expected, this caused tremendous tension and stress for the business owner.
It seems that business owners are looking to protect themselves from their own IT companies and weaken their defenses against hackers. It seems crazy, but it happens all the time. This misdirected fear creates security gaps that are more easily breached.
Healthcare organizations often share accounts. Healthcare is a labor-intensive business. There are physicians, physician assistants, nurses, front desk employees, phlebotomists, techs that operate specialized equipment such as EKG, glaucoma testing equipment, and digital x-ray machines to name a few. On top of all the various roles that exist, many healthcare staff employees work in shift rotations. So, each of those roles could be multiplied by factors of 2,3, or 4. That is a lot of people doing the same job at different times or even locations.
That also means that patients see a variety of people for the same reason, with each of these employees needing access to the computer that is in their exam room. Instead of giving each employee access to the computer with their own login, healthcare organizations often bypass this by using shared credentials.
Are you wondering if that goes against HIPAA? Yes, using shared accounts to access protected health information (PHI) is prohibited in HIPAA regulations. Many healthcare organizations take this unspoken approach:
HIPAA regulations are fine until it gets in the way of patient care. Then HIPAA is out the window.
What needs to be emphasized is that shared credentials will likely lead to weak passwords, choosing something that is easily remembered. Shared accounts also are likely to prohibit multi-factor authentication.
Shared Account Sprawl
Not only are shared accounts used far too often in healthcare but what starts as a shared exam room computer account usually expands to other protected areas of healthcare as well. A shared account on an exam room laptop might lead to shared access to the patient forms directory as well. Now, these shared accounts must be placed in windows, permission groups. That means that as these forms need to be updated, or tracking of spreadsheets needs to be updated; the shared accounts go from read-only access to read and write access. Creating yet another way that security errors occur and unauthorized access can be obtained.
Healthcare historically uses more outdated software than most other verticals. Personally, I have seen old, end-of-life operating systems used years after they were retired by Microsoft.
The scenario goes something like this:
A PACS/Digital X-ray machine requires a computer to run the equipment. This computer is maintained by the X-ray vendor. When Microsoft retires an operating system, that vendor states that the equipment will not support a new operating system. This often, if not always, means that the healthcare organization continue to utilize the equipment and run an operating system that is no longer supported and no longer receives security updates.
This isn’t because the healthcare organization is being lackadaisical in their response. This happens for many reasons, including difficult regulatory approval for device manufacturers, manufacturers forcing upgrades to require newer and more expensive equipment purchases, or that the healthcare organization cannot or does not want to spend on upgrades. While there are possible reasons behind this, sometimes the timing of a required upgrade doesn’t match up with the timeline of that business’s budget. Cybercriminals know this, and use it to their advantage to breach networks.
So why is healthcare such a target for cybercrime? The answers are varied, but the bottom line is that it is. And ignoring that fact and not taking a proactive approach in ensuring that you mitigate the risk factors that you can control for your client is a mistake you don’t want to make. Start the conversation with your clients connected to the healthcare industry either directly or indirectly, and ensure that they know the risks they are facing and are also on board with taking a proactive approach to fighting those risks.
If you’re an MSP and are not currently offering HIPAA services to your clients, Breach Secure Now has a suite of robust HIPAA training and compliance programs available. You can learn more about them, here: https://www.breachsecurenow.com/hipaa-services/