The more computer technologies pervade all areas of human life, the more important user data protection becomes. In the past, hackers could only steal your e-mail address to send spam from it. But today the World Wide Web stores much more comprehensive information about all of us. You don't even need to share this information on the Internet for hackers to get it. It is enough to open a bank account or seek medical help.
It is healthcare information security that has recently been a growing concern among cybersecurity experts. After all, as we have already written here, the information in electronic medical records is enough for full identity theft. Personal information security in healthcare organizations is still in its infancy. The recent incident at the Hollywood Presbyterian Medical Center confirmed that even large treatment centers can be paralyzed by a hacker attack.
In early February, cybercriminals hacked the Hollywood Presbyterian Medical Center. All the computers were infected with a ransomware virus that blocked their work. The medical data was encrypted, and the computer-based medical equipment stopped operating. The health and lives of more than 400 inpatients were under threat. The administration had to transfer them to other hospitals, while the staff had to fall back on good old pen and paper to record information.
As it turned out, the attack was not even targeted. The security system of the medical center turned out to be so imperfect that an accidental, untargeted infection was enough. One affected computer quickly spread the virus to the others over the local hospital network.
Being quick on the uptake, the owners of the virus demanded a ransom of $3.6 million. After 10 days, the administration decided to pay the extortionists to regain access to the medical records. However, it paid a much smaller sum than the hackers initially wanted: 40 Bitcoins (about 17 thousand dollars).
Because of the particular danger of this incident, it was investigated not by the local police but by the FBI and a forensics team specializing in cybercrime. However, according to recent data, they have failed to track down the fraudsters.
This case is not the first example of medical institutions being hacked. Within the same year, close to 80 million customers of Anthem, one of the largest US insurance companies, fell prey to hackers. There were other incidents too, less notable but also unpleasant. What conclusions can be drawn?
The conclusion is obvious: it is time for every medical institution not just to think about strengthening its healthcare information security systems, but to start taking action. It is quite difficult to protect against ransomware viruses. In this case, the only thing that can help is instructing the personnel on the rules of information security in healthcare. But we should not forget about the other types of attacks that health centers are exposed to day after day.
In 2015, hackers managed to obtain the data of more than 100 million customers of medical institutions. The number is impressive! Perhaps this would not have happened had the fundamental rules of healthcare information security been followed. One of them is to use two-factor authentication to protect confidential information.
The common belief that data protection measures such as 2-factor authentication are hard to use often leads to them being completely neglected. Yet modern 2FA is not so difficult and does not take much time. Hardware tokens, which generate OTP passwords without an Internet or GSM connection, make two-step authentication especially reliable and immune to viruses. Two-factor authentication providers offer a wide range of devices that differ in functions and price, so any organization can choose the one that suits its needs.
Patients cannot protect their personal data in healthcare facilities, since they simply have no access to it. Only the staff work with the information, both that given by the customer and that produced by surveys and tests. Thus, the employees and management of medical organizations are solely responsible for data security in healthcare, as patients entrust them not only with their social security number cards but also with their health and lives.