Across healthcare, data security has become a top priority. Kareo's Information Security Architect Jesse Salmon tells us why and answers some questions that are top of mind for anyone associated with healthcare, including patients.
Q: Why does the healthcare industry, in particular, need to pay more attention to cyber security?
The data is in and it’s clear that the number of breaches in the healthcare sector is growing year over year. In fact, Verizon releases an annual report of security trends and it identified a steady increase in the number of both breaches and incidents as well as the greatest threats to different industries. Interestingly, healthcare is the only industry where internal threats are greater than external threats. Human error is a major contributor and was the cause of 35% of the breaches in 2017. This is because while other industries, such as finance and information, have automated their data workflows, which limits the points of vulnerability and reduces the risk of attacks, healthcare continues to be very people- and paper-dependent, leaving possible access points available and increasing risks. Every time data is used or transferred or processed in printed or email form, there is a point of vulnerability where hackers can access. Humans can also be victims of phishing and social engineering attacks. These are not issues in other industries since the steps are automated and humans are not involved.
Medical practices need to secure the human. The most important step is training in security best practices. For example, it’s important that employees know how to identify and avoid falling victim to a phishing attack, how to manage passwords, and how sensitive information should be handled and sent. In some cases we’ve seen where small practices might share accounts and logins for systems and software, which is specifically prohibited by HIPAA requirements, although many practices don’t realize that.
Q. What has changed in the nature of cyber threats today?
Threats are, of course, continuously evolving and there are several new risks that medical practices need to understand. Today, there are three things driving increased risks: AI/machine learning; IoT; and a rise in state-sponsored attacks that has far-reaching impacts on a variety of industries.
AI and machine learning can be used to target malware and viruses and can enable them to make intelligent decisions to stay hidden or collect sensitive information. For example, hackers use machine learning to identify victims. They can send out massive spam campaigns to determine if users click links and the exploits available to them that they can leverage in order to identify victims. Previously, there was a high cost associated with massive attacks, but now they can be more efficient and focus their efforts by identifying users most likely to be victimized. In addition, new malware is being developed where hackers hide the malicious code in another kind of software that has a benign function and this code then exploits any weaknesses in systems. When antivirus software scans this software, it doesn’t identify this malicious code. At Kareo, we follow best practices to have white hat hackers regularly run penetration testing on our platform, so that we can identify and correct any potential vulnerabilities in our software.
Internet of Things (IoT) is another enabling technology that is also being exploited by hackers. For example, hackers can access systems and networks via unsecured medical equipment or third-party software systems that are connected to the network. Once in the system, they can either access other data on the network or lock out the practice from using its medical devices. To protect against this risk, it’s important for practices to maintain separate networks – one for the corporate HIPAA-compliant network and one for unsecured equipment and devices, including employee devices like cell phones and tablets and guest vendors who may need to access the network for demos, so that the devices do not provide a back door into the secure network.
In addition, state-sponsored attacks have resulted in risks to organizations across all industries, including healthcare. Cyberattacks on the government have resulted in cyber weapons being stolen. Those weapons are now available online to hackers, providing military-grade malware that can now be used against organizations.
Q. Why is it important for medical practices to use secure, cloud-based software?
The issue here is availability. If an attack happens, it’s important to limit how much damage can be done. For example, at Kareo we go above and beyond industry best practices by encrypting all data with military-grade encryption so that even if someone were to get into a system, they can’t access the data. In addition, we segment out the data and networks so that if there is an attack, how much data could be accessed is limited. We maintain multiple data centers in different states as well as using third-party services to store data outside of the Kareo network entirely to add another layer of security. Our customers use Kareo for availability and reliability by storing copies of their data on the Kareo system as that’s an off-site location.
Read more about how Kareo keeps your data secure.