Insider: Online hacking threats pose an elevated risk to healthcare companies — prevent them with the right precautions

Insight Article - July 17, 2019

Andy Stonehouse MA

It’s no longer science fiction — highly skilled hackers are actively working to break in and hold electronic healthcare data for ransom or steal millions of identities in an instant.

Andrew Jahnke, a cybersecurity expert and owner and chief technologist for Rain Technologies, Inc., recently joined MGMA senior editor Daniel Williams on the MGMA Insider podcast to discuss how even small medical practices and companies are at risk, and what they can do to protect themselves and better train their staff to prevent breaches.

Healthcare a top target for hackers

The vast amount of concentrated biometric data healthcare companies collect from their patients has also made the industry one of the biggest targets, he noted.

“In 2018, over eight million individual records faced exposure and hacking,” he said.

Those problems often begin from the inside, with overly curious internal users rooting around in secure data.

“When you make something available to people and it’s not policed or tightened down very well, it just lends itself to people who end up going in. In other industries (finance, for example), access to records is audited and controlled much more closely than it is in healthcare.”

While viruses were once the biggest issue facing healthcare computer networks, Jahnke said the stakes are much higher now as global criminal networks and even state-sponsored hacking teams attempt to inflict damage or extort users for access to their own information.

“In the late 90s and early 2000s, viruses were relatively benign, and sort of few and far between,” he said. “Now, they are much more high volume, and they’re more effective. Many parts of them are automated, and (hacker organizations) have people operating the scans and attacks all over the world. There are a lot more actors at play, trying to get at information and leverage it to make money in a lot of different ways.”

Jahnke said hacking teams primarily seek to exploit minor security lapses to invade data systems. They’re sneaky, too, often hovering over an opening for as long as 200 days before striking, eventually locking users out, damaging files or stealing data for criminal purposes — or even as part of international espionage, sponsored by foreign governments.

No one is immune

And though smaller practices or healthcare groups may feel they are likely immune to online threats, Jahnke said they too face exactly the same kind of potential problems that have plagued larger companies. Training employees to spot potential threats is an important first step, as well, he added.

“Smaller companies don’t realize that the compromises are coming in, primarily through the actions of users who are receiving phishing emails or credential-theft email. They’re the ones who are clicking on that. It doesn’t matter how big of an organization you are — when you’re sitting on tens of thousands of healthcare records, you are an absolutely ideal target.”

Jahnke has dealt with many healthcare practices that employed sloppy security protocols — simple or outdated passwords, or too many employees being given administrative access — and has seen what can happen when threats emerge.

“We had two customers where the doctors put their foot down and said they were not going to employ these mechanisms. And they were compromised with a ransomware infection. Fortunately, in that case, we had sufficient tools in place monitoring network activity to know that no data was actually traded.”

Jahnke said a safer approach is to work with an IT team to set up tools to safeguard data with layers of protection, in addition to training staff on safer protocols for accessing, sharing and handling sensitive biometric records.

“Endpoint protection is really the last line of defense,” he said. “We want a lot of other layers to be defending users and networks before it ever gets to the workstation or software. So that means having fully licensed, next-generation firewalls inspecting traffic, looking at what’s going in and out of the network and working in concert with other layers of security.”

He also suggested companies purchase technology to electronically screen and filter all incoming emails for threats, in addition to electronic firewalls that actively update with real-time threats experienced by other users across the country.