Knowledge Expansion

Insider: Online hacking threats pose an elevated risk to healthcare companies — prevent them with the right precautions

Insight Article

Risk & Compliance

Business Operations Technology

Policies & Procedures

Andy Stonehouse MA
It’s no longer science fiction — highly skilled hackers are actively working to break in and hold electronic healthcare data for ransom or steal millions of identities in an instant.
 
Andrew Jahnke, a cybersecurity expert and owner and chief technologist for Rain Technologies, Inc., recently joined MGMA senior editor Daniel Williams on the MGMA Insider podcast to discuss how even small medical practices and companies are at risk, and what they can do to protect themselves and better train their staff to prevent breaches.
 

Healthcare a top target for hackers

Because of the vast amount of concentrated biometric data healthcare companies collect from their patients, it’s also made the industry one of the biggest targets, he noted.
 
“In 2018, over eight million individual records faced exposure and hacking,” he said. Those problems often begin from the inside, with overly curious internal users rooting around in secure data. “When you make something available to people and it’s not policed or tightened down very well, it just lends itself to people who end up going in. In other industries (finance, for example), access to records is audited and controlled much more closely than it is in healthcare.”
 
While viruses were once the biggest issue facing healthcare computer networks, Jahnke said the stakes are much higher now as global criminal networks and even state-sponsored hacking teams attempt to inflict damage or extort users for access to their own information.
 
“In the late 90s and early 2000s, viruses were relatively benign, and sort of few and far between,” he said. “Now, they are much more high volume, and they’re more effective. Many parts of them are automated, and (hacker organizations) have people operating the scans and attacks all over the world. There are a lot more actors at play, trying to get at information and leverage it to make money in a lot of different ways.”
 
Jahnke said hacking teams primarily seek to exploit minor security lapses to invade data systems. They’re sneaky, too, often hovering over an opening for as long as 200 days before striking, eventually locking users out, damaging files or stealing data for criminal purposes — or even as part of international espionage, sponsored by foreign governments.
 

No one is immune

And though smaller practices or healthcare groups may feel they are likely immune to online threats, Jahnke said they too face exactly the same kind of potential problems that have plagued larger companies. Training employees to spot potential threats is an important first step, as well, he added.
 
“Smaller companies don’t realize that the compromises are coming in, primarily though the actions of users who are receiving phishing emails or credential-theft email. They’re the ones who are clicking on that. It doesn’t matter how big of an organization you are — when you’re sitting on tens of thousands of healthcare records, you are an absolutely ideal target.”
 
Jahnke has dealt with many healthcare practices who either employed sloppy security protocols — simple or outdated passwords, or too many employees being given administrative access — and has seen what can happen when threats emerge.
 
“We had two customers where the doctors put their foot down and said they were not going to employ these mechanisms. And they were compromised with a ransomware infection. Fortunately, in that case, we had sufficient tools in place monitoring network activity to know that no data was actually traded.”

Jahnke said a safer approach is to work with an IT team to set up tools to safeguard data with layers of protection, in addition to training staff on safer protocols for accessing, sharing and handling sensitive biometric records.
 
“Endpoint protection is really the last line of defense,” he said. “We want a lot of other layers to be defending users and networks before it ever gets to the workstation or software. So that means having fully licensed, next-generation firewalls inspecting traffic, looking at what’s going in and out of the network and working in concert with other layers of security.”
 
He also suggested companies purchase technology to electronically screen and filter all incoming emails for threats, in addition to electronic firewalls which actively and actively update with real-time threats experienced by other users across the country.
 

About the Author

Andy Stonehouse MA
Freelance Writer and Educator Colorado

Andy Stonehouse, MA, is a Colorado-based freelance writer and educator. His professional credits include serving as editor of Employee Benefit News and a variety of financial and insurance publications, in addition to work in the recreation and transportation fields.
 

Loading...