Cyber threats to healthcare data are a growing concern, as evidenced by the number of leading hospital C-level executives I met with recently during a closed-door session of hospital CIOs. Many were old acquaintances, but several of the new folks I’ve met had titles of CSO, Chief Security Officer.
A number of them had broad experience identifying vulnerabilities in IT systems, networks and their users in industries other than healthcare. Although experiences in other industries may differ, I picked up several points that apply to my colleagues in healthcare IT.
The “online-ness” of healthcare information is what makes it vulnerable. Once the information is online or in the cloud, the bad guys can set a trap for the unwitting hospital employee who clicks the wrong thing or downloads the fake form. A successful phishing expedition results in the encryption of all the data on the server, which the cyber thieves now control. That’s when the demands for ransom begin, according to these experts.
Disk-based snapshots or deduplication appliances have taken over as the recovery copy of choice. The sad truth is that if the computer system that interacts with them is online, those systems also are vulnerable to hacking or phishing.
One idea occurred to me. We have had a nearly hacker-proof technology solution for nearly four decades: writing a backup copy to tape that is taken out of the tape library. I recognize I’m going old school, but why do many of my IT colleagues fail to see this as an insurance policy against extortion. My CTO reminds me again and again that a backup written to tape stored in a fireproof vault may be the simplest, cheapest way of fighting cyber-ransom.
More than 112 million patient records were breached in some form or fashion during 2015, according to the Office of Civil Rights, which publicly tracks breaches of more than 500 individuals. There were a few high-profile healthcare breaches that affected millions, but health facilities large and small were among the 235 breaches reported.
In the first three weeks of 2016, more than 50,000 patient records have been breached in four reported incidents. That figure doesn’t include the 950,000 patient records on six hard drives that insurer Centene Corp. can’t locate among its IT assets.
Security of legacy applications
Another popular discussion topic during our talk centered on the security vulnerabilities among legacy applications. When I poll our existing customer base on what operating system platforms exist in their environments, I am surprised, but not really, by how often examples such as Windows XP and AS/400 are mentioned.
There is general agreement that Windows Server 2012 has some level of security vulnerabilities, but what about an operating system that was created in 1991? We at BridgeHead have been working on this problem for years. Our independent clinical archive (ICA), coupled with our services capabilities can retire those applications and bring the data forward into more secure platforms. Further, we utilize healthcare standard architectures that allow sharing with current healthcare applications. Simply put, we can solve the security vulnerability problem while saving all the overhead and costs that come from maintaining legacy hardware and software.
All and all it was great opportunity to meet with past colleagues and make new connections. I learned something new, but, more importantly, I realized that BridgeHead provides real-world solutions to the problem of cyber security.
This article was originally published on BridgeHead Software and is republished here with permission.