The White House has recently confirmed that a hacker has breached Healthcare.gov, compromising personal data for millions of Americans. According to the investigation, the breach happened in July, but the Department of Health and Human Services (HHS) only discovered the attack last week. The White House has since tried to downplay the incident, treating the breach as a small, one-time event and stressing that there has been no large-scale compromise or theft of personal information.
IT security experts agree, though, that the breach only further highlights the overall vulnerability of healthcare organizations. While a breach of healthcare systems won't result in a loss of customers the way it would for a retail giant like Target or a bank like HSBC, it will most likely lead to a loss of patient trust, something the industry has been trying hard to earn, especially under the new Affordable Care Act.
How the Healthcare.gov Website Was Hacked
It all started with one oversight.
A hacker installed malicious code on a test server that still used its manufacturer's default password. As a test server, it was not supposed to be connected to the Internet. According to the HHS, the other areas of the website that house private or sensitive information have tighter security controls than the test site and were not accessed.
While the fact that the hacker was confined to a non-impactful area of the network seems to show strength in the site's security, security experts note that easy access to any part of the site is always a cause for concern: attackers often break into a weaker level of system security and then pivot to a higher level in the network.
IT security professionals know that test servers are often granted more network privileges than they need, and those privileges could have served as a foothold to compromise other infrastructure. Leaving the default password on the test server further shows how poor security was overall.
All it takes for a breach to happen is for hackers to find one vulnerable spot in security.
The Vulnerability of Healthcare Organizations toward Breaches
The Identity Theft Resource Center reported 276 healthcare breaches in 2013. In trying to reduce costs while still meeting federal requirements, the healthcare industry has failed to build sufficient security into its systems, and healthcare exchange websites are just one example. With most data in hospitals now handled electronically, weak security is like leaving your door open and inviting hackers to help themselves to information. It is going to be that easy for them.
While patient data is unlikely to include credit or debit card information, hackers can harvest private information and save it for a future attack. Healthcare organizations hold complete information about a patient's identity: name, blood type, address, Social Security number and even immigration status. That is more than enough for a criminal to spend money in your name.
How Healthcare Organizations Can Protect Themselves against Hackers
The hope is that, with the growing number of publicly disclosed breaches, healthcare organizations will be encouraged to allocate more resources to securing data, networks, and systems.
The HealthCare.gov hacking was easily preventable, according to Ashley Leonard, president and CEO of Verismic Software, but usually occurs in organizations without proper training and IT management. She further goes on to state that the hack was a simple (but lethal) combination of bad IT management and poor end-user training.
Here are some ways healthcare organizations can lessen their vulnerability to security breaches:
1. Have Highly-Skilled IT Management Staff
IT professionals should know how to fortify security and how to mitigate a breach if one occurs. It is also very important that IT managers and technology vendors (manufacturers, software providers) find a better way to share information on vulnerabilities, and on how to patch or avoid them, with end-users: hospital staff, administrative employees and anyone else who accesses the network.
2. Strong Identification Access/Restriction System
Healthcare organizations need to step up protection of their most sensitive data. Passwords should be changed routinely, and at the most confidential (top-security) level, authentication should at the very least move to two-step verification (a password combined with voice, for example) or biometrics.
3. End-User Training
The IT management will not be able to oversee and control everything without educating end-users on how to protect the system themselves. IT security policies should be enforced and explained on a continuous basis.
4. Investing in Security
Experts have noted that most healthcare organizations have spent more on electronic medical records (EMRs) and mandates than on security. This should be reversed: security should be prioritized before splurging on data centers or devices. What is your data worth once it has been stolen? IT security comes in the form of solid infrastructure, software and the right people who will work on securing your network.
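The two conditions that let the Healthcare.gov test server be reached (a vendor default password left in place and a test system exposed to the Internet) and the password-rotation rule from item 2 are all things an organization can check for itself in its server inventory. The following audit script is an added example, not code from the article or from HHS; the hosts, vendor default list and rotation period are constructed placeholders, and the inventory format is assumed.

```python
"""Audit a server inventory for the weaknesses discussed above.

Added example (not from the article). Every host, password and date here
is constructed; a real deployment would feed in its own asset inventory
and the default credentials published for its own equipment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List
import hashlib


def sha256(text: str) -> str:
    """Hex SHA-256 of a string, used so the tool never stores clear-text passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed placeholders for vendor default passwords, kept only as hashes.
KNOWN_DEFAULT_HASHES = {sha256(p) for p in ("admin", "password", "changeme")}

# Assumed rotation policy: passwords older than this are flagged.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Host:
    name: str
    role: str              # "prod" or "test"
    internet_facing: bool  # reachable from outside the network perimeter
    password_hash: str     # SHA-256 of the current administrative password
    password_set_on: date  # when that password was last changed


def audit_host(host: Host, today: date) -> List[str]:
    """Return the list of findings for one host (empty list means clean)."""
    findings = []
    # Oversight 1: the manufacturer's default password was never changed.
    if host.password_hash in KNOWN_DEFAULT_HASHES:
        findings.append("default vendor password still in use")
    # Oversight 2: a test system is exposed to the Internet.
    if host.role == "test" and host.internet_facing:
        findings.append("test server reachable from the Internet")
    # Hardening item 2: passwords should be changed routinely.
    if (today - host.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than rotation policy")
    return findings


def audit_inventory(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each host name to its findings, omitting hosts with none."""
    report = {}
    for host in hosts:
        findings = audit_host(host, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample inventory; the dates are illustrative only.
SAMPLE_HOSTS = [
    Host("test-web-01", "test", True, sha256("changeme"), date(2014, 1, 15)),
    Host("prod-db-01", "prod", False, sha256("K7#v9Qp!xT2m"), date(2014, 8, 1)),
    Host("prod-web-01", "prod", True, sha256("R4$wL8zN!c6y"), date(2014, 3, 1)),
]
AUDIT_DATE = date(2014, 9, 5)


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as written, the report flags the test server on all three counts and the production web server on password age alone; the database server passes. Comparing hashes rather than clear-text strings means the audit tool can be shared without itself becoming a list of working passwords.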
No technology, team or individual can guarantee total security. Healthcare organizations would do well to emulate what financial institutions do: constantly improve, check and maintain security, reduce risk, and work together as one industry to bring about lasting improvements in security.