The Exposure & Defenses for ASCs and Employees
Back in August, we reported in the Auxo Medical Examiner of the increasing victimization of health care facilities by hackers who disable access to key patient and status records until ransom demands are met. In addition to patients, employees often suffer as well because of a workplace breach of their confidential information.
In recent days, we’ve all seen the headlines of a data breach that may affect 50% of Americans.
Giant Equifax data breach: 143 million people could be affected
Equifax says a giant cybersecurity breach compromised the personal information of as many as 143 million Americans — almost half the U.S population.
Given the snowballing ransomware cyberattacks of ASCs and other health care facilities, coupled with escalating identity theft initiated by hackers for illicit use or sale to other thieves … this issue will deal with two specific data breach exposures:
- The burgeoning interconnectivity of medical devices, and
- Protection against theft of employee records.
The IoT of Medical Devices
Heart monitors, medical equipment, employees and patients are all candidates for apps that connect people to devices in the delivery of health care solutions … all targeted to better, faster and cheaper health outcomes.
And that’s where the issue of cybersecurity takes center stage. As with any technological innovations, there are risk factors associated with the rapid expansion of IoT in the medical field. It is incumbent upon both health care management and IT professionals to be alert to the threats and diligent in orchestrating defenses. Cyber attacks will likely accelerate as there is more potential to steal sensitive health data … often viewed by the thieves as even more valuable than the usual target of identity theft – financial information.
Consider the real-time impact of internet muggers taking control of medical devices that monitor vital signs and deliver drugs. Smart medical devices are more and more becoming the norm, and each has an IP address, which raises the security stakes even higher. A cyber-assailant who successfully locates and reaches a device by its IP address makes that device fair game for hacker control … and for financial demands to back off.
That means that the IoT is something that will require increased attention by ASCs and other health care facilities to prevent patients being denied critical monitoring or required medications. By 2025, according to a McKinsey report, remote monitoring with smart devices could create as much as $1.1 trillion a year in value by improving the health of people with chronic diseases.
So, adoption of IoT is on a fast-track. New networks are being introduced to handle the increased internet traffic driven by IoT – including that attributable to smart medical devices. The accelerating proliferation and interconnectivity of smart medical devices, with safeguards against hacking yet to be developed, are likely to make them attractive targets.
Traditional technology networks are generally vulnerable and lucrative to attack. Small to medium-size health care facilities are marked as primary ransomware targets because their security infrastructure is often lacking.
Refreshingly, health care leadership is becoming more alert and responsive to beefing up their cyber-security and backup of files, making it more difficult to be compromised. That will have a negative (for the criminals; positive for us!) impact: decreased profitability for cybercriminals.
So what’s an ASC to do? Here are five ways to minimize the impact of ransomware attacks.
- Back up your files and save them offline or in the cloud.
- Ensure antivirus and anti-malware software are set to update automatically.
- Educate your employees:
  - Be cautious when opening emails or attachments.
  - Only download software from sites you know and trust.
- Limit employees’ abilities to install and run software on network devices.
- Contact your local FBI field office immediately to report a ransomware event and request assistance. Visit www.fbi.gov/contact-us/field to locate the office nearest you.
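The first item on that list, backing up files, only protects an ASC if the backup copy can be trusted when it is needed. Ransomware that reaches a mounted backup drive encrypts the copy along with the originals, and a facility may not learn this until the restore fails. The script below is an added example written for this article; it is not code from Auxo Medical or from any product the article mentions. It copies a records tree to a backup location, writes a SHA-256 manifest of every file, and later verifies the copy against that manifest so that modified, missing or unexpected files are reported before anyone relies on the backup. The directory names, file contents and the manifest file name are all constructed for the demonstration.

```python
"""Backup with an integrity manifest (added example, not from the article).

Copies a source tree to a backup location, records a SHA-256 digest of every
file, and verifies the backup against that record so that silently corrupted
or ransomware-encrypted copies are detected before a restore is attempted.
All paths, file contents and the manifest name below are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed name, chosen for this example


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large record exports do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and write the manifest alongside the copy."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return a list of problems; an empty list means the backup matches its manifest."""
    expected = json.loads((dest / MANIFEST_NAME).read_text())
    actual = build_manifest(dest)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two files, verify, then simulate an
    encrypting intruder touching the backup copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        dst = Path(tmp) / "offline-backup"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "roster.csv").write_text("name,ssn_last4\nA. Example,1234\n")
        (src / "schedule.txt").write_text("OR-1 07:30 constructed sample\n")

        make_backup(src, dst)
        clean = verify_backup(dst)  # expected: []

        # Simulate ransomware overwriting one copied file and dropping a note.
        (dst / "hr" / "roster.csv").write_bytes(b"\x00garbage\x00")
        (dst / "RANSOM_NOTE.txt").write_text("constructed placeholder")
        tampered = verify_backup(dst)  # expected: modified roster, unexpected note
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("intact backup:", clean)
    print("after tampering:", tampered)
```

One design point worth noticing: the manifest is written next to the backup for simplicity, so an intruder who can rewrite the backup can rewrite the manifest too. In practice the manifest (or a signature over it) belongs on a separate, read-only medium, and the verification should be run before the offline copy is ever reconnected to the production network.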
As a quick reference resource, here is the small business ransomware infographic developed by the American Bankers Association.
ASC leadership must continually become more diligent in identifying network vulnerabilities and take steps to remedy weaknesses through increased cybersecurity and aggressive data backup protocols. Anything less exposes the facility, patients and employees to exceptional penalties at the hands of ransomware hackers.
The Enemy Within – Number One Source of Identity Fraud
No less an agency than the FBI reports identity theft as America’s fastest growing crime. That can spell havoc for an otherwise successful health care provider when patient or employee data is breached and hacked by fraudsters.
Now couple that bit of news with a pair of startling findings. A Michigan State University study reveals that the number one source of identity fraud is through theft of employer records, with 51% of identity thefts occurring in the workplace. Similarly, a survey conducted by the Identity Theft Resource Center reported that over 20% of all cases of identity theft involved employees committing insider theft or negligence relating to Social Security numbers and other personal information.
Whether the results are nearly a quarter, or better than half, of the offenses, employees are prominent in the theft of employee and patient sensitive information. Even in this digital age, the most common scenario appears to be a single employee gaining access to hard-copy, paper records. That becomes even more obvious when you consider just how much personal information a file cabinet of paperwork contains.
HR Hero identifies itself as “Your Employment Resource” and authored an article entitled Identity Theft and the Workplace.
The article highlights several important points for employers to note.
- “Increasingly, employers are being held liable for any harm their employees suffer because of a workplace breach of their confidential information.”
- “In addition (to federal laws), it appears that the courts are primed for holding employers liable for losses of their employees’ confidential information, even in the absence of a specific law requiring them to protect it.”
- Protecting employees from identity theft benefits the bottom-line as employees that are victims of identity theft are likely to be less productive.
Employers must take reasonable steps to protect sensitive employee information. Files and computers holding key identifiers such as Social Security number, address, date of birth, etc. should be guarded and accessible only by authorized persons.
Involve Employees
Providing guidance to employees to protect themselves may deter exposure to identity theft. Ironically, Equifax offers Six Tips to Help Avoid Identity Theft in the Workplace as an excellent guide. Here’s a brief recap.
- Never give coworkers your personal information or leave key identifiers accessible.
- Don’t email sensitive information. (Editor’s Note: Much safer is an old-fashioned, secure paper fax transmittal)
- Password protect your computer and mobile device.
- Avoid public WiFi and unsecure networks.
- Don’t carry your identity around with you.
- Shred personal documents.
The bad guys are out there, and their prey is both ASCs and individuals who are ripe for breaches in cybersecurity, i.e. gaps in safeguarding personal, facility and patient data. Diligence is the operative word to ensure that management, IT professionals and employees are aware of the risks and alert to defending against illicit access to sensitive data.