Healthcare data has become a massive target for hackers, with millions of personal health records exposed annually. With the trade in stolen data booming and hackers showing no signs of slowing down, practices need to be proactive in preparing for data breaches.
To a hacker, the choice between a person's credit card information and their healthcare records is easy, according to John Nye, vice president of cybersecurity strategy at IT consulting firm CynergisTek. Nye spoke on cybersecurity during a session at the Healthcare Information and Management Systems Society (HIMSS) Annual Conference in Las Vegas.
"A hacker can buy a useful credit card with a $10,000 dollar balance for like two dollars. They are so abundant and they have pretty good security, that they usually just get cancelled. Or, a hacker can go buy a medical record that has everything on a person," said Nye.
Healthcare records have traditionally been less secure, according to Nye, in part because of a complicated IT environment, especially among smaller practices. "Practices don’t know what to do when they invest in a $5 million EHR and then lack the resources to upgrade," said Nye.
As soon as a practice falls behind and simply reacts to attacks, it is in trouble. Proactively finding and correcting vulnerabilities is the only option, according to Nye. Once a practice becomes proactive in finding vulnerabilities, it then needs to address those issues. "We have to start looking, and finding, these issues before the bad guys do," said Nye.
Education is also important for practices. "If your staff doesn’t know what to look for, all your hard work is at risk," said Nye.
If and when a practice is ready to go on the offensive against hackers, outsourcing the work to professional hackers is the first option. Nye has been a certified ethical hacker for more than a decade, serving as a penetration tester. Penetration testers are hired by organizations to hack into their networks with permission and report findings. Hiring ethical hackers spares a practice the burden of hiring additional employees, allows for an unbiased assessment of risks, and usually provides a quick turnaround time for assessment of potential weaknesses, according to Nye.
The second option for healthcare organizations is to perform the security testing in-house. This requires significant resources, as hiring skilled ethical hackers is often a challenge. "There are certain aspects that can usually be handled in-house, but you can never test everything," said Nye.
The third option for a practice is to put out "bug bounties," announcing that it will reward independent hackers who responsibly identify and report security issues. To do this, a practice must be ready to act quickly once a bug is found and have the resources to pay the hackers.
Nye suggests that healthcare organizations take an evolved approach, employing a little bit of all three methods. If a practice hires a third-party to check on their systems bi-annually or quarterly, employs a team of in-house testers, and uses bug bounties to catch anything that may fall through the cracks, it can cover all of its bases, according to Nye.
"The millions of [personal health] records that are reported as exposed annually are only the ones we admit to. We all know the number is easily double that. You'd much rather have me find something than a guy in North Korea," said Nye.