How Healthcare Can Adapt to Cyber Threats

As healthcare advances in technology, cybersecurity threats rise with it. Cybercriminals are becoming increasingly creative with their hacks, making the need for stronger security more pressing. With the rise of security incidents such as WannaCry and the proliferation of cryptocurrency coin miners, there is a growing risk of disruption to the delivery of healthcare. The healthcare industry must now adopt a more comprehensive and security-centric strategy. There are a number of ways the industry is planning to advance its security:

How Cybercriminals Attack
Cybercriminals have become quite crafty in how they attack the healthcare system. One of the newer and most popular methods is exploiting the software supply chain. Since the health industry relies heavily on a network of partners, attackers choose a supply-chain-based attack to breach an organization or to reach one of its suppliers.

This kind of attack can take three forms: hijacking a supplier’s domain to redirect traffic to an infected domain, directly compromising a supplier’s software, or targeting a third-party hosting service. The healthcare industry is at high risk for these kinds of cyberattacks because of how heavily it relies on third-party partners and services.

The Latest Industry Breach Trends
Security breaches involving the data of more than 500 people fall under the purview of the U.S. Department of Health and Human Services (HHS). By posting its findings on each breach to the HHS OCR Breach Portal, HHS provides data that can be analyzed to identify the latest cybersecurity trends in the healthcare industry. Analysis of this data found that the number of breaches in the industry rose 10 percent within the last year. As the number of breaches increases, the healthcare industry’s security approach is beginning to change.
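To show the kind of trend analysis the paragraph above refers to, here is an added Python example; it is not from the original article and is not an HHS tool. It parses records shaped like a portal CSV export, counts breaches per year, and computes the year-over-year change, the breach-type breakdown, and individuals affected. The column names follow the portal’s export layout (an assumption about that layout), and every row below is constructed sample data, not a real breach report.

```python
"""
Year-over-year breach trend analysis over records shaped like an HHS OCR
Breach Portal CSV export. Added example: the rows are constructed for
illustration (not real portal data) and the column names are an assumption
about the portal's export layout.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not real breach data). Dates are MM/DD/YYYY as
# the portal renders them; entity names are placeholders.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,TX,Healthcare Provider,1200,03/14/2017,Hacking/IT Incident,Email
Example Plan B,NY,Health Plan,5400,06/02/2017,Unauthorized Access/Disclosure,Network Server
Example Hospital C,CA,Healthcare Provider,800,11/20/2017,Theft,Laptop
Example Clinic D,FL,Healthcare Provider,2500,01/09/2018,Hacking/IT Incident,Network Server
Example Associate E,IL,Business Associate,15000,04/27/2018,Hacking/IT Incident,Email
Example Hospital F,OH,Healthcare Provider,640,08/15/2018,Loss,Paper/Films
Example Clinic G,WA,Healthcare Provider,3100,10/03/2018,Hacking/IT Incident,Email
"""

# The portal only lists breaches at or above this many affected individuals.
REPORTING_THRESHOLD = 500


def parse_breaches(text):
    """Parse a portal-style CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = int(row["Individuals Affected"])
        if affected < REPORTING_THRESHOLD:
            continue  # defensive: such rows would not appear on the portal
        submitted = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")
        rows.append({
            "entity": row["Name of Covered Entity"],
            "entity_type": row["Covered Entity Type"],
            "affected": affected,
            "year": submitted.year,
            "breach_type": row["Type of Breach"],
            "location": row["Location of Breached Information"],
        })
    return rows


def breaches_per_year(rows):
    """Number of reported breaches per submission year."""
    return Counter(r["year"] for r in rows)


def yoy_change_percent(rows, year):
    """Percent change in breach count from year-1 to year; None without a baseline."""
    counts = breaches_per_year(rows)
    prev = counts.get(year - 1, 0)
    if prev == 0:
        return None
    return round((counts.get(year, 0) - prev) / prev * 100, 1)


def breach_type_share(rows, year):
    """Fraction of the given year's breaches attributed to each breach type."""
    yearly = [r for r in rows if r["year"] == year]
    counts = Counter(r["breach_type"] for r in yearly)
    return {t: round(n / len(yearly), 2) for t, n in counts.items()}


def individuals_affected_by_year(rows):
    """Total individuals affected across all breaches, per year."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["year"]] += r["affected"]
    return dict(totals)


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    print("breaches per year:", dict(breaches_per_year(data)))
    print("2018 vs 2017 change:", yoy_change_percent(data, 2018), "%")
    print("2018 breach types:", breach_type_share(data, 2018))
    print("individuals affected:", individuals_affected_by_year(data))
```

On a real export, pointing `parse_breaches` at the downloaded file is enough; the breach-type share is the figure a security team will want alongside the raw count, since a rise driven by hacking incidents calls for different controls than one driven by lost paper records.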

A study by HHS Analytics found that at 40 percent of healthcare organizations, cybersecurity is a scheduled item of discussion in the boardroom. HHS also reported that the three biggest factors holding health organizations back from a higher level of cybersecurity were budget, staffing, and skill set. The healthcare industry understands that cybersecurity concerns are high and that it needs a stronger security program, one that is more broadly focused and goes beyond HIPAA compliance.

Best Security for Healthcare
With so many cybersecurity threats facing the healthcare industry, there is a desperate need for protection against hackers. Healthcare organizations stand a chance against these cybercriminals by treating cybersecurity as a business risk, addressing it regularly at board level, hiring qualified employees for new security roles, and considering the security implications when purchasing equipment. By incorporating these security measures, organizations have a better chance against cyberattackers and hackers.

Managed Services For Cybersecurity

What’s the best defense against cyber attacks? As the summer continues, the abundance of employees traveling for work can cause vulnerabilities that can be exploited by criminals. Even a single misclick can cause a far-reaching disaster that can cost a company thousands of dollars.

What many enterprises don’t know about cyberattacks is that the effects are frequently not seen right away. When responding to a breach or incursion, it is important to catch it during what’s called “dwell time”. Dwell time is the period after a cybercriminal has gained limited access to a system, during which they look for additional vulnerabilities and the best soft target for a coordinated attack.

If a cybercriminal succeeds in gaining elevated privileges on a system, they may wait days, weeks, or even months before launching a large-scale attack. During this time, they may take the opportunity to gradually drop in a payload, which could be a system exploit, a virus, or some other piece of malicious software.

When it comes to responding during this dwell time, it’s important to act as soon as possible. Even wasting minutes can be disastrous. Moreover, many people who work in IT may have some basic cybersecurity tools but not the expertise necessary to react properly. This is why the best course of action for handling cyber threats is to hire a qualified managed services company.

Using an external managed services company is much more scalable and cost-efficient than hiring a full-time cybersecurity expert. These firms can provide services that match an enterprise’s needs and monitor its infrastructure for potential problems.

That said, enterprises need firms that are able to do one task very well. While a Swiss army knife can be useful in a pinch, it pales compared to an actual knife when it comes to tasks like cooking. Ergo, specialization is important. Enterprises shouldn’t just be looking for a company that hardens security, as this is frequently ineffective. Instead, they should find a firm that knows the security space of their industry and can identify anomalies at a glance. They should also be poised to scale in the event of organizational changes.

When hiring an external firm, a company should be aware of the services it is gaining. While all companies strive to present an impeccable image to potential clients, thoroughly vetting possible cybersecurity firms is important. Know the services you will need and ensure they have professionals able to both implement and update them over time. They should also come equipped with the most up-to-date tools, able to monitor activity and deploy solutions on a moment’s notice. This is why dwell time can be problematic for unprepared organizations: if it continues long enough, getting a sense of the timeline and the origin of the incursion becomes difficult, if not impossible.

An external firm is the best way for a company to monitor and shut down incursions. In these cases, it pays to do research and find a firm that provides a managed services package specific to your industry and your organization’s needs. Breaches can happen, but with the right people and the right tools, they don’t have to be large scale disasters.

Teaching Employees Cybersecurity

As the weather gets warmer and employees start looking forward to their vacations, enterprises should be wary. While the summer is seen as a time to be outside and active, many cybercriminals are waiting to take advantage of an unwary organization and steal sensitive information.

This is in part because employees on the move are more likely to access unsecured Wi-Fi networks. Public Wi-Fi may be convenient, but it risks the compromise of sensitive data. For organizations, it may be difficult to respond. Not only is it nigh-impossible to track Wi-Fi usage outside of the office, but having fewer staff during the summer months can slow response time in the event of a breach.

Some companies may invest in full-time staff meant to screen against a breach. However, this is often not effective, especially if the staff are not specialized in cybersecurity. Combined with the cost of labor, maintaining a defense in this way is not cost-effective.

The solution lies in stopping the problem at its source: the people who can cause a breach. Many employees may not even be aware of the problematic conduct that can lead to a cyberattack, and awareness goes a long way. Paying to train employees against a cyberattack may be a more effective use of revenue than paying full-time IT staff to hedge against breaches.

Of course, teaching employees the principles of cybersecurity is something worth spending time on and executing correctly. In many cases, enterprises may have security training in place due to compliance laws. This is often done as a way of checking boxes rather than providing any meaningful education.

For instance, some types of training may be entirely online, with employees required to read a short pamphlet and complete a test verifying that they understand its contents. This approach, though simple for management, does not foster good retention and may not adequately cover the types of threats an organization might experience. It’s all too easy to grow complacent with training, even as its limitations open up new attack surfaces for cybercriminals.

Generally, the best way to train involves small groups of five to ten employees. Training should involve roleplaying several common scenarios and teach employees how to spot red flags and respond to potential problems. Threat assessment should be the priority for training, as many may not know what a potential cyberattack looks like.

Threats can take many forms, both digital and physical. Phishing schemes are the most common, with an innocuous-looking email delivering a payload that can sit on an employee’s computer for some time, compromising the machine and even spreading to others. Other red flags can appear in the workplace itself, such as an individual masquerading as an IT professional and planting problem files on a computer under the guise of performing work.

Whatever the nature of an attack, employees should feel empowered to not only detect these red flags, but report on them as well. It does an organization no good to criticize an employee that raises a false alarm, as this can discourage them from speaking up in the event of an actual problem.

When it comes to dealing with cyberattacks, preventing them is vastly better than containing them once they’ve started. Because of this, it’s worth examining an employee training program geared toward an enterprise’s needs. New attack surfaces mean new issues, and training that starts before cybersecurity becomes a problem can pay dividends, even if an organization doesn’t realize it.

Considerations For Healthcare in the Cloud

Healthcare organizations are in the midst of a massive transition, updating decades-old systems to fall into line with compliance and reconsidering the way they manage, store, and exchange data. This mass migration often includes moving infrastructure to the cloud and redoing EHR systems.

Cloud computing is sometimes looked on with suspicion by healthcare professionals, especially after several very public breaches in recent months. However, new HIPAA rules governing cloud services and patient privacy have made it easier for organizations to transition with confidence.

Even with this improved definition and numerous available cloud services, there are pitfalls that may be faced in the transition period, especially as companies learn and grow. I’ve listed some of the considerations that any organization should keep in mind when migrating and looking to gain more agility through the cloud.

Know Your Service

Before committing to migration to AWS, Azure, or another cloud platform, know what these IaaS providers will be giving your organization. Establishing a good service agreement requires an intimate knowledge of your organization’s needs. Consider which applications and functions are the most essential to your cloud services and build out your priorities from there. Finally, keep in mind that your needs may change over time. A periodic update of what matters from your cloud services will keep your business poised to get the most out of the service you are paying for.

Know Your Security

One of the biggest sticking points when transitioning to the cloud in a healthcare environment is the security of personal data. It is possible to design a cloud infrastructure that fulfills your needs while also being very secure, but this takes some planning beforehand. These cloud providers may well have specialized compliance plans in place for healthcare organizations, so ask about both your options and how they have served similar groups in the past. They may even have experts able to walk you through the migration process as safely and expediently as possible.

Know Your Price

Total cost of ownership (TCO) can be surprisingly high for some subscription-based services, and knowing the financial burden of migrating to the cloud is as valuable as knowing the security risks. Design matters a great deal here, and as with my first point, any organization looking to adopt a cloud infrastructure will need to be carefully audited to ensure that there are no excess costs. Scalability is also important, and a good cloud design allows an organization to add more or dial back as needed.

Know Your Performance

Your network is defined not only by how data is stored, but by how quickly it can be moved and retrieved. Slow networks are frustrating at best and, in a healthcare environment, can even put lives at risk. Consider both application structure and the location of the data when designing a cloud environment to maximize performance. Ensure that key applications and workloads receive priority. Fortunately, good architecture is easy to build into the overall structure of the cloud.

EHRs and Compliance

Managing electronic health records, or EHRs, in a digital ecosystem takes some level of caution, given the high value of the personal information. Healthcare organizations have struggled when it comes to providing patients with their EHRs in a compliant manner. Many of these issues stem from the patients’ lack of knowledge about how to properly access these records.

Under HIPAA privacy rules, organizations are required to provide EHRs to patients upon request. In these instances, patients may also have the records sent to a person or entity of their choosing after paying a reasonable fee.

The “reasonable” part of this requirement has been called into contention, with a patient advocacy organization reporting some patients paying hundreds of dollars for their medical records. In two instances, patients were charged a subscription fee by the organization to access medical records.

After the release of these findings, medical organizations defended the costs associated with EHR distribution. Retrieving medical records can be a surprisingly extensive process, with information pulled from multiple EHR systems, resulting in a document that can be hundreds of pages long and filled with minutiae. Additionally, much of this often needs to be trimmed to ensure that the information is only relevant to the patient the records are being distributed to.

Add in security concerns for the transfer of data, especially when it is requested by a third party, and it’s easy to see why this has proven difficult for many healthcare organizations. In several states, fees for third-party requests are generally higher than those charged to patients. This is because fees for third-party requests made at the behest of a patient are not covered under HIPAA regulation.

Laws differ from state to state, making it important for organizations to understand how their laws determine charges for EHRs. For instance, Kentucky entitles individuals to a single free copy of their medical records.

Additional difficulty in handling EHRs is a result of inadequate patient education regarding ways to access records. Educating them on the subject is less an IT concern and more a question of how patient engagement can be leveraged to promote HIPAA compliance. New forms for both healthcare organizations and patients released by AHIMA have aimed to improve understanding of these processes.

Even just making patients aware that they have the right to access their health information is an important step toward compliance. The form was designed with flexibility across organizations in mind, allowing them to adapt it to their own needs and patients.

As more and more healthcare providers update their EHR systems in the coming years, expect to see improvements in the ways that information is both delivered and made apparent to patients. Tools that improve patient access and are HIPAA-compliant are sure to be in demand as organizations work to do away with their antiquated and unwieldy paper records.