Cybersecurity: Healthcare Organizations Can Learn from Mistakes
Suhail Nanji – Director, Eastern Region SMLR Group, Inc.
Healthcare entities have a lot at stake when it comes to cybersecurity. Sensitive patient data released into the public sphere puts everyone on edge. How can technology propel healthcare organizations forward if it’s founded on a fear of a breach, and a very real fear at that? Recently, Community Health Systems in Tennessee experienced a cyber-attack that exposed 4.5 million patient records. While the breach was significant, and CHS is still reeling from the event, healthcare organizations can learn a lot from how hackers circumvented security measures and exploited weaknesses.
CHS operates a network of 206 hospitals in 29 states, and the affected patient database spread far and wide, impacting those who had received services from affiliated physicians or been referred to CHS from 2009 to 2014. Originating in China, the two cyberattacks occurred in April and June 2014, with the possibility of even more attacks occurring. Patient data loss includes names, addresses, phone numbers, birth dates and social security numbers.
As the investigation into what went wrong goes deeper, the real source of the breach is surfacing. A test server that wasn’t supposed to connect to the Internet was erroneously live, giving hackers an easy “key” into the organization’s database. During the planning and implementation phase, security for this server was never part of the plan. If security features had been deployed, the event probably wouldn’t have happened.
VPN credentials were stored on the test server, and hackers used them to gain access to the system. Basically, it was as if CHS shone a light onto its data and welcomed anyone who noticed it into the building.
Say it isn’t so
A cyberattack and subsequent breach don’t have to be inevitable. With incidents on the rise and extensive attacks occurring across industries, some may come to believe that a breach is inevitable, and sit back and wait for it.
This simply isn’t the way to approach cybersecurity. With a systematic approach to risk management and security, healthcare organizations can ensure top-level, best-in-class cybersecurity. Here’s what you can learn from the attack at CHS about protecting your data in general:
- Develop policies and procedures to prevent oversights and mistakes like the CHS incident.
- Periodically review in-place procedures for protecting patient data.
- Document steps for implementation of systems, their maintenance, and ultimately retirement of these data systems and computer networks to prevent a breach.
- Hire third-party vendors to identify security weaknesses.
- Monitor employee and vendor compliance, and ensure they’re following documented policies and procedures.
Healthcare organizations can successfully implement technology that improves efficacy and patient care, without compromising patient trust and cybersecurity. DataSurer specializes in helping healthcare organizations successfully implement cybersecurity measures and mitigate risk. Contact us today for a free consultation!