complexity is added when the vendors then contract out to other vendors. Many vendor staff are
not typically trained on security procedures, including password creation policies, log in/out
procedures, avoiding public Wi-Fi, etc. A diagnostics consultant might leave the vendor but then
discover their access credentials are still valid a year later and be tempted to offer the access to
a hacking group.

The sheer size and complexity of a large multi-faceted hospital and healthcare group
underscores the threat. Perhaps this group has merged with several other providers and
worked with hundreds of vendors over the past 20 years. There might be hundreds of systems
operated by the group that all contain patient information. During those 20 years there could
easily be a hundred thousand individual users, between vendors and actual staff. Manually
monitoring all of these potential access points is a massive undertaking.


Managing the Problems with Technology and Training
Mitigating the security risks requires a two-pronged “people and technology” approach. On the
people front, healthcare providers need to first identify all of the known and unknown users and
compile them into a centralized source that is easily managed and analyzed. Such an audit
must include all past staff members and vendors, to provide a true count of potential access
threats.

Staff training is essential, with providers offering mandated security awareness training. This
should include specialized training for those that work directly with the most sensitive records
data. Unfortunately, the current model of training is broken, and staff are not provided with clear
direction on log on/off policies, password protection, and rules on distribution of records. Staff
might perform seemingly innocuous actions that end up being major breaches of privacy. For
example, an RN might look up the x-ray scan of their nephew to check on their broken arm, but
find previously undisclosed private health information. This type of breach does not have the
same ramifications as a massive cyber breach, but it should still be handled with seriousness
and include additional training for the staff.

In order to handle the scale of healthcare organizations (in terms of staff and number of
systems), providers must adopt dynamic learning management systems that provide automated
and frequent training. Users must receive repeated messages about their part in managing data
compliance, so the organization can become a security-focused culture.

The technology piece of improved security is intended to keep track of the entire user base,
across staff and third-party vendors. Firms should put in place advanced monitoring tools to
identify poor security patterns, spot individual user credentials being used in different locales,
and identify unapproved access. These tools will look at registration and login patterns and
send automated alerts to IT and management when they spot surges in patient record access.
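The three monitoring checks the article calls for (credentials still in use after a vendor engagement has ended, one credential appearing in two locales, and a surge in patient record access) can be expressed as simple rules over an access log joined against the centralized user inventory described in the "people" step. The following is an added example written for this page, not code from the article or any product it refers to; the user inventory, the access log lines, the site names, the baseline view rates and the alert thresholds are all constructed for illustration.

```python
"""Access-log review demonstrating the monitoring rules the text describes.

Added example, not from the Cyber Warnings article. Every user, log line,
site name and threshold below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "centralized source" of staff and vendor accounts. end_date is the
# day the person's engagement ended (None = still active); this is what lets a
# vendor credential that remains valid a year later be spotted.
USER_INVENTORY = {
    "rn_jane":      {"type": "staff",  "end_date": None},
    "clerk_bob":    {"type": "staff",  "end_date": None},
    "vendor_diag1": {"type": "vendor", "end_date": "2016-05-31"},
}

# Constructed per-user baseline of patient record views per hour (in practice
# this would be learned from history rather than hard-coded).
BASELINE_VIEWS_PER_HOUR = {"rn_jane": 5, "clerk_bob": 3}

# Constructed access log: "<iso timestamp> user=<id> site=<locale> action=<what>".
ACCESS_LOG = "\n".join(
    [
        "2017-06-01T08:00:00 user=rn_jane site=north-campus action=record_view",
        "2017-06-01T08:05:00 user=rn_jane site=north-campus action=record_view",
        "2017-06-01T08:07:00 user=rn_jane site=remote-vpn action=record_view",
        "2017-06-01T09:00:00 user=vendor_diag1 site=north-campus action=login",
        "2017-06-01T09:30:00 user=tmp_contractor site=north-campus action=record_view",
    ]
    # clerk_bob views twelve records in the 10:00 hour, well above a 3/hour baseline
    + [f"2017-06-01T10:{m:02d}:00 user=clerk_bob site=south-campus action=record_view"
       for m in range(0, 60, 5)]
)


def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def stale_credential_use(events, inventory):
    """Flag accounts that are unknown to the inventory or used after their end date."""
    findings = []
    for ev in events:
        acct = inventory.get(ev["user"])
        if acct is None:
            findings.append((ev["ts"], ev["user"], "account not in inventory"))
            continue
        end = acct["end_date"]
        if end and ev["ts"].date() > datetime.fromisoformat(end).date():
            findings.append((ev["ts"], ev["user"], f"used after end date {end}"))
    return findings


def credential_in_two_locales(events, window=timedelta(minutes=30)):
    """Flag a user seen at two different sites within `window` of each other."""
    findings = []
    last_seen = {}  # user -> (timestamp, site) of the previous event
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["site"] and ev["ts"] - prev[0] <= window:
            findings.append((ev["ts"], ev["user"], f"{prev[1]} then {ev['site']}"))
        last_seen[ev["user"]] = (ev["ts"], ev["site"])
    return findings


def record_access_surge(events, baseline, factor=3):
    """Flag users whose record views in any hour exceed factor x their baseline."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "record_view":
            hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(ev["user"], hour)] += 1
    findings = []
    for (user, hour), n in sorted(counts.items()):
        expected = baseline.get(user, 1)  # unknown users get a conservative baseline
        if n > factor * expected:
            findings.append((hour, user, f"{n} views vs baseline {expected}/hour"))
    return findings


def review(log_text=ACCESS_LOG, inventory=USER_INVENTORY, baseline=BASELINE_VIEWS_PER_HOUR):
    """Run all three rules and return the findings grouped by rule."""
    events = parse_log(log_text)
    return {
        "stale": stale_credential_use(events, inventory),
        "locales": credential_in_two_locales(events),
        "surges": record_access_surge(events, baseline),
    }


if __name__ == "__main__":
    for rule, findings in review().items():
        for ts, user, detail in findings:
            print(f"[{rule}] {ts} {user}: {detail}")
```

On the constructed data the review reports the vendor account used a year after its end date, an account missing from the inventory entirely, the nurse's credential moving from the campus network to the VPN within two minutes, and the clerk's twelve record views in one hour against a baseline of three. The same three rules scale to the "hundred thousand users" case only if the inventory in `USER_INVENTORY` really is complete, which is why the article puts the audit of past staff and vendors before the tooling.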

Advanced tools will map directly to HIPAA guidelines, which will help providers to successfully
manage audits. Tech solutions can also be used to run predictive analytics which can help IT to

64 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
