Criminals Leverage Remote Access to Patient Data Applications
Healthcare organizations contain a large diversity of information types, making them a prime target for online criminals. A healthcare network can potentially provide access to:
- Basic contact information, such as names, addresses, Social Security Numbers (SSNs), phone numbers, etc.
- Protected health information (PHI) like diagnoses and e-prescription information
- Credit card or bank account information on file
- Health insurance information, including medical card numbers and employer plan details
While last year, Reuters reported that your medical information is worth 10 times more than your credit card number on the black market, imagine getting access to both. Combining the value of the data health care networks collect with the relatively new standards for technology in healthcare organizations has resulted in many data breaches and security incidents.
One way that malicious hackers get access to healthcare data is through remote, online access - they often find a way to compromise Internet-facing servers housing databases of patient information. This was the case in a recent incident concerning a Texas-based mental health network facility that may have exposed 11,000 patients’ data records.
The HHS Wall of Shame, or rather, a database of reported healthcare breaches shows many incidents involving network servers. Early this year, the second largest healthcare insurance provider, Anthem Inc. reported that 80 million consumers may have been affected by a data breach.
An Anthem database administrator discovered a database query running using his login information - a query that he hadn’t sent. He also found that the login information for additional database administrators had been compromised as well, according to KrebsonSecurity.com. It would appear as though the attackers got access to the records by stealing legitimate credentials.
To address these issues, the Dept. of Health and Human Services (HHS) has released a guide (PDF) on securing remote access to electronic protected health information (ePHI) as part of the HIPAA Security Rule, the federal standards created to protect health data.
One of the recommendations includes implementing two-factor authentication for granting access to systems that contain patient data. Another involves the principle of ‘least privilege,’ which means limiting remote access and access to certain types of data to specific applications and business requirements.
Ideally, find a two-factor authentication solution that lets you do both - Duo provides two factor for one of the largest electronic healthcare record (EHR) applications, Epic, and also integrates to protect the digital prescribing of controlled substances, e-prescriptions.
With Duo Access, you can also set custom policies and controls to ensure only certain users or groups can access specific applications, and ensure that they must use two factor in order to authenticate to any applications with protected health information.
Another risk for patient data is the possibility that it could be intercepted or modified during transmission - e.g., insurance data sent to a healthcare provider, or an e-prescription sent to a pharmacy, etc.
The HHS recommends implementing and mandating strong encryption solutions for transmitting patient data (SSL, HTTPS, etc.) They also recommend that SSL should be a minimum requirement for Internet-facing systems that manage patient data in any form, including webmail systems. Finally, they also recommend prohibiting the transmission of patient data over open networks.
Learn more in Duo Security's Guide to Securing Patient Data, which includes:
- A summary of relevant health IT security legislation, including federal and state
- Information security guidelines on remote access risks and solutions
- Extensive security resources and a real hospital customer story
- How to protect against modern attacks and meet regulatory compliance with two-factor authentication
Download the free guide today to learn how you can protect your healthcare organization from external threats.