Phishing Attacks Threaten Patient Data Security in the Healthcare Industry
A new survey from HIMSS (Healthcare Information and Management Systems Society) found that 87 percent of healthcare officials rate information security as an increasing business priority. Two-thirds also reported that their organization had experienced a significant security incident.
According to the survey, 64 percent of respondents experienced a security incident involving an external actor, with social engineering, online scams and hacking as the types of incidents reported. Sixty-nine percent of respondents experienced a phishing attack.
These security incidents have direct consequences, too - the HIMSS survey found that the impacts of these incidents included:
- Limited disruption to IT systems (62 percent)
- Loss of patient, financial or organizational data (21 percent)
- Significant disruption of IT systems (8 percent)
- Damage to IT systems (8 percent)
When it came to tools used to secure data, healthcare organizations reported using:
- Antivirus (87 percent)
- Firewalls (85 percent)
- Data encryption at rest and in transit (81 percent)
- Audit logs of access to data (64 percent)
- Patch and vulnerability management (61 percent)
A separate article in Forbes found that one of the biggest medical device providers in the world released nuclear imaging machines with weak default credentials, highlighting the problem of access security and authentication. And while default passwords should be changed, there is even documentation stating that users shouldn’t change the passwords because doing so could interfere with GE providing support.
Unfortunately, the survey reveals that the majority of health organizations aren’t deploying two-factor authentication, a security best practice for securing access to any number of sensitive applications and patient data.
While firewalls may work for on-premises applications, cloud/web-based applications also need to be secured in some way. Two-factor authentication provides more security for applications that can be accessed remotely by requiring a second device to verify an employee’s identity before they log into electronic health record (EHR) systems or other healthcare applications.
Data encryption is another basic control recommended by HIPAA, the healthcare compliance law that dictates how patient data should be secured. But if an attacker gets their hands on a pair of valid credentials, encryption offers little protection: by logging in as a legitimate user, they read the data in the clear just as that user would.
Audit logs of access to data are important for auditors and security analysis. An advanced two-factor authentication provider may also provide comprehensive security logging capabilities that report on user and administrator behavior.
Learn more in Duo Security's Guide to Securing Patient Data, which includes:
- A summary of relevant health IT security legislation at both the federal and state level
- Information security guidelines on remote access risks and solutions
- Extensive security resources and a real hospital case study
- How to protect against modern attacks and meet regulatory compliance with two-factor authentication
Download the free guide today to learn how you can protect your healthcare organization from external threats.