Martin Daks//December 10, 2018//
Before anyone can log into the computer network at Holy Name Medical Center in Teaneck, they must pass through a multifactor authentication process that adds biometric and other security procedures to the standard username-password combination. “This way, even if a hacker has figured out the username and password of an authorized user, there are additional obstacles to penetrating our system,” said Holy Name CEO Michael Maron.
As more organizations go digital with electronic health records — a requirement for hospitals, physicians and other health care providers since 2014 — cybersecurity continues to be a major concern. In one case, announced in late November, the U.S. District Attorney’s office in Newark charged two Iranian nationals with extorting more than $6 million from hospitals and other institutions in New Jersey and elsewhere since 2014 — in addition to causing more than $30 million of damage — by using sophisticated ransomware programs to hijack sensitive information from computers and hold it hostage until the hackers were paid off in bitcoin.
Hospitals, however, aren’t just sitting around and waiting to be attacked. Many, like Holy Name, are being proactive in protecting their sensitive data.
“In addition to taking steps to limit data access to authorized users, we also write our own software,” said Maron. “It’s more efficient, tailored to meet our professionals’ needs and it actually costs less than buying ‘off-the-shelf’ products.”
The institution keeps costs down by having offshore developers write much of the code, he said, “although as a security measure, they don’t have access to our data. Then, before we roll it out, our own team of developers thoroughly tests the code in a secure environment.”
The hospital also has strict standards governing its data storage, utilizing multiple firewalls to help keep out unauthorized access, “and we further segregate the data into multiple systems, so even if a hacker does breach our defenses, they will only have access to a limited amount of information,” he said.
Studies have shown that lax employees represent a big hole in cybersecurity, with many falling prey to “phishing” schemes that use official-looking websites that prompt them to enter passwords and other information. “We try to forestall that in a number of ways,” according to Maron. “In addition to using multifactor authentication, our in-house systems can only connect to external websites that have been vetted and added to a ‘whitelist’ of safe sites.”
EHR enables hospitals and physician practices to share information with each other and with patients, “but just as institutions and individuals have to learn to protect their banking and other financial information, they have to also protect their medical data,” noted Joseph Riccie, a partner and the practice leader of Withum’s Management Consulting Services and Cyber & Information Security Services practices. “When I log in to a health care provider’s site, one of the first things I do is to read their security disclosures to see if they’re compliant” with HIPAA (Health Insurance Portability and Accountability Act of 1996) and other data privacy and security regulations, he said.
Among other safeguards, health care providers should be encrypting patient data, “so even if a hacker gets access to it, the data can’t be read without an encryption key,” he added. “Of course the encryption key itself (typically a random string of characters that unlocks the scrambled data) has to be protected by the provider.”
Both sides, providers and patients, have to be diligent about passwords, according to Riccie. “Individuals should be using complex passwords to help restrict access to their information, but unfortunately two of the most commonly used ones are easily guessed strings like ‘12345,’ or ‘qwerty,’ the first letters of a keyboard.”
Riccie said he’d like to see health care providers offer ideas to patients about enhanced passwords, “but I’m not seeing much of that. Some providers feel it’s not their role to educate patients about best cybersecurity practices.”
As a start, Riccie suggests individuals should take something that they know, “like the first line of a song you like, or a sentence from a favorite book or movie. Then just use the first letter of each word and mix uppercase and lowercase letters.”
He also said to consider using a symbol for one or more of the words. “If one of the words in your mnemonic is ‘star,’ for example, use an asterisk. Password management is crucial, since an enhanced password makes it difficult for an individual, or even password cracking software, to figure it out.”
For providers, two-factor authentication offers added protection “and doesn’t cost a lot,” he noted. “Role-based access control, which limits employee access on a need-to-know basis, also adds a layer of security.”
One other approach that Riccie would like to see — but one that hasn’t yet been widely adopted — is systems that leave a kind of digital bread crumb that could help track down weak points.
“Health care providers could use identifiers to track who comes into a system,” he said. “Then they could take these audit trail logs and use analytical tools to look for exceptions and patterns. We also periodically train employees about safe surfing and other cybersecurity issues. Technology keeps evolving, and we do too.”
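Riccie’s description of audit-trail logs reviewed with analytical tools for “exceptions and patterns,” together with the role-based, need-to-know access he mentions earlier, is illustrated by the following added Python example. It is not code from Holy Name, Withum, Grassi or any system described in the article. The log format, the user and patient identifiers, the unit names, the roles permitted to view records outside their own unit, the business-hours window and the per-day volume threshold are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-trail lines (not taken from any real system).
# Format: timestamp | user | role | user's unit | action | patient id | patient's unit
SAMPLE_LOG = """\
2018-12-03T09:12:44 | jsmith | nurse | ICU | VIEW | P1001 | ICU
2018-12-03T09:15:02 | jsmith | nurse | ICU | VIEW | P1002 | ICU
2018-12-03T10:40:19 | rlee | billing | FIN | VIEW | P1001 | ICU
2018-12-03T11:30:00 | dpatel | nurse | ICU | VIEW | P3001 | PED
2018-12-03T14:02:08 | tchan | nurse | ONC | VIEW | P2001 | ONC
2018-12-03T14:03:11 | tchan | nurse | ONC | VIEW | P2002 | ONC
2018-12-03T14:03:40 | tchan | nurse | ONC | VIEW | P2003 | ONC
2018-12-03T14:04:05 | tchan | nurse | ONC | VIEW | P2004 | ONC
2018-12-03T14:04:30 | tchan | nurse | ONC | VIEW | P2005 | ONC
2018-12-03T14:05:01 | tchan | nurse | ONC | VIEW | P2006 | ONC
2018-12-03T14:05:20 | tchan | nurse | ONC | VIEW | P2007 | ONC
2018-12-03T23:55:31 | rlee | billing | FIN | VIEW | P2001 | ONC
"""

# Hypothetical need-to-know policy: only these roles may view records
# belonging to a unit other than their own.
CROSS_UNIT_ROLES = {"billing", "physician"}
# Hypothetical business-hours window, 07:00 up to (not including) 19:00.
BUSINESS_HOURS = (7, 19)
# Hypothetical threshold: more distinct patients than this in one day is flagged.
MAX_DISTINCT_PATIENTS_PER_DAY = 5


def parse_line(line):
    """Split one pipe-delimited audit line into a dict of typed fields."""
    ts, user, role, unit, action, patient, patient_unit = [
        f.strip() for f in line.split("|")
    ]
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "unit": unit,
        "action": action,
        "patient": patient,
        "patient_unit": patient_unit,
    }


def analyze(log_text):
    """Return a list of (finding_type, user, detail) tuples for review.

    Three exception checks are applied:
      after_hours  - access outside BUSINESS_HOURS
      cross_unit   - access to another unit's patient by a role not allowed to
      high_volume  - more distinct patients in one day than the threshold
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    per_user_day = defaultdict(set)

    for e in events:
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["patient"]))
        if e["patient_unit"] != e["unit"] and e["role"] not in CROSS_UNIT_ROLES:
            findings.append(("cross_unit", e["user"], e["patient"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])

    # Pattern check over the whole day rather than a single line.
    for (user, _day), patients in per_user_day.items():
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append(("high_volume", user, str(len(patients))))

    return findings


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG):
        print(f"{kind:12} user={user:8} detail={detail}")
```

On the constructed log this reports one cross-unit view by a nurse, one late-night view, and one user who opened seven distinct charts in an afternoon. The single-line checks catch exceptions against policy; the per-user, per-day tally is the kind of pattern that only shows up once the trail is aggregated, which is why the audit identifiers Riccie describes matter as much as the individual log entries.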
Large hospitals and other entities “are sometimes richer targets for ransomware and other attacks since they may have high-profile patients,” according to Joseph Tomaino, CEO of Grassi Healthcare Advisors LLC. “But smaller practices may be easier to penetrate if they don’t have the personnel and financial resources that larger hospital systems have. We’ve introduced some clients to subscription-based monitoring services that can provide cost-effective security since it saves the provider from the upfront infrastructure investment.”
His consulting practice, which has an office in Park Ridge, is a member of the Grassi & Co. Group of Accounting and Consulting companies. “Medical providers and health care organizations are transitioning from a transactional fee-for-service business model to a value-based payment model,” Tomaino noted. “This paradigm shift requires high quality outcomes with controlled utilization and costs. During this transition, health care providers and organizations are taking on increased levels of risk.”
When it comes to security measures, don’t overlook employees, he added. “Organizations need to screen employees,” he said, “otherwise they may take patient identities and other sensitive information.”