Like a virus that slips past the body’s immune system, ransomware infected the entire network of a large medical practice in the Mid-Atlantic as hackers froze desktops, servers, and laptops used by more than 100 staff members. And these cybercriminals gained entry from the one device specifically set up to protect the healthcare facility from thieves: the security camera.
Instead of exploiting human errors through a phishing scam, hackers instead broke into the computer system via the software that ran the security camera. Because the medical practice had contracted with a third-party security vendor, the camera’s software sat outside the firewall installed to protect the computer network. Using a password cracker, a cybercriminal infiltrated the software, logged in as the IT administrator, and then encrypted everything in the network to spread the ransomware.
Fortunately, the practice was able to get its system restored—but the costly process of rebuilding servers and adding backups took the better part of a week before the network was fully restored.
Unfortunately, security cameras are only one of a countless array of devices and applications that make up the growing digital environment known as the Internet of Things (IoT)—an environment most consumers access through the disembodied voices of Siri or Alexa which connect and communicate data for everything from smart refrigerators to fitness wearables.
Not only is the IoT market expected to grow enormously – up to 20.4 billion devices by 2020 according to Juniper Research – the cybersecurity threats in this new environment are poised to mushroom as well.
IoT devices like smart alarms or wireless music systems can leave any business vulnerable to cyber-attacks, but the wealth of private information on patients makes the healthcare sector a particularly inviting target. Many hospitals and medical practices, for instance, have diagnostic equipment like ultrasounds, mammograms, and MRI machines that are not part of their normal network security – or else they operate on outmoded software.
That means any device that is not kept within the protective security perimeter provided by anti-viral measures and firewalls can become an entry point for cyber thieves.
Typically, healthcare practitioners share and exchange diagnostic images from ultrasounds or mammograms through a Proxy Auto-Configuration (PAC) file. But the servers and software used to distribute these PAC files from one location to another within a medical practice or through the cloud may not be updated, nor do they always configure with security best practices.
Three steps to better protection
If medical professionals install firewalls and anti-viral software but neglect to secure the IoT devices that surround their practices, it’s as though they’ve locked their doors but left the windows open.
Besides engaging in ongoing employee education about cyber-threats, practitioners can take these three steps to improve data security in the emerging IoT environment:
- Create a Virtual Private Network (VPN) and use two-factor authentication (2FA);
- Install an Account Lockout Protocol and develop tough password controls; and
- Conduct a rigorous Security Risk Assessment (SRA)
Creating a Virtual Private Network (VPN) provides an encrypted, private connection over the top of a public, less secure network that can be used for remote access and other online tasks. In the case of the hacked medical practice, the security camera was outside the firewall of the protected network, instead of being inside the safety of a VPN. Using two-factor identification—like the temporary code sent to a cell phone for making online payments—adds another layer of protection to the VPN.
Account Lockout Protocols prevent a hacker from getting into a system after a certain number of tries. That tool stops a “brute force” attack by cyber thieves who use password crackers to keep trying an infinite variety of passwords until they break the code. Developing strong passwords creates another line of defense. If the medical practice had installed account lockout technology it could have prevented the hacker from breaking into the active directory, even if the security camera software itself was breached.
A Security Risk Assessment (SRA) is a powerful weapon against cyberattacks because it requires a thorough inventory of every location where data is stored, as well as any point where it is vulnerable. Before the explosion in IoT, that assessment would cover items like mobile phones and laptops along with desktop equipment; but now it also extends to a whole gamut of devices ranging from energy monitors to remote printers. While all the new gadgets in the IoT must be checked for potential security vulnerabilities, it’s also crucial to deal with the host of legacy equipment still in operation. For example, because of cost considerations or compatibility issues, some medical facilities continue to depend on MRIs that run on Windows XP. As noted previously, when any device operates on outdated software, it creates the risk of a data breach, especially when security patches have not been updated.
IoT promises a world of convenience and connectivity in healthcare – but that promise will only be fulfilled if practitioners recognize that security is the most important thing.
Art Gross is president and CEO of HIPAA Secure Now!, which provides security services to medical practices. Send your technology questions to [email protected].