In December 2013, 40 million Target customers were affected by one of the largest breaches in retail history. In December 2015, Target agreed to pay $39 million to banks as reimbursement for money lost because of this attack — this was on top of $77 million paid previously in other lawsuits. But this is nothing compared to the potential loss that can come from stolen healthcare data.
Here are a few facts about the state of cyber security in the healthcare industry. According to the Ponemon Institute: 91 percent of healthcare organizations have suffered at least one data breach in the past two years; 39 percent have experienced two to five data breaches and 40 percent have suffered more than five.
Another fact: healthcare data is much more valuable than retail data and therefore a top target for criminals. When it comes to credit cards, they can be shut down nearly the instant a user gets notified of a bogus purchase. Plus, consumers are pretty savvy now about monitoring their transactions. The short shelf life renders this type of data less desirable now.
But with healthcare data — who is shutting the path down? The answer is: no one quickly. Tracing healthcare fraud is a complex process. Criminals can use the information to submit fake claims, get government benefits and even obtain prescription drugs. By the time the deception is detected a lot of damage has been done.
As part of operations technology (OT) you might be asking — “so what does this have to do with me?” It’s the job of IT to ensure that servers and the data they process are protected — right? Yes, this is true. However, take a step back and think about how many of the systems you manage are connected. Then go ahead and substitute the word connected with the word vulnerable. Now you should realize that facilities managers have a new role to play in cyber security.
Truth about Target
It’s fairly well known that the Target breach was a direct attack on the POS system; but do you know where the original attack vector came from? A third-party building management system (BMS) contractor had its credentials stolen, and the BMS became a pathway into the other systems. Saying the entire infrastructure is at risk would not be an overstatement.
So if you are in a hospital setting, that means all your electrical and power systems, temperature and access controls — any connected system you are in charge of — are susceptible to bad actors. Considering a facility manager’s primary job is installation and maintenance, you probably have not had to think about risks to healthcare data. As demonstrated by the attack vector used in Target’s breach, any connected system provides a path in. Once in, bad actors can traverse the network like an insider. You used to worry that such threats meant impact to your uptime. Now, you need to consider the crown jewel of the healthcare system: patient data.
7 Golden Rules
There are some essential steps you can take to make sure your operations systems are protected. These are the very basic things that must be in place, but it’s often when something fundamental is missed that bad actors find their way in.
- Patch systems
- Monitor systems and networks
- Understand phishing and its implications
- Separate the network
- Remote-in securely
- Manage passwords effectively
- Set and enforce proper guidelines for contractors
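Three of these rules (monitor systems and networks, separate the network, set guidelines for contractors) come together in the Target scenario above: a contractor credential meant for the BMS should never be seen reaching another segment. The following is an added example, not code from the original article; the account name, the BMS segment, the log format and the log lines are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical contractor accounts and the only segment each is permitted to reach.
# Both the account name and the BMS VLAN range are constructed for this example.
CONTRACTOR_SCOPE = {
    "bms-vendor-svc": ipaddress.ip_network("10.20.0.0/24"),
}

@dataclass
class Alert:
    line: str
    reason: str

def parse_event(line: str) -> dict:
    # Constructed log format: "<time> user=<acct> src=<ip> dst=<ip> result=<ok|fail>"
    tokens = line.split()
    fields = dict(part.split("=", 1) for part in tokens[1:])
    fields["time"] = tokens[0]
    return fields

def check_contractor_access(lines):
    """Flag every use of a contractor credential against a host outside its segment.

    Successful logins mean the segment boundary was actually crossed; failed ones
    still matter, because a BMS account has no business trying other segments."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        scope = CONTRACTOR_SCOPE.get(ev["user"])
        if scope is None:
            continue  # not a contractor account, nothing to enforce here
        dst = ipaddress.ip_address(ev["dst"])
        if dst not in scope:
            verb = "crossed" if ev["result"] == "ok" else "attempted to cross"
            alerts.append(Alert(line, f"{ev['user']} {verb} segment boundary to {dst}, allowed only {scope}"))
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-01-15T08:02:11 user=bms-vendor-svc src=203.0.113.10 dst=10.20.0.15 result=ok",
    "2024-01-15T08:05:42 user=bms-vendor-svc src=203.0.113.10 dst=10.50.1.7 result=fail",
    "2024-01-15T08:06:03 user=bms-vendor-svc src=203.0.113.10 dst=10.50.1.7 result=ok",
    "2024-01-15T09:10:00 user=jdoe src=10.10.4.4 dst=10.50.1.7 result=ok",
]

if __name__ == "__main__":
    for alert in check_contractor_access(SAMPLE_LOG):
        print(alert.reason)
```

In practice the allowlist would come from the contractor agreement itself, which is what makes the guideline enforceable rather than aspirational.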
It’s likely there are physical security practices in place in your facility, for example, electronic badges. Extend that same mindset to cyber security. As connectivity rises, so does the risk. And given the exponential worth of healthcare data, you can assume that there’s no longer a question of “if” you get attacked; it’s a question of when. But if you take proper care of the systems and the people who have access to them, threats can be effectively mitigated.