Document Sharing, Digitized Medical Records Increase Cyber Risk for Nursing Homes, Medical Facilities
In January, we wrote about the increased cybersecurity risks that nursing homes and other healthcare facilities face today. We cited a report by Experian indicating that the healthcare industry will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. This is due, of course, to the wealth of private data that these facilities possess that cyber criminals want to get their hands on, including medical records, credit card data, bank account numbers, Social Security numbers, and dates of birth. According to cybersecurity firm NorseCorp, medical records sell for approximately $60.00 apiece on the black market, while credit-card information sells for about $20.00.
The increased cyber risk nursing homes and others face was also recently underscored by an insightful article in the Wall Street Journal. The article discusses how cybersecurity researchers discovered information on a free document-sharing website called 4shared.com that could potentially give hackers easy access to electronic medical records and payment information from healthcare providers. According to the article, the documents “detail the type of equipment used in computer networks, the Internet addresses for computers and other devices, and the passwords to network firewalls run by health-care providers such as nursing homes, doctors’ offices, and hospitals.” In fact, the Wall Street Journal itself decided to see what it could find by doing a search on 4shared.com, and came up with confidential information on three nursing homes located in New York.
When the newspaper contacted one of the nursing homes, it said it hadn’t realized that its information was online until the Journal called. The information for this nursing home on the document-sharing site included network passwords from seven years earlier, when the facility first installed medical-records software. Another nursing home’s information found on 4shared.com, according to the Journal, included the brand of firewall, the networking switch, the Internet addresses of wireless access points for 11 rooms, precise blueprints of the facility, the locations of computers and printers, and the encryption keys, usernames, and passwords granting access to the network. According to cybersecurity experts, the documents for the three nursing homes most likely were posted to 4shared.com by people who gained access to the medical-records software.
As this information shows, nursing homes and other healthcare facilities have to be vigilant about protecting their data and pinpointing vulnerabilities as hackers become more focused on targeting this industry. Today, many more entry points exist where hackers potentially can enter a medical facility to try to access electronic medical records or billing systems, according to the Journal article. “Armed with administrator passwords, for example, it would be easy to gain entry into the network of a healthcare facility and install malicious software designed to capture passwords to the medical-records database,” said John Pescatore, a director at the SANS Institute, a cybersecurity research and educational organization, to the Journal.
The article also notes that healthcare facilities are increasingly using medical equipment, such as dialysis and imaging machines, that is serviced through the Internet and whose software can be administered or updated remotely. This presents real challenges for nursing homes and others to protect patient and confidential data on these machines from hackers.
Federal mandate calls for the security of medical data to be strictly controlled. This type of information in the wrong hands could result in significant expenditures for a nursing home or other healthcare facility. As we have previously discussed, robust cybersecurity measures should be implemented, including determining who has access to what type of information, implementation of ongoing personnel training on where information/data is placed and the exposures involved, establishment of protocols with third-party providers, and much more. Along with tight security measures, a sound Cyber Liability insurance solution is critical to respond in the event of an attack. A policy can be designed to pay for patient notification expenses, credit card monitoring, regulatory actions and fines, reputational management, loss of income, etc. Additionally, a Cyber policy can be designed to cover litigation from affected patients, employees and other parties; failure to implement and maintain reasonable security procedures; negligence; regulatory actions; invasion of the patient’s right to privacy; defense and damages; and spread of virus and malicious code.
Caitlin Morgan specializes in providing solutions for nursing homes and other medical and healthcare facilities, including Cyber Liability. Please give us a call at 877.226.1027 to discuss how we can help your insureds protect themselves.
Source: Wall Street Journal