It’s the information, silly! A recent study by the Center for Technology Innovation at the Brookings Institution tells us what we already know: healthcare organizations hold high-value information electronically, and because they haven’t invested equally in cybersecurity, it’s all vulnerable. When those nifty EHRs hold names, dates of birth, addresses, Social Security numbers and health histories, they are eminently salable. What’s new here is that the vulnerability increases due to factors not based on security, but on legal and data exchange requirements:
- Data sharing and accessing
- Length of storage to comply with regulations
- The size of the records: the more information they hold, the more vulnerable
Layer ransomware on top of this.
The worst threat is not the hacker in a Bulgarian basement, but what is termed ‘state actors’ who want health information for a variety of reasons. They may be compiling a big database: “…a dossier of individuals that they could use for social engineering for future attacks”, such as sending phishing emails to government employees with specific, accurate information that, when opened, infect their computers with malware for another purpose. Some solutions presented are using an outside cloud storage provider; using blockchain, which requires both public and private encryption keys; and deploying intrusion-detection systems (IDS) and security information and event management (SIEM) software.
CSO, Brookings report (28 pages)