Cybersecurity Focus: Three Security Issues and an Archive Action Plan to #BeCyberSmart

Summary

Health data is the most sought-after data in the world for cybercriminals. Financial, business and patient records are lucrative on the dark web which keeps bad actors coming back for more. Since 2004, October has served as Cybersecurity Awareness Month. One big step to #BeCyberSmart (the 2021 Cybersecurity Awareness theme) is to decrease the data footprint of legacy EHRs and servers by decommissioning the vulnerable systems/servers and retaining the data in a secure, active archive.


The story of healthcare being number-one for cyberattacks, unfortunately, continues. The three driving factors that create the perfect storm behind this unwanted title include less than adequate security protocols, vulnerable legacy applications/servers and the high value of the data.

Let’s look at this trifecta of cyber trouble.

Lackluster security protocols leave systems and data vulnerable

Wide-open data access – The average healthcare organization has 31,000 sensitive files (including HIPAA-protected information, financial data and proprietary research) that are open to everyone in the organization. This equates to every employee having access to 1 in every 5 files, and to 1 in 4 files at small and mid-size organizations.

Not equipped with access monitoring – Many legacy EHR systems are not up to the task of monitoring user activity, data access and use. Many older systems were designed for easy data access as security wasn’t as big a factor when the systems were implemented.

Legacy systems and servers can’t keep criminals out or keep data safe

According to the HIMSS Cybersecurity Survey, legacy systems have known security vulnerabilities that can be relatively easy to exploit and are very difficult to rectify.

True story: More than 80% of healthcare organizations surveyed by HIMSS report they have legacy systems in place. Measured by legacy Windows Server operating systems in place (e.g., 2003, 2003 R2 and 2008), there was a 32% increase from 2019 to 2020.

And, the footprint of legacy systems is growing.

Bottom line: Legacy systems no longer supported by the manufacturer are ripe for attack.

High-value health data is an attractive target

Healthcare is the most lucrative industry for criminals. The average cost of a security breach in healthcare is $9.42 million, the highest of any industry and more than double the global average. It’s not just patient health information (PHI) either: financial information is the most targeted type of data (51%), followed by employee data (48%) and then PHI (34%). Cybercriminals compromise bank accounts, divert wire transfers and even obtain employee credentials to craft whaling emails, which go after bigger targets within the organization.

Legacy systems that are running in read-only mode are vulnerable to technical breakdown, cyberattacks or even internal threats. Multiple silos of data stored in outdated systems can be compared to leaving doors and windows unlocked and open. Having fewer open doors and windows to defend as cybercrime entry points is a smart and necessary step in your organization’s long-range security plan.

Protecting business and health information requires a fully deployed data security strategy that includes decommissioning legacy systems and safely consolidating patient, employee and business records to a secure, HITRUST-certified active archive. There are numerous workflow, cost-savings and other business benefits to utilizing an archive, including four security-oriented benefits.

Four Security Benefits of Retaining Legacy Health and Business Records in an Active Archive:


  1. HITRUST Certification. Look for a trusted vendor with HITRUST CSF Certification. That means they meet an extensive set of security-focused controls that comply with the requirements of multiple regulations and standards. This certification demonstrates that the supplier adheres to exacting security measures to protect patient data, appropriately managing risk involving data protection, availability, confidentiality, processing integrity and privacy.
  2. Single Sign-On (SSO). SSO is a feature built into HealthData Archiver® that eliminates the need for manual log-in by clinicians seeking access to historical records. SSO seamlessly connects clinicians from the active EHR, in context, to the patient’s historical medical record. SSO for HealthData Archiver® is available for major EMR brands, with OAuth/OpenID, Advanced Encryption Standard (AES), Security Assertion Markup Language (SAML 2.0) and other formats supported.
  3. Role-based Security/Audit Trails. Privacy and security for legacy data stored in an archive is as important as for active EHR records. This means rights and activities can be restricted and audited by user, role, group, and data domain/source. Role-based security and access controls are built-in. User audit logs are HIPAA-compliant and include the unique user ID, data subject ID, function performed, and date/time the event was performed. With Third-Party Auditing Integration, unusual user activity may be monitored to prevent internal threats.
  4. Break the Glass. Protecting the privacy and security of all medical records, both current and legacy—including those of high-profile patients—is important. HealthData Archiver® has numerous features built-in to manage, audit and protect legacy health records. Break the Glass provides:
    1. End-user access to privileged patient information only when necessary or in the event of an emergency, requiring that a reason to access the patient record be indicated.
    2. A Client Administrator option to add a Gatekeeper who is responsible for managing Care Team Member access for Highly Classified patients.
    3. Additional security measures, including explicit auditing of user authentication, authorization, and data-level access.
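Items 3 and 4 above describe how role-based rights, a Gatekeeper-assigned care team, Break the Glass access with a stated reason, and per-event audit records work together. The following is an added example of such a reference monitor, written for this post and not HealthData Archiver® code; the patient IDs, roles, care-team assignment and the break-glass frequency threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample configuration (assumed for this example, not the product's real data model).
HIGHLY_CLASSIFIED = {"pt-1001"}                # patients flagged by the Client Administrator
CARE_TEAMS = {"pt-1001": {"dr-lee"}}           # care team members assigned by the Gatekeeper
ROLE_RIGHTS = {"clinician": {"view"}, "him_analyst": {"view", "export"}, "billing": set()}

@dataclass
class ArchiveMonitor:
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, subject_id, function, outcome):
        # One audit record: who, whose record, what function, when, and the outcome.
        self.audit_log.append({"user_id": user_id, "data_subject_id": subject_id,
                               "function": function, "outcome": outcome,
                               "timestamp": datetime.now(timezone.utc).isoformat()})

    def access(self, user_id, role, patient_id, function, break_glass_reason=None):
        if function not in ROLE_RIGHTS.get(role, set()):      # role check comes first
            self._audit(user_id, patient_id, function, "denied:role")
            return False
        if patient_id in HIGHLY_CLASSIFIED and user_id not in CARE_TEAMS.get(patient_id, set()):
            if not break_glass_reason:                        # no stated reason: stays locked
                self._audit(user_id, patient_id, function, "denied:classified")
                return False
            self._audit(user_id, patient_id, function, "break-glass:" + break_glass_reason)
            return True
        self._audit(user_id, patient_id, function, "allowed")
        return True

    def frequent_break_glass_users(self, threshold=3):
        """Auditing hook: users whose break-glass count reaches the (assumed) threshold."""
        counts = {}
        for entry in self.audit_log:
            if entry["outcome"].startswith("break-glass:"):
                counts[entry["user_id"]] = counts.get(entry["user_id"], 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)

def run_scenario():
    m = ArchiveMonitor()
    results = [
        m.access("dr-lee", "clinician", "pt-1001", "view"),    # on the care team: allowed
        m.access("bill-01", "billing", "pt-2002", "view"),     # billing role has no view right
        m.access("dr-kim", "clinician", "pt-1001", "view"),    # classified, not on team, no reason
    ]
    for _ in range(3):                                         # same user breaks the glass repeatedly
        results.append(m.access("dr-kim", "clinician", "pt-1001", "view", "ED admission, covering on call"))
    return results, m.frequent_break_glass_users(), m.audit_log
```

Every decision, allowed or denied, lands in the audit log with the four fields the post lists, and the repeated break-glass user is surfaced for review rather than silently permitted.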

It’s time to step up the defensive moves to protect health data. Ransomware isn’t waiting.

A business will fall victim to ransomware every 11 seconds in 2021. That means that in the 5 minutes you took to read this post, there were likely nearly 30 cybercrimes, most of them focused on healthcare.

Our team is ranked number one as the top Data Archiving, Data Extraction and Migration company according to Black Book™ Rankings, a division of Black Book™ Market Research. This is the kind of number one ranking that we don’t mind receiving three years in a row (2019-2021). It underscores our commitment and keeps patient, employee and business records accessible, usable, interoperable, secure and compliant.

Ready to secure your legacy data?

Let’s connect.

Oct 07 2021
