When Attackers Hit Deep and Wide to Target PHI: Cybersecurity and the Supply Chain

Weakest Link

Does it come as a surprise that in 2018, healthcare led all industries in cybersecurity breaches? Probably not. You may not even be surprised that health information made up more than a third of the potentially compromised records, according to the latest security report from BakerHostetler. What could be surprising is the level of sophistication and complexity that hackers and cyberattacks have reached.

Island hopping isn’t a new technique, but it’s an advanced one that’s increasing in prevalence, and the breadth of damage it can do is wide. In fact, half of the cyberattacks surveyed in a recent incident response (IR) threat report leveraged this hacking method.

What’s the appeal? The supply chain. The island-hopping strategy is not to attack the target company directly, but to go after its affiliates first – usually smaller companies that are less protected and more vulnerable. These targeted affiliate companies can be from any industry and of any size, as was the case when an HVAC company was used to hack the retail giant Target.

Once a supply chain is compromised, the hacker infiltrates the shared networks to “hop” and access more valuable information from larger organizations. Essentially, attackers are out to own your entire EHR system.

With the potential for system breaches constantly increasing, it’s imperative to consider lingering EHR legacy systems. Here are a few considerations when developing a strategy to protect your supply chain and, ultimately, the PHI in your legacy data:

  • Educate and Repeat – Since more than half of all attacks involve insider error or activity, it’s critical to provide ongoing cybersecurity and risk management training for employees. Internal phishing tests should also be a regular occurrence, helping to refresh employees’ awareness and identify those who may need additional training.
  • Vet the Vendors – Take a hard look at your supply chain. Are your EHR vendors up to date on their security protocols? Unsure of the best way to assess this? Start with these 10 privacy and security questions to ask any future data archiving partner.
  • Archive and Decommission Vulnerable Systems – If your legacy ERP and EHR systems are currently operating in read-only mode, the risk of a breach is steadily increasing. Archiving historical medical records and decommissioning these systems adds a layer of security, decreases vulnerabilities, and helps protect your network from cyberattacks.

If your organization is still dependent on legacy EHR systems to meet retention requirements and provide legacy data access, Harmony Healthcare IT can help mitigate your risk. Our data archiving solution consolidates data stores, reduces out-of-production system maintenance costs, and complies with record retention mandates. Most of all, it provides increased security against cyberattacks, protecting both your organization and your patients.

Ready to look at the weak links in your supply chain? Let’s talk.

Jun 05 2019
