Healthcare organizations are facing a “perfect storm” when it comes to HIT infrastructure security, ERI Co-Founder and Executive Chairman John Shegerian said in a report.
The growth in hardware hacking puts patient data at risk both for providers that host their datacenters on-premises and for healthcare data hosted in off-premises facilities.
“With the massive increases in hardware hacking and cybercrime, the healthcare sector definitely has an uphill battle to fight in terms of protecting its digital data if they are to protect patient privacy and meet all HIPAA regulatory standards,” said Shegerian.
Shegerian cited a recent Protenus Breach Barometer report stating that in the second quarter of 2018, 3.15 million patient records were compromised in 142 different data breaches. Thirty percent of these breaches were performed by repeat offenders, indicating that healthcare organizations need to assess their infrastructure security risk.
“Hardware hacking in particular is an area that an alarming number of organizations are simply not prepared to confront,” said Shegerian. “Even if ‘wiped of data’ in the traditional sense, computers, cell phones, tablets and other devices used in medical scenarios pose a massive risk at the end of their life cycles. Because the technology that organizations use may contain components that store sensitive information, health-related organizations must take this problem very seriously to avoid exposure and potential HIPAA regulation violations.”
Coordinating the disposal of hardware that is no longer in use should be part of an IT security strategy. Appropriate disposal methods for hardware, software and data should be implemented so that data cannot be recovered from abandoned devices.
“Unfortunately, hackers have become more sophisticated, leading to an urgent need for responsible and fully-integrated ePHI and PHI services,” noted Shegerian. “Outdated hardware has increasingly become the target of choice. It is urgent that outdated devices be replaced – and then responsibly destroyed. Here in the US, that process should be done domestically and should always include complete, physical data destruction. The hardware security issue is significant now on a number of levels because it leads to the wholesale liquidation of private data – which puts healthcare organizations at risk of inadvertently violating HIPAA regulations.”
Assessing legacy systems and outdated hardware is one of the first steps organizations can take when evaluating their infrastructure security. Outdated systems cannot integrate well with newer systems, and this lack of interoperability can create security gaps that attackers can use to steal patient data.
“Organizations spend a lot of effort continually trying to re-engineer legacy systems that are broken,” Health2047 Managing Director of Technology Charles Aunger told HITInfrastructure.com.
A lot of the time, “fixing” legacy solutions results in Band-Aid repairs and workarounds that don’t fully address the problem. One of the biggest challenges organizations face is identifying legacy systems that are vulnerable and taking the steps to replace those systems before they cause damage.
Organizations should take a proactive approach rather than wait for something to go wrong. While end users may not immediately realize when upgrades are made, they will notice when something goes wrong because of a system failure. When end users are unable to do their jobs because a legacy system failed, it hurts the provider organization as a business and can potentially harm patients.
Taking on hardware and software upgrades can be a large undertaking that is overwhelming to think about, so coming up with a plan for each step and setting a realistic timeline can help organizations break the projects down.
“Change is hard,” Aunger stated. “Changing applications, upgrading features, and upgrading functionality takes time.”
“Organizations are trying to bite the whole apple instead of breaking down upgrades into smaller projects that are easier to digest,” he continued. “They tend to see the whole technology system as one big heartbeat. They think, ‘if it isn't broken, don't fix it and don't break it.’”
Understanding the threat that legacy systems and unused hardware pose to HIT infrastructure security can help organizations defend against preventable threats.