Healthcare News & Insights

Controlled access: Key to guard devices from malware

The more health IT devices hospitals implement, the more access points hackers have to infiltrate their systems. However, many hospitals need help to protect these devices from intruders. 

ThinkstockPhotos-475358140Although devices rarely contain the kind of protected health information (PHI) hackers want, they often serve as entry points to get at more valuable data. Typically, hackers will infect devices with malware or other malicious viruses, which allows them to move laterally through systems and mine information from your network.

These kind of breaches can often go unnoticed for months, since the use of the device isn’t typically affected while the malware is running.

However, Adam Winn, senior manager at OPSWAT (a security software developer), notes that although protecting devices can be particularly difficult, it’s not impossible.

Guarding against malware

In an article he penned for Healthcare IT NewsWinn recounts how Billy Rios, a security researcher, found a vulnerability in drug pumps which could expose devices to outside attacks.

Unfortunately, given the design of these devices, they often run on outdated software and can’t be protected with anti-virus software. As a result, hospitals should focus on prevention to keep malware off devices, Winn says.

One way to do this is to limit how much access devices have to larger systems.

In another recent example, Winn spotlights a hacker who was able to compromise a computer in the facility through a website, and then access its picture archive and communication system (PACs), causing a PHI breach. Having that kind of connectivity isn’t required for a simple facility computer, Winn says. Instead, there should be a procedure in place for limiting access to the network based on the device.

Although not a cure-all, one solution hospitals should consider using is an air-gapped network to transfer important data. These networks give facilities a higher level of control over how data moves and is accessed in the system.

Given the growing prevalence of cyberattacks, and the expansion of health IT in most facilities, leaders will have to consider what devices or areas of operation pose the highest risk of infiltration, and take steps to limit how they interact with your larger system.

In this way, preventing cyber infections can be similar to how providers prevent the spread of typical infections and viruses, Winn says.

A $4.13 million mistake

Taking steps to protect devices from malicious attacks is crucial because the stakes for data breaches have been steadily rising, and there may be trouble getting relief from a cyber liability policy.

As Healthcare IT News reports, Cottage Health System in California reported a breach in 2013 and was hit with a massive class action lawsuit from affected patients, resulting in a $4.13 million settlement.

Cottage expected its cyber insurance policy to cover some of the cost, but the insurer, Columbia Casualty Company, is now challenging the system in court.

The insurer is claiming that Cottage didn’t take enough steps to protect PHI when it signed up for the policy, such as “failure to regularly check and maintain security patches on its systems, failure to regularly re-assess its information security exposure and enhance risk controls, failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers, and failure to control and track all changes to its network.”

Now, Columbia is seeking reimbursement for the full $4.13 million for Cottage’s alleged misrepresentation of its security procedures and lack of oversight on IT vendors, which was partly the cause of the breach.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.