Another eHealth Data Breach - IT Advisement
December 2020 by Vince Padua, CITO at Axway
Today, NTreatment, a technology company that manages electronic health and patient records for doctors and psychiatrists, left thousands of sensitive health records exposed to the internet because one of its cloud servers wasn’t protected with a password.
Vince Padua, CITO at Axway, has provided some guiding advisement for CISOs and Health IT admins who are affected by this continuing threat:
Situation: “We are living in a global pandemic. The world healthcare infrastructure is being tested, from hospitals at full capacity to Personal Protective Equipment in short supply. In part because we are focused on the pandemic, there are others focused on how to take advantage of our healthcare infrastructure. These are hackers and cyber gangs who seek to profit when our focus is on the pandemic. Today, there is a good chance the hospital, where system downtime could impact the health of patients or even cause the loss of life, would pay a ransom, making hospitals targets. This is where cybersecurity protection and recovery in healthcare is most critical, especially in these times.
Complication: Through lockdowns, school closures, and remote working, we are all spending more time online. Some are experiencing telehealth for the first time, whether for mental support, requests for medical supplies and medications, or reviewing diagnostic results. The overall surface area for data breaches has grown significantly in 2020 with more online time and activity. And these applications and APIs have been shown to be a key attack vector given their high number of vulnerabilities. With telehealth and our increasing time online, the opportunity for phishing attacks via email, text, and web applications has increased significantly.
Resolution: Restoring systems after a data breach can be time-consuming and expensive – that’s the intent. Preventing this situation is the goal. There are several options to help in preventing this situation in our increasingly digital world. As a user or consumer, don’t send or open email attachments you don’t know. Instead, use a trusted file sharing service. Both consumers and providers need to focus on authorization and authentication on the front end. And as a provider, recognize that all your applications are built on APIs (Application Programming Interfaces). These APIs should be protected by the latest security protocols and standards. Lastly, ensure your backend data has been properly backed up and encrypted.
Conclusion: We are all spending more time online interacting with digital services. Healthcare is no different, and it is also heavily stressed because we are in a pandemic. Fighting server attacks requires a multi-vector approach. Your clients need to be educated, your tools need to be up-to-date, and your remediation strategy should be well rehearsed.”