Sunday, April 16, 2017

How can hospital database controls decrease susceptibility to hacking?

As hackers increasingly target the healthcare industry to gain access to information, hospitals need to improve their efforts to secure patient information, which is mostly stored in several places throughout their systems. Hospitals have hundreds if not thousands of hospital database controls, and most of them can serve as a launch pad for hackers, asserts Bill Fox, vice president of healthcare and life sciences at MarkLogic, a vendor that provides enterprise database technology.

Too often, workers and clinicians have unlimited access to data, he claims. That access should be limited on a need-to-know basis, and after a task is done it should be revoked to decrease the chance of accidental exposure.

“Hackers can do many things at even the lowest hospital database controls level,” Fox emphasizes. “They can go in the database and use it to get to another database, not merely using that second database as a hijacking device, but using it to get to the motherlode.”

Fox is a former deputy chief of economic and cyber crime at the Philadelphia District Attorney’s Office, where he investigated and prosecuted hackers targeting healthcare agencies and other industries. In one case, hackers sat in a car in the parking lot of a large retail chain and used the inventory mainframe to access other information systems, eventually stealing information on 5,000 people.

Hackers do not just come from the outside; in several cases, they work inside an agency and, as several providers have learned over the years, they are just as dangerous, Fox says. Too many providers aren’t monitoring worker activity when simple analytics could rapidly spot an offender. Using business intelligence tools to observe an organization’s network activity might identify workers accessing parts of hospital database controls that they have never used before.
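The analytics described above, reduced to one check, as an added example that is not from the original article: build a per-user baseline of the tables each account has touched, then flag later accesses outside it. The log format, account names and cutoff date are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log sample: ISO timestamp, user, database, table.
SAMPLE_LOG = """\
2017-03-01T08:02:11 nurse_a ehr vitals
2017-03-02T09:15:40 nurse_a ehr vitals
2017-03-02T10:01:05 clerk_b billing invoices
2017-03-03T11:30:00 nurse_a ehr medications
2017-03-20T08:05:00 nurse_a ehr vitals
2017-03-20T23:41:17 clerk_b billing invoices
2017-03-20T23:43:02 clerk_b ehr patient_master
2017-03-20T23:44:10 clerk_b ehr patient_master
2017-03-21T07:00:00 temp_c inventory stock
"""


def parse_line(line):
    """Split one log line into (timestamp, user, (database, table))."""
    ts, user, database, table = line.split()
    return datetime.fromisoformat(ts), user, (database, table)


def first_time_accesses(log_text, baseline_end):
    """Return alerts for accesses at or after baseline_end to a resource
    the user never touched during the baseline period."""
    cutoff = datetime.fromisoformat(baseline_end)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    seen = defaultdict(set)   # user -> {(database, table)} already observed
    baselined = set()         # users with any activity before the cutoff
    alerts = []
    for ts, user, resource in events:
        if ts < cutoff:
            seen[user].add(resource)
            baselined.add(user)
            continue
        if resource not in seen[user]:
            # Accounts with no history get their own label for triage.
            reason = "new-resource" if user in baselined else "no-baseline"
            alerts.append((ts.isoformat(), user, ".".join(resource), reason))
            seen[user].add(resource)   # alert once per user/resource pair
    return alerts


if __name__ == "__main__":
    for alert in first_time_accesses(SAMPLE_LOG, "2017-03-15T00:00:00"):
        print(*alert)
```

On the sample, the billing clerk's late-night read of a patient table is flagged, while the nurse's routine access is not.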

Developing formal separation of duties among workers will lessen accessibility to information that they do not need, so healthcare agencies should give pieces of documentation and limit authorized information systems access, with everyone having only the information they require, he counsels.

“You actually need to make sure that the capability to roam all over the network is immensely limited. Teach and enforce rules, involving rules on clinicians who did not go to school to become security experts but to be doctors and nurses, and only now are catching up to the requirement for security to become a priority. Some 73% of healthcare users are security novices—there is your attack surface for a hacker.”

 
