Guest Column | January 20, 2017

Solving Healthcare's Biggest Security Challenge: Low-Tech, High-Success Social Hacking
By Scott Youngs, chief information officer, Key Information Systems

I recently came back to work after having brain surgery to remove part of a non-cancerous tumor that had wrapped itself around my optic nerve. Probably like any CIO who finds himself in the hospital, I spent some of my time there thinking about the technology the medical team used to plan and deliver my care. My doctors and nurses needed instant access to my records — my MRIs, CT scans, EKGs, and more — and they depended on IT to provide it. At the same time that IT teams in this hospital and every other medical organization are tasked with providing instant access to digital records, they’re fighting to secure those records against data breaches. Often, getting that job done is as much about education as technology.

A recent study shows more than 80 percent of healthcare organizations spend less than 6 percent of their IT budgets on security. That share is alarmingly high considering the number of ransomware attacks we’re seeing in this industry. According to the U.S. Department of Health & Human Resources breach report, more than 120 million people have had their health data compromised as part of more than 1,100 breaches organizations suffered over the past seven years. When those breaches happen, it’s not just the hospitals that get hurt. Patients feel the pain, too, and not just in relation to their pocketbooks or privacy. If you’re in the ICU recovering from brain surgery, for example, you never want to hear that your doctor can’t access your MRI because it’s encrypted by ransomware.

Unfortunately, curbing breaches is not just about technology. A new and sneakier type of attack is on the rise in the form of social hacking. Beyond the phishing emails that have long managed to hook employees, healthcare organizations are also susceptible to low-tech phone scams. A seemingly legitimate “patient” calls in a request for a record, but he can’t remember his Social Security number. A staffer, believing she recognizes the voice on the phone, complies. And just like that, the least technologically savvy hack proves to be one of the most successful.

Certainly, smaller organizations are especially vulnerable to social hacking, whether it happens via phone, email, or in person. Practices with only two or three doctors, or even branch offices of large insurance companies, often have an office administrator pulling double duty as the IT “team.” Those teams-of-one are rarely schooled on the latest phishing threats, and they might not be as aware of in-depth HIPAA regulations as they should be.

However, that doesn’t mean large, nationally ranked hospitals are immune to such threats. Even in the multi-campus teaching hospital where I was a patient, there is only so much IT can do. Encrypted storage, tight security policies, state-of-the-art networking safeguards, and a force of security guards patrolling the grounds aren’t much help against a cyber criminal who ensnares employees via email.

With a significant uptick in ransomware, it falls on IT to educate other departments, the least IT-savvy of which are the most likely entry points for hackers. We see this often. A sales representative, for example, receives a link in an email that appears to come from a lead, so he clicks on it. Before anyone realizes there has been a breach, hackers have taken control of the employee’s laptop camera, they’re recording his conversations, they’ve entered the organization’s network, and they’ve released ransomware.

Proactive prevention and team education have to be both mandatory and enticing if they are to be effective. Employees can easily tune out or multi-task during a dull video training, but they’re more likely to stay alert through a lunch-and-learn. Similarly, a funny video will likely resonate more than a binder full of dryly written instructions.

Similar to the financial industry, which has also suffered an increasing number of data breaches in recent years, the healthcare market is an enticing target for hackers. Unfortunately, cybersecurity investments remain flat; organizations tend to invest only after they’ve felt the pain of a data breach or are the focus of a new governmental regulation. Regardless of budget constraints, IT teams can protect their organizations by teaching non-technical staff to question everything, by automating backup processes to ensure they’re covered if systems are held hostage by ransomware, and by adopting cloud-delivered security to get the benefits of the latest solutions without the capital expenditure. As social hacking and other threats intensify, these approaches are the key to protecting healthcare organizations so they can focus on their core business: getting patients well.

On a personal note, I am grateful to the university hospital and extended team of medical staff for their support through my journey to date and as we tackle the remaining tumor together.

About The Author

Scott Youngs is the chief information officer of Key Information Systems, a leading regional systems integrator with world-class compute, storage and networking solutions and professional services for the most advanced software-defined data centers. These competencies are tightly complemented by a full suite of data center capabilities, including private and hybrid cloud offerings, connectivity services, colocation facilities and managed services.