Cybercriminals that locate and exploit vulnerabilities to access healthcare networks and patient information are increasing their activities. The last two months were the worst and second worst months in terms of number of healthcare data breaches reported.
Phishing attacks on healthcare companies have gone up with email as the most common location of protected health information (PHI) breach. However, according to the latest study of data breaches in the past 12 months by the Department of Health and Human Services’ Office for Civil Rights (OCR), servers are now the biggest risk. Over half of the healthcare data breaches studied involved servers.
Clearwater Cyberintelligence Institute (CCI) reviewed the 90 healthcare data breaches documented by OCR in the last year. Those breaches caused the impermissible disclosure, exposure, or theft of the PHI of over 9 million people.
The CCI analysis showed that 54% of reported breaches impacting at least 500 healthcare records were associated with servers in some way.
Servers store the important programs utilized throughout the healthcare organization, that is why they are highly targeted by hackers. If hackers could access the server, he could view, copy, modify or delete data, sabotage the systems, and extort from the healthcare organization using ransomware.
CCI conducted a risk analysis of health systems and hospitals to find out high and critical risks. CCI identified 63% of all risks to be related to the failure to sufficiently handle server vulnerabilities. The large number of data breaches related to server clearly indicates that hackers are exploiting those flaws access healthcare networks.
CCI determined that one of the most prevalent server vulnerabilities involves the the failure in user account management. Accounts of employees who leave the company should be removed because dormant accounts pose a serious risk. Malicious actors use dormant accounts to access systems and cover up their activities. CCI observed that the risk is proportional to the number of dormant accounts. The longer an account is left available, the higher the possibility of it being used for dubious or malicious activities.
To deal with this risk, security controls such as automatic deactivation or deletion of accounts as soon as the HR department alters an employee’s status must be implemented. If not possible, CCI proposes performing regular, periodic checks to make sure all dormant accounts are disabled.
It is ideal to disable an account instantly. However, CCI at least recommends having systems, policies, and procedures to deactivate unnecessary accounts in no more than 48 hours.
System activity logs must also be reviewed to ascertain if dormant accounts are used wrongly or if any active accounts are compromised or misused.
One more serious server vulnerability is the excessive permissions on user accounts. Exploiting this vulnerability can lead to accidental or planned data access, modification, or deletion. The failure to limit access rights additionally violates the HIPAA rule of least privilege.
CCI remarks that it is common to find the risk of excessive user permissions in 43.6% of organizations that don’t frequently review user permissions, 43.6% of organizations that conduct user activity reviews, or 43.1% of organizations that lack adequate user account management.
Frequent monitoring of user activity will aid healthcare companies to immediately identify flaws in user data that is indicative of account misuse or cyberattack. The regularity of those reviews ought to be influenced by factors, such as staff turnover and the number of users. CCI recommends reviews of user permission and user activity logs at least per quarter for a company having 100 or even more users.