Review cyber practices to keep data secure
Training employees how to keep sensitive personal information safe while at work is key for health care organizations that want to avoid cyber-related incidents.
Using applications like VPN or pcAnywhere to work on the go has become common practice for many companies. However, remote access to work makes an easy path for a cyberattack, leaving the door open for data breaches.
“Insecure remote access is the No. 1 compromise pathway of today's hacker,” said Gary Glover, director of security assessment at Orem, Utah-based SecurityMetrics, during the American Society for Health Care Risk Management's 2015 conference in Indianapolis.
As convenient — and sometimes necessary — as it is to have access to work email when off-site, especially in the health care industry, it's not safe, Mr. Glover said. “Sometimes you need to sacrifice convenience for safety,” he said.
The issue is when people open encrypted data and store it unprotected on their personal computers at work or at home. “These are people who are just trying to do their job, but your job as a risk manager is to audit processes and find out how they are doing these things,” Mr. Glover said.
During the conference, Mr. Glover showed the audience how easy it is for a hacker to get into a company's system by simply using the credentials of a login and a password.
Using hacking tools that are available for free on the Internet, Mr. Glover ran searches that could quickly find combinations of frequently used login names such as “Admin” and then match them to a database of passwords found on the Internet. In six seconds, the hacking tools found the correct password for a login name in a company's system. After logging in, it was easy to browse the data in the computer's files and even bury malware in a folder after renaming it with a vague code to make it appear innocent.
Ninety percent of health care organizations have had their data compromised in the past two years, according to the Ponemon Institute L.L.C. About 30% of patient records breached have involved an employee not practicing safe computer use, which continues to be the leading cause of security incidents in the future.
“Is it going to continue to be a problem?” Mr. Glover said. “Yes … It's important for risk managers to annually perform a risk analysis to review the company vulnerabilities, threats and risks.”