- Online risk assessments can be greatly beneficial for healthcare organizations as they work to keep sensitive data secure, and also as patient engagement becomes a more important issue.
Engaged patients tend to better manage their chronic conditions, have better outcomes and have lower costs than non-engaged patients, according to research. One of the methods organizations are using to educate and motivate patients to improve engagement is their website.
The unfortunate consequence of having an interactive and convenient website is that it also attracts another type of engaged visitor: cybercriminals. These cybercriminals, often operating overseas, are increasingly targeting healthcare organizations not only for the payment and other financial information their websites handle, but also for protected health information (PHI), which commands a far higher price on the illegal markets where criminals transact business.
The first step toward addressing an organization’s website vulnerabilities is to conduct an online risk assessment, preferably by a third party. In conjunction, a website should have a complete audit, particularly if a website was designed by the hospital’s own IT department and has never been audited. Once risk areas are identified, the organization can eliminate the vulnerabilities to ensure that its user-friendly, highly engaging website continues to promote and sustain patient engagement, but repels cybercriminals.
Three-quarters of healthcare websites vulnerable
Half of all healthcare websites are “always vulnerable,” according to an annual survey conducted by WhiteHat Security. Another 22 percent of healthcare websites are at least “regularly vulnerable,” which means 151 days or more per year. With nearly three-quarters of websites very susceptible to attack, and new security risks emerging each day, healthcare organizations should start on a risk assessment sooner rather than later.
A major risk area for healthcare organizations, and the one most attractive to cybercriminals, is a website that accepts credit cards and other personal information. In addition, sites running old or complex code that the vendor no longer supports, or that the usually understaffed IT department cannot keep well maintained, are also preferred targets for attackers.
Adding to these challenges, healthcare organizations must also comply with regulations such as the HITECH Act, Payment Card Industry standards and the HIPAA Security Rule’s implementation specifications and stringent documentation requirements. Faced with either dedicating IT resources toward updating code and systems that do not seem to pose an immediate threat or dedicating resources to regulatory compliance, organizations may choose compliance first. This further reduces the likelihood of proactive remediation—healthcare organizations had only a 20 percent remediation rate, according to WhiteHat—and leaves them vulnerable. Performing a risk assessment is an investment toward protecting patient information and the organization from the considerable financial consequences of a data loss or breach.
Automated tools and hands-on evaluation
There should be two critical components to any online security assessment: automated diagnostic scanning tools and hands-on evaluation.
These two inseparable parts, combined with a thorough audit of the infrastructure behind the website and of the code in the applications themselves, are the essential first steps.
Diagnostic scanning tools automatically check mechanical issues, such as: detecting open ports that might allow unauthorized entry; server configuration flaws and patch errors; possible open FTP sites, and many other red flags. In addition, the latest scanning tools can identify and test for exploits that cybercriminals use to attack websites and take advantage of a vulnerability. Such tools can detect 70 percent to 80 percent of potential trouble spots.
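To make the "mechanical" checks above concrete, here is a small added example (not code from the original article or from CareTech Solutions) of two checks a scanner performs: a TCP connect scan to find open ports, and an anonymous-login test against an FTP service. Because it has to run offline, the block also includes a constructed stand-in FTP daemon on the loopback interface; in practice the same `scan_ports` and `anonymous_ftp_allowed` functions would be pointed at the real host. The "220/331/230/530" reply codes are the standard FTP responses; everything else (host, ports, the fake server) is an assumption for the demonstration.

```python
import socket
import threading


def tcp_connect(host, port, timeout=1.0):
    """Return True if a full TCP handshake completes, i.e. the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: treat all as closed
        return False


def scan_ports(host, ports, timeout=1.0):
    """Connect scan: map each port to 'open' or 'closed'."""
    return {p: ("open" if tcp_connect(host, p, timeout) else "closed") for p in ports}


def _recv_line(sock):
    """Read one CRLF-terminated FTP reply line (empty string if the peer closed)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace").strip()


def anonymous_ftp_allowed(host, port=21, timeout=2.0):
    """Try USER anonymous / PASS <email>; True only if the server answers 230."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if not _recv_line(s).startswith("220"):  # not an FTP greeting
                return False
            s.sendall(b"USER anonymous\r\n")
            reply = _recv_line(s)
            if reply.startswith("230"):  # logged in without a password
                return True
            if not reply.startswith("331"):  # anything but "password required"
                return False
            s.sendall(b"PASS guest@example.com\r\n")
            reply = _recv_line(s)
            s.sendall(b"QUIT\r\n")
            return reply.startswith("230")
    except OSError:
        return False


def start_fake_ftp(allow_anonymous, host="127.0.0.1"):
    """Constructed loopback FTP daemon for the demo; returns (listener, port).

    It accepts or rejects anonymous logins depending on allow_anonymous,
    standing in for a misconfigured versus a correctly configured server.
    """
    srv = socket.socket()
    srv.bind((host, 0))  # ephemeral port chosen by the OS
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                conn.sendall(b"220 fake-ftpd ready\r\n")
                try:
                    while True:
                        line = _recv_line(conn)
                        if not line:
                            break
                        cmd = line.upper().split(" ", 1)[0]
                        if cmd == "USER":
                            conn.sendall(b"331 Password required\r\n")
                        elif cmd == "PASS":
                            conn.sendall(b"230 Login successful\r\n" if allow_anonymous
                                        else b"530 Login incorrect\r\n")
                        elif cmd == "QUIT":
                            conn.sendall(b"221 Bye\r\n")
                            break
                        else:
                            conn.sendall(b"502 Not implemented\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Bind to an ephemeral port and release it, so a connect there is refused."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run both checks against the constructed servers and return the findings."""
    weak, weak_port = start_fake_ftp(allow_anonymous=True)
    hardened, hard_port = start_fake_ftp(allow_anonymous=False)
    closed = find_closed_port()
    try:
        return {
            "ports": scan_ports("127.0.0.1", [weak_port, hard_port, closed]),
            "weak_allows_anonymous": anonymous_ftp_allowed("127.0.0.1", weak_port),
            "hardened_allows_anonymous": anonymous_ftp_allowed("127.0.0.1", hard_port),
        }
    finally:
        weak.close()
        hardened.close()


if __name__ == "__main__":
    print(demo())
```

A real scanner adds service fingerprinting, version matching against known-vulnerable releases and hundreds of configuration checks on top of this, but the shape is the same: connect, speak the protocol far enough to observe the misconfiguration, and record the finding.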
A complete identification of existing website vulnerabilities and risk, however, requires an experienced professional to conduct a hands-on review. Automated diagnostic scanners can identify and test missing pieces, mistakes or inadequacies—but a qualified health IT specialist who understands the healthcare environment can check for the intangibles and ask questions, such as why a critical process is not doing its specific job.
For example, websites can have the latest security technologies, but administrators may still fail to use them or may bypass them for temporary convenience. An experienced professional knows the questions that need to be answered to help an organization protect its data and reputation.
A fresh perspective
While it may seem more efficient to conduct an online risk assessment and audit internally, an organization's own IT staff, internal developers and programmers are not likely to offer a reliable assessment. Moreover, they might not be able to fix the security flaws in the website and applications that they themselves constructed.
Without specific information, security training and certifications, an internal developer may not recognize weaknesses or know the latest remediation techniques.
Likewise, organizations are often tempted simply to purchase a budget-friendly, out-of-the-box web application firewall that sits in front of the website and tries to block transactions that look malicious. These fixes typically have little effect overall and can delay remediation, because they provide a false sense of security about the integrity of the applications behind them.
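The following added example (not from the original article, and not modelled on any vendor's product) shows why a signature-matching firewall in front of an unfixed application gives that false sense of security. A constructed two-rule filter blocks the textbook `' OR 1=1` payload, yet trivially different payloads pass it and still extract every row from a string-concatenated query. The same payloads are harmless against the parameterized version of the lookup, which is the remediation the firewall was standing in for. The table, rows and rules are all made up for the demonstration; the database is an in-memory SQLite instance.

```python
import re
import sqlite3

# Hypothetical "out-of-the-box" signature rules: block the well-known payloads.
NAIVE_WAF_RULES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),   # ' OR 1=1
    re.compile(r"union\s+select", re.IGNORECASE),       # UNION SELECT
]


def waf_allows(value):
    """True if no blacklist rule matches the request parameter."""
    return not any(rule.search(value) for rule in NAIVE_WAF_RULES)


def build_db():
    """Constructed patient-lookup table with two fake records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("1001", "A. Example", "000-00-0001"),
         ("1002", "B. Example", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """The unremediated application code: user input concatenated into SQL."""
    sql = "SELECT mrn, name FROM patients WHERE mrn = '%s'" % mrn
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, mrn):
    """The actual fix: the input is bound as a value and can never become SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def request(conn, mrn, handler):
    """Model the deployment: the WAF screens the parameter, then the app runs.

    Returns None when the firewall blocks the request, otherwise the rows
    the handler returned.
    """
    if not waf_allows(mrn):
        return None
    return handler(conn, mrn)


def demo():
    """Run a legitimate value and three payloads through both handlers."""
    conn = build_db()
    payloads = ["1001", "' OR 1=1 --", "' OR 'a'='a", "' OR 2=2 --"]
    results = {}
    for p in payloads:
        results[p] = {
            "vulnerable": request(conn, p, lookup_vulnerable),
            "parameterized": request(conn, p, lookup_parameterized),
        }
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(repr(payload), outcome)
```

Only the payload the rule author anticipated is stopped. `' OR 'a'='a` and `' OR 2=2 --` are logically identical to the blocked one, sail through the filter and dump both patients from the concatenated query, while the parameterized lookup returns nothing for all three because it compares the literal string. Firewall rules can only chase the attacker's spelling; fixing the query removes the class of bug.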
A preferred approach is to retain experienced and qualified third-party professionals who can objectively conduct a risk assessment to deliver an impartial report that details how susceptible the website is to potential problems and documents action steps. Not only will the results be more reliable, but overburdened IT staffs will have one less project to manage, and most importantly, patient and organization data will be better protected.
Jim Hunter is the director of monitoring and security for CareTech Solutions. He oversees CareTech Solutions' 24x7x365 IT monitoring service, and is also responsible for corporate information security programs and hosted client information security services, including systems auditing, incident response, forensic examinations, security assessments and policy review for nearly 200 hospital Websites. His duties include leading the Security Provisioning Team, a service that provides security provisioning for contracted clients.