The Monthly “Steal” by David Steele

The Monthly “Steal” is a bit of relevant technology information intertwined with personal thoughts, opinions and some real life experiences. It is written by David “Steele” and is free, hence a “steal” from a “Steele”.

206 Hospitals in 29 States were hacked effecting 4.5 million patient records in 2015. According to an article recently published in the Washington Post in February, a Los Angeles hospital paid $17,000 in bitcoin ransom to unload computer records.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Medical Center CEO Allen Stefanek said. “In the best interest of restoring normal operations, we did this.”

But hospitals are not the only target. JPMorgan Chase, Home Depot and Target were all victims of cyber-attacks in 2014.   It is no secret that personal information is valuable; the FBI released an article that indicated that in 2013, over 2 million health care records were compromised which was 31% of all reported data breaches. Cyber criminals are selling the information on the black market at a rate of $50 for each partial electronic health record (EHR), compared to $1 for a stolen social security number or credit card number.

What’s amazing is that most companies still don’t take cyber security serious or value the importance of properly securing customer data. Companies install door access systems, alarm systems, locked server racks and camera systems all focused on physical security, but when asked how they are securing their customer data, there is often a lack of detail. Most IT companies and computer professionals practice “General Network Management” or “Best Practices”. There are general guidelines that, when followed correctly, produce safe and secure computer networks. Where most companies struggle is how to confirm that best practices are being followed, usage policies are enforced and employees, IT staff and vendors are trained and held accountable.  

In 1996, the Federal Government created the Health Insurance Portability and Accountability Act – HIPAA. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA focuses mainly on medical and patient rights but the same requirements located under the HIPAA Security Rule provide a solid foundation and accountability to ensure “General Network Management” or “Best Practices” are valid and are providing a solid network environment. Before, IT companies would send a network technician and tell them to secure the network. Now, they send in a network technician and say this network needs to be HIPAA or Payment Card Industry (PCI) compliant providing both the IT company and the customer with accountability.

Many companies may say, “but I don’t deal with medical so why do I need to be so secured. When IT companies are hired, they are trusted with financial information, personal information and company information. By applying a HIPAA or PCI compliance requirement to your network will force vendors and staff to be more aware and involved in both the physical and function security of information. In most cases, the cost to properly secure and manage a network is a fraction of the cost associated with a data breach or privacy violation.

Resources:

FBI Cyber Division - April 8, 2014

The Washington Post - February 18, 2015

Cyber Attacks on U.S. Companies in 2014 - By Riley Walters - October 27, 2014

David Steele, Partner / Webmaster

djsteele@intradatech.com
570-321-7370