Printer-friendly format

Storm worm, Prg, Pinch and Rbot. You may not know what these are, but they can bring a thriving medical practice to a screeching halt. They’re some of the most popular types of malware — malicious software-like viruses designed to infiltrate, damage or disrupt a computer system or network. Just like in medicine, some of these viruses can be deadly to their hosts.

“There’s a laundry list of them, and they come out daily,” said Geoff Pack about computer viruses, worms and so-called Trojan horses. Senior vice president of information technology with Nashville-based Emdeon Business Services, Pack works with healthcare providers.

“Small practices certainly are exposed,” he said. “What will happen particularly in a small physician space is that they may continue to run on legacy technology (old computers or applications), add a technology like the Internet and then don’t properly secure it. That’s when you create these particular vulnerabilities.”

In February, an Atlanta-based company called SecureWorks released startling statistics about the security of electronic healthcare information. The company said it’s seen an 85 percent increase in the number of attempted attacks directed toward its healthcare clients by Internet hackers. In less than a year, attempted attacks increased from an average of 11,146 to 20,630 per client daily.

Physicians may never know a computer hacker is busy at work, Pack said. In fact, doctors may believe their information is secure because it’s on a dedicated server in their office rather than accessed via the Internet. Yet hackers “can go through their Internet connection, for example, and get some type of spyware downloaded onto any one of the desktops. Then that spyware can actually send what’s going on on the desktop out to these hackers. They don’t really need access to the file server where the data exists in bulk,” he said.

Pack’s top tip for physicians is to invest in an expert to analyze the practice’s Internet use. “So many practices are using your standard, off-the-shelf Linksys® routers and things like that to set up Internet access, just like we do in our own homes, and don’t really understand how to secure those properly,” he said. He also encouraged physicians to vigorously protect their credentials, such as the new national provider I.D. number and access numbers to submit claims or check patient benefits.



The Magic of Firewalls

Most people with some computer knowledge understand the job of a firewall — it’s to stop the bad stuff from infiltrating the system. Here’s how Rick Williams, president of Nashville-based Techopoly, described it: “The word ‘firewall’ can be used very loosely. We use firewalls that deploy proxy servers, which are kind of like police barricades on Memorial Day. Everybody’s out drinking, so the police will set up and routinely stop all traffic and look in the cars, look in the trunk. A proxy server is that same scenario, inspecting all the data traffic.”

Williams said he recommends proxy servers to his healthcare clients, and added that over-the-counter firewalls “aren’t a firewall, in my opinion.” Most will block the traffic, but “they don’t inspect it, and that’s what you want,” he said. Two firewall technologies that Williams recommended are Watchguard and SonicWALL, which give users “more bang for your buck.”

Williams stressed that electronic security is no longer a “nerdy” preoccupation. “This is business, people,” he said. “This is the reason you need a firewall. It’s about return on your investment.”

Protecting data in the event of a disaster is critical, too, he added. TechSure, which is Techopoly’s data-recovery guarantee, offers clients an off-site digital backup over the Internet to a data center in Atlanta. “Remember, it’s never about the backup. It’s always about the restore — and it’s got to be encrypted,” he said.



Payers and Hospitals

Physician practices aren’t the only healthcare entities with vulnerabilities. Pack said third-party payers have become a popular target with hackers because their patient data is rich with information valuable to identity thieves. “I know that various payer Web sites are certainly under attack,” he said. “Once upon a time, payers really didn’t have a Web presence so much that consumers used or providers used, and now that they do, they have exposed themselves to the same type of attack and influence that online banking created for consumers and institutions. It’s a similar type of technique used to impact those sites.”

The effective scams are sometimes the simplest – an e-mail tells patients to log-on to a “secure” Web site to validate personal information for the payer. A patient’s identity, including insurance ID numbers, may even be sold to people with no access to healthcare — illegal immigrants, for example — who will use the information to receive free or low-cost medical treatment.

When it comes to hospitals, particularly the larger ones, the vulnerability comes from the fact that hospitals need many different computer systems and software packages to operate. “You’ll have a third-party registration system from one vendor, a lab system from another vendor and billing from another. One of the vulnerabilities that exists inside the hospital are the points where those systems interact with one another,” Pack said. That’s when the information is “publicly exposed, if not to the general public through the Internet, certainly internally in the hospital,” he said.

Another hospital weakness is an unexpected one — paper. “Hospitals still typically create a patient folder, and they print out a lot of information that goes in that patient folder. They will print that information out on shared printers, and that information isn’t safeguarded,” he said. Proper paper disposal — and the safeguarding of those folders — is key.

Finally, Pack encouraged hospitals to limit the access of employees to only the information they need to do their jobs.



The People Breach

Williams couldn’t agree more. “The true point of security is actually your people inside the network. Your biggest breach is actually your employees,” he said.

Techopoly spends “a lot of time and energy” educating the users of a client’s system — and it’s time well-spent, Williams said. “Why should a hacker try to hack a firewall that might take him a long time to figure out versus calling into the company and creating a story such as, ‘I’m such and such, and I forgot my password. Can you just please tell me what yours is? Or can you reset it?’ That’s so much simpler than trying to hack a firewall or a security network,” he said.

These hackers are preying on the “good nature” of a company’s employees, Williams noted; thus, making sure employees understand how to keep their guard up is important.

“It costs about $150 per user when there’s a data breach,” he said. Just look at the damage that was uncovered last year when a hacker struck retailer T.J. Maxx — 2,500 stores and how many users at each store?



July 2008

Tags:

None

Login and voice your opinion!