ECRI Institute recently announced their annual “Top 10 Health Technology Hazards for 2019.” If you keep abreast of Health Information Technology (HIT) news, you already know the number one risk: hackers can exploit remote access to systems, disrupting healthcare operations.
"The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death."
This should be an alarm sounding for every one of us responsible for healthcare IT security!
While our initial response may be to "batten down the hatches, lock the doors, and keep everyone out," that is not an option in today's healthcare environment. We must guard and protect our networks while keeping access readily available to the appropriate individuals.
The ECRI Institute 2019 report says, "The safe use of health technology—from simple devices to complex information systems—requires identifying possible sources of danger or difficulty with those technologies and taking steps to minimize the likelihood that adverse events will occur. This list will help healthcare facilities do that..." In other words, the list exists to point facilities at the most likely sources of harm so they can be mitigated, and remote access is the one ECRI put at the top.
It’s no surprise ECRI Institute identified the risk of remote access hacking as their number one concern. The 2018 Top 10 Health Technology Hazards had "Ransomware and Other Cybersecurity Threats" as number one.
The top concerns for 2018 and 2019 are intertwined with each other. We recognize there are many ways a hacker can gain improper and illegal access to networks and systems; however, gaining that access can be an easy task when remote access policies and procedures are poorly managed or, worse, when weak remote access systems give only a false sense of security.
While the 2019 report points out the legitimacy and value of remote access, it also recognizes the problem that "remote access systems can be exploited for illegitimate purposes." We are all aware of the bad outcomes of such exploitation: ransomware and other malware threats, stolen data, or data rendered unusable.
One example is the SamSam threat from earlier this year. Because SamSam hackers attack RDP connections, the Department of Health and Human Services (HHS) recommends that healthcare organizations take the following precautions:
- Restrict access behind firewalls with RDP gateways and virtual private networks
- Use strong, unique usernames and passwords together with multi-factor authentication (MFA)
- Limit users who can log in using remote desktop
- Implement an account lockout policy to help thwart brute force attacks
ECRI Institute included this statement in the October news release for the report, "Cybersecurity is clearly a growing concern. ECRI Institute published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period."
The truth is, cybersecurity concerns are growing because cybersecurity events continue to grow year by year! Isn't it time for us as healthcare IT leaders to take control of all the IT weaknesses within our organizations? Of course, the answer is yes, and why not start with the number one risk of 2019?
We know which remote access weaknesses must be hardened. Validating each remote access authentication, every time, means three things: knowing which users are and are not permitted to access your network under your organization's compliance guidelines; making sure the remote user's computing device is current with updates and has disk encryption; and then monitoring remote access once it is granted.
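The monitoring step above, and the HHS account-lockout recommendation earlier, share one piece of logic: count failed remote logons and act when they cluster. As an added example (not code from the original post, from HHS, or from ECRI), the Python below reads a few constructed, simplified Windows Security log records (Event ID 4625 is a failed logon; logon type 10 is RemoteInteractive, i.e. RDP) and flags any source address that exceeds a lockout-style threshold inside a sliding time window. Applying the threshold per source rather than per account also catches password spraying across many accounts, which a per-account lockout alone never trips. The record layout, the addresses, the threshold and the window are assumptions made for the example.

```python
"""Flag RDP brute-force sources from simplified Windows Security log records.

Added example for illustration only; the record layout below is an assumed,
simplified export format, not Microsoft's native event format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, event ID, then key=value fields).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_EVENTS = """\
2019-02-04T02:11:03 4625 LogonType=10 Account=administrator Source=198.51.100.23
2019-02-04T02:11:09 4625 LogonType=10 Account=administrator Source=198.51.100.23
2019-02-04T02:11:15 4625 LogonType=10 Account=admin Source=198.51.100.23
2019-02-04T02:11:22 4625 LogonType=10 Account=radiology Source=198.51.100.23
2019-02-04T02:11:31 4625 LogonType=10 Account=vendor-svc Source=198.51.100.23
2019-02-04T02:11:40 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2019-02-04T07:58:02 4625 LogonType=10 Account=jsmith Source=203.0.113.7
2019-02-04T07:58:20 4624 LogonType=10 Account=jsmith Source=203.0.113.7
2019-02-04T08:31:44 4625 LogonType=3 Account=backup-svc Source=192.0.2.40
2019-02-04T08:40:01 4625 LogonType=10 Account=jsmith Source=203.0.113.7
"""

FAILED_LOGON_EVENT = "4625"
LOGON_TYPE_RDP = "10"


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, account, source) per record."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield (datetime.fromisoformat(ts), event_id,
               kv.get("LogonType"), kv.get("Account"), kv.get("Source"))


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source: details} for every source address that produced at
    least `threshold` failed RDP logons inside any interval of length `window`.

    Only 4625 events with logon type 10 count, so successful logons and
    non-RDP failures (e.g. network logons, type 3) are ignored. The details
    report the densest window seen and the distinct accounts tried in it.
    """
    failures = defaultdict(list)
    for ts, event_id, logon_type, account, source in parse_events(text):
        if event_id == FAILED_LOGON_EVENT and logon_type == LOGON_TYPE_RDP:
            failures[source].append((ts, account))

    flagged = {}
    for source, attempts in failures.items():
        attempts.sort()  # by timestamp, then account
        best = None
        start = 0
        for end, (ts_end, _) in enumerate(attempts):
            # Slide the window start forward until it fits inside `window`.
            while ts_end - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "accounts": sorted({a for _, a in attempts[start:end + 1]}),
                    "first_seen": attempts[start][0],
                    "last_seen": ts_end,
                }
        if best is not None:
            flagged[source] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['count']} failed RDP logons between "
              f"{info['first_seen']} and {info['last_seen']} "
              f"against accounts {', '.join(info['accounts'])}")
```

With the sample data, 198.51.100.23 is flagged (six failures against five accounts in under a minute), while the clinician at 203.0.113.7 who mistyped a password twice, 42 minutes apart, is not, and the type 3 failure from 192.0.2.40 is not an RDP event at all. In production the same logic would be fed from the RDP gateway or VPN concentrator logs that the HHS guidance tells you to place in front of RDP, and a flagged source is what you block or escalate on.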
To understand if you could be at risk, ask yourself these four questions:
- Do you verify that a valid Business Associate Agreement (BAA) is in place for each vendor that has access?
- Do you verify the condition of the computer remotely accessing your network?
- Are you using multi-factor authentication internally and with remote access?
- How many remote access points do you have to manage today?
If you answered "no" to any of these, or have multiple access points, it's time to take action.
It is often said that the definition of insanity is "doing the exact same thing over and over again, and expecting different results." It is time to do something different and change how we handle remote access.
Start with these changes:
- The time has come for us to dictate how vendors access our systems, rather than letting vendors dictate how they access them
- The time has come to address the weak password practices that exist for convenience's sake
- The time has come to be proactive with cybersecurity and no longer be reactive
- The time has come for remote access systems to be valued more than your EMR
If our healthcare organizations cannot be 100% confident that their data is reliable, safe, and readily available, then healthcare IT has failed a critical part of its core mission. But we can fix this!
I do not know any IT leader who is not concerned with cybersecurity, and my hope is that next year HIT concerns are nowhere on the ECRI Top 10 Health Technology Hazards for 2020.
If this information has your head spinning, you are welcome to schedule a meeting with me to discuss securing remote access to your network.