To the question in the title, if I were a hacker I would ask myself "why not?". It's simple, really. Hackers go for data they can either use themselves or sell for money. PHI (Personal Health Information) or EHR (Electronic Health Records) data is the form of electronic data that satisfies both of these requirements, which is why it is the most hacked commodity in the digital world.
A bit about new healthcare industries
Gone are the days when the healthcare industry was merely a drug and medicine manufacturing unit or a support unit of a medical company. The healthcare industry has changed in shape and size lately, especially since the introduction of Information Technology, under which data has become more important and so has data security. While healthcare industries today enjoy all the benefits of automation, data analysis and reporting thanks to IT enablement, they also attract the curse of IT: cyber security challenges. Below are a few examples of industries that indirectly fall under the healthcare sector. Although these industries retain their identity as IT companies, they lose the luxury of ignoring the data criticality of the healthcare industry.
- An IT product company with a SaaS-based cloud application that deals with patients' data
- A web product company with an ERP solution for doctors in a syndicate, catering to their patient management
- A mobile application development company that creates apps connecting to FitBit, Microsoft Band etc., where the app stores or processes patients' health information
- Any outsourced IT service provider whose employees connect to the data center to manage servers storing PHI
- Any big-data analytics service provider that participates in processing data which is PHI
- Any IT service provider whose customers are HIPAA compliant
While this list is long enough to give the picture, it is not exhaustive. There are firms that support other firms which actually store or process PHI. These support firms, IT or non-IT, are also easy targets for hackers.
Why do hackers like these companies?
It is simply because of the sort of data that is stored or processed. If that data falls into the wrong hands, it can directly impact personal privacy, while the hackers gain monetary benefits. See below.
- Data containing names, addresses, personal IDs etc. can be stolen from hospitals and sold for money.
- Name and email-id databases can be sold to mass email marketing companies.
- Data can be sold to bogus drug manufacturers or fraudulent insurance companies.
- Data elements stolen from a web or mobile application can be used to target individuals, either in person or through spear-phishing.
- Data elements stolen from an outsourced partner can be sold on the international market for money.
How to prevent this?
The shortest answer is not to take cyber security lightly. I have seen owners of many famous IT software development firms thinking that their product won't be hit by hackers because they have done enough to protect it. The question is, how sure are you really? Was a third-party audit conducted that would strictly and impartially produce an unbiased audit report, which is the best reality check? If you belong to any of the company types listed above, you may want to think about the following.
- Conduct a vulnerability assessment and penetration test of your product and IT infrastructure
- Comply with HIPAA standards to gain confidence in your policies and procedures, and instil the same confidence in your customers
Lastly, nothing is ever fully secure; you are expected to do your best. But that is the right approach, rather than doing nothing at all until disaster strikes. Stay Cyber Secure!