Prevenir ciberataques a hospitales para proteger la información de los pacientes

Hollywood. Es famoso en todo el mundo por sus películas, celebridades, ostentación, glamour y, a partir del febrero 2016, uno de los ataques cibernéticos y violaciones de seguridad de TI más publicitados en la historia de la atención médica.

A hospital in the area bearing the Hollywood name became the latest target of a high profile cyberattack. It was the victim of a ransomware hacker who took control of the hospital’s computer/IT system, locking it down until the hospital paid $17,000.

Si bien el ransomware ha existido durante varios años, el ataque realmente lo puso al frente de la conciencia pública y sirvió como un recordatorio de que los hospitales y los sistemas de atención médica son objetivos y son susceptibles a los ataques de los ciberdelincuentes.

Los medios y el motivo

Retailers have faced the threat of hackers since the dawn of the internet. However, the healthcare industry wasn’t as much a focus for the dark underbelly of the cyber world until 2009, with the passage of the HITECH Act.

El proyecto de ley movió los datos de atención médica en línea y promovió la adaptación generalizada de los registros de salud electrónicos. Cada vez que un tesoro de datos personales se mueve en línea, automáticamente se convierte en un objetivo para el fraude y/o la extorsión, independientemente de la industria.

Si bien a las personas les preocupa, con razón, que les roben la información de su tarjeta de crédito, la información de salud es un objetivo aún más atractivo para los delincuentes. ¿Por qué?

“Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry,” notes a recent INFOSEC Institute article. The story goes on to state that more than 29 million Americans have had their health information hacked since 2009.

Pilares de un programa de información de atención médica segura

Dado el mercado en la dark web para registros de salud personales, corresponde a los hospitales y sistemas de salud hacer todo lo posible para prevenir ataques cibernéticos y proteger los datos de los pacientes.

Baylor Scott & White Health cree que un programa eficaz de seguridad de la información requiere un enfoque multifacético en capas.

Be Realistic. A good health information security program is realistic about what works and what doesn’t, and realistic about preventing all unauthorized access. In other words, at a large health system like Baylor Scott & White, with thousands of users and thousands of devices across hundreds of locations, it is impossible to keep the bad guys out in perpetuity. So being able to limit the damage a hacker or unauthorized user can do is crucial.

Practice Basic Hygiene. It’s not exactly the cool, cutting-edge stuff you read about in IT trade magazines, but keeping patches, firewalls and encryption up-to-date and current on all devices throughout the organization is crucial to keeping weaknesses from being exploited. There’s a reason manufacturers issue patches and make updates.

Strong ID Access and Management. ID/user management is often one of the most challenging aspects of information security given the size of the workforce employed by health care systems and the number of settings (hospitals, clinics, practices etc…). Having a program in place to effectively onboard and offboard staff – carefully granting and quickly revoking access to systems – is the cornerstone of being able to restrict access to systems.

Internal and External Assessments. A good information security team is like a team of security guards constantly making rounds, checking the doors and locks, and probing for weaknesses. Being proactive in seeking out vulnerabilities is vital to discovering what needs to be fixed and where and how to deploy resources.

Leverage Peers. Talking to counterparts at other health care organizations and information security industry groups about what they are seeing as far as attacks, and also protocols they have tried which worked and didn’t work is vital to planning for the future and knowing what types of attacks may be coming.

Awareness. Awareness. Awareness. From social engineering to phishing to ID management, making sure employees are educated about how bad guys might try to gain access to systems is critical. Often, regular staff members are the either the first or last line of defense in stopping an attack or containing it.

No existe un sistema o programa perfecto para prevenir todos los ataques de los tipos con sombreros negros. Pero un enfoque integral de la seguridad de la información puede contribuir en gran medida a mantener los datos más importantes, la información del paciente, fuera de sus manos.