OR Manager - April 2020 - 13

Don't fall victim to data breaches in your OR
Safety/Quality
ata breaches in the healthcare
setting are on the rise, according
to recent federal statistics.
In November 2019, the US Department
of Health and Human Services' (HHS) Office
of Civil Rights reported that 29 data
breaches affecting 570,565 patients
took place, a notable rise from the more
than 311,000 people compromised by
data breaches in the previous month.
D
Leon Lerman
Hospital adoption of sophisticated
connectivity
systems has increased
the risk of hacking, says
Leon Lerman, an ex-intelligence
officer and security
professional who
is chief executive officer
and founder of Cynerio, a healthcare information
technology (IT) security platform.
Physicians today have more data
at their fingertips, but that connectivity
means higher risk for breaches.
Cyberattacks take many forms, including
ransomware-a form of malware
in which rogue software code effectively
holds a user's computer hostage until a
" ransom " fee is paid.
In 2019, a ransomware attack at the
17-hospital system Hackensack Meridian
Health in Hackensack, New Jersey,
took down the computer network for
several days, causing administrative disruptions
to procedure scheduling and
forcing staff to use paper records. The
system eventually regained control of its
network for an undisclosed sum. (Leaders
at Hackensack were not available to
comment on this article, although news
reports say the facility has since taken
steps to investigate its ransomware attack
with third-party cybersecurity and
forensic firms.)
Lenny Levy, healthcare chief information
security officer at Security Cubed
Consulting in Grand Rapids, Michigan,
anticipates more cases like this. As
organizations tighten their external
network footprint, crooks are seeking
to gain entry through more effective
mechanisms such as phishing (sendwww.ormanager.com
Medical
devices
are the weakest
link in the hospital
network.
ing fraudulent emails that appear to be
from a trustworthy source) or compromising
equipment in the OR.
Once hackers figure out something
that works in one place that enables
financial gain, Levy says, " they'll keep
doing it over and over to maximize the
amount of money they get. " They'll specifically
look for systems with the same
types of vulnerabilities to replicate their
success, he adds.
A growing problem
Vulnerability to breaches stems from
a combination of issues, notes Sagar
Patel, a research scientist and software
engineer at Battelle Memorial Institute,
headquartered in Columbus, Ohio. Poor
data management practices such as
outdated IT systems, lack of focus on
data privacy, lack of appropriate protections
against network-based attacks,
and low cybersecurity awareness in
users can lead to successful phishing
campaigns.
Facilities that don't follow best practices-such
as data encryption, networks
with firewalls, limited access to
databases, or intrusion detection and
prevention systems-make it easy for
hackers to game the system, says Patel.
Patient data is probably the most
valuable target for hackers right now,
Lerman believes. The black market offers
a nice price for patient data, which
can be used for medical fraud. " Hackers
always want to go for the easy way
in. While servers, laptops, and other IT
devices have become more protected
over time, medical devices remain vulnerable
and are the weakest link in the
hospital network, " Lerman says. These
include patient monitors, anesthesia
machines, nursing stations, and glucometers-any
type of medical equipment
that links to the network and provides
patient care information.
In the past, many of these devices
weren't connected, but they are now, he
adds. This increased connectivity allows
physicians to make decisions in real
time but also offers more opportunities
for hackers, Lerman notes.
" This is something that OR managers
and staff need to be aware of and
communicate about to their IT counterparts
in order to understand what types
of protections they need to deliver the
best patient care, " he says.
New schemes
Sagar Patel
Hackers are constantly
trying to outwit the defense
mechanisms installed
by healthcare
and other industries to
thwart cyberattacks.
Until recently, two-factor
authentication was effective
in preventing attacks that rely on
phishing passwords or password
breaches, Patel says. Unfortunately,
crooks are now targeting the two-factor
authentication that relies on phone
numbers/SIM cards to provide a temporary
one-time PIN for login.
" The tactic being used here is called
a SIM-swapping attack, in which an attacker
manages to take over the victim's
phone number, getting access to
the temporary one-time PIN being used
as a second factor for authentication/
login, " Patel explains.
Hackers also have been targeting
vulnerable legacy medical equipment
connected to hospital networks, Patel
adds. " In this attack, once the equipment
is breached, it can be used as a
pivot to execute an attack chain in the
larger hospital network. "
Ransomware-when the attacker exploits
a vulnerability or loophole within
the healthcare system network-is anContinued
on page 14
OR Manager | April 2020
13
http://www.ormanager.com
OR Manager - April 2020

Table of Contents for the Digital Edition of OR Manager - April 2020
