Medical InnovationsTechnology

“How to Hack Healthcare” hosted by HIMSS

ezampino
ezampino
6 Min Read

“How to Hack Healthcare” presentation by Alluvien Information Security experts:

Aaron Hayden, MBA
Software Development / Ethnics & Compliance

Alex Haslach, GSEC, CEH
System Administration / IT Control Analyst

June 25, 2015

More Read

technology helps with sepsis treatments
How is Technology Shaping the Future of Sepsis Treatment?
Hospital mobile apps: benefits, trends, and development process
Merging Compassion and Science is the Future of Periodontology
Dedicated Software Development Teams Disrupt Healthcare Tech
EHR System Optimization Strategies For Top-Notch Performance

“How to Hack Healthcare” presentation by Alluvien Information Security experts:

Aaron Hayden, MBA
Software Development / Ethnics & Compliance

Alex Haslach, GSEC, CEH
System Administration / IT Control Analyst

June 25, 2015

This webcast hosted by HIMSS covered ‘recent’ healthcare entities that have been hacked (Anthem, Premera, CHS, etc.), how the hackers got into their systems and what safeguards (cover risk) could have been put into place to avoid these intrusions. Later in the webcast Alex covered HIPPA requirements; Administrative, Physical, Technical (Access, Audit, Intergrity and Transmission). Thoughtful and useful advice was given to the audience on the best actions for healthcare, etc. to take to avoid hacks.

*Image source: Fox Small Business Center

As mentioned in the slides, over the last decade healthcare providers account for 26.8% of data breaches (about 1200), however not every sector has mandatory reporting, healthcare is overrepresented. Both Anthem (2010) and Premera (2014) were hacked via spear phishing. A fake website was created with very similar web address; an employee went to this website and gave away their credentials. Aaron goes into detail of why hackers preform these ‘mega breaches’, citing the main reason is because there is a huge black market for data, and the suspicion is that hackers assemble a database about individuals and can use this protected information to target same group of people in the future by using better ‘crafted’ phishing emails; federal employees are usually main target. Another hypothesis is that this is illicit market research, used to generate new and better uses of healthcare products. This is the ‘positive’ spin on things, I applaud your efforts Aaron, but I am VERY doubtful! Aaron also talked about the Community Health Systems (CHS) hack of more than 200 healthcare facilities somewhere between April and June 2014. This was a far more sophisticated attack utilizing malformed requests (hackers asked for encrypted sessions with the webserver) and a OpenSSL Heartbleed vulnerability reportedly resulted in a VPN session hijack.

So are governmental mandates enough to help prevent such attacks? If an organization is compliant with HIPPA, it “…does not mean it is secure in any way”. One huge downfall that was a common theme with Premera, Anthem and other attacks, was the length of time hackers had access to data before it was even noticed by anyone due to the lack of monitoring and the strong compliance beyond just HIPPA. Protection systems like Intrusion Detective System (IDS), Intrusion Prevention System (IPS) and Security information and event management (SIEM) System need to be in place. A useful source mentioned was a non-profit cooperative research and education organization called SANS that has a comprehensive list of top 20 Critical Security Controls that mitigate and prevent security breach; organizations that have implemented these security controls have an 85% less likely chance of a breach.

The slides that go into HIPPA are in the link below for your reading pleasure! I don’t want this to become a blog about the subject (easily done due to the vastness), but please read their slides because they do a wonderful job of summing it up. Instead I want my next point to be about my question asked. I wrote in asking Aaron and Alex their opinion on utilizing Amazon Web Services (what Wellpepper uses), to store PHI data etc. and what they believed the pros and cons to be. Aarons opinion was the bigger the company the better… they have solid safeguards to protect PHI data and can easily present their policies to clients, but as a customer if you have a security request that is in conflict with their efficiently organized architecture, they are not going accommodate. Alex agreed adding that it is a matter risk of transference; will Amazon do a better job of protecting our data by taking the risk for us? Yes, because Amazon maintains class one data centers all around the world that have very good security controls, they have resources to invest in the highest level of protection available with an entire team to do so. With that coming from Alluvien security professionals, it is nice to be reassured that PHI data that Wellpepper utilizes is well protected.

The webcast is available here after a short ‘registration’ process. The on demand webcast expires at the end of July.

You Might Also Like

Emerging Technologies That Will Change Dentistry Forever

How Technology Tools Can Benefit Physicians and Patients

Breakthroughs in Gene Targeting in Mouse Can Help Humans

Accelerate SaMD product development with these regulatory strategy insights

You MUST Monitor Kids’ Smartphones to Keep Them Safe

Share this Article
Previous Article The 80-20 Rule and Disruptive Healthcare Professionals
Next Article 2011 Google AdWords Income. Source: Wordstream Dr. Google, I’d Like You to Meet Google Insurance Co.

Stay Connected

Latest News

Why Work with Pharmaceutical Staffing Agencies & How to Choose One
Career
what medical industry learnt from covid-19
Who Should Get the COVID-19 Antibody Test Panel?
Covid-19
becoming a travel nurse
What Skills are Needed as a Travel Nurse?
Career
How to Take Advantage of Open Enrollment in Medicare
How to Take Advantage of Open Enrollment in Medicare
Medicare
Lost your password?