Thwarting Cybercrime in HealthcareHow to Fight Identity Theft, Other Fraud
"We really are living in a new world ... a new paradigm in healthcare," says McMillan, CEO of security consulting firm CynergisTek. Cybercriminals are targeting healthcare organizations for identity theft and other forms of fraud because their systems are a rich source of financial and clinical information, he says in an interview with Information Security Media Group.
And because hospitals, clinics and other provider organizations are relying more heavily on business associates, including cloud service providers, they're also vulnerable to "supply chain security issues," he says. Many of those business associates "are not as secure as the hospital and are essentially back doors into their systems," he adds.
The consultant also notes: "The proliferation of poorly protected connected endpoint devices is just growing exponentially. One of the big problems is that we're still trying to chase the device, and what we really need to be doing is managing the data so that the device doesn't become our Achilles heel," he says.
Steps to Take
Healthcare organizations can take several steps to prevent patients from becoming the victims of medical identity theft and fraud committed by insiders, as well as by hackers and other cybercriminals, McMillan says.
One key step, he says, involves improving monitoring of data access. In addition to taking advantage of audit logs, organizations should use behavioral analysis that measures patterns of when and where users are accessing data and what they're looking at, he says. Improved authentication methods can also help prevent improper access to data, he says.To improve defense against external threats, including fraudsters that use social engineering to gain access to data, McMillan suggests healthcare organizations ramp up their employee training. "What HIPAA says they need to be educated on is not enough," he says "[Employees] need to recognize what a phishing attack is ... and how not to become a victim of that."
Many organizations also need to improve their system controls, McMillan says. "We need to authenticate not just users, but systems," he says. "When platforms are trying to connect to a critical server or asset, and our environment doesn't recognize that IP address ... [the system] should say 'no, you're not authorized'."
In the interview, McMillan also discusses:
- The biggest mistakes healthcare organizations make with role-based access control and management;
- Technologies and best practices that are most overlooked by healthcare organizations in preventing breaches involving healthcare billing and claims fraud;
- Why malware poses an increasing threat to healthcare entities.
McMillan is co-founder and CEO of CynergisTek Inc. an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force. McMillan was recently named by ISMG a Top Influencer for 2014.