Is your old EMR or PM system the backdoor that a hacker needs to access your network? According to the Bitglass Healthcare Breach Report 2016, the big change from 2014 to 2015 was that hacking and IT-related incidents resulted in the vast majority of data breaches (98%), where in 2014 the majority were related to loss or theft of employee devices as the primary source. Criminal attacks are now seen as the leading cause of data breeches in healthcare. An attack can be costly; a recent Ponemon Institute report puts the average cost at $368 per lost or stolen record for healthcare as compared to $154 overall.
So, is that old EMR/PM system with patient PHI and guarantor Social Security Numbers and often times credit care information a problem? You bet! Typically, these old systems are forgotten about, or are not part of the strategy to “secure the enterprise”. In many cases, they are on old hardware, maybe not in a data center, but a unsecured closet in an acquired clinic’s office. They may have a connection to the Internet, but “it is just for the providers to pull up old records”.
Employee phishing attacks continue to be a huge concern, but weak user passwords, and patch management continue to leave easy points of entry for hackers. One of the things that we have discovered here at MICA Health is that legacy systems often times provide a perfect back door for hackers. These systems, more often than not, are not actively maintained – no patch management, no user management. Oftentimes an out of date software-based firewall is employed. RDP, Citix or IIS access is available, but not updated or managed.
So, what can you do? First of all, restrict access to the application. Terminate all of the user accounts that no longer need access to the system. In many cases you will discover that employees that left the organization years ago are still active. Enforce password complexity, the two most common passwords used in 2015 were “123456” and “password” according to a recent Gizmodo article. If possible, apply patches to the OS. However, in many instances, it is impossible to update the environment because of limitation of the application. MICA Health can help. We offer a variety of affordable options to safeguard the data that these sunset systems hold in a secure and accessible manner.