October 8, 2019


With security an increasing focus in the healthcare space, CIOs and CTOs spend significant time ensuring the safety and privacy of patient information. However, the varying kinds of security attacks and privacy concerns leave IT specialists and stakeholders with a never-ending list of worries.

Types of security attacks (not an all-inclusive list):

  • ADVANCED PERSISTENT THREATS (APT) – a security threat that remains undetected in the network for an extended period of time, most common when the data is of high value.
  • AI ATTACKS – attacks that use automation to impersonate identities, crack passwords and run denial of service (DoS), making them much more formidable.
  • DISTRIBUTED DENIAL OF SERVICE (DDoS) – the goal is to deny access to a server by overwhelming the target system with a flood of network traffic.
  • MALWARE – a stealthy approach, without the end user's knowledge, to put code on a device (e.g., a Trojan horse).
  • PASSWORD ATTACK – an unauthorized party attempting to break in or obtain a user's password.
  • PHISHING – social engineering to obtain information or approval to run code on a device. C-suite, you're a favorite target for an attack like this.
  • PHYSICAL SECURITY & DRIVE-BY ATTACK – an unsecured wireless environment allowing threats to easily attack the system.
  • RANSOMWARE – blocks access to data with the threat of permanently compromising the data unless a ransom is paid.

Social engineering is the foundation of several attacks. These attacks occur when an attacker poses as a trusted party to gain access to codes and passwords for various devices. They give the attacker the ability to obtain damaging information and/or create a foothold in the network from which to exploit further security issues.

IT and cyber-attacks in the healthcare industry rank among the most damaging and costly compared to other industries. As a whole, the healthcare industry spends an estimated $6 billion a year dealing with security attacks and breaches.

According to one of the latest Becker's reports, data on more than 5 million US patients can be accessed online with just a basic web browser. The diagram below, published by the HIPAA Journal, shows the rise in the number of reported data breaches.

Image from: HIPAA Journal

The cost of the steps needed to prevent a security breach and keep information private and safe is a fraction of what an organization could lose in a cyberattack. Addressing these five items can help to eliminate the possibility of future threats and attacks.

  1. NETWORK ACCESS: Gaining access to a wireless network can be as easy as identifying the SSID (Service Set Identifier) and using a password cracker available on the internet for free. Make sure the wireless connection doesn't advertise the SSID and that communications are encrypted. Using an advanced authentication protocol the environment can support, such as Kerberos, together with network encryption protocols such as IPsec, will help safeguard the network.
  2. PROFESSIONAL INSTALLATION: Hire highly qualified staff to administer the network and the DMZ (the entry point into your network from public networks). This will ensure firewalls, protocol analyzers and port analyzers are proactively looking for breaches. Conducting a penetration test by a 3rd party will also confirm that safety measures are correctly in place.
  3. SECURE DEVICES: Ensure network and PC devices are locked down. Leveraging biometric identification technology or a 3rd-party code generator for two-factor authentication will help improve the overall security of the system. Requiring three-factor authentication and additional security to access additional data or perform sensitive actions (e.g., ordering narcotics) is another way to safeguard high-value information. Lastly, having end-user security policies in place and enforced will also increase protection.
  4. 3rd PARTY ASSISTANCE: Use 3rd parties who specialize in healthcare security when necessary. It's important to include security that covers the protection of medical devices and patient devices/wearables such as heart monitors.
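As an added example that is not part of the original post: the two wireless controls in step 1 (no SSID advertisement, encrypted communications) expressed as an audit of a hostapd-style access point configuration. The option names are hostapd's; both configuration texts are constructed here for illustration.

```python
# Added example (not from the original post): audit a hostapd-style access point
# configuration for the controls in step 1, a non-broadcast SSID and encrypted
# communications. Both configs below are constructed samples.
import re

# Constructed sample: an access point with the weak settings.
WEAK_CONF = """
interface=wlan0
ssid=ClinicGuest
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# Constructed sample: the corrected settings (hidden SSID, WPA2 with CCMP, 802.1X).
HARDENED_CONF = """
interface=wlan0
ssid=ClinicStaff
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
"""

def parse_hostapd(text):
    """Return key/value pairs from hostapd.conf-style text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_wireless(text):
    """Return a list of findings; an empty list means both controls are in place."""
    conf = parse_hostapd(text)
    findings = []
    # Control 1: hostapd hides the SSID when ignore_broadcast_ssid is 1 or 2.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast in beacons")
    # Control 2: wpa is a bitmask, bit 1 = legacy WPA, bit 2 = WPA2/RSN.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("no WPA/WPA2 configured (open or WEP network)")
    elif not wpa & 2:
        findings.append("only legacy WPA enabled; require WPA2/RSN")
    ciphers = set(re.split(r"\s+", conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")))
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed; use CCMP only")
    return findings
```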

At Excite Health Partners we use consultants and partners who specialize in healthcare IT. We can perform assessments to ensure the environment and patients' data are well protected.

Todd Klein, CIO VP of EHR Services & Digital Solutions