Systems Thinking

Systems Thinking on a National Level, Part 2

Drew Davidson, Eric Sinclair Banyon, Shady Navarro, Shalamar Santana, Ziomara Pagan, & Stephanie Jean Coute

MHA/505

February 11, 2019

Rachael Kehoe

Systems Thinking on a National Level, Part 2

Cybersecurity breaches in the healthcare industry pose a significant threat to those organizations. According to Gordon et al. (2017), cybersecurity breaches affect not only patients' information but also the organization's credibility. When an organization's credibility comes into question because of a cybersecurity breach, that organization may lose customers who fear that their information is not being appropriately protected. In healthcare, it is crucial that we understand the impact of cybersecurity breaches. Most of the major hospitals in the United States use electronic medical records (EMR). Many hackers use phishing methods to breach hospitals' security protocols by tricking staff members into disclosing sensitive and personal information (Winder, 2014). Therefore, the following will discuss ways cybersecurity breaches happen in the healthcare industry and ways to prevent them from happening in the future.

Cyber Security Breach Diagram

Malicious and Non-Malicious

Cyber security breaches in healthcare can happen in several different ways, and they can be either malicious or non-malicious. A malicious cyber security breach in healthcare occurs when an individual or group purposely hacks into, attacks, or gains unauthorized access to members' PII. Unauthorized access (such as hacking) to protected healthcare systems is the result of malicious behavior; holding the system for ransom or stealing private information are acts of malicious behavior (Katz, 2018). Penetrating a system manually and disabling the system's defenses, or doing so by downloading software programs, are other types of malicious behavior. Hacking is a malicious behavior, but just because a system is hacked does not necessarily mean any personal information is compromised. A non-malicious cyber security breach may not be done intentionally but can cause just as many issues as a malicious one. When data is unintentionally left exposed to unauthorized access, it is a non-malicious behavior. Cyber security breaches in healthcare can be the result of employee error or negligence. In healthcare, malicious behavior is a portion of the inflow of cyber security breaches, and non-malicious behavior is a portion of the outflow of a cyber security breach.

Eavesdropping

As a group, we have identified a multitude of cybersecurity breaches that are growing concerns among healthcare providers and the companies that offer their services to the community. One of these concerns comes in the form of eavesdropping. Eavesdropping is a dilemma within the healthcare industry. As we advance in the use of technology to communicate patients' private information, eavesdropping is one of the breaches that calls for heightened awareness. As the industry advances in the transmission of information via cyberspace, the threat of information falling into the hands of those who seek criminal activity is more prevalent. According to Epic University (2019), the term ‘eavesdropping’ is used to refer to the interception of communication between two parties by a malicious third party. Since the beginning of the digital age, the term has also come to hold great significance in the world of cybersecurity. Wireless services, smartphones, and handheld computers must be protected at all costs. Encryption of these devices is by far the most critical aspect of protecting consumers' information where this level of communication rules. If these devices cannot be encrypted to protect consumers, they should not take precedence. Eavesdropping, within the industry, affects all areas of cybersecurity. This phase of cybersecurity is like the kryptonite of all viruses. Eavesdropping can infiltrate all aspects of cybersecurity and wreak major havoc on any organization. It is essential that we understand what eavesdropping can do to an organization and provide the necessary tools to combat these threats. We as individuals and organizations must obtain the required education, training, etc. to help protect consumers' personal information.

SQL Injection Attacks

Not only is eavesdropping a problem, but so are SQL injection attacks. Eavesdropping and the other forms of cybersecurity attack cannot be ignored, but this attack can cut a bit deeper and cause an organization to lose credibility. This attack affects the coding of a healthcare organization, and coding within the healthcare system is like peanut butter and jelly: for the most part, you cannot have one without the other. Here we are talking about getting deep into a database to retrieve personal information such as phone numbers, addresses, financial information, etc. If the wrong individual obtains that vital information, the organization will have to deal with potential liability that is tough to recover from. This type of attack gets to the heart of the administrative side of things. Some of the most critical information about patients is housed there, and exposing it violates many different aspects of a patient's record. Imagine if this attack happened at a large hospital and the cyber thieves were able to decode the system and completely wipe its database. I know this is not something you would want to be a part of figuring out. These attacks are why it is essential for employees to be very cautious when handling patients' information. Protecting the privacy of your passwords, not opening phishing emails, not violating HIPAA rules, not leaving data exposed, etc. is vital. This type of attack typically happens via a company website.

All in all, education on how to spot these threats, and eliminating or minimizing vulnerabilities, goes a long way. This attack, as well as the other attacks mentioned, will forever be a part of our lives. But being prepared to combat these threats can make the difference between the success and failure of any organization.

HIPAA

HIPAA is an internal source of threats to healthcare information security. The goals of data security are to allow access to healthcare information to authorized individuals, to allow access only when needed, and to retrieve what is accurate for use (Donald & Berwick, 2018). HIPAA has many gaps that should be addressed. First, the privacy rule should be made applicable to all healthcare entities and not only those covered. This means it must be made mandatory. Second, the security rule should cover not only electronically stored data but also paper records. Lastly, all covered entities have not fully complied with HIPAA requirements, which is a more serious threat to information. Unless these gaps are addressed, insecurity will still be a problem.

Data Loss

As an industry, healthcare institutions need to implement strategies that can prevent data loss while ensuring the privacy and security of information. Data loss can be prevented by configuring solutions that are designed to protect sensitive data (Abouelmehdi et al., 2018). These data include Electronic Medical Records, Protected Health Information, and other data, which must be protected so that they are not accessed or misused in any way by unauthorized users (Abouelmehdi et al., 2018). Data loss prevention tools are helpful for monitoring endpoints, streams of network data, and the cloud, thus protecting data from potential loss to any insider or outsider.

Phishing Emails

Phishing emails are a major way for hackers to get into health care systems and obtain protected health information. In fact, ninety-three percent of the breached data in the health care industry is due to phishing emails (“Perils Of Healthcare Phishing And What You Can Do About It”, 2019). It has also been calculated that eighty-three percent of all doctors have experienced cyber-attacks from phishing emails (“Perils Of Healthcare Phishing And What You Can Do About It”, 2019). Many of these attacks have caused a full day of clinical downtime. How do the hackers do it? The phishing emails look just like an email a staff member would receive that is safe and from a trusted source (“Perils Of Healthcare Phishing And What You Can Do About It”, 2019). Phishing emails have caused one hundred and fifteen million-dollar lawsuits against health care facilities (“Most Common Phishing Emails Identified”, 2019). That is more than most have for revenue in a year. In addition, at least sixteen phishing emails are sent to the facility and each staff member every thirty days (“Most Common Phishing Emails Identified”, 2019). According to HIPAA, there has to be quarterly training on the newest phishing email trends. The most common phishing email in the health care industry is the fake payment. Health care in America has become so costly, and hackers have caught on that all healthcare providers have an account that is in default, so making malware look as though it is a payment or is about a payment is the easiest way in to the protected health information (“Most Common Phishing Emails Identified”, 2019).

Data Exposure

The increase of technology in the healthcare industry has given many health organizations the ability to monitor their patients remotely through digital devices and electronic health records. Healthcare data is often collected and stored in a cloud-based system where healthcare providers can access the patient's data from anywhere in real time. However, the vast network of devices that are connected directly with each other to collect, process, and share vital information has put many healthcare organizations at great risk of cybersecurity breaches. “Failed security has resulted in massive data breaches that have led to the loss or compromise of millions of personally identifiable healthcare records. Historically, the security of information systems, in general, has not been seriously considered in many instances until a breach has occurred.” (Moganedi, 2018, p. 297). Therefore, it is important for healthcare companies to take measurable actions to prevent their patients' information from being accessible to unwanted users. Such measures include performing an annual HIPAA security risk analysis, implementing role-based permissions so that individual employees have access only to certain areas of the database, and requiring employees to change their username and password frequently.

Password Protection

Password protection is very important when dealing with access to protected health information. Having to change passwords at least every three months seems difficult and annoying to many health care providers. In healthcare, HIPAA may be the first true definition learned. HIPAA places certain requirements on passwords for accessing protected health information. HIPAA wants there to always be two-factor authentication for logging in to protected health information (“The HIPAA Password Requirements And The Best Way To Comply With Them”, 2018). This means that a username and password are required plus a PIN (“The HIPAA Password Requirements And The Best Way To Comply With Them”, 2018). Protected health information is personal and should always be protected, especially when retrieving or storing the information electronically. HIPAA also requires every password used to access protected health information to be at least eight characters long (“The HIPAA Password Requirements And The Best Way To Comply With Them”, 2018). This, of course, means using numbers and letters. A suggestion from HIPAA for making a password to gain access to protected health information is that the capitalization be random and that you take a phrase you can remember and then mix up the spelling (“HIPAA Security And Privacy”, 2003). There are penalties for sharing passwords that give access to protected health information: one is a fine of up to two hundred and fifty thousand dollars and the other is up to ten years in prison (“HIPAA Security And Privacy”, 2003). There are simple rules to follow to make sure that your password is protected. It can be devastating if someone unauthorized gains access to protected health information.

Take our military and wars into consideration: what if, during a war, a main terrorist is after a certain general and hackers can decode a password to protected health information to find out which hospital the general is at? Think about law enforcement: there have been many cases in the news lately, and an officer-involved shooting can cause quite an uproar. Imagine the wrong person gaining access to the involved officer's address or where he was being treated. The results of these situations would make a bad situation even worse. These are just a few reasons why password protection in the health industry is so important.

Viruses

All it takes is one click, and the virus could spread like wildfire. That is why it is so vital that healthcare organizations train their employees to look out for possible phishing emails, which are the highest risk for health organizations to receive a virus. “Before 2016, healthcare organizations were not thought to be a primary target for ransomware. However, 14 hospitals had become the target of ransomware, and a total of 173 hacking/information technology (IT) incident data breaches had been officially reported by October 16, 2016, 17, 18. Hospitals have become an easy target for hackers for two reasons: The necessity of computer storage of information associated with patient care and the security holes in IT systems” (Spence, Bhardwaj, & Paul, 2018, p. 2). Therefore, healthcare organizations must take action by training their staff never to open unknown emails or documents or download unknown files. Healthcare organizations must also implement preventive measures such as having the latest antivirus software and running daily virus scans on all electronic devices within the organization. Without the proper actions taken to prevent data breaches within the healthcare industry, the percentage of cybersecurity attacks will continue to rise, putting patients at risk.

Conclusion

Cybersecurity breaches in the healthcare industry pose a significant threat to those organizations. That is why security breaches in healthcare organizations must be handled immediately for the safety and security of the patients. Therefore, by educating the staff about the various ways security breaches can occur and ways to prevent them from within and outside the organization, cybersecurity breaches in the healthcare industry will begin to decrease.

References

Epic University (2019). What is Eavesdropping in Computer Security? Retrieved from https://www.ecpi.edu/blog/what-is-eavesdropping-in-computer-security

Gordon, W. J., Fairhall, A., & Landman, A. (2017). Threats to information security—Public health implications. New England Journal of Medicine, 377(8), 707-709.

Moganedi, S. (2018, June). Undetectable Data Breach in IoT: Healthcare Data at Risk. Cyber Warfare and Security, 8(1), 296-298. Retrieved from https://search-proquest-com.contentproxy.phoenix.edu

Most common phishing emails identified (2019). Retrieved from https://www.hipaajournal.com/most-common-healthcare-phishing-emails-identified

Perils of Healthcare phishing and what you can do about it (2019). Retrieved from https://healthitsecurity.com/features/perils-of-healthcare-phishing-and-what-you-can-do-about-it

Spence, N., Bhardwaj, N., & Paul, D. (2018, June). Ransomware in Healthcare Facilities: A Harbinger of the Future? Perspectives in Health Information Management, 1-22. Retrieved from https://search-proquest-com.contentproxy.phoenix.edu

Storm, D. (2015). MEDJACCK. Hackers Hijacking Medical Devices to Create Backdoors in Hospital Networks.

The HIPAA Password Requirements and the Best Way to Comply With Them (2018). Retrieved from
