To mitigate risk to your patients' protected health information, you need to consider the cybersecurity policies your healthcare business associates and vendors have in place at their own organizations. These are a few questions you should be asking potential partners to help reduce risk from extremely common malware.
We can't stress enough the importance of ensuring that business associates have appropriate security policies and practices. A major threat to the security of your patients' protected health information is infostealer malware that may steal employees’ login credentials from their browsers without their knowledge. To illustrate the risk, consider a hypothetical scenario and its potential impact.
Scenario
“John” works for a revenue cycle management firm with several hospitals and medical practices as clients. As a result of the pandemic, he started working remotely, using his personal computer to access his work account. Like many people who use complex passwords for security, John uses a password
manager installed in his browser to store all his logins. Unbeknownst to John, a website visited by a family member infected his computer with malware that
exported copies of all his family’s login credentials that were stored in their browser – online banking, social media accounts, the children’s schools, healthcare patient portals, retail accounts, and John’s login credentials to work. The logs were eventually sold on a dark web market.
Impact
Assume our hypothetical criminal attempts to log in to the revenue cycle management firm using John’s credentials. Will they succeed? It depends. Some questions to ask a potential healthcare partner or business associate:
What authentication do your business associates require for login to their systems by employees connecting remotely?
For example, Protenus requires all employees to connect to the internal Protenus Network for all Protenus activities, including for logging into any systems that contain customer data. Additionally, all data at Protenus is managed in a Zero Trust model, such that additional authentication is required for access to the data and applications within the Protenus Platform.
How do your vendors and business associates connect to your system? Do you require two-factor or multi-factor authentication, or can anyone log in if they have a working username and password?
All authentication at Protenus requires the use of multi-factor authentication, in addition to usernames and passwords. Additionally, access is restricted by geographic regions, and all connections to the Protenus Platform are checked for suspicious behavior.
A final thought
While the risk to employers, business associates, and covered entities is significant, we do not want to downplay the risk to the employee’s family. Info stealers are indiscriminate in whom they hit. One of the most common ways people wind up with info stealer malware infections is by visiting a gaming site or a site with information on gaming, cracks, or cheats. If you or your child use your personal computer for gaming, get a separate computer for work — it really is that much of a risk.
For more on this topic, watch the healthsystemCIO webinar, "Managing & Mitigating Security Risks from Third-Party Vendors."
