In his own doctor's office, cybersecurity expert Gary Glover found he could gain unauthorized access to physician practice data.
He wasn't exactly trying to hack the system, explains Glover, director of security assessment at SecurityMetrics, in an interview with HealthcareInfoSecurity on securing remote access to healthcare systems. Rather, while waiting for an appointment, he needed Wi-Fi and was able to get onto the practice's network.
From there, he found an exposed server that didn't require a password. Glover was able to get into everything, including credit card data. Alarmed, he quickly got out and later asked the doctor if he needed help with security. The doctor told him his brother handled that.
Wireless can be one way that people get in, he explained.
"You may not think people are poking around, but there's a lot of smart people out there," Glover said.
Once you're inside, with a direct network connection through wireless or a virtual private network, you can attack other systems and essentially gain the keys to the kingdom, he said.
He advises organizations, first of all, to educate employees about the need for strong passwords--a long combination of characters and numbers not found in the dictionary.
"It's amazing that most of the compromises we're seeing [involved inappropriate] remote access that could've easily been prevented with strong passwords," he said.
Secondly, he said, employees should be taught not to give out those passwords. Social engineering is prevalent and largely successful, with callers posing as HR or the IT department and saying they need the password. Employees should learn to be wary.
Additionally, he said, two-factor authentication is the most secure way to provide remote access.
Security experts predicted that phishing and ransomware would pose particular challenges for healthcare in 2015. Phishing emails try to lure recipients into giving out information such as usernames, passwords or credit card numbers. Ransomware allows cybercriminals to hold data hostage while they demand payment to unlock it.
After a breach of health insurer CareFirst--announced last month--which compromised information on 1.1 million customers, security experts warned that phishing could give criminals information usable for everything from medical identity fraud to follow-on attacks aimed at extracting even more data from victims.
To learn more:
- here's the interview