CHS Data Hack: Is Your Company’s Information Secure?

While the tech security industry’s discovery of the Heartbleed bug in April made few mainstream headlines, its impact on information security became front-page news this week. Community Health Systems announced a massive security breach in which hackers gained non-medical information about approximately 4.5 million patients in their database.

According to a source “close to the CHS investigation”, the group responsible for the breach gained access by exploiting an unpatched occurrence of the Heartbleed bug in a Juniper device used by the hospital group. Once in, the attacker logged in via a VPN and was able to move deeper into the network.

The Heartbleed vulnerability was discovered in April in networking equipment distributed by Cisco and Juniper – unarguably two of the largest names in business networking equipment. The bug compromised the security of data encryption on IP networks, both internal and external. A patch was quickly developed, yet by June more than half of the infected sites on the internet had failed to apply it.

Security breaches are troublesome in every industry due to the potential for financial loss and identity theft, but in the healthcare industry there could be legal repercussions as well. Healthcare providers and vendors could be in violation of HIPAA regulations governing patient privacy even if the information compromised does not include details of their care.

Is your company’s information secure? Below are some best practices to ensure security now and in the future.

Make sure you’re secure.

Conduct an audit of your security as soon as possible. If you don’t have in-house IT professionals, schedule an appointment with a reputable third-party consultant to review your system. The IT professional will identify areas of potential vulnerability to address, as well as best practices to employ moving forward.

Educate your staff.

Human error accounts for a large portion of security breaches, so be sure that your employees are vigilant about information security. Remind them of basic protocol, such as not opening email attachments from unfamiliar email addresses, and advise them to be careful when downloading any extraneous programs onto their system. (In fact, you may simply prohibit the use of non-work-related software.)

Staff adherence to security procedures extends to their use of company hardware outside the workplace. Emphasize the importance of keeping work computers and devices safe when they are in the employee’s personal possession – after all, if a work laptop is stolen from an employee’s car then your information is equally at risk.

Use multiple layers of security.

Use different passwords for different programs, and give them an increased level of complexity – letters, numbers, and characters combined will help to thwart “dictionary attacks” run on the words within passwords. There are a number of passcode generators that you can use for a string of random characters. Reset your passwords regularly, and don’t write them down.

Update your anti-virus and antispyware software regularly to benefit from new definitions, and use an intrusion detection program to identify and block illegitimate attempt to access the system.

Encrypt your data

Protect the information in your network no matter where it goes. For communications including sensitive information, use an email encryption to secure the data against prying eyes.

Back up your data!

Always have a working hard copy of your data that you can use to restore the system in case the information is lost or compromised in a security breach. There are reputable online backup services that you can use as well, but the best practice is to also have a copy offline that you can access manually.

Protect mobile devices connected to your network.

If you work away from your office, either on a home network or a mobile device (laptop, tablet, phone), make sure that the security settings on those devices are also up to date. If it is an option, restrict the use of business-related information to devices that are owned and distributed by the business.

Have an updated security policy.

All of the above tips should be regular practices in your security policy, which you should always follow and periodically reevaluate. Other policies to consider may include:

  • Restricting who can access your network via VPN and when
  • Prohibiting staff from sharing security information over the phone, no matter what
  • Requiring that work hardware not be taken off the premises without authorization

Information security is a large investment of both time and money, but it is one of the most critical investments you can make in the longevity of your business. While you may not be able to thwart every potential attack on your data, having established security practices and following them will help you to recover more quickly and minimize the damage that an attack can cause.

If you lack the cash flow to invest in information security, PRN Funding can help. Our comprehensive healthcare factoring and medical accounts receivable factoring programs help healthcare companies from nurse staffing agencies to medical billing companies and more turn their open invoices into working capital that they can use to support their business – including its information security. Contact PRN Funding to learn more about healthcare factoring and medical accounts receivable factoring services.