Infostealer Malware & Healthcare Business Associates – Know Your Risk


To mitigate risk to your patients’ protected health information, you need to consider the cybersecurity policies your healthcare business associates and vendors have in place at their own organizations. These are a few questions you should be asking potential partners to help reduce risk from extremely common malware.

We can’t stress enough the importance of ensuring that business associates have appropriate security policies and practices. A major threat to the security of your patients’ protected health information is infostealer malware that may steal employees’ login credentials from their browsers without their knowledge. To illustrate the risk, consider a hypothetical scenario and its potential impact.

Scenario

“John” works for a revenue cycle management firm with several hospitals and medical practices as clients. As a result of the pandemic, he started working remotely, using his personal computer to access his work account. Like many people who use complex passwords for security, John uses a password manager installed in his browser to store all his logins. Unbeknownst to John, a website visited by a family member infected his computer with malware that exported copies of all his family’s login credentials that were stored in their browser – online banking, social media accounts, the children’s schools, healthcare patient portals, retail accounts, and John’s work login credentials. The stolen logs were eventually sold on a dark web market.

Impact

Assume our hypothetical criminal attempts to log in to the revenue cycle management firm using John’s credentials. Will they succeed? It depends. Some questions to ask a potential healthcare partner or business associate:

What authentication do your business associates require for login to their systems by employees connecting remotely?

How do your vendors and business associates connect to your system? Do you require two-factor or multi-factor authentication, or can anyone log in if they have a working username and password?

All authentication at Bluesight requires the use of multi-factor authentication, in addition to usernames and passwords. Additionally, access is restricted by geographic regions, and all connections to the Bluesight Platform are checked for suspicious behavior.

A final thought

While the risk to employers, business associates, and covered entities is significant, we do not want to downplay the risk to the employee’s family. Infostealers are indiscriminate in whom they hit. One of the most common ways people wind up with infostealer malware infections is by visiting a gaming site or a site with information on gaming, cracks, or cheats. If you or your child use your personal computer for gaming, get a separate computer for work — it really is that much of a risk.
