Most healthcare facilities expend a great deal of resources on compliance to safeguard patient information; when that information is compromised it ends up in the wrong hands and hefty fines follow.
Many compliance violations occur when employees take laptops or thumb drives off campus and lose them or have them stolen, and hospital data is suddenly in the wrong hands. These devices carry a vast amount of information about patients. One hospice center in Idaho was recently fined $50,000 after an employee lost a laptop holding more than 400 patients’ information. In that case the data was not encrypted; encryption is one safeguard that many healthcare facilities use to protect information.
But it’s not always a lost hard drive or thumb drive containing hospital data that leads to serious violations against patient protection laws; sometimes it’s the work of a hacker who has found ways around the firewall.
One of the tactics hackers most commonly use to get past firewalls is cross-site scripting, or XSS. It arises when an application does not validate user-supplied data. Hackers build scripts that take advantage of that gap, giving them access to the user’s computer and letting them release malware that can perform any number of operations while the computer’s owner is completely unaware that anything is happening.
The best way to avoid this situation is a whitelist: reject all suspicious data that isn’t on a previously verified list of acceptable values. Another option is to encode output data, so that any script injected into a page is rendered by the browser as plain text rather than executed.
Injection flaws are another issue that leads to healthcare facilities being compromised by hackers. This method of attack is actually quite easy for hackers to develop, because it relies on user data being routed to an interpreter, most often SQL. The interpreter is tricked into running a changed set of commands, so it does what the hacker wants rather than what the user has asked the computer to do.
The best way to prevent this injection situation is to avoid handing user data to an interpreter in the first place. Instead, use parameterized queries or stored procedures. And most certainly, don’t use dynamic SQL.
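The difference between dynamic SQL and a parameterized query, as an added example that is not part of the original article: the vulnerable lookup splices the caller’s value into the statement text, while the hardened lookup checks it against a whitelist and binds it as a parameter. The table, the rows and the `MRN-` record-number format are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not real patient records).
PATIENTS = [
    ("MRN-1001", "A. Example", "Oncology"),
    ("MRN-1002", "B. Sample", "Cardiology"),
    ("MRN-1003", "C. Placeholder", "Hospice"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, unit TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", PATIENTS)
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, mrn: str) -> list:
    """Vulnerable: the caller's value becomes part of the SQL text, so the
    interpreter runs whatever statement that value turns it into."""
    sql = "SELECT mrn, name, unit FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


# Whitelist for the record-number format assumed in this example.
MRN_ALLOWLIST = re.compile(r"MRN-\d{4}")


def lookup_parameterized(conn: sqlite3.Connection, mrn: str) -> list:
    """Hardened: reject anything not on the whitelist, then bind the value
    as a parameter so the interpreter never parses it as SQL."""
    if not MRN_ALLOWLIST.fullmatch(mrn):
        return []
    sql = "SELECT mrn, name, unit FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def demo() -> dict:
    """Run both lookups with a legitimate value and a crafted one and
    return how many rows each returns."""
    conn = build_db()
    crafted = "x' OR '1'='1"  # turns the dynamic WHERE clause into always-true
    return {
        "dynamic_legit": len(lookup_dynamic_sql(conn, "MRN-1002")),
        "dynamic_crafted": len(lookup_dynamic_sql(conn, crafted)),
        "param_legit": len(lookup_parameterized(conn, "MRN-1002")),
        "param_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The dynamic lookup hands back every row for the crafted value, while the parameterized one returns nothing for it and exactly one row for the legitimate record number.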
Hackers also mount malicious file execution attacks through remote file inclusion (RFI), which affects XML and PHP frameworks. Once hackers are able to upload rootkits onto the user’s server, they can take over the entire machine. To head off this type of intrusion, don’t build filenames for server-based resources from input that has been offered up by users. Also, configure the firewall so that the server never opens new connections to external web sites.
OffSite Image Management, Inc., has developed a health information exchange that ensures radiological data is safe at all times and can be shared with confidence that it’s getting to the right place and in front of the right eyes. Using its proprietary Honeycomb platform, OffSite can promise robust service that connects digital silos across multiple systems and organizations.