Perimeter Security: It’s the Simple Things That’ll Get You

Are you sure your medical records aren’t accessible by outsiders? Maybe check your perimeter security. I’m not talking about fancy technical security gadgets, but the simple, obvious things like setting a password on your internet-facing applications.

Here’s why I ask. Did you hear about the 187 medical system servers not protected by passwords or other necessary perimeter security measures? Thank the recent ProPublica investigation for that bombshell. One example: with a simple data query, a MobilexUSA server exposed the names of more than a million patients! The investigation uncovered the exposure of names, birthdates, and in some cases, social security numbers.

Get back to the basics. Avoid the obvious errors, such as:

  1. leaving default passwords on servers (ask the State of Utah about its massive breach),
  2. not setting passwords at all, and other blatant mistakes of that kind.

You lose patient trust, and you lose money. There are notification costs and harm to your reputation, not to mention significant OCR fines. Another big expense? The corrective action plans (CAPs) that regulators impose.

Let’s look at the password issue alone. Basic perimeter security doesn’t stop at changing default server passwords and setting an original one. Take it up a notch. Make sure the passwords you set aren’t easy to guess. Get complex. For cybercriminals, it doesn’t take a lot of computing power to crack a simple password: the shorter the password and the smaller the set of characters it draws from, the fewer guesses an attacker needs. Take it as a given that you need to set complex passwords on all of your devices.
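To make the “it doesn’t take much computing power” point concrete, here is an added example (not code from the original post or from Apgar & Associates) that a defender could run against candidate passwords for their own devices before setting them. It flags vendor-default or common passwords from a small denylist constructed for illustration, and estimates the search space in bits and a rough average crack time. The denylist contents, the 12-character and 60-bit thresholds, and the assumed guess rate of 10 billion guesses per second (a ballpark for a GPU rig against a fast, unsalted hash) are all assumptions of this example, not figures from the post.

```python
import math
import string

# Constructed denylist of vendor-default and trivially common passwords.
# Illustrative only; a real deployment would use a much larger breach-derived list.
DEFAULT_PASSWORDS = {
    "", "admin", "password", "123456", "changeme", "welcome",
    "root", "letmein", "qwerty", "default",
}

# Assumed attacker throughput (guesses per second); an assumption for this
# example, not a measured figure. Slow, salted hashes push this far lower.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class union that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def search_space_bits(pw: str) -> float:
    """Brute-force search space as log2(charset_size ** length)."""
    n = charset_size(pw)
    if n == 0 or not pw:
        return 0.0
    return len(pw) * math.log2(n)


def crack_time_seconds(pw: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average-case time to exhaust half the search space at the assumed rate."""
    return (2 ** search_space_bits(pw)) / 2 / guesses_per_second


def evaluate_password(pw: str, min_length: int = 12, min_bits: float = 60.0) -> dict:
    """Return a verdict with the reasons a password would be rejected, if any."""
    reasons = []
    if pw.lower() in DEFAULT_PASSWORDS:
        reasons.append("default or common password")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = search_space_bits(pw)
    if bits < min_bits:
        reasons.append(f"search space below {min_bits:.0f} bits")
    return {
        "bits": round(bits, 1),
        "crack_seconds": crack_time_seconds(pw),
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample candidates: a vendor default, a short "complex" one,
    # and a long passphrase.
    for candidate in ["admin", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {verdict['bits']} bits, "
              f"~{verdict['crack_seconds']:.3g} s average, "
              f"acceptable={verdict['acceptable']} {verdict['reasons']}")
```

Note that the estimate is deliberately optimistic for the attacker: it models a plain brute-force search and ignores dictionary and rule-based attacks, which make a short “complex” password like the second sample weaker than its bit count suggests. A long passphrase scores well here because length dominates the exponent, which is the practical takeaway for device passwords.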

Too often, it’s the simple things that get you. If simple mistakes are why your data is exposed to the internet, you’re setting your organization up for an OCR finding of willful neglect. That will almost certainly lead to civil penalties or monetary settlements. Remember, fancy technology isn’t your biggest risk; it’s people and easy mistakes with significant implications.

No doubt, limited resources are an issue for smaller healthcare organizations like small clinics and health information technology (HIT) startups. On the other hand, the adverse impact of neglecting even simple things can put a smaller organization out of business. If you’re a smaller organization, or just not sure where to start, try the Office of the National Coordinator for Health Information Technology (ONC). There are plenty of no-cost resources available, like its toolkit for providers. Tackling perimeter security can be overwhelming, which is why it’s essential to start small, with the basics.

Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, is a nationally known speaker and author. He most recently authored the McGraw-Hill Healthcare Information Technology Exam Guide chapter on the regulatory aspects of health IT. Chris is also a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law, and electronic health information exchange.