With all the pressures on health care, including the ones COVID-19 added, raising the issue of cyber security may seem like piling on. But partly because of COVID, cyber crime against health care is rising significantly. Health care is a primary target because of the volume of patient data it holds and the financial value of its operational records.
You've seen the headlines, but you probably aren't aware of the unintentional insider threat that healthcare providers, hospitals, home care providers and others have left open to the hacker: poorly secured websites.
The reality for patients is that they interact with health care and home care websites more than ever before. Online appointment setting, coordinating telemedicine, and self-education by patients are all on the rise. While the underlying systems may be secure, the website is the interface through which all of this vital information passes, and if that interface can be penetrated by a hacker, all bets are off when it comes to maintaining security.
It's tempting for IT managers to view the company website, hosted outside the internal network, as a low priority, but hackers don't see it that way. Effective large-scale hacking uses a variety of methods to acquire user credentials, place phishing assets on websites, and create a scenario in which the attackers can defraud the institution or its patients.
Here's the challenging truth: a large percentage of health care and home care websites follow risky website practices that make them easy prey for deliberate hacking efforts.
Poorly secured websites create an insider threat: a vulnerability that originates inside the organization, in this case through negligent website practices. In a highly litigious industry, health care and home care providers cannot afford to raise their risk profile, especially when doing so is entirely unnecessary. Hackers have taken note of this weakness.
What's the Health Care & Home Care Risk?
- Liability - The cost of losing personal information and resulting damages, or cost of ransomware attacks.
- Reputation Risk - Public embarrassment and damage to rapport from hacking incidents.
- Patient Fraud - Vulnerable populations like seniors can be defrauded using phishing scams.
- Restoration Cost - Costs to restore data and repair websites can be substantial.
- Business Continuity Costs - Interruptions in business that follow defaced websites or public incidents.
The Greatest Vulnerabilities Come from Poorly Secured Websites
Websites built on open source platforms such as WordPress are frequent targets of cyber attacks. Hackers' motivations range from simple defacement or malicious nuisance, to learning administrative password patterns, to setting up phishing schemes that use the company's website and brand to obtain patients' private information.
All software is vulnerable if users don't carefully guard their credentials, but WordPress and other open source software contain so much code, written by tens of thousands of contributors, that they make an especially easy target. Literally anyone can write one of the plugins that make WordPress operational and useful.
Hosting risks compound the problem. Large public hosting companies that are mostly in the business of selling domain names also offer hosting. Their size and the number of questionable domains they host add to the risk inherent in open source software. Vulnerabilities are compounded by low-quality hosting.
If you review the statistics from the 40,000+ WordPress websites that Alexa lists in the Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
It's Your Patients (and Employees) They Are After
There are numerous avenues to reach patients, including administrative systems, point of sale, data storage and email, but one blatant vulnerability is the website. Infosec describes two primary avenues: 1) hackers use your site to lure in others, or 2) administrators or employees receive phishing emails. Phishing is particularly effective when it leads people back to a page on your own website, where, posing as a trusted source, the attacker can collect vital access information from your clients.
A phishing scheme can put your website to work for its fraudulent purposes:
- Hacker compromises the website
- Hacker sets up a page designed to collect important information (say, "reset your patient or employee passwords?")
- Hacker invites patient or employee to visit the page and Bam! They are in and the kind of information they can collect is essentially unlimited.
- The compromised information can lead to direct fraud, be paired with a phone or mail scam, or lead them to identify password information that opens additional networks to cyber attack.
It's hard to imagine a more compromising situation than your customer giving up their critical passwords on a hacked page on the health care or home care website. Since the IT team for your institution is working hard to protect both data and operations, providing an opening like this just doesn't make sense.
At Story, when we used to employ and sell a highly popular hosting service (a name you'd recognize), almost every one of our clients' websites was hacked. It was like clockwork, and it was never easy to fix. We graduated to a more secure hosting environment, but we noticed something else: the open source software that we loved and promoted was full of vulnerabilities. Simply adding security software or better hosting to WordPress is really only a half-measure. We even had websites hacked that offered nothing to the hacker, except the thrill of owning someone else's site, or perhaps a little hacking practice.
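The phishing chain above starts with a page the site owner never deployed appearing on the web root, and the hosting experience described here is what it looks like when nobody notices. A defender's first line of detection is a file-integrity baseline: record a hash of every file under the site, then compare later scans against it and alert on anything added or changed. The following is an added example and is not code from the original post or from Story Collaborative; the web root layout and file contents are constructed in a temporary directory for the demonstration.

```python
"""Baseline-and-diff file integrity check for a website's document root.

Added example, not from the original post. Records a SHA-256 hash of every
file under a directory, then compares a later scan against that baseline and
reports files that were added, removed, or modified. A new .html or .php
file under a WordPress web root that nobody on the team deployed is the kind
of signal that a planted phishing page produces.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the baseline; keep this file outside the web root and read-only."""
    baseline_file.write_text(json.dumps(scan(root), indent=2, sort_keys=True))


def diff_against_baseline(root: Path, baseline_file: Path) -> dict:
    """Return {'added': [...], 'removed': [...], 'modified': [...]}."""
    baseline = json.loads(baseline_file.read_text())
    current = scan(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"          # assumed web root, constructed
        theme = root / "wp-content" / "themes" / "site"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed sample\n")
        (theme / "style.css").write_text("body {}\n")
        baseline = Path(tmp) / "baseline.json"  # stored outside the web root
        save_baseline(root, baseline)

        # Simulate what a compromise looks like on disk (constructed content):
        # an unexpected page appears and an existing file is altered.
        (theme / "reset-password.html").write_text("<html></html>\n")
        (root / "index.php").write_text("<?php // modified\n")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step from a trusted state (right after a clean deploy), store `baseline.json` somewhere the web server's account cannot write, and schedule the diff step from cron. In practice you would exclude volatile directories such as `wp-content/uploads` and cache folders, and treat any added `.php` or `.html` file as an alert rather than a log line.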
Website Software Like WordPress is a Hacker's Dream
The very nature of WordPress invites hackers. To operate WordPress, you need a large number of plugins, developed by a random assortment of volunteer developers around the world. The national average is greater than 20 plugins per website. Every time WordPress updates, half of those plugins become vulnerable before they are updated. Keeping them all up to date is a regular chore, and one that almost no one keeps up with effectively.
->Learn how to quickly make the move from vulnerable to secure with a website that delivers more clients, too.
A best-practice approach for health care providers is to use enterprise-level software for their own websites.
Story Collaborative began its move to SaaS (fully managed security and code) website software in 2017. Talk with us if you are a health or home care provider who wants to move quickly to a secure web profile, wants a pain-free process, and wants the other enterprise benefits for sales and marketing that come along in the package. You'll also remove the reputation and liability risk that comes with leaving open the potential for clients' critical access passwords to be compromised.