Remote access makes doing business extremely convenient. However, it’s critical to understand that with this ease, comes vulnerability. Insecure remote access is the number one attack pathway used by hackers today.
Remote access technology is an incredibly valuable business tool – as long as there is an Internet connection, it allows workforce members to easily access the office network from anywhere.
However, insecure remote access gives hackers a pathway to compromise organization networks and gain access to medical records.
Remember Target’s massive data compromise in 2013? It is believed that the incident began when a hacker gained access to one of Target’s systems via a remote access account belonging to an HVAC company. Hackers were able to use that access to gain a foothold on an internal system and then leapfrog to other systems inside the retailer’s network.
The breach resulted in the theft of data on 40 million consumer credit and debit cards, and affected over 70 million.
Recent attack trends show that cyber thieves have been shifting focus to healthcare due to the lucrative nature of patient health information on the black market. According to a 2015 Ponemon Institute study, medical identify theft incidents increased 21.7 percent since 2014.
How do hackers do it?
Many healthcare organizations open up their networks to vendors, partners, suppliers, and other business associates to streamline processes and enable better service and support. Few implement processes governing third-party access.
It’s no coincidence that the exploitation of improperly configured remote management tools is the plan of attack most frequently used by hackers. If not properly secured, remote access puts organizations at a severe security disadvantage by allowing attackers to bypass the firewall and most other system security measures and remotely gain access to the POS or other systems in the payment environment.
It’s simply that easy for hackers, especially because while there tend to be rules in place for employees using remote access, the same rules are not always applied to external parties.
According to preliminary SecurityMetrics forensics investigation data of breached organizations during 2014, insecure remote access played a role in 93 percent of cases.
While IT may be able to manage security on one end with remote access, there is no guarantee of security on the remote user’s side. In the majority of recent hacking cases, specific businesses weren’t necessarily targeted, rather, the hackers likely scanned the Internet for vulnerable remote access systems first, and then attempted to compromise them.
By utilizing easily accessible scanning tools, the attacker can simultaneously scan multiple computers, routers, servers and websites, searching for specific data (like if the organization uses remote access).
Recommended mitigation strategy
It's critical to look at how to effectively govern company use of remote access technologies. When implemented and managed properly, remote access can be secure. Here are a number of best practices recommended to protect your organization against hackers:
- Limit those who can access the system remotely. Only provide remote access to those whose job requires it. Don’t share remote access credentials, and ensure everyone has a unique username and password.
- Don’t use default remote access passwords. Many remote access systems come pre-installed with a default password, and those passwords are easily found via a web search. If you haven’t changed your default remote access password, you’re just making a hacker’s job easier.
- Require two-factor authentication. Using a single factor (a password) makes it easy for attackers to gain access. However, by implementing strong authentication processes, you can keep remote access secure. Two-factor authentication greatly reduces the risk of an attack. One example may be the use of a password in conjunction with a security token that regularly generates a new access code. Or, the combination of both a password and a certificate. Note that user IDs are not considered a factor of authentication.
- Keep firewalls up-to-date. This will help ensure that inbound rules provide adequate protection.
- Maintain HIPAA compliance. If you aren’t already doing it, implement and maintain HIPAA standards for continuing data security protection.
- Get everyone on the same page. Periodically review data security practices to ensure employees protect sensitive patient data.
Greater security all around
In our ‘always-on’ era, where work is conducted from the road via smartphone or at an offsite meeting on a tablet, it’s a safe assumption to say remote access is here to stay. Integrated biometrics (fingerprints, palm prints, facial characteristics) will likely help securely authenticate a person’s identity in the future, but in the meantime, healthcare has work to do.
To reduce opportunities for hackers to succeed, healthcare entities must be proactive about protecting sensitive data across their organization. Security must be an ongoing practice – a top priority that resides at the heart of business operations and data management.