Cyber-Security Team Always at the Ready
Intruders want to exploit the personal information of patients and staff for their own gain. Here's what we're doing to stop them.
Cyber-Security Team Always at the Ready
Imagine if someone was trying to break into your house at all hours of the day—rattling doorknobs, banging on windows, trying to crawl through any opening, no matter how small—with the intention of stealing from you or simply causing chaos in your life. That’s the situation the Information Services Security Team at Cincinnati Children’s deal with all year ’round as they work to keep patient, family and employee data safe.
“I couldn’t begin to tell you how many attempts there are to breach our computer systems on a daily basis,” Gavin Durman, lead security analyst, says. “It’s a firehose of password login attempts, vulnerability and misconfiguration scans and other methods of poking and prodding. And then there are what we call “zero day exploits” when someone finds an error in a program that makes us vulnerable to disruption. That’s when you have to drop everything to come up with an emergency plan. It’s constant.”
Cyber security is a hot topic these days, touching on all aspects of our lives—from our personal identity to the integrity of our national systems (e.g., the energy grid, electoral processes, military defense, and more). Among the types of data thieves commonly look for when trying to hack into a computer server are Personal Identifying Information (PII) and Protected Health Information (PHI).
PII consists of any information that can be used to contact, locate, or identify a specific person, e.g., credit card numbers, Social Security number, driver’s license number and other account numbers. It also includes date of birth, home address, phone number, email address, employment history, purchase history and facial images.
PHI consists of any PII that is obtained when providing healthcare services, as well as medical, dental or prescription drug records, insurance coverage, your health plan number, your status in a government healthcare program and dates of hospitalization.
According to the Center for Internet Security, protected health information (PHI) is a popular target because an individual’s health history can’t be changed, unlike, say, credit card information. Pediatric PHI is even more valuable, says Durman. “If you steal the identity of a 70-year-old, you can potentially use that information to commit fraud for a few years before it gets flagged on a credit report. But a child typically has a longer life span. There’s more time for a thief to sell pieces of data to other parties, and the more adulterated the record becomes, the more difficult it is to clean up and correct false records.”
Uncovering the Source Who are the hackers threatening our security? Sometimes it’s a kid who is just learning how to program computers. They find a script and want to see what it does, according to Durman. “They don’t understand the real-world ramifications of what they’re doing.” More frequently, it is criminals acting on their own or who are loosely affiliated with larger groups. In some cases, they are sponsored by nation states.
What You Can Do to Help
Each of us plays an important role in keeping Cincinnati Children’s digital systems secure. Here are a few tips for maintaining a safe online presence on the job and at home:
- Open external emails with caution.
- If you are uncertain if an email is legitimate:
o Call the sender or sender’s organization directly. o Do not use information from the email to make contact until you verify. o Have IS Security check the safety of attachments by calling the Service Desk at 6-4100. Do not open it.
- Delete suspicious emails or SPAM. Do not reply, forward, click on any links or open attachments.
- Use strong passwords (at least 12 characters).
- Use a pass phrase (a sentence or string of words) to help you easily remember
- Do not use:
o Your name o Personal information that could be easily guessed o Dictionary word with just a capital letter and number or symbol.
- Create a throw-away email address for mailing lists and shopping sites.
- Secure your home Wi-Fi with a strong password and use the most secure type of authentication available from your wireless router (WPA-PSK instead of WEP).
- Use different passwords for different services—email, each banking or financial site, social media.
- Install all updates and patches for your personal devices, computers, wireless router, and firewall. Manage settings to install automatically or alert you when updates are available.
- Surf websites with caution just as you would at work, especially since you likely have less advanced tools to monitor your network.
- Hang up if you get a phone call from someone claiming to be Microsoft or "computer" support. Never give someone you didn't initiate contact with remote access to your computer.
- If you are a parent, consider freezing your child’s credit. Since a child doesn’t need access to credit until they are 18, this could save you both a lot of headaches.
For more information about cyber-safety, go to: IS Security Home
The biggest risk to Cincinnati Children’s in the event of a major cyber-attack is the lack of access to timely and accurate date,” says Durman. “Because nearly everything we do is electronic, our ability to check medical records and use other applications could be compromised, and that would negatively impact the quality of care we provide to patients.”
To prevent such attacks, Information Services has put in place layers and layers of protections and backups, starting at the individual computer level on up to the institution’s servers and the cloud.
“We have redundancies in place everywhere we can,” says Durman. “We have firewalls, application gateways and internal security software on devices connected to the network. You have to build resilience into any type of system.”
A Foot in the Door
A lot of what Durman and his colleagues deal with is human error. Employees will accidentally click on a link or unwittingly open a suspicious email.
“We emphasize how important it is to beware of phishing scams,” says Durman. “In 2021, phishing was the most common cause of data breaches nationwide. Despite the filters we’ve installed to prevent these emails from getting through, some still do. One of the most challenging situations is when someone’s external email address is compromised in a way that allows a third party to send messages that appear to come from this person, who may be a trusted contact. It looks legitimate, but it’s not.”
Time is of the essence in shutting down a cyber-attack, because once a program downloads to a computer, it only takes milliseconds to execute.
“The vast majority of the time, when you click on something questionable, your local virus protection is going to pop up and give you a warning,” says Durman. “Or your browser may catch it. It’s all part of the security layering.”
If you do click on a bad link, it may not be immediately obvious that your computer has been compromised, Durman explains. “It may run a little slower or act wonky. If someone has managed to get remote control of your computer, you may even see your cursor move, or you’ll step away, come back, and see things you didn’t open. Sometimes, the hacker will just sit there and log your keystrokes looking for credit card numbers or other personal and financial information.” Most phishing scams don’t contain anything that could access a password-protected application. For example, it could not log into Epic and change or encrypt patient data. But there is some malware that attempts it, so as a defensive measure, Information Services follows a “least privilege” practice, which means employees only have permission to access the programs they need to do their job. “It’s a way of limiting the scope of exposure or the footprint of that person’s ability to touch infrastructure,” Durman says. To stay on top of best practices and the latest cyber threats, Cincinnati Children’s participates in discussions with various groups that include policy influencers, law enforcement and healthcare. “The National Institute of Standards and Technology is the bellwether for digital security standards,” says Durman. “They put out guidelines that many organizations use as the basis for their policies.” Durman also praises Cincinnati Children’s leadership for their support. “The medical center has invested heavily in data security, and it’s paid off in that we have the tools and the staff we need to safeguard our systems,” he attests. “We also have a great team who enjoy working together. Maybe I’m a bit biased, but I really believe that if there were some sort of U.S. News ranking for Information Technology departments, Cincinnati Children’s would be right at the top.”