Why hackers like cash-intensive hospital departments
Lax security leaves financial, demographic information at risk, says Christopher Ensey.
The cash-intensive areas of a hospital, such as the cafeteria and billing department, as well as non-cash units like marketing, are desirable targets for hackers. Even so, the data security threats are not being adequately addressed, says Christopher Ensey, chief operating officer at Dunbar Security Solutions, a customized security services firm.
Information systems in departments that process cash and debit-credit card payments often share a network with other units in the facility. But Ensey contends that these departments need their own separate, isolated networks “so they don’t get pulled into someone else’s breach,” he adds.
That’s because departments that process payments and operate systems on a shared network can be easily hacked if another department on that network is attacked.
Payment systems are attractive targets because hackers can get access to a lot of credit or debit card data in a short period of time and sell the data—names, card numbers, expiration dates and possibly security codes—on the Dark Web, or just use the card information to go shopping.
Employee meal cards and any department outside the cafeteria handling those cards, such as human resources, also would be at risk if a hospital cafeteria is hacked, according to Ensey, who advises that employee meal card functions should be on an isolated network.
The marketing department and other units doing promotional outreach also have security risks that may not be addressed; these departments typically use patient demographic information, and often having more information on hand than necessary.
Consequently, these units must be careful in how they disseminate patient information to other organizations and vendors, such as marketing and analytics companies, Ensey counsels.
Often times, marketing information is not fully protected—it might be encrypted on a laptop, but generally not when a copy of a database is sent to a third party.
“It comes down to ease of access,” Ensey says. “The applications used today don’t make it easy to add encryption.”
Information systems in departments that process cash and debit-credit card payments often share a network with other units in the facility. But Ensey contends that these departments need their own separate, isolated networks “so they don’t get pulled into someone else’s breach,” he adds.
That’s because departments that process payments and operate systems on a shared network can be easily hacked if another department on that network is attacked.
Payment systems are attractive targets because hackers can get access to a lot of credit or debit card data in a short period of time and sell the data—names, card numbers, expiration dates and possibly security codes—on the Dark Web, or just use the card information to go shopping.
Employee meal cards and any department outside the cafeteria handling those cards, such as human resources, also would be at risk if a hospital cafeteria is hacked, according to Ensey, who advises that employee meal card functions should be on an isolated network.
The marketing department and other units doing promotional outreach also have security risks that may not be addressed; these departments typically use patient demographic information, and often having more information on hand than necessary.
Consequently, these units must be careful in how they disseminate patient information to other organizations and vendors, such as marketing and analytics companies, Ensey counsels.
Often times, marketing information is not fully protected—it might be encrypted on a laptop, but generally not when a copy of a database is sent to a third party.
“It comes down to ease of access,” Ensey says. “The applications used today don’t make it easy to add encryption.”
More for you
Loading data for hdm_tax_topic #care-team-experience...