Serious Security Risks Found in Healthcare Laptops

A recent analysis of healthcare security risks by the Clearwater CyberIntelligence Institute (CCI) has shown laptop computers pose a major threat to hospitals, health systems, and their business associates.

Laptops are portable and can easily be lost or stolen, which places data at risk. The devices can be accessed remotely and used to access healthcare networks, and many organizations fail to monitor how employees use them. CCI ranked laptop computers 6th among sources of risk for healthcare organizations.

CCI research showed 70% of high and critical risk scenarios for laptop vulnerabilities were in three areas: endpoint data loss (29.9%), excessive user permissions (22.4%), and dormant accounts (17.8%).

The most serious risk is endpoint data loss, which was rated critical or high due to the number of vulnerabilities in this area. Within this category, 98.9% of laptops had vulnerabilities related to the failure to lock down external ports such as USB, CD, DVD, and FireWire. Consequently, users can easily copy data onto portable storage devices.

63.3% of devices lacked controls to prevent users from storing sensitive data locally. Healthcare organizations can address this vulnerability by using virtual desktop software to access the organization’s programs and data. If sensitive data is not stored on the laptop’s hard drive, data exposure can be avoided in the event of loss or theft of the device.

52.7% of laptops were not protected by tools to prevent data loss and the sending of sensitive data to unauthorized individuals. Tools exist that can scan both internal and external network traffic to increase protection.

Control deficiencies were identified in high numbers of laptops. 100% of those studied had deficiencies related to user activity reviews, 97.73% had deficiencies in user permissions reviews, and 91.57% had deficiencies in log aggregation & analysis.

It is important to periodically scan user activity to identify anomalous behavior that could indicate an attempt to compromise the system and gain access to sensitive data. User permission reviews are required to detect dormant accounts so they can be deactivated, and to find excessive user permissions and correct them to reflect an individual’s role in the organization. Security information and event management applications should also be used for log aggregation and analysis to identify suspicious activity.
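The user permission review described above can be sketched as a short script. This is an added example, not part of the CCI analysis: the inventory fields, the role-to-group baseline, and the 90-day dormancy threshold are all assumptions, and the account rows are constructed sample data.

```python
from datetime import date

# Constructed sample inventory: one row per account found on a laptop.
ACCOUNTS = [
    {"user": "jsmith", "role": "nurse", "groups": {"Users"},
     "last_logon": date(2024, 5, 28), "enabled": True},
    {"user": "mlee", "role": "billing", "groups": {"Users", "BillingApp", "Administrators"},
     "last_logon": date(2024, 5, 30), "enabled": True},
    {"user": "tbrown", "role": "nurse", "groups": {"Users"},
     "last_logon": date(2024, 1, 15), "enabled": True},
    {"user": "svc_scan", "role": "service", "groups": {"Users", "Administrators"},
     "last_logon": None, "enabled": True},
    {"user": "kpatel", "role": "it_admin", "groups": {"Users", "Administrators"},
     "last_logon": date(2023, 11, 2), "enabled": False},
]

# Assumed baseline: the groups each role is entitled to hold.
ROLE_BASELINE = {
    "nurse": {"Users"},
    "billing": {"Users", "BillingApp"},
    "it_admin": {"Users", "Administrators"},
}
DORMANT_AFTER_DAYS = 90  # assumed threshold; set this from local policy


def review_accounts(accounts, baseline, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return (user, finding, detail) tuples for enabled accounts only."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated, nothing left to remediate
        last = acct["last_logon"]
        if last is None:
            findings.append((acct["user"], "dormant", "never logged on"))
        elif (today - last).days > dormant_after:
            findings.append((acct["user"], "dormant", f"{(today - last).days} days idle"))
        allowed = baseline.get(acct["role"])
        if allowed is None:
            # A role with no baseline cannot be checked, so surface it for manual review.
            findings.append((acct["user"], "unknown_role", acct["role"]))
        elif acct["groups"] - allowed:
            extra = ",".join(sorted(acct["groups"] - allowed))
            findings.append((acct["user"], "excessive_permissions", extra))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, ROLE_BASELINE, date(2024, 6, 1)):
        print(*finding, sep="\t")
```
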

CCI urges all healthcare organizations to assess their laptop computers, through a comprehensive risk analysis, to determine whether the above-mentioned controls have been implemented correctly, whether risks have been effectively reduced to an appropriate level, and to ensure that remediation plans have been implemented to address critical risks involving endpoint data loss, excessive user permissions, and dormant accounts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.