
Internet Access Control for Hospitals

Why Internet Access Control for Hospitals is Now Essential

The increase in cyberattacks on healthcare organizations in recent years has made Internet access control for hospitals a necessity. Cybercriminals have been targeting healthcare organizations because they store huge volumes of valuable data that can be used to commit identity theft or medical fraud.

Keyloggers are used to obtain login credentials to networks and email accounts and gain access to healthcare networks and EHR systems. Wipers are used to sabotage health systems, taking entire systems out of action. The NotPetya (ExPetr) wiper attacks are a recent example.

Over the past 12 months, ransomware attacks on hospitals have increased. Ransomware is a form of malware that encrypts files and prevents the owner of the data from accessing documents, images and other data. A ransom demand is then issued. If the ransom is paid, the attackers provide the keys to unlock the encryption. Hospitals are a major target for these kinds of cyberattacks because access to patient data is necessary to provide medical services.

Hollywood Presbyterian Medical Center paid a ransom of $17,000 to regain access to its data. It was one of many hospitals that were forced to pay a ransom.

Internet access control for hospitals offers excellent protection against malware and ransomware and other web-based attacks. An Internet filter will prevent all users from accessing websites known to host malware or exploit kits that download malicious code.

Internet access control for hospitals is not only about preventing costly cyberattacks; it is also an important element of HIPAA compliance. The HIPAA Security Rule requires hospitals to implement reasonable security measures to reduce the risk of malware infections. Internet access control is one such measure that can safeguard the confidentiality, integrity, and availability of PHI.

How Do Internet Filters Work?

Internet filters for hospitals can be hardware appliances through which all Internet traffic is routed, software solutions based on individual devices or servers, or DNS-based systems that filter the Internet through a third-party service provider.

An Internet filter works by assessing the content of a webpage to determine whether it complies with an organization’s acceptable Internet usage policies. Those policies are programmed into the filter during setup. Most Internet filters for hospitals allow rules to be set for certain categories of website – adult websites for instance – or by keywords contained on the webpage. It may even be possible to block sites if a specified keyword density is exceeded. In order for the Internet filter to block those webpages, it must read the content of the site and perform a check before access is granted.

Internet access control for hospitals is also possible using blacklists of websites. Blacklists are lists of webpages and websites that are used for phishing, have been discovered to host malware or exploit kits, or are used for other nefarious purposes. Blacklists are also maintained for sites containing illegal material such as child pornography.
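The checks described in this section, combined into one policy decision, are sketched below as an added example (it is not code from any filtering product). The hostnames, categories, keyword list and 5% density threshold are constructed sample values, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: a real filter loads these from vendor feeds and admin policy.
BLACKLIST = {"malware-host.example", "phish.example"}
CATEGORY_DB = {"casino.example": "gambling", "news.example": "news"}
POLICY = {
    "blocked_categories": {"adult", "gambling"},
    "keywords": {"casino", "poker"},
    "max_keyword_density": 0.05,  # block when more than 5% of words are policy keywords
}


def parent_domains(host):
    """Yield the host and each parent domain (not the bare TLD), so that
    cdn.phish.example is matched by a blacklist entry for phish.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def keyword_density(text, keywords):
    """Fraction of words on the page that are policy keywords."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if not words:
        return 0.0
    return sum(w in keywords for w in words) / len(words)


def evaluate(url, page_text, policy=POLICY):
    """Return (allowed, reason). Host-based rules run first because they
    need no page content; the density check runs only if they pass."""
    host = urlsplit(url).hostname or ""
    for domain in parent_domains(host):
        if domain in BLACKLIST:
            return False, f"blacklist:{domain}"
    for domain in parent_domains(host):
        if CATEGORY_DB.get(domain) in policy["blocked_categories"]:
            return False, f"category:{CATEGORY_DB[domain]}"
    density = keyword_density(page_text, policy["keywords"])
    if density > policy["max_keyword_density"]:
        return False, f"keyword_density:{density:.2f}"
    return True, "allowed"
```

Returning the reason alongside the decision gives the reporting layer a record of which rule blocked each request.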

Internet Access Control for Hospitals’ Wired and Wireless Networks

Cybercriminals can gain access to healthcare networks via wired and WiFi networks, so it is important both are protected by Internet access controls. If hospital employees are allowed to access the Internet without any restrictions in place, malware downloads are a serious risk. This should be picked up during a risk assessment.

Hospitals may decide not to overly restrict Internet access for employees, although it is important – as a minimum – to use blacklists to prevent the deliberate or accidental accessing of risky websites and those that are known to host malware.

Even visiting legitimate websites carries a risk. Malicious adverts have been displayed on websites such as MSN and The New York Times. Those adverts redirect users to phishing websites and exploit kits where malware can be downloaded. Cybercriminals may now favor spam email to spread malware, although the risk of web-based attacks should not be ignored.

An internet filtering solution should therefore be deployed to prevent employees from accessing malicious sites or unacceptable Internet content, while WiFi access should also be controlled – for employees, guests and patients.

Internet access control for hospitals is not just about improving security posture, although that is one of the most important reasons why it is critical. Some of the other key benefits of Internet access control are detailed below.

Internet Access Control for Hospitals Improves Productivity of the Workforce

Several studies have shown that the failure to control Internet access can have a detrimental effect on the productivity of the workforce. A single employee spending an hour a day on personal Internet use will add up to a significant loss over the course of a year. If every employee were to waste an hour a day, the losses would be substantial. An organization with 1,000 employees could lose $35 million a year if every employee spent an hour a day on personal Internet use, according to one study.

Another study by Data Corp showed that only 60-70% of Internet use in an average business is spent on work-related activities, while 25% of unfiltered Internet traffic was for non-work-related activities. That traffic includes visiting social media sites, online shopping, and accessing pornography – the top three causes of Internet-related productivity losses. Internet access control for hospitals can be used to reclaim those lost hours and put them to better use.

Internet access control for hospitals can also be used to conserve bandwidth to ensure all users can enjoy reasonable Internet speeds. By restricting access to video streaming websites and gaming sites, organizations can ensure that sufficient bandwidth is available for all users, especially during times when Internet use is heavy.

Internet filtering also helps to protect health systems from legal liability arising from employees accessing pornography or engaging in illegal online activities such as copyright-infringing file sharing.

Options for Controlling Internet Access in Hospitals

Health systems looking to control Internet access in hospitals have three main options: a hardware-based Internet filter, a software-based filter or a cloud-based web filter. Each has benefits and disadvantages. Appliance-based Internet filters can be expensive, especially for larger healthcare organizations with multiple access points, multiple locations, and large numbers of Internet users. Each appliance can only cope with a certain number of devices at any one time, so multiple appliances will be required. These solutions also lack scalability. As users increase, more appliances must be purchased.

Software-based filters can be installed as virtual appliances and may not require any additional hardware purchases. These solutions offer a level of protection equivalent to an appliance, but with greater flexibility. Cloud-based solutions – DNS filters – are the easiest option. There is no latency and implementation is as simple as changing the DNS record to point to the service provider’s DNS. With cloud-based solutions there is no need for any patching or upgrades as the solution is maintained by the service provider. Cloud-based filters can also protect wired and WiFi networks.

There are many potential solutions offering Internet access control for hospitals. Look for a solution that is easy to install, configure and maintain. Some solutions may appear to offer cost savings, but a high management overhead will reduce the cost effectiveness of the solution over time.

The ideal solution should allow controls to be easily applied for different departments, locations, user groups and users. Scalability is also important – a solution should be able to grow with the organization.

Your chosen solution should allow extensive reporting to provide visibility into which sites users are attempting to access, and allow the filtering of webpages in multiple languages. It is also useful to have APIs available to make it easy to integrate the solution with your back office.

With the right solution, hospitals will be able to improve their security posture, comply with HIPAA Rules on data security, reclaim hours lost to personal Internet use, and create a safe browsing environment for all staff, patients and guests.