Internet Robots (Spiders, Crawlers and Web Bots) May Put Healthcare Organizations at Risk for HIPAA Violations

Healthcare Compliance Perspective:

Inappropriate use of healthcare provider computers increases the risk of malware infection, which may compromise a protected, private network of systems, data, and services. Strong passwords reduce the likelihood that access will be compromised by unauthorized users; it is therefore essential to keep all passwords confidential, create strong passwords, and change passwords every six months.

As healthcare organizations expand their use of technology to perform a variety of automated tasks for such things as “indexing a search engine,” they need to be aware of the potential for these “bots” to be used maliciously.

After a “bot” gains access to an organization’s computerized environment, even for what is intended to be an innocent purpose, it can also reach other information that is protected under the HIPAA Privacy Rule: insurance accounts, provider organization accounts, patient portal accounts and vendor accounts.

According to a vice president of a cybersecurity company specializing in the detection and mitigation of situations where “bots” are used maliciously, hackers can use bots to “find test results, financial information, debit and credit card numbers, patients’ Social Security numbers” and much more than just “basic health information.” The VP describes it as the perfect tool for “identity theft.”

In these days of media coverage regarding the opioid epidemic, it is not surprising that a bot’s identity-theft capabilities are being maliciously used to obtain medication information that includes prescriptions for opioids. All a hacker has to do is “grab the prescription, go to the patient’s pharmacy, state the patient’s name and address, and walk out with the opioids.” Basically, this means that “anyone with PHI online” who is prescribed opioids could be a target.

One of the ways a healthcare organization can avoid being compromised by malicious “bot” malware is to “routinely monitor web traffic into the facility,” and if malware is suspected, the facility should contact an expert in dealing with the problem. It is a challenge for a non-expert to “keep up with an automated application that disappears and then reappears somewhere else in a system.”
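The advice to “routinely monitor web traffic” is easier to act on with a concrete check. The following script is an added example written for this page; it is not code from the original article or from the cybersecurity company quoted above. It parses constructed web-server access-log lines (standard combined log format; the IP addresses, paths and user-agent strings are made up) and flags clients that announce themselves as crawlers, exceed an assumed request-rate threshold, or repeatedly fail patient-portal logins. The thresholds, the user-agent list and the `/portal/login` path are assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed list of user-agent fragments typical of automation. A user-agent is
# attacker-controlled, so this only identifies *declared* bots; the behavioural
# checks below are what catch a bot pretending to be a browser.
AUTOMATION_UA = ("bot", "crawler", "spider", "python-requests", "curl/", "scrapy", "wget")
LOGIN_PATH = "/portal/login"  # assumed patient-portal login endpoint


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, max_per_minute=30, max_login_failures=5):
    """Return {client_ip: [reasons]} for clients that look automated or abusive."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        recs.sort(key=lambda r: r["time"])

        # 1. Declared automation: the client says it is a bot.
        uas = {r["ua"].lower() for r in recs}
        if any(tag in ua for ua in uas for tag in AUTOMATION_UA):
            reasons.append("automation user-agent")

        # 2. Request rate: sliding 60-second window over this client's requests.
        window = timedelta(seconds=60)
        start = 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 > max_per_minute:
                reasons.append("request rate above %d/min" % max_per_minute)
                break

        # 3. Repeated failed logins against the portal (credential stuffing).
        failures = sum(
            1 for r in recs
            if r["method"] == "POST" and r["path"].startswith(LOGIN_PATH)
            and r["status"] in (401, 403)
        )
        if failures > max_login_failures:
            reasons.append("%d failed portal logins" % failures)

        if reasons:
            findings[ip] = reasons
    return findings


def build_sample_log():
    """Constructed sample log lines; not taken from any real facility."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"

    def fmt(ip, t, method, path, status, ua):
        return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "%s"' % (
            ip, t.strftime(TIME_FMT), method, path, status, ua)

    lines = [
        # an ordinary patient session
        fmt("203.0.113.7", base, "GET", LOGIN_PATH, 200, browser),
        fmt("203.0.113.7", base + timedelta(seconds=25), "POST", LOGIN_PATH, 302, browser),
        fmt("203.0.113.7", base + timedelta(seconds=40), "GET", "/portal/results", 200, browser),
        # a declared search-engine crawler fetching robots.txt
        fmt("192.0.2.44", base, "GET", "/robots.txt", 200,
            "Googlebot/2.1 (+http://www.google.com/bot.html)"),
    ]
    # a bot with a browser-like user-agent: 40 rejected logins in 20 seconds
    for i in range(40):
        lines.append(fmt("198.51.100.9", base + timedelta(seconds=i // 2), "POST",
                         LOGIN_PATH, 401, "Mozilla/5.0 (X11; Linux x86_64) Chrome/116.0"))
    return lines


if __name__ == "__main__":
    for ip, why in analyze(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Two outcomes are worth noting. The declared crawler is reported only as “automation user-agent”; that is identification rather than an alarm, and the facility still has to decide whether any crawler belongs near a patient portal. The credential-stuffing client carries a browser-like user-agent and is caught purely by its behaviour (rate and failed logins), which is the check that survives a bot that lies about what it is.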

An individual can protect themselves by using unique passwords for their accounts rather than the same password for everything.