Foster a Healthy Security Posture
February 27, 2017
Healthcare organizations and providers focus on offering a high level of care for their patients’ health and wellbeing; what is often overlooked is providing that same level of care when handling patients’ protected health information (PHI) and other personally identifiable information (PII).
That's not to say that practices and healthcare organizations are purposely careless with sensitive information. What's closer to the truth is that, in many breaches, the practice had implemented at least some of the security measures needed to comply with the relevant requirements, yet still ended up in the headlines, often facing hefty fines on top of the breach itself.
Securing medical records is a complex undertaking. It goes far beyond the minimal technical requirements of HIPAA and depends on a careful balance of the technical knowledge of IT teams, properly trained office or hospital staff, and even the third-party vendors that service systems within the organization. All too frequently in healthcare settings these responsibilities are pushed aside, as the recent major breaches at health insurers, hospital networks, and medical centers show. According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, nearly 90 percent of healthcare organizations surveyed had suffered a data breach.
Why are thieves targeting healthcare?
The answer is quite simple: profit. Personal health information is extremely attractive due to its lasting value.
Think about it this way: if credit card information is stolen, the cardholder can cancel the card and report the theft to the card issuer and the credit bureaus as soon as the fraud is noticed, destroying any future profitability for the thief.
Stolen healthcare data is different. A name, date of birth, insurance ID and medical history cannot be cancelled and reissued, so the identity theft that follows, such as opening fraudulent credit accounts in the victim’s name, can generate amounts that make credit card theft look like a drop in the bucket. The more the attacker makes, the greater the impact on the life of the individual, and the greater the mistrust of the compromised healthcare organization. In 2016 it was reported that victims of medical identity theft paid an average of $13,500 to resolve the crime.
It's important to understand that cybercriminals are well aware of these facts and figures. Hackers, once perceived as lone individuals, have become far more organized, running their malicious operations like full-time businesses: well funded, with labs, and with ample time and resources devoted to research and development.
So, what is needed to make healthcare security stronger and prevent these incidents?
Healthcare organizations need an array of security technologies that can be used to prevent malicious attacks and keep personal healthcare information safe, while retaining the day-to-day ease-of-use.
Encrypt all the things.
In early 2016, it was discovered that nearly 400,000 records were compromised when a staff member’s computer was stolen, because the records stored on it were not encrypted. Under the HIPAA Security Rule, encryption of electronic protected health information (ePHI), whether at rest or in transit, is an “addressable” implementation specification: an organization must either implement it or document why an equivalent alternative is reasonable and appropriate. In practice, encrypting is the only sensible choice, because under HHS breach-notification guidance ePHI that is lost while properly encrypted is not treated as a reportable breach, whereas an unencrypted laptop is. Full-disk encryption on every laptop and workstation, with the keys managed centrally rather than written on a sticky note, is the baseline.
Protect against Ransomware.
Ransomware is still as relevant today as it was when we first began covering stories of healthcare organizations becoming targets. Your employees are one of your greatest defenses against ransomware. Proper ongoing training on how to handle sensitive records, and on how to identify potential threats such as phishing attachments, is imperative. Training does not stand alone, though: keep tested, offline backups of patient data, patch promptly, and give users only the file access their role requires, so that one clicked attachment cannot encrypt the whole practice.
Remove unauthorized devices.
The risk of mobile threats and privacy issues continues to grow at an alarming rate, driven by the millions of apps available to users of all ages and the worldwide growth in the number of devices. Cisco predicts that by 2020 the number of people who own mobile phones will exceed the number of people with access to running water and electricity.
Mobile devices are not only prevalent in personal life, from shopping to banking; the healthcare industry has also started leveraging them to keep up with competition and with the demand for better, faster, more convenient service.
USB devices such as flash drives and thumb drives can easily infect computers with self-replicating malware that spreads from machine to machine, much as floppy disks did years ago. A USB device can also present itself to the operating system as a keyboard and type commands that install malware. A USB drive or external hard disk can infect the computer it is plugged into as soon as it is recognized, before antivirus tools have a chance to catch the attack. Disable AutoPlay and autorun, restrict which USB storage and input devices are allowed to connect through endpoint device-control policy, and keep an inventory so that an unknown device stands out.
Vet your third-party vendors.
Your systems may be secure, but what happens when you require outside assistance with an issue? Ensure that every vendor you use follows guidelines to secure the technology they connect to or service, to keep both you and your data safe. Attackers treat the “vendor as vector”: rather than attacking a healthcare system directly, they compromise a smaller practice’s IT vendor in order to reach many clients at once. Ensuring these third-party companies have current endpoint security in place, and that their remote access to your systems is limited to what they need and is logged, is also part of the healthcare practice’s responsibility.
Gain real-time breach detection and response.
This is a fairly new addition to the list, since breach detection and response has been expensive technology, typically out of reach for smaller practices and organizations. With advances in technology, there are now breach detection and response solutions for SMBs at a reasonable price point.
Leverage the latest Security Information and Event Management (SIEM).
SIEM has become a key technology in fighting off cybercriminals and keeping healthcare companies informed of suspicious network activity. SIEM platforms ingest the millions of log events generated by the systems and devices in the infrastructure and correlate them for you in near real time. A properly tuned SIEM can flag a threat as it unfolds, alert you immediately, and trace the activity back to the device and account it started from, so that someone can stop the attack in its tracks. Two caveats: a SIEM can only see the logs that are actually forwarded to it, so workstations, servers, firewalls and the EHR application all need to send their events; and out-of-the-box rules generate noise until they are tuned to the environment, so budget for the people who will do that tuning and act on the alerts.
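To make the SIEM pitch concrete, here is a small correlation rule of the kind a SIEM runs, as an added example written for this article and not code from any SIEM product. It reads constructed OpenSSH login events (the hostnames, account names and addresses are invented), raises a medium-severity alert when one source address fails to log in to one host five or more times inside a five-minute window, and escalates to high severity when a successful login from that same source follows the burst. Every alert carries the originating address and the targeted host, which is the “trace it back to the device” part of the pitch.

```python
"""SIEM-style correlation over constructed auth log lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input, not real log data: OpenSSH auth events as a
# central log collector would receive them. Hosts and addresses are invented.
SAMPLE_LOGS = """\
2017-02-27T08:00:01 ehr-db01 sshd[4012]: Failed password for dr.smith from 10.20.30.40 port 51002 ssh2
2017-02-27T08:00:03 ehr-db01 sshd[4013]: Failed password for dr.smith from 10.20.30.40 port 51003 ssh2
2017-02-27T08:00:05 ehr-db01 sshd[4014]: Failed password for dr.smith from 10.20.30.40 port 51004 ssh2
2017-02-27T08:00:07 ehr-db01 sshd[4015]: Failed password for dr.smith from 10.20.30.40 port 51005 ssh2
2017-02-27T08:00:09 ehr-db01 sshd[4016]: Failed password for dr.smith from 10.20.30.40 port 51006 ssh2
2017-02-27T08:00:12 ehr-db01 sshd[4017]: Accepted password for dr.smith from 10.20.30.40 port 51007 ssh2
2017-02-27T08:00:20 ehr-db01 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
2017-02-27T08:15:00 billing-01 sshd[2201]: Failed password for nurse.lee from 10.20.31.7 port 40001 ssh2
2017-02-27T08:15:04 billing-01 sshd[2202]: Accepted password for nurse.lee from 10.20.31.7 port 40002 ssh2
2017-02-27T09:30:00 ehr-db01 sshd[4100]: Failed password for root from 203.0.113.9 port 33001 ssh2
2017-02-27T09:30:01 ehr-db01 sshd[4101]: Failed password for root from 203.0.113.9 port 33002 ssh2
2017-02-27T09:30:02 ehr-db01 sshd[4102]: Failed password for admin from 203.0.113.9 port 33003 ssh2
2017-02-27T09:30:03 ehr-db01 sshd[4103]: Failed password for admin from 203.0.113.9 port 33004 ssh2
2017-02-27T09:30:04 ehr-db01 sshd[4104]: Failed password for oracle from 203.0.113.9 port 33005 ssh2
2017-02-27T09:30:05 ehr-db01 sshd[4105]: Failed password for oracle from 203.0.113.9 port 33006 ssh2
2017-02-27T09:30:06 ehr-db01 sshd[4106]: Failed password for postgres from 203.0.113.9 port 33007 ssh2
"""

# OpenSSH password-auth lines; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3})"
)

WINDOW = timedelta(minutes=5)   # sliding window per (source, host) pair
THRESHOLD = 5                   # failures inside the window that trip the rule


@dataclass
class Alert:
    kind: str          # "brute_force" or "brute_force_success"
    severity: str
    src: str           # address the attempts came from
    host: str          # system that was targeted
    users: tuple       # accounts tried inside the window
    failures: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line):
    """Return a dict for an sshd auth event, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "ok": m["outcome"] == "Accepted",
    }


def correlate(lines, window=WINDOW, threshold=THRESHOLD):
    """Stream events in time order and emit alerts as the rule trips."""
    failures = defaultdict(deque)   # (src, host) -> deque of (ts, user)
    alerted = set()                 # pairs already flagged, to avoid repeats
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        q = failures[key]
        while q and ev["ts"] - q[0][0] > window:   # expire old failures
            q.popleft()
        if not ev["ok"]:
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(Alert("brute_force", "medium", ev["src"], ev["host"],
                                    tuple(sorted({u for _, u in q})), len(q),
                                    q[0][0], ev["ts"]))
        else:
            if len(q) >= threshold:   # success right after a burst of failures
                alerts.append(Alert("brute_force_success", "high", ev["src"], ev["host"],
                                    tuple(sorted({u for _, u in q} | {ev["user"]})),
                                    len(q), q[0][0], ev["ts"]))
            q.clear()                 # a clean login resets the counter
            alerted.discard(key)
    return alerts


def run_sample():
    """Run the rule over the constructed sample above."""
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.kind}: {a.src} -> {a.host} "
              f"users={','.join(a.users)} failures={a.failures} "
              f"{a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
```

Run against the sample, the rule produces three alerts: a medium alert and then a high alert for 10.20.30.40 against ehr-db01 (five failures followed by a success for dr.smith), and a medium alert for 203.0.113.9 spraying root, admin and oracle at the same host. nurse.lee's single mistyped password produces nothing, which is the kind of tuning (a threshold and a window) that separates a usable SIEM from one that drowns the team in noise.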
Whatever the size of the healthcare organization, every patient should have peace of mind that their personal information is safe when they step into a provider’s office and fill out a form with their full medical history and personal details. Today’s cyberthreats require new ways of thinking and new tools to protect healthcare organizations against breaches and the resulting loss of company and patient data. It’s time the industry made use of these advanced tools, packaged with the services needed to use them effectively, to stay safer and better protected against relentless attacks, creating a healthier security posture and fostering patient trust.
For more tips and best practices, check out our latest eBook on creating a Healthcare Cybersecurity Plan