The security of a healthcare organization can be as precarious as a row of dominoes: just one weak link in the chain can take down an entire network once an attacker has access. In 2015 alone, the highest-profile healthcare security breaches — Community Health Systems, Anthem and Premera — resulted in the exposure of 96 million personal health records. The impact of the breaches didn’t end there: several network partners of each of those companies were also affected, because information is shared up and down the value chain.
The healthcare industry is increasingly turning to and trusting the cloud, taking advantage of benefits such as cost, scalability and collaboration. According to IDC Health Insights, by 2020, 80 percent of healthcare data will “...pass through the cloud at some point in its lifetime, as providers seek to leverage cloud-based technologies and infrastructure for data collection, aggregation, analytics and decision-making.”
Unfortunately, migration to the cloud will not mitigate the risk of security breaches. If anything, it could increase risk: networks in transition are inherently more exposed to unauthorized access, because security tools and resources are stretched across multiple environments. This creates more opportunities for both external and internal threats.
Defending Against External Threats
Millions of patient records are processed and stored across healthcare networks each year. Hospitals need to be able to search for patient data, doctors need to connect with patients, and hospitals and doctors must communicate and share information. This data, in transit or at rest, is naturally a high-value target for attackers.
The first step when analyzing an organization's vulnerability to external threats is for internal IT teams to ask themselves two important questions:
- Are your systems connected to external command and control applications?
- Do you know the types of reconnaissance and exploitation attempts that are being directed at your servers in the cloud?
Before you can trust that your data will be secure when it flows to any external command and control application, you first need to identify the areas of potential weakness. This goes beyond checking a box: it is the context behind each connection (what is talking to what, and why) that will ultimately instill confidence or raise alarms about the network’s security posture.
Secondly, if internal security teams are unable to identify the types of attack attempts being directed at their servers, whether on-premises or in the cloud, they are essentially monitoring blind.
Additionally, it’s important for healthcare organizations to secure their physical infrastructure. While cloud services are often mentioned in connection with these data breaches, a large majority of healthcare data breaches are actually the result of outsiders taking advantage of an unattended cell phone or laptop. In fact, theft of mobile devices is the most common form of security breach in healthcare. A survey by the Center for Democracy and Technology of 600 U.S. hospital executives, physician organizations, health insurers, and pharmaceutical/life sciences companies found that mobile theft accounted for 66 percent of reported data breaches over the past two years.
Knowing Your Insider Threats
Organizations are often subject to more insider threats and compromised-account incidents than they realize. According to the UK research group Loudhouse, 58 percent of all security incidents can be attributed to company insiders, including current employees (33%), ex-employees (7%) and customers, partners or suppliers (18%). Even if stringent security policies and controls are in place, inside actors can often get past security defenses. This is because, while data may reside deep inside production applications, authorized developers still need access to it. This can lead to accidental (or worse, intentional) leaks of personally identifiable information (PII).
There are two crucial protections against insider threats that all healthcare organizations must implement:
- Strict BYOD Controls
- Bringing Shadow IT into the light
Mobile devices can become a hacker’s vehicle to data access, but non-malicious vulnerabilities are also all too common in the healthcare industry. While most organizations have BYOD policies, these policies do not enforce data encryption. According to the Department of Health & Human Services, 22 percent of healthcare breaches since 2009 were due to unauthorized access via mobile devices. Added to the high occurrence of device theft mentioned above, it’s clear that, more than ever, healthcare organizations need to employ additional security controls for mobile devices, including encryption, secure passwords and app usage monitoring.
Shadow IT occurs when employees deploy a work-related cloud service without requesting permission from IT and use company credentials to sign up for it. Alternatively, employees may also use their company credentials for non-work-related services. This becomes an attacker’s golden ticket to entry, as many employees will not only use their work email to sign up, but may also reuse their work passwords.
Next Steps: Implementing Detection
Healthcare organizations must make data security central to how they manage their information systems today. Using cloud services is not negotiable for most companies, given the fact that these technologies help them meet regulatory mandates (including HIPAA compliance), improve productivity and even provide competitive advantages.
Too often, companies struggle to not only deal with known threats but to predict and protect against the unknown. Luckily, technology has evolved to the point where you don’t need to be able to predict the future to catch security threats.
There are two immediate actions all healthcare organizations can take to reduce their risk of data breaches. The first is to approach employees and partners with trust. Trust your employees, partners, security controls and SaaS applications. Trust that these groups are non-malicious and want to protect sensitive healthcare data as much as the organization does. The next step is to verify this trust. By implementing a continuous monitoring solution and establishing normal, baseline behavior within all data environments – on-premises, in the cloud or even in containers – anomalous behavior can be detected immediately, wherever it occurs.
However healthcare organizations choose to address the constant threat of data breaches, it’s clear to both organizations and patients that a solution is desperately needed. Transitioning to the cloud is a step in the right direction for the future of our healthcare, but not at the risk of our most vulnerable data.
About the Author: As Threat Stack's Chairman & CEO, Brian is passionate about building disruptive technology companies, fueled by innovation and high-performing teams. A seasoned technology executive with nearly two decades of experience, Brian joins Threat Stack from Industrial Defender, where he was Founder and CEO and which he saw through a successful acquisition by Lockheed Martin in April 2014. Additionally, Brian held top management positions at Invensys and Simulation Sciences, Inc., where he engaged in business opportunities around the globe, including a two-year expatriate assignment in Saudi Arabia. Brian holds an Electrical Engineering degree from the University of Vermont.
Edited by Maurice Nagle