The threats to healthcare organizations are unique in that the value of what they’re trying to protect is significantly higher than in other industries. From a purely monetary perspective, medical records, depending upon their completeness, can fetch upwards of $1,000 per record. Contrast that number with credit cards, where the typical value is $30, assuming it’s a “fullz” (hacker slang for a complete credit card record). Monetary perspectives aside, and beyond the value of the data itself, healthcare organizations also need to protect against data tampering.
Over the last few years, many healthcare organizations have interconnected their networks and devices with the cloud. Where a decade ago operating rooms were autonomous, many are now Internet-connected and utilize cloud technologies on the backend. While the focus in the past has been data breaches, the growing future threat is hackers literally holding someone’s life ransom, or worse yet, intentionally modifying medical device data in ways that could result in the loss of life. This is not some dystopian future but rather a present reality with the torrent of new smart hospital technology. So this raises the question: what can healthcare organizations do to keep Protected Health Information (PHI) private?
While there are many ways to keep PHI safe and secure, there are two that we’ll focus on in this article, as they represent what we believe to be the most effective and under-invested areas for reducing the risk of data breaches. The first, and most challenging, is that many healthcare organizations do not have strong data governance programs. This means that they do not have a solid understanding of the data in their possession or where it resides, be it in the cloud, on-premises or on a wearable medical device. Unless healthcare organizations institute strong data governance programs, which track information throughout its lifecycle, they will likely continue to struggle with breaches. Once data is identified, it can be secured with various forms of encryption, and the principle of least privilege can be enforced through a strong Identity and Access Management (IAM) program. The second is device security, which is still very much an emerging area. With the advent of smart devices, which are Internet- and cloud-connected, healthcare organizations need to ensure these devices are secured according to best practices and continually updated with the latest patches. As part of working towards a nationally accepted cybersecurity standard for IoT devices, the National Institute of Standards and Technology (NIST) is working on NISTIR 8200, which is currently in draft status. While this is a great start, healthcare security teams don’t have to wait, as history often holds answers to the future’s questions.
According to data from Privacy Rights Clearinghouse, 52% of reported breaches across industries were from healthcare. This puts healthcare in the #1 spot, far ahead of its closest industry competitor. The most common attack vector is typically phishing. Phishing remains a lucrative method, as hackers have become dramatically better at replicating official-looking emails and evading legacy antivirus controls. Consider Anthem’s 2015 incident, where 78.8 million records were breached. In a post-breach analysis, it was found that a phishing email was the initial point of infection; from there the attacker pivoted to multiple systems, finally gaining access to the data warehouse. Beyond phishing, the healthcare industry continues to see a very high rate of ransomware. In the cases of both phishing and ransomware, enterprises appear to struggle with some of the IT 101 basics. In many instances, both ransomware and phishing are successful due to a combination of unpatched systems and excessive privileges.
The RedLock Cloud Security Intelligence (CSI) team recently discovered that nearly a quarter (24%) of organizations have cloud hosts that are missing high-severity security patches. Additionally, 20% of organizations allow root user accounts (which have unfettered access to systems) to be used to perform non-admin activities. Interestingly enough, the Australian Government has outlined a clear Top 4 strategy to mitigate cyber intrusions, and healthcare organizations would be wise to heed it. The 4 strategies are: application whitelisting, patching applications, patching operating systems and minimizing administrative privileges. The Australian government estimates that implementing the Top 4 can mitigate upwards of 85% of cyber intrusions.
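As an added example (not code from the original article or from RedLock), here is a small Python check for the second finding above: the root account being used for routine, non-admin work. It scans CloudTrail-style audit records; the allowlist of accepted root actions and all sample events are assumptions constructed for this example.

```python
"""Flag cloud root-account use for routine (non-admin) work in
CloudTrail-style audit records. All sample events below are constructed."""
from typing import Iterable, List

# Actions an organisation may accept from the root user (break-glass console
# login, account-level management). Assumption for this example; tune to policy.
ALLOWED_ROOT_ACTIONS = {
    ("signin.amazonaws.com", "ConsoleLogin"),
    ("iam.amazonaws.com", "CreateAccountAlias"),
}


def _event(time, source, name, ident, ip="198.51.100.10"):
    """Build a CloudTrail-shaped record (field names follow CloudTrail)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": ident}


ROOT = {"type": "Root", "accountId": "111122223333"}      # constructed
ANALYST = {"type": "IAMUser", "userName": "phi-analyst",  # constructed
           "accountId": "111122223333"}

SAMPLE_EVENTS = [
    _event("2018-03-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ROOT),
    _event("2018-03-01T10:04:00Z", "s3.amazonaws.com", "GetObject", ROOT),
    _event("2018-03-01T10:09:00Z", "ec2.amazonaws.com", "RunInstances", ROOT),
    _event("2018-03-01T11:00:00Z", "s3.amazonaws.com", "GetObject", ANALYST,
           ip="203.0.113.7"),
]


def find_root_misuse(events: Iterable[dict]) -> List[dict]:
    """One finding per event in which the root identity performed an action
    outside ALLOWED_ROOT_ACTIONS, i.e. work a scoped IAM role should do."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "Root":
            continue  # IAM users and roles are out of scope for this check
        action = (ev.get("eventSource", ""), ev.get("eventName", ""))
        if action in ALLOWED_ROOT_ACTIONS:
            continue
        findings.append({"time": ev.get("eventTime"),
                         "account": ident.get("accountId"),
                         "action": ":".join(action),
                         "source_ip": ev.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for f in find_root_misuse(SAMPLE_EVENTS):
        print(f"{f['time']} root performed {f['action']} from {f['source_ip']}")
```

Each finding is a candidate for moving that workload onto a least-privilege IAM role, which is the "minimizing administrative privileges" item of the Top 4 applied to the cloud account.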
As healthcare organizations move more systems to the cloud, they will need to evaluate their existing controls, as they will likely have large control, visibility and HIPAA security gaps under the cloud’s shared security responsibility model. Healthcare organizations are struggling because they’re not able to lift and shift legacy security tools that don’t speak the language of cloud Application Programming Interfaces (APIs).
Look for security tools that, at a minimum, support Infrastructure-as-a-Service and Platform-as-a-Service clouds (IaaS and PaaS) such as Amazon, Google and Microsoft, as visibility inside cloud environments is typically opaque to security teams. A key technology that healthcare organizations should investigate is User and Entity Behavior Analytics (UEBA). UEBA can help proactively discover threats and changes in user behavior, providing the visibility to detect user-based threats that otherwise may have gone undetected. If you are a healthcare organization contemplating a move to the cloud, or are already there in some capacity, learn more about RedLock’s HIPAA compliance offering, which provides out-of-the-box compliance monitoring and audit reporting, or better yet, schedule a demo to see it in action.