Reports declared 2015 as the year of the healthcare security breach. In fact, data from IBM’s 2016 Cyber Threat Intelligence Index report found healthcare with the highest volume of breaches in 2015, surpassing financial services, manufacturing and retail – which dropped out of the top five list. From 2014 to 2015, the reported number of records compromised in healthcare breaches increased by 1166%.
Why? Healthcare data has a high resale value on the black market, and the consequences of a breach are multilayered. Unlike bank accounts and credit cards, healthcare data never expires and can rarely be ‘cancelled’. Hackers can sell medical reports, hold your data to ransom using ransomware, and steal a person’s identity for virtually ever. The value of a stolen credit card is measured in hours and days before it is shut down, whereas health data remains valuable indefinitely, and ransomware turns the data directly into “cash” (bitcoin), which is far more convenient for an attacker.
From a business perspective, cyberattacks in healthcare often come with a very hefty cost. According to the 2015 Ponemon Institute’s Global Cost of Data Breach study, the average cost of a data breach per capita in healthcare reaches as high as $363 – that’s more than double the average total cost of a data breach.
We’ve already witnessed high profile cases of ransomware and cyber threats targeting institutions in Canada, including hospitals. Now is the time to make advanced cybersecurity a business priority.
Consider these six takeaways to keep your organization’s health in check:
- Follow the principle of least privilege
While outsiders and unauthorized insiders, such as non-medical staff, raise the level of risk, reports identify privileged users whose granted access exceeds their functional needs as the biggest insider threat. Consider an identity and access management approach, backed by behavioral analytics, to identify and manage suspicious user activity.
- Organize your network, test the backups
Access to public and private networks has become harder to manage, especially with Bring-Your-Own-Device (BYOD) policies on the rise. Good auditing practices help here. Given the sensitivity, volume and velocity of the data in transit through health organizations, how people use the network should be considered at the planning stage of IT investments and resources. In addition, newer ransomware can lie low for months, quietly encrypting and decrypting files on the fly so that compromised files make their way into your backups. When it finally pulls the plug, even your backups are useless, so you need a regime of regularly testing your ability to wipe and restore systems successfully.
- Monitor non-IT medical devices
Properly managing today’s surge of mixed data is mandatory. IBM research indicates that the average person is likely to generate more than one million gigabytes of health-related data in their lifetime – that’s equivalent to more than 300 million books. So ensure each device is following its mandate, no matter the volume of information. For instance, a record containing identifying information shouldn’t inadvertently be sent to a server that allows access from mobile devices that could potentially leak confidential data.
- Train your users, respond to warning signs quickly
Many attacks are highly targeted phishing attacks with hand-crafted, believable messages that sail through firewalls without triggering anti-malware systems. That’s why users need to be trained to recognize and understand the ways systems can be compromised. The longer it takes to counter an attack, the more costly and harmful the outcome will be: every extra hour the attack is allowed to progress gives the infiltrators room to escalate it.
- Start looking into SIEM solutions
The volume of security log data your servers, firewalls, anti-malware systems, IDS etc. generate makes it impossible to find the events you care about by hand. SIEM (security information and event management) technologies bring analytics to bear on the problem. Small to medium healthcare organizations find this an expensive prospect, and daunting in terms of skills, but moves to deploy these technologies on a shared-service basis or as a cloud service are making them more accessible.
- Think like a hacker
Don’t be afraid to get a little creative – the bad guys certainly aren’t. Conduct regular penetration tests to identify weaknesses within the organization, and learn from the results you get out of it.
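To make the “test the backups” takeaway concrete, here is an added example (not from the original article) of one check a restore drill can run: compare the restored files against a hash manifest recorded at a known-good time, and flag any file whose byte entropy looks like ciphertext, which is how silently encrypted files that slipped into the backup show up. The entropy threshold, file paths and record contents are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Assumption: ransomware-encrypted output looks like random bytes and so sits near
# 8.0 bits/byte, while plain text and most documents sit well below this threshold.
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict) -> dict:
    """Record SHA-256 of every file at a known-good point, e.g. after a clean restore drill."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_restore(restored: dict, manifest: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare a restored file set against the manifest; flag missing, altered and encrypted-looking files."""
    findings = {"missing": [], "mismatch": [], "suspect_encrypted": []}
    for path, expected in manifest.items():
        if path not in restored:
            findings["missing"].append(path)
            continue
        data = restored[path]
        if hashlib.sha256(data).hexdigest() != expected:
            findings["mismatch"].append(path)
        if shannon_entropy(data) >= threshold:
            findings["suspect_encrypted"].append(path)
    return findings

# Constructed sample data: a known-good file set, and a "restored" set in which one record
# was silently replaced by ciphertext-like bytes and another never made it into the backup.
KNOWN_GOOD = {
    "records/patient_001.txt": b"Patient 001: annual checkup, blood pressure normal.\n" * 20,
    "records/patient_002.txt": b"Patient 002: MRI scheduled, follow-up in six weeks.\n" * 20,
    "records/patient_003.txt": b"Patient 003: prescription renewed, no new symptoms.\n" * 20,
}
RESTORED = {
    "records/patient_001.txt": KNOWN_GOOD["records/patient_001.txt"],
    "records/patient_002.txt": bytes(range(256)) * 8,  # stands in for encrypted content
}

def run_drill() -> dict:
    """One restore drill: build the manifest from the known-good set, verify the restored set."""
    return verify_restore(RESTORED, build_manifest(KNOWN_GOOD))
```

In a real drill the manifest would be written when the backup is taken and the restored set read from the restore target; a hash mismatch on a file nobody edited, or a document that suddenly looks like random bytes, is the signal to investigate before the next backup cycle overwrites the last clean copy.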
Retailers have been making strides in security – and now it’s up to healthcare professionals to do the same. Aside from the significant cost of compromised healthcare records, patients of targeted organizations face a plethora of potential hardships and costs. The ability of attackers to cause immediate harm speaks volumes about the need for the industry to address issues quickly and direct IT security and privacy investments wisely.
Paul C. Lewis is the Executive Consultant in IBM’s North American Security Services leadership team. Prior to his current role, he has served as a senior manager at Deloitte, BearingPoint and IBM in the U.K., as well as managing director for Ethtelligent Consulting, and Fujitsu Consulting. Paul is a seasoned expert in Canadian, U.S. and International privacy and security issues, currently focusing on bringing IT security awareness to healthcare sectors across Canada.