Protected Health Information, or PHI, is increasingly attractive to cybercriminals. According to PhishLabs, health records can fetch as much as 10 times the value of credit card data on the black market.
Stolen healthcare records can be used for fraudulent billing which, unlike financial fraud, can go undetected for long periods of time. The rising price of healthcare records on the market is attracting more cybercriminals, who are exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint device.
We’ve all heard about several devastating data breaches in the healthcare industry this year – Anthem’s breach of more than 78 million records and the Premera Blue Cross breach of 11 million records. In the first quarter of 2015 alone, there have been 87 reported data breaches affecting 500 or more individuals, according to data from US Department of Health and Human Services Office for Civil Rights. These breaches affected a combined total of 92.3 million individuals, up 3,709 percent from Q1 2014.
When Investment Rhymes with Canada
Canada has a proud history of achievement in the areas of science and technology, and the field of biomanufacturing and life sciences is no exception.
Given the mega breaches experienced by Anthem and Premera, one could consider them as outliers. In terms of comparison, excluding the aforementioned breaches would still leave us with a 4.9 percent increase in individuals affected in the first quarter of 2015 versus the same quarter in 2014. Although the first three months of 2014 saw three more data breaches than what has occurred in 2015, it is clear that the number of individuals affected per breach is on the rise.
2015 is the year of the “hack”, but people are still the root cause.
In the first quarter of the year, 33 percent of data breaches were attributed to hacking or an “IT incident,” but the methods by which cybercriminals have successfully penetrated corporate networks are quite telling. These breaches have originated from unencrypted data, unpatched systems, or compromised passwords. In 2015, several hacking incidents have been tracked back to the compromise of a single set of credentials.
The Verizon 2015 Data Breach Investigations Report analyzed nearly 80,000 security incidents including 2,122 confirmed data breaches. Its findings reveal that despite the rise in cyberattacks, 90 percent of security incidents are tied back to people and their mistakes including phishing, bad behavior, or lost devices. The report notes that, even with a detailed technical report of a security incident, the “actual root cause typically boils down to process and human decision-making.” This is frightening but also good news, as there are measures that can be taken to reduce these risks by improving upon process and education, complemented by the right data security solutions.
It’s not all about the network
Healthcare organizations reacting to data breach headlines may focus efforts on protecting the network, leaving data vulnerable to other attack vectors and overlooking the people and process risks that ultimately result in most data breaches.
Cyberattacks come from many different vector points. It only takes one missing device, one use of unsecured WiFi, one compromised password, one click of a phishing email to compromise the entire corporate network. Many of these risks, which originate on the endpoint, put corporate network at risk. Current data security strategies in healthcare cannot be network versus endpoint, nor can they ignore the “people” risk that is only amplified by such trends as BYOD, mobile work, the cloud, and the Internet of Things.
A holistic approach to healthcare security
If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals – breaches will continue to occur. Healthcare organizations that want to get ahead of cybercriminals need to create a holistic approach to data security that incorporates threat prevention, incident detection, and efficient response.
Reduce “the attack surface”
Every point of interaction with PHI puts that data at risk. Reducing the sum total of these points of interaction – the attack surface – can reduce the risk to the data. I suggest a layered approach to data security which decreases the attack surface across endpoints as well as the network, including:
- A foundation of tight controls and processes;
- Encryption is a must, but on its own is often circumvented;
- Supplement encryption with a persistent technology that will provide a connection with a device, regardless of user or location while defeating attempts to remove the technology;
- Network segmentation is key — granular access controls and tools for continuous monitoring offer real-time intelligence about the devices on the network and the security status of these systems;
- Automate security remediation activities such as setting new firewall rules or locking down a suspicious device in the case of suspicious activities.
Minimize the “people” risk
You can have the best firewalls, encryption and network access controls, but your employees are still your weakest link. Using a combination of process (education and interactive ongoing training) and technology (such as mobile device management), employees should be aware of their part in protecting corporate data on endpoints.
Know how to detect anomalies
Conduct regular security audits on the network and endpoints. Know where your sensitive data resides and how it’s being used (or misused, in the case of employees) with the aid of a data loss prevention (DLP) tool. Most DLP and endpoint security tools can create automated alerts for suspicious activity.
Develop and maintain an incident response plan
With clear procedures in place to pursue anomalies and to escalate breach situations, potential risks can be addressed promptly and effectively. With many false positives, skilled IT personnel need to connect the dots (such as a user name change, unauthorized physical changes to the device or the device location, software vulnerabilities, registry changes or unusual system processes) and spot a true security incident quickly. Ensure your endpoint security supports remote actions such as data delete and device freeze.
With data regulations tightening, and healthcare data breaches escalating, don’t give cybercriminals an easy “in” to your organization. Trim the sails and batten the hatches to weather the oncoming storm of cyberattacks with a holistic approach to data security.
The more layers of protection you have in place, the better chance you have of avoiding a breach. Just as sailors can make or break a ship’s success in a storm, your employees are your first line of defense in preventing and detecting a data breach incident. If an incident is discovered, an efficient response plan can help your organization stay afloat in the muddy and complex waters of compliance.
About Stephen Treglia
As Legal Counsel at Absolute Software, Stephen Treglia provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team who conduct data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the US regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory bodies.
