
Feeling the Pulse of Cyber Security in Healthcare

The most recent headlines about data breaches at a broad range of healthcare providers and their third-party vendors (e.g., Legacy Health, LabCorp Diagnostics, Med Associates, LifeBridge Health, ATI Physical Therapy) demonstrate that the healthcare market continues to be a lucrative target for cyber adversaries.

This is not surprising, considering that the industry deals with a vast amount of highly sensitive data which needs to remain current and accurate, as life or death decisions may depend on it. In turn, healthcare records are a hot commodity on the Dark Web, often going for a far higher price than credit cards. This raises the question of what healthcare providers can do to limit their exposure to data exfiltration, while fulfilling their stringent regulatory obligations.

The healthcare market has changed dramatically over the last decade, as many providers transitioned from paper-based to digital systems. As part of these modernization efforts and the desire to provide better and more efficient patient care, many healthcare providers plan to offer telehealth services. Telehealth presents the same security issues as any other online transmission, such as the integrity of the connection and the need for protection of the data.

The State of Cyber Security in Healthcare

The privacy and security concerns associated with digital patient records make the healthcare industry one of the most regulated industries in the United States. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act create a much higher standard of scrutiny than in other verticals with regard to privacy and disclosure requirements.

However, being compliant doesn’t mean you’re secure. Traditionally, healthcare providers’ mission is to save lives. As a result, IT security departments are typically not a top priority when it comes to budget dollars and are often chronically understaffed. This explains why many healthcare IT environments are outdated and consequently woefully unprepared to deal with cyber-attacks, which increases the risk of compromise situations such as an employee unintentionally leaking data (e.g., mis-delivery of email, loss of computer, data entry error), physical theft, malware, and social engineering. According to the 2018 Verizon Protected Health Information Data Breach Report (PDF), misuse is the common root cause of data breaches in the healthcare market. In 66 percent of incidents, the threat actor is misusing privileged credentials to gain unauthorized access to data.

Fighting the Enemy from Within

Verizon’s report also concludes that the healthcare industry is the only industry in which internal actors are the biggest threat to an organization: 58 percent of incidents involve insiders compared to just 42 percent tied to external actors. Considering the working conditions and low wages in the healthcare industry, these numbers might not be as surprising when put into the context of potential financial gains, which is the primary motive for data breaches in this vertical.

On the Dark Web, complete medical records (e.g., patient’s name, birthdate, social security number, and medical information) can sell for as much as $50 per individual, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. Medical records can be leveraged for a wide variety of nefarious purposes, ranging from healthcare fraud and identity theft (to open a new line of credit) to blackmail and extortion.

So what safeguards should be put in place to minimize the risk of exposure to external or internal threat actors? There are four rudimentary measures healthcare providers should apply to strengthen their security posture:

• Employee Security Awareness Training – Drive cultural change in the organization to incorporate security practices into day-to-day operations and secure the financial resources required to implement them. Frequently train employees and partners’ employees to minimize the risk of phishing attacks and social engineering.

• Data Encryption – The theft or misplacement of unencrypted devices continues to contribute to data breaches in the healthcare market. In this context, data encryption is both an effective and low-cost method of keeping sensitive data out of the hands of bad actors. Data encryption can also mitigate the consequences of physical theft of assets.

• Use of Multi-Factor Authentication – Supplement passwords with multi-factor authentication (MFA). Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. MFA should be used everywhere, meaning not just for end user access to applications, but across every user (end users, privileged users, contractors, and partners), and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers).

• Enforce Least Access and Privilege – Considering the high percentage of privileged access misuse in the healthcare industry, it is essential to limit access and privilege by applying a Zero Trust Security approach. This entails establishing granular, role-based access controls to limit lateral movement, as well as just-enough and just-in-time privilege to applications and infrastructure.

By implementing these measures, healthcare organizations can limit their exposure to both internal and external cyber threats, while fulfilling their stringent regulatory obligations. Solving the security challenges healthcare providers face will fuel faster growth, enable further digital transformation, and ultimately result in enhanced patient care and data protection. 

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
