Feeling the Pulse of Cyber Security in Healthcare

The most recent headlines about data breaches at a broad range of healthcare providers and their third-party vendors (e.g., Legacy Health, LabCorp Diagnostics, Med Associates, LifeBridge Health, ATI Physical Therapy) demonstrate that the healthcare market continues to be a lucrative target for cyber adversaries.

This is not surprising, considering that the industry deals with a vast amount of highly sensitive data which needs to remain current and accurate, as life or death decisions may depend on it. In turn, healthcare records are a hot commodity on the Dark Web, often going for a far higher price than credit cards. This raises the question of what healthcare providers can do to limit their exposure to data exfiltration, while fulfilling their stringent regulatory obligations.

The healthcare market has changed dramatically over the last decade, as many providers transitioned from paper-based to digital systems. As part of these modernization efforts and the desire to provide better and more efficient patient care, many healthcare providers plan to offer telehealth services. Telehealth presents the same security issues as any other online transmission, such as the integrity of the connection and the need for protection of the data.

The State of Cyber Security in Healthcare

The privacy and security concerns associated with digital patient records make the healthcare industry one of the most regulated industries in the United States. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act create a much higher standard of scrutiny than in other verticals with regard to privacy and disclosure requirements.

However, being compliant doesn’t mean you’re secure. Traditionally, healthcare providers’ mission is to save lives. As a result, IT security departments are typically not a top priority when it comes to budget dollars and are often chronically understaffed. This explains why many healthcare IT environments are outdated and consequently woefully unprepared to deal with cyber-attacks, which increases the risk of compromise situations such as an employee unintentionally leaking data (e.g., mis-delivery of email, loss of computer, data entry error), physical theft, malware, and social engineering. According to the 2018 Verizon Protected Health Information Data Breach Report (PDF), misuse is the common root cause of data breaches in the healthcare market. In 66 percent of incidents, the threat actor is misusing privileged credentials to gain unauthorized access to data.

Fighting the Enemy from Within

Verizon’s report also concludes that the healthcare industry is the only industry in which internal actors are the biggest threat to an organization ― 58 percent of incidents involve insiders compared to just 42 percent tied to external actors. Considering the working conditions and low wages in the healthcare industry, these numbers might not be as surprising when put into context of potential financial gains, which is the primary motive for data breaches in this vertical.

On the Dark Web, complete medical records (e.g., patient’s name, birthdate, social security number, and medical information) can sell for as much as $50 per individual, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. Medical records can be leveraged for a wide variety of nefarious purposes, ranging from healthcare fraud and identity theft (to open a new line of credit) to blackmail and extortion.

So what safeguards should be put in place to minimize the risk of exposure to external or internal threat actors? There are four rudimentary measures healthcare providers should apply to strengthen their security posture:

• Employee Security Awareness Training – Drive cultural change in the organization to incorporate security practices into day-to-day operations and secure the financial resources required to implement them. Frequently train employees and partners’ employees to minimize the risk of phishing attacks and social engineering.

• Data Encryption – The theft or misplacement of unencrypted devices continues to contribute to data breaches in the healthcare market. In this context, data encryption is both an effective and low-cost method of keeping sensitive data out of the hands of bad actors. Data encryption can also mitigate the consequences of physical theft of assets.

• Use of Multi-Factor Authentication – Supplement passwords with multi-factor authentication (MFA). Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. MFA should be used everywhere, meaning not just for end user access to applications, but across every user (end users, privileged users, contractors, and partners), and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers).

• Enforce Least Access and Privilege – Considering the high percentage of privileged access misuse in the healthcare industry, it is essential to limit access and privilege by applying a Zero Trust Security approach. This entails establishing granular, role-based access controls to limit lateral movement, as well as just-enough and just-in-time privilege to applications and infrastructure.

By implementing these measures, healthcare organizations can limit their exposure to both internal and external cyber threats, while fulfilling their stringent regulatory obligations. Solving the security challenges healthcare providers face will fuel faster growth, enable further digital transformation, and ultimately result in enhanced patient care and data protection. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
