Security Experts:

Feeling the Pulse of Cyber Security in Healthcare

The most recent headlines about data breaches at a broad range of healthcare providers and their third-party vendors (e.g., Legacy Health, LabCorp Diagnostics, Med Associates, LifeBridge Health, ATI Physical Therapy) demonstrate that the healthcare market continues to be a lucrative target for cyber adversaries.

This is not surprising, considering that the industry deals with a vast amount of highly sensitive data which needs to remain current and accurate, as life or death decisions may depend on it. In turn, healthcare records are a hot commodity on the Dark Web, often going for a far higher price than credit cards. This raises the question of what healthcare providers can do to limit their exposure to data exfiltration, while fulfilling their stringent regulatory obligations.

The healthcare market has changed dramatically over the last decade, as many providers transitioned from paper-based to digital systems. As part of these modernization efforts and the desire to provide better and more efficient patient care, many healthcare providers plan to offer telehealth services. Telehealth presents the same security issues as any other online transmission, such as the integrity of the connection and the need for protection of the data.

The State of Cyber Security in Healthcare

The privacy and security concerns associated with digital patient records make the healthcare industry one of the most regulated industries in the United States. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act create a much higher standard of scrutiny than other verticals with regards to privacy and disclosure requirements.

Healthcare Information SecurityHowever, being compliant doesn’t mean you’re secure. Traditionally, healthcare providers’ mission is to save lives. As a result, IT security departments are typically not a top priority when it comes to budget dollars and are often chronically understaffed. This explains why many healthcare IT environments are outdated and consequently woefully unprepared to deal with cyber-attacks, which increases the risk of compromise situations such as an employee unintentionally leaking data (e.g., mis-delivery of email, loss of computer, data entry error), physical theft, malware, and social engineering. According to the 2018 Verizon Protected Health Information Data Breach Report (PDF), misuse is the common root cause of data breaches in the healthcare market. In 66 percent of incidents, the threat actor is misusing privileged credentials to gain unauthorized access to data.

Fighting the Enemy from Within

Verizon’s report also concludes that the healthcare industry is the only industry in which internal actors are the biggest threat to an organization ― 58 percent of incidents involve insiders compared to just 42 percent tied to external actors. Considering the working conditions and low wages in the healthcare industry, these numbers might not be as surprising when put into context of potential financial gains, which is the primary motive for data breaches in this vertical.

On the Dark Web, complete medical records (e.g., patient’s name, birthdate, social security number, and medical information) can sell for as much as $50 per individual, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. Medical records can be leveraged for a wide variety of nefarious purposes, ranging from healthcare fraud, identity theft to open a new line of credit to blackmail and extortion.

So what safeguards should be put in place to minimize the risk of exposure to external or internal threat actors? There are four rudimentary measures healthcare providers should apply to strengthen their security posture:

• Employee Security Awareness Training - Drive cultural change in the organization to incorporate security practices into day-to-day operations and secure the financial resources required to implement them. Frequently train employees and partners’ employees to minimize the risk of phishing attacks and social engineering.

• Data Encryption - The theft or misplacement of unencrypted devices continues to contribute to data breaches in the healthcare market. In this context, data encryption is both an effective and low-cost method of keeping sensitive data out of the hands of bad actors. Data encryption can also mitigate the consequences of physical theft of assets.

• Use of Multi-Factor Authentication - Supplement passwords with multi-factor authentication (MFA). Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. MFA should be used everywhere, meaning not just for end user access to applications, but across every user (end users, privileged users, contractors, and partners), and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers).

• Enforce Least Access and Privilege - Considering the high percentage of privileged access misuse in the healthcare industry, it is essential to limit access and privilege by applying a Zero Trust Security approach. This entails establishing granular, role-based access controls to limit lateral movement, as well just enough, and just-in-time privilege to applications and infrastructure.

By implementing these measures, healthcare organizations can limit their exposure to both internal and external cyber threats, while fulfilling their stringent regulatory obligations. Solving the security challenges healthcare providers face will fuel faster growth, enable further digital transformation, and ultimately result in enhanced patient care and data protection. 

view counter
Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).