Healthcare and the Other CIA

For IT professionals, the acronym “CIA” refers to the Confidentiality, Integrity and Availability of information, not the Central Intelligence Agency. However, given the current threat level to data security, IT teams may wish they could get a little help from people with intelligence community tradecraft experience. 

Healthcare has become a prime target for what amounts to data espionage. According to the U.S. Department of Health and Human Services, there were 618 breaches and attacks serious enough to affect at least 500 people in 2021, and there’s no reason to think 2022 will be any better. 

Two specific types of exploits are being seen with disturbing frequency. The first is out-and-out theft of patient records for financial gain. A typical example is the breach of a third-party system from Dental Care Alliance. This exploit impacted more than 1 million patients, 10% of whom had their bank account numbers stolen. 

The second type of exploit is ransomware, which is even more devastating, because an inability to access patient data can put patients' lives at risk. There are plenty of statistics available about the increasing number of ransomware attacks on hospitals and healthcare systems in general, but the most frightening development is the rise of Ransomware-as-a-Service (RaaS). Anyone reading this article could log on to the dark web and easily obtain ransomware capabilities. 

More sophisticated RaaS systems are priced in the thousands of dollars, but many of them come with commercial-style features like 24/7 technical support. And the rewards of a successful attack can be huge. In 2021, IBM reported the average cost of a cyberattack to a healthcare system to be $4.62 million per incident, much of which went into attackers’ pockets.

To sum up, healthcare systems are attractive targets and the means to attack them are more available than ever.

Fortunately, effective defenses do exist. Many of them work quite well, but they all come with pluses and minuses. Here’s a summary: 

● Training: When employees are trained to avoid risky behavior, such as clicking on links in an email from an unknown source, the threat of attack is reduced. However, human error is a fact of life, and no amount of training can ensure employees will never make a mistake.

● Upgrades: Software updates often include important security improvements along with other features. However, upgrades can be complicated to install, require testing, and are notorious for crashing systems. Recently, the installation of a recommended update from an international software vendor resulted in a major incident that took down 20 National Health Service IT systems in the UK. 

● Cybersecurity software: A wide (and sometimes confusing) variety of applications are available to detect and mitigate cyber attacks, and in general they work. Unfortunately, they are often beyond the budget of healthcare organizations. They sometimes have steep learning curves and are typically incompatible with one another. Also, because the cybercrime community is constantly evolving new forms of attack, these applications can quickly become outdated.  

● Best Practices: Adopting best practices such as end-to-end encryption, role-based access and least-privileged access controls, mandatory password updates and the like all contribute to data security. However, all of these require a significant commitment of resources for administration, and can introduce significant friction into the system.

Recently, a new approach to data security has emerged that should be extremely attractive to health care organizations for its low cost, ease of use and effectiveness: obfuscation, sometimes referred to as security through obscurity. In simple terms, obfuscation technology creates a path to data and applications residing in commercial clouds that cannot be traced. Offered as a service, obfuscation lets users interact with data (or one another) with one click inside their familiar browser. 

Obfuscation is becoming more and more relevant to healthcare organizations because of their increasing adoption of cloud technology. In one recent survey, 60 percent of IT executives in healthcare said they were migrating to the cloud by adopting a hybrid approach, and 82 percent relied on the cloud in some way or another. Obfuscation can make healthcare data in commercial or private clouds invisible. 

The battle between the attackers and defenders of data, in healthcare and everywhere else, is bound to continue. As the defenses become stronger and more robust, the weapons of attack will continually improve. Obfuscation provides a means of avoiding this endless battle altogether by simply hiding.

Gordon Lawson is CEO of NetAbstraction, a company that specializes in network privacy, non-attribution and obfuscation for enterprises worldwide. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.