Healthcare and the Other CIA

For IT professionals, the acronym “CIA” refers to the Confidentiality, Integrity and Availability of information, not the Central Intelligence Agency. However, given the current threat level to data security, IT teams may wish they could get a little help from people with intelligence community tradecraft experience. 

Healthcare has become a prime target for what amounts to data espionage. According to the U.S. Department of Health and Human Services, there were 618 breaches and attacks serious enough to affect at least 500 people in 2021, and there’s no reason to think 2022 will be any better. 

Two specific types of exploits are being seen with disturbing frequency. The first is out-and-out theft of patient records for financial gain. A typical example is the breach of a third-party system from Dental Care Alliance. This exploit impacted more than 1 million patients, 10% of whom had their bank account numbers stolen.

The second type of exploit is ransomware, which is even more devastating, because the inability to access patient data can put patients' lives at risk. There are plenty of statistics available about the increasing number of ransomware attacks on hospitals and healthcare systems in general, but the most frightening development is the rise of Ransomware-as-a-Service (RaaS). Anyone reading this article could log on to the dark web and easily obtain ransomware capabilities.

More sophisticated RaaS systems are priced in the thousands of dollars, but many of them come with commercial-style features like 24/7 technical support. And the rewards of a successful attack can be huge. In 2021, IBM reported the average cost of a cyberattack to a healthcare system to be $4.62 million per incident, much of which went into attackers’ pockets.

To sum up, healthcare systems are attractive targets and the means to attack them are more available than ever.

Fortunately, effective defenses do exist. Many of them work quite well, but they all come with pluses and minuses. Here’s a summary: 

● Training: When employees are trained to avoid risky behavior, such as clicking on links in an email from an unknown source, the threat of attack is reduced. However, human error is a fact of life, and no amount of training can ensure employees will never make a mistake.

● Upgrades: Software updates often include important security improvements along with other features. However, upgrades can be complicated to install, require testing, and are notorious for crashing systems. Recently, the installation of a recommended update from an international software vendor resulted in a major incident that took down 20 National Health Service IT systems in the UK. 

● Cybersecurity software: A wide (and sometimes confusing) variety of applications are available to detect and mitigate cyber attacks, and in general they work. Unfortunately, they are often beyond the budget of healthcare organizations. They sometimes have steep learning curves and are typically incompatible with one another. Also, because the cybercrime community is constantly evolving new forms of attack, these applications can quickly become outdated.  

● Best Practices: Adopting best practices such as end-to-end encryption, role-based access and least-privileged access controls, mandatory password updates and the like all contribute to data security. However, all of these require a significant commitment of resources for administration, and can introduce significant friction into the system.

Recently, a new approach to data security has emerged that should be extremely attractive to healthcare organizations for its low cost, ease of use and effectiveness: obfuscation, sometimes referred to as security through obscurity. In simple terms, obfuscation technology creates a path to data and applications residing in commercial clouds that cannot be traced. Offered as a service, obfuscation lets users interact with data (or one another) with one click inside their familiar browser.

Obfuscation is becoming more and more relevant to healthcare organizations because of their increasing adoption of cloud technology. In one recent survey, 60 percent of IT executives in healthcare said they were migrating to the cloud by adopting a hybrid approach, and 82 percent relied on the cloud in some way or another. Obfuscation can make healthcare data in commercial or private clouds invisible. 

The battle between the attackers and defenders of data, in healthcare and everywhere else, is bound to continue. As the defenses become stronger and more robust, the weapons of attack will continually improve. Obfuscation provides a means of avoiding this endless battle altogether by simply hiding.

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.
