Guest post by Santosh Varughese, president, Cognetyx.
The U.S. healthcare industry is under siege from cyber criminals who are determined to access patient and employee data. Information security think tank Ponemon Institute’s most recent report on healthcare cyber security, published in May 2016, revealed some sobering statistics:
- In the past two years, 89 percent of healthcare organizations – and 60 percent of their business associates (or BAs) – experienced at least one data breach, with 79 percent experiencing two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. These breaches have not declined since Ponemon began tracking them in 2010.
- The average cost of a healthcare data breach is about $2.2 million.
- Criminal attacks, from outside the organization or from malicious insiders, account for half of all healthcare data breaches, the other half being due to mistakes by employees or BAs.
- The majority of respondents (69 percent of healthcare organizations and 63 percent of BAs) feel that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, the majority of respondents reported that their organizations had either decreased their cyber security budgets or kept them the same.
Another study, conducted in April by IBM, found similar problems, as well as insufficient employee training on cybersecurity best practices and a lack of commitment to information security from executive management.
With only about 10 percent of healthcare organizations not having experienced a data breach, hackers are clearly winning the healthcare data security war. However, there are proactive steps that the healthcare industry can take to turn the tide in its favor.
Data Security Starts with a Culture of Security Awareness
Both the IBM and Ponemon studies highlight an issue that experts have been talking about for some time: despite increasing dangers to information security, many healthcare organizations simply do not take cybersecurity seriously. Digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records, and when it finally did so, it implemented them rapidly without providing employees adequate training on information security procedures.
Unfortunately, many front-line employees feel their only job is to treat patients and that information security is “the IT department’s problem.” These employees fail to grasp the importance of data security and are not educated on the dangers of patient data breaches, which is reflected in Ponemon’s finding that employee mistakes account for half of all healthcare data breaches.
The healthcare industry needs to adjust this attitude toward cybersecurity and implement a comprehensive and ongoing information security training program, and cultivate a culture of security awareness. Information security should be included in every organization’s core values, right beside patient care. Employees should be taught that data security is part of everyone’s job, and all supervisors – from the C-suite down to the front line – should model data security best practices.
Additionally, organizations should implement physical security procedures to secure network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure areas.
Behavior Analysis: The Game-Changer
However, employees are only human, and humans make mistakes. Regardless of how stringent and thorough security protocols are, inevitably, someone will decide to break the rules “just this once.” Additionally, malicious insiders who purposefully violate procedures will always be a threat. Therefore, technological defenses must be employed as well.
Common defenses in the data security war include firewalls and ensuring that the organization’s operating systems, software, and anti-virus packages are up to date. However, these defenses fail when hackers use legitimate credentials to access systems – something that, according to a Verizon study, happens in 95 percent of data breaches, including the notorious Anthem breach that compromised the private information of 80 million individuals. In the Anthem case, hackers stole the login credentials of five IT employees, including a system administrator. Using this login information, they were able to access the company’s database and steal patient data. The attackers remained in the system, undetected, for several weeks, until the system administrator noticed someone else had been logging in using his credentials. Had he not stumbled upon the problem, the breach might have continued for some time.
Many organizations employ network surveillance techniques in an attempt to head off the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry has been employing for years to detect credit card fraud. Behavior analysis is a cutting-edge, continually evolving field that combines artificial intelligence with machine learning algorithms to create “ambient,” always-on network surveillance that can catch user deviations that humans would miss. It can be used not only to stop outside hackers and malicious insiders but also to flag problem employees who continually violate cybersecurity policy.
The technology is advanced, but the core concept is simple: First, a baseline pattern of user behavior is established. Then, any actions that deviate from that behavior, such as logging in from a new location or accessing a part of the system the user normally doesn’t access, are flagged. Depending on the problem, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate the issue.
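As an added illustration (not code from this post or from Cognetyx), here is a minimal version of the baseline-then-flag logic described above, run over constructed access events; the two-hour tolerance on login time and the thresholds for stepping up authentication versus blocking are assumptions.

```python
from collections import defaultdict

# Constructed sample access events (not real data): (user, location, resource, hour)
HISTORY = [
    ("sysadmin", "HQ-LAN", "db-admin-console", 9),
    ("sysadmin", "HQ-LAN", "db-admin-console", 10),
    ("sysadmin", "HQ-LAN", "ticketing", 14),
    ("sysadmin", "HQ-LAN", "db-admin-console", 16),
    ("nurse1", "ward-3", "ehr-charting", 7),
    ("nurse1", "ward-3", "ehr-charting", 19),
    ("nurse1", "ward-4", "ehr-charting", 8),
]


def build_baseline(events):
    """Per-user baseline: the locations, resources and login hours seen so far."""
    base = defaultdict(lambda: {"locations": set(), "resources": set(), "hours": set()})
    for user, loc, res, hour in events:
        base[user]["locations"].add(loc)
        base[user]["resources"].add(res)
        base[user]["hours"].add(hour)
    return base


def score_event(baseline, event):
    """Return the list of ways this event deviates from the user's baseline."""
    user, loc, res, hour = event
    b = baseline.get(user)
    if b is None:
        return ["unknown user"]  # no history at all: cannot be baseline behavior
    deviations = []
    if loc not in b["locations"]:
        deviations.append("new location")
    if res not in b["resources"]:
        deviations.append("new resource")
    # Circular distance on a 24-hour clock; assumed tolerance of two hours
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in b["hours"]):
        deviations.append("unusual hour")
    return deviations


def decide(deviations):
    """Map deviations to the post's responses: allow, step-up auth, or block."""
    if not deviations:
        return "allow"
    if "unknown user" in deviations or len(deviations) >= 2:
        return "block pending administrator review"
    return "require additional authentication"
```

A stolen-credential login from an unfamiliar network at an unusual hour, as in the Anthem case described above, accumulates two deviations and is blocked rather than silently allowed.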
While the logic of how to detect malicious insiders has long been sound and easy to articulate, only recently has the technology advanced to the point where such a goal could be achieved. Machine learning can sort through large amounts of data to establish patterns and detect anomalies. The continually declining cost of storage and processing power from cloud computing giants, such as Amazon Web Services and others, has finally made the dream of AI a reality.
The healthcare data security war can be won, but it will require action and commitment from the industry. In addition to allocating adequate human and monetary resources to information security and training employees on best practices, the industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of login credentials by criminal outsiders or malicious insiders and the most powerful weapon the healthcare industry has in its war against cybercriminals.