Guest post by Joseph Schorr, director of advanced security solutions, Bomgar.
Moving into 2016, healthcare organizations will continue to be one of the most attractive targets for hackers. Last year, attacks against healthcare organizations were up 125 percent from 2010 and cost the industry $6 billion, according to the Ponemon Institute.
As illustrated in the Anthem and Excellus Blue Cross Blue Shield data breaches, hackers are moving beyond phishing attacks and random malware drops, and adopting methods that are more sophisticated. By leveraging third-party access and privileged account credentials (such as those held by IT security professionals, IT managers and database administrators) to exploit IT systems, hackers can gain an unrestricted and unmonitored attack foothold on the network. Once they have this foothold, they are remaining inside the victim’s environment for an incredible span of time – on average more than 200 days.
With this trend continuing, healthcare organizations can expect to see an uptick in these types of attacks within the industry. To combat this rise, healthcare organizations will need to focus on shoring up IT security around vendors and other third parties in the year ahead. The following are areas where they can concentrate attention to aid in this effort:
Reevaluate the legacy
In particular, third parties such as vendors are particularly juicy targets because they often use VPN and other legacy access methods to access systems. Examining and implementing more secure, sophisticated remote access and privileged access solutions is a good place to start strengthening IT security for the new year.
It’s a common misconception that VPN is a secure way to provide third-party vendors with network access. The problem lies in that an organization cannot ensure that third-party vendors’ security policies and practices are as strenuous as internal practices. If a criminal compromises a valid VPN connection, they have an open tunnel to an organization’s network and the sensitive data within.
Be in control
For too many healthcare organizations, vendors have more access than they need or their access can’t be monitored or restricted. It’s a scary question: Does your IT department know who their privileged users are and what level of IT permissions they have? If not, taking stock of those users, the systems to which they need access, and when they must access them is a critical undertaking for 2016. Following that, the organization can set access parameters that allow those privileged users to be productive and gain access to tools, data and systems they need to do their jobs, while limiting risk. Proactively controlling and monitoring access to critical systems can help tighten IT security within healthcare organizations.
Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends taking presence in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets, however too many firms focus on security for HIPAA compliancy and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare like smartphones and tablets have also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organization hope to safeguard patient records.
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats. Continue Reading
Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.
The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.
This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.
Current data security climate
Even still, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause for a breach is a lost or stolen computing device that houses PHI. The survey also found that:
Unrestricted database administrator (DBA) access heightens risk: 73 percent of DBAs can view all data.
Data compromise/theft remains rampant: 50 percent of respondents say data has been compromised or stolen by a malicious insider such as a privileged user.
Organizations are under-coping:68 percent have difficulty restricting user access to sensitive data, 66 percent have difficulty complying with privacy/data protection regulations and 55 percent lack confidence that they would even detect data theft/loss from their own production environments.