By Ilia Sotnikov, vice president of product management, Netwrix.
On February 21, UConn Health reported that personally identifiable information (PII) from 326,000 patients was compromised. A malicious third party illegally gained access to several employee email accounts that contained patient names, dates of birth, Social Security numbers, addresses, and limited medical information, such as billing and appointment information.
What is most important about this data breach is that the hackers were not necessarily looking for patient medical records — they seem to have been looking for any personal information they could steal. That vividly illustrates the importance of having stringent policies to protect PII, supported by employee training on best security practices. Specifically, there are three lessons to learn from this event if you want to mitigate your risk of suffering a similar breach.
Lesson #1. Classify your sensitive data
The 2018 Netwrix IT Risks Report shows that healthcare organizations generally lack proper data governance practices and rarely check what data they store and how sensitive it is. The majority of respondents classify data based on its sensitivity (61 percent) and clean up unnecessary data (67 percent) only once a year or even less often.
It’s estimated that by 2020, each person will generate 1.7 MB of data every second. However, not all of that data needs special protection. Therefore, an effective strategy is to develop a data classification policy to discover all the data you have and classify it according to your organization’s needs. That way, you can prioritize your security efforts on the data that deserves it the most. At the same time, you can eliminate duplicate and unneeded files, which will reduce your attack surface and lower your storage and backup costs.
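The discovery-and-classification step described above, as an added illustration that is not part of the original article or of any Netwrix product: a small scanner that walks a set of files, looks for the kinds of PII named in the UConn Health breach (Social Security numbers and dates of birth), assigns a sensitivity label by a simple policy, and groups byte-identical duplicates by content hash so they can be removed. The file contents, the regular expressions, and the three-tier label scheme are all constructed assumptions for the example; a real policy would add more data types and would read files from the share rather than from a dictionary.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for a file share: path -> file content.
SAMPLE_FILES = {
    "billing/invoice_1042.txt": "Patient: Jane Roe, DOB 04/12/1971, SSN 123-45-6789, balance due $240",
    "billing/invoice_1042 (copy).txt": "Patient: Jane Roe, DOB 04/12/1971, SSN 123-45-6789, balance due $240",
    "scheduling/appointments.txt": "Jane Roe 04/12/1971 - follow-up Tuesday 10:00; John Doe 11/30/1965 - intake",
    "marketing/newsletter.txt": "Our new wellness programme launches next month.",
}

# Detectors for the PII types in scope (assumed formats: US SSN, MM/DD/YYYY dates).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
}


@dataclass
class Finding:
    path: str
    label: str          # restricted / confidential / internal
    hits: dict          # pattern name -> number of matches
    digest: str         # SHA-256 of the content, used for duplicate detection


def classify(content: str) -> tuple[str, dict]:
    """Assign a sensitivity label from which PII patterns appear in the content.

    Policy (an assumption for this example): anything holding an SSN is
    'restricted'; anything with only dates of birth is 'confidential';
    everything else is 'internal'.
    """
    hits = {name: len(rx.findall(content)) for name, rx in PATTERNS.items()}
    if hits["ssn"]:
        return "restricted", hits
    if hits["dob"]:
        return "confidential", hits
    return "internal", hits


def scan(files: dict[str, str]) -> list[Finding]:
    """Classify every file and record its content hash."""
    findings = []
    for path, content in files.items():
        label, hits = classify(content)
        digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
        findings.append(Finding(path, label, hits, digest))
    return findings


def find_duplicates(findings: list[Finding]) -> dict[str, list[str]]:
    """Group paths whose contents are byte-identical (same SHA-256)."""
    by_digest: dict[str, list[str]] = {}
    for f in findings:
        by_digest.setdefault(f.digest, []).append(f.path)
    return {d: paths for d, paths in by_digest.items() if len(paths) > 1}


def labels_by_path(findings: list[Finding]) -> dict[str, str]:
    return {f.path: f.label for f in findings}


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f.label:12} {f.path}  hits={f.hits}")
    for digest, paths in find_duplicates(results).items():
        print(f"duplicate group {digest[:12]}: {paths}")
```

The point of keeping `classify` separate from `scan` is that the labelling policy is the part that changes per organization; the walk-and-hash step stays the same. Duplicate groups are reported rather than deleted, so a human decides which copy survives.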
Lesson #2. Put adequate security controls in place
Once you understand which data is critical, you need to protect it. First, make sure you can detect the signs of an attack as early as possible, ideally before data exfiltration starts. The Netwrix report shows that 44% of organizations don’t know how users deal with their sensitive files. Continuous monitoring will help you quickly spot spikes in user activity, such as a large number of failed access attempts, a suspiciously high number of file modifications, or unusual access to the company’s sensitive data, any of which can be a sign of an attack. Second, remember that there is always a risk that an employee will fall victim to a phishing attack that unleashes malware or gives an outsider access to your network. Therefore, ensure you take regular backups of your files and follow the least-privilege principle to minimize the amount of data an attacker can access using a single compromised account.
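The continuous-monitoring idea above, as an added example that is not from the original article or from any Netwrix product: a sliding-window detector that reads file-access audit events and raises an alert when one account accumulates a burst of failed access attempts or a burst of file modifications. The log format, the thresholds, and the sample lines are constructed for the example; in practice the events would come from file-server or SIEM audit records and the thresholds would be tuned to the organization's baseline.

```python
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <user> <action> <outcome> <object>".
SAMPLE_LOG = """\
2019-02-20T09:00:01 alice READ success /share/billing/invoice_1042.txt
2019-02-20T09:00:05 bob READ failure /share/hr/salaries.xlsx
2019-02-20T09:00:09 bob READ failure /share/hr/bonuses.xlsx
2019-02-20T09:00:14 bob READ failure /share/finance/payroll.csv
2019-02-20T09:00:20 carol READ failure /share/legal/contract.docx
2019-02-20T09:00:27 bob READ failure /share/finance/forecast.xlsx
2019-02-20T09:00:33 alice READ success /share/billing/invoice_1043.txt
2019-02-20T09:00:41 bob READ failure /share/patients/records.db
2019-02-20T09:05:02 mallory MODIFY success /share/patients/scan_001.pdf
2019-02-20T09:05:08 mallory MODIFY success /share/patients/scan_002.pdf
2019-02-20T09:05:15 mallory MODIFY success /share/patients/scan_003.pdf
2019-02-20T09:05:21 mallory MODIFY success /share/patients/scan_004.pdf
2019-02-20T09:10:00 carol READ failure /share/legal/nda.docx
"""

LINE_RX = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<outcome>\S+) (?P<obj>.+)$"
)

# Rule name -> (event predicate, threshold, window). Thresholds are assumptions.
RULES = {
    "failed_access_spike": (lambda e: e["outcome"] == "failure", 5, timedelta(seconds=60)),
    "mass_modification": (
        lambda e: e["action"] == "MODIFY" and e["outcome"] == "success",
        4,
        timedelta(seconds=60),
    ),
}


def parse(lines: list[str]) -> list[dict]:
    """Turn raw audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events: list[dict]) -> list[tuple[str, str, str, int]]:
    """Return (rule, user, time fired, count-in-window) for each rule that trips.

    For every (rule, user) pair we keep the timestamps of matching events that
    fall inside the rule's window; when the deque reaches the threshold the rule
    fires once for that user so a sustained burst does not flood the analyst.
    """
    windows: dict[tuple[str, str], deque] = {}
    fired: set[tuple[str, str]] = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for name, (pred, threshold, window) in RULES.items():
            if not pred(e):
                continue
            key = (name, e["user"])
            dq = windows.setdefault(key, deque())
            dq.append(e["ts"])
            while dq and e["ts"] - dq[0] > window:
                dq.popleft()          # drop events that have aged out of the window
            if len(dq) >= threshold and key not in fired:
                fired.add(key)
                alerts.append((name, e["user"], e["ts"].isoformat(), len(dq)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print("ALERT", alert)
```

In the sample, `bob` reaches five failures in 36 seconds and `mallory` modifies four patient files in 19 seconds, so each trips one rule; `carol`'s two failures ten minutes apart stay below threshold. Adding a third rule (for example, a first-time access to a sensitive share by an account that has never touched it) is a one-line change to `RULES`, which is the reason the predicate, threshold and window are data rather than code.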
Lesson #3. Train all employees on cyber security
Advanced security solutions are a great help in data protection. But employees are your first line of defense. Make sure that everyone is involved in cybersecurity initiatives from their first day. Hold regular training sessions that update employees on how phishing and other social engineering attacks work and how to recognize them, recreating real-world situations that show how to avoid these scams. In the UConn Health case, multiple users fell prey to phishing. Also be sure to refresh employees on your policies for handling sensitive data. For example, explain that they should avoid sending PII via email — a key mistake in the UConn Health breach.
The best defense against breaches like the one at UConn Health is a combination of security tools, automation and best practices, tailored to your organization’s size, type and structure. On a positive note, UConn Health seems to have realized this — executives there have promised to evaluate additional security platforms, educate their staff and review their technical controls to prevent similar breaches in the future.