Healthcare is no doubt a highly regulated, extremely visible industry. Should its cyber security controls be just as stringent? Sentiment and good intention aside, healthcare remains a far-too-targeted space for cyber-attacks. The surface is quite wide, too, as the “insider” threat remains an uphill climb for enterprise security teams.
Data from Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR) suggests that personal information is vulnerable in healthcare – perhaps more so than other industries.
The findings showed 58% of cyber security incidents in healthcare involved insiders. The insider motivation: 48% of the time it was financial gain. Some users sought data for fun/out of curiosity (31%), and convenience (10%).
What’s more, 70% of cyber security incidents with malicious code were classified as ransomware attacks, suggesting that these strains remain a top concern for enterprise teams.
See Related: 'Evolution Not Revolution': Kenna Security CEO Talks Risk Management
For healthcare specifically, patient data remains both integral to operations and highly sought-after by cyber-criminals. Twenty-one percent of polled incidents happened because of stolen devices which housed unencrypted PHI.
(Comprising about one quarter (27%) of the incidents were mishaps with paper records.)
Verizon’s breach report evaluated 1,368 cyber security incidents across 27 countries. Elsewhere in the report includes causal trends, types of incidents and best practices for securing PHI.
Some of the solutions include: encryption, continuous monitoring (including training), and the development of preventative measures (this would likely help on the ransomware front).
The Security World's Take
Commenting on the findings from the Verizon report, Aetna Chief Security Officer, Jim Routh, told the Cyber Security Hub: “Most of the security incidents referenced are due to people making mistakes and sending the wrong information to the wrong party or forgetting to protect the information.”
He continued: “This is due to the fact that the attack surface in healthcare is significantly greater than other industries, since most patient data is identified with a Social Security Number (SSN).”
Routh advised healthcare organizations to “shrink the attack surface by eliminating the use of SSN for both authentication and identification.”
Routh said that to mitigate this threat, it won’t come down to training alone. “Reducing the size of the problem by eliminating the use of SSN is a first step,” he said. “The next step is the adoption of better data protection tools, such as format-preserving encryption, differential privacy, multi-layer encryption and machine-learning algorithms applied to data loss protection.”
See Related: Preparation & Response Chain: CISO Talks Enterprise Readiness
Denver Health Chief Information Security Officer (CISO) and Privacy Officer, Randall Frietzsche, told the Cyber Security Hub: “The 58% number includes both malicious and accidental incidents. Training certainly helps around the accidental issues. As far as malicious insiders, several items are critical.”
To mitigate, the CISO pointed to: access limitations (restricting job roles), logging at the user device and access points, feeding logs into a good SIEM that can correlate activity and continuing to input controls that can identify potentially anomalous user behavior (including User Behavior Analytics).
Frietzsche also suggested that enterprise security teams train and equip themselves with digital forensics tools, apply background checks on new employees and enforce strong policies (Acceptable User Policy, and more). The Denver Health CISO said that a new-employee orientation should include “a very clear statement that any attempt to circumvent the organization’s security controls will be subject to disciplinary action.”
A combination of these factors, he said, should help reduce the “insider threat” embedded in the healthcare enterprise.
Stay tuned to CSHub.com for more industry-specific cyber insight!
Be Sure To Check Out: CISO Calls For Sweeping Policy Changes To Address Cyber Concerns