Whether it is a data breach at a hospital or at a health insurance company, it's rare that a week goes by without a major story about vulnerable health data in the hands of the wrong people. Medical records have become an increasingly popular target for electronic theft, more so than either retail or banking data. According to the Ponemon Institute, 1.3 million medical records were stolen in 2013, and the recently publicized Anthem breach may add a whopping 80 million to the total for 2014-2015. Despite this reality, cloud adoption and electronic medical record use continue to explode, with organizations increasingly trusting new medical equipment, devices and third parties with incredibly sensitive data. The good news is that the impact of most of these attacks can be mitigated with the right threat detection system and a proper response plan.
Why medical records?
Stolen medical records are far more damaging to victims than stolen credit card information. The wealth of information that data-intensive medical records contain makes them ideal targets for a wide array of misdeeds and one of the most valuable commodities on the black market. Even more alarming, it's very lucrative to sell children's identities, and children make up a significant portion of medical record fraud victims.
Data from stolen medical records is used to open fraudulent credit accounts or to steal items such as prescription drugs or medical devices, which are then sold on the gray or black markets. Unfortunately, victims of medical fraud often shoulder the responsibility of proving that they didn't purchase the stolen items themselves. As a result, the valuable nature of medical records has driven more cyber criminals to shift their theft operations from payment cards to medical records.
Compliance can't continue driving security
The increasing use of electronic and mobile processing, coupled with the federal government's recent mandate requiring the use of electronic medical records, is resulting in tunnel vision focused on speed and compliance. Healthcare isn't the only industry caught in this high-stakes catch-22. The financial industry, intent on driving faster payment processes through new, compliant technologies, overlooks how these payment technologies affect its overall business processes and security landscape.
It's important to recognize that compliance and security are not the same. Compliance can be a motivator and a budget driver for improving security. Ultimately, organizations need both to protect themselves from cyber attacks.
Initial steps to security
As your organization prepares to move healthcare data or processes to the cloud or to any electronic system, you must develop a thorough understanding of what your business processes are designed to achieve and how those processes fit within your overall security plan. This step is most often overlooked. Business processes and technology work hand in hand to achieve corporate success; not taking both into consideration creates security holes.
A separate set of problems exists for those healthcare organizations that are hesitant to update their medical systems and devices, or that run older operating systems that are slow to receive patches. These updates take on a whole new level of concern when they relate to a device that supplies insulin, anesthesia, or other precisely dosed care. Across all industries, unpatched code is the conduit for close to 50 percent of successful attacks, noted Hewlett-Packard's Cyber Risk Report 2015. Additionally, insider threats, both deliberate and unintentional, contribute to an organization's vulnerability and further exacerbate the "if it's not broken, don't fix it" strategy common in medical devices and equipment.
No company should expect timely breach detection, or even the prevention of some breaches, if it simply checks boxes on compliance report cards. Gartner analyst Anton Chuvakin explained: "Many environments buy security tools for compliance and then not use them at all [not even for compliance], or only use them to the extent needed to satisfy the most creatively minimalistic interpretation of a particular mandate or regulation." Compliance is designed as a component of a bigger security plan, which is in turn designed to defend against attackers.
You will be attacked
It's true: even if your medical environment is well-defended, well-monitored, and handled by a team of information security professionals, you still operate in a highly targeted sector and you will be attacked at some point. Statistically, many of these attacks will result in successful breaches. For these reasons, organizations within the healthcare industry need a layered approach to security, one that includes surveillance cameras for medical records.
Assess your endpoints, protect your data
The information security landscape is rapidly evolving, and the healthcare industry is a key target for many different types of attacks. Mobile workplace policies, legacy systems and electronic record policies all add layers of complexity as IT professionals attempt to control and secure endpoint systems. Unfortunately, we are seeing insufficient protection on endpoint devices. Healthcare organizations are under mounting pressure to secure endpoints and servers from data theft and to meet industry compliance regulations that protect personal data like medical records.
Host-based software can't protect medical records from sophisticated hackers on its own. Security software (i.e., antivirus) is mandated for PCs and servers, but it is generally ineffective against rapidly evolving malware and dedicated attackers. Perimeter network visibility doesn't adequately address insider threats, and it lacks visibility into increasingly encrypted communications. Effective threat detection requires continuous monitoring and analysis of security data, with the endpoint as the key to minimizing the impact of breaches.
The good news is that you can improve your organization's protection of its medical records by assessing and supplementing endpoint security with processes and solutions that increase visibility into, and monitoring of, endpoint activities and behavior. These can be applied efficiently across the organization's security infrastructure, using compliance regulations as a starting point for your security processes. After all, your state-of-the-art EMR systems and processes are only as good as the security process that protects them.
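To make the "surveillance cameras for medical records" idea concrete, here is an added example (not code from the original article or from Red Canary) of the kind of endpoint-behavior analysis the two preceding paragraphs call for. It runs three simple detections over a constructed endpoint audit log: record reads by a process that is not on an assumed allowlist, record access outside assumed business hours, and bulk access to many distinct records by one user within a short window, which is the pattern an insider or a compromised account tends to produce. The log format, field names, user names, thresholds and the `emr.exe` / `export_tool.exe` process names are all assumptions made for the example.

```python
"""Toy endpoint record-access monitor (added example; all data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Assumed policy: only the EMR client may touch records, during 07:00-19:00,
# and more than BULK_THRESHOLD distinct records per user within WINDOW is suspicious.
APPROVED_PROCESSES = {"emr.exe"}
BUSINESS_HOURS = (7, 19)
BULK_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample audit log, one event per line:
# <ISO timestamp>|<host>|<user>|<process>|<action>|<record id>
SAMPLE_EVENTS = """\
2015-03-02T09:01:10|ws-er-01|nurse.j|emr.exe|read|MRN-10001
2015-03-02T09:03:42|ws-er-01|nurse.j|emr.exe|read|MRN-10002
2015-03-02T09:15:05|ws-er-01|nurse.j|emr.exe|read|MRN-10003
2015-03-02T12:00:00|ws-adm-02|admin.m|emr.exe|read|MRN-30001
2015-03-02T12:00:45|ws-adm-02|admin.m|emr.exe|read|MRN-30002
2015-03-02T12:01:30|ws-adm-02|admin.m|emr.exe|read|MRN-30003
2015-03-02T12:02:15|ws-adm-02|admin.m|emr.exe|read|MRN-30004
2015-03-02T12:03:00|ws-adm-02|admin.m|emr.exe|read|MRN-30005
2015-03-02T12:04:00|ws-adm-02|admin.m|emr.exe|read|MRN-30006
2015-03-02T22:10:00|ws-bill-07|clerk.k|emr.exe|read|MRN-20001
2015-03-02T22:10:03|ws-bill-07|clerk.k|emr.exe|read|MRN-20002
2015-03-02T22:10:06|ws-bill-07|clerk.k|emr.exe|read|MRN-20003
2015-03-02T22:10:09|ws-bill-07|clerk.k|emr.exe|read|MRN-20004
2015-03-02T22:10:12|ws-bill-07|clerk.k|emr.exe|read|MRN-20005
2015-03-02T22:10:15|ws-bill-07|clerk.k|emr.exe|read|MRN-20006
2015-03-02T22:10:18|ws-bill-07|clerk.k|emr.exe|read|MRN-20007
2015-03-02T22:11:30|ws-bill-07|clerk.k|export_tool.exe|export|MRN-20010
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    process: str
    action: str
    record: str


class Finding(NamedTuple):
    rule: str
    user: str
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse pipe-delimited audit lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed event line: {line!r}")
        ts, host, user, process, action, record = fields
        events.append(Event(datetime.fromisoformat(ts), host, user, process, action, record))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event]) -> List[Finding]:
    """Run the three detections; returns one Finding per (rule, user, day/window)."""
    findings: List[Finding] = []
    off_hours_seen = set()  # (user, date) pairs already reported, to limit noise
    for e in events:
        if e.process not in APPROVED_PROCESSES:
            findings.append(Finding("unapproved_process", e.user,
                                    f"{e.process} {e.action} {e.record} on {e.host}"))
        in_hours = BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]
        if not in_hours and (e.user, e.ts.date()) not in off_hours_seen:
            off_hours_seen.add((e.user, e.ts.date()))
            findings.append(Finding("off_hours_access", e.user,
                                    f"{e.action} {e.record} at {e.ts.isoformat()}"))

    # Bulk access: for each user, slide a WINDOW over their events and count
    # distinct records; report the first window that crosses the threshold.
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            records = {x.record for x in evs[i:] if x.ts - first.ts <= WINDOW}
            if len(records) > BULK_THRESHOLD:
                findings.append(Finding("bulk_record_access", user,
                                        f"{len(records)} distinct records within {WINDOW} "
                                        f"starting {first.ts.isoformat()}"))
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] user={f.user}: {f.detail}")
```

On the constructed log, `nurse.j` produces no findings, `admin.m` trips only the bulk-access rule (six records at midday from the approved client, which is why the rule is independent of hours and process), and `clerk.k` trips all three. In practice the thresholds would be tuned per role and the findings fed into the response plan the article calls for; the point is that this class of signal comes only from endpoint telemetry, which neither antivirus nor perimeter monitoring provides.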
About the Author: Brian leads Red Canary to deliver its mission of bringing world-class threat detection and response to every business. Prior to co-founding Red Canary, Brian incubated cybersecurity products at Kyrus, innovated big data processing solutions for the intelligence community at Northrop Grumman and started his career in cybersecurity at ManTech. He can be reached at firstname.lastname@example.org.
Edited by Dominick Sorrentino