The State of Cyber Security in Healthcare

January 8, 2019

The privacy and security concerns associated with digital patient records make the healthcare industry one of the most regulated industries in the United States. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act create a much higher standard of scrutiny than in other verticals with regard to privacy and disclosure requirements.

However, being compliant doesn’t mean you’re secure.

Traditionally, healthcare providers’ mission is to save lives. As a result, IT security departments are typically not a top priority when it comes to budget dollars and are often chronically understaffed.

The healthcare market has also changed dramatically over the last decade, as many providers transitioned from paper-based to digital systems. As part of these modernization efforts and the desire to provide better and more efficient patient care, many healthcare providers plan to offer telehealth services. Telehealth presents the same security issues as any other online transmission, such as the integrity of the connection and the need for protection of the data.

This explains why many healthcare IT environments are outdated and consequently woefully unprepared to deal with cyber-attacks, which increases the risk of compromise situations such as an employee unintentionally leaking data (e.g., mis-delivery of email, loss of computer, data entry error), physical theft, malware, and social engineering.


Healthcare Under Attack

Headlines about data breaches at a broad range of healthcare providers and their third-party vendors (e.g., CMS, AccuDoc Solutions, UnityPoint Health) demonstrate that the healthcare market continues to be a lucrative target for cyber adversaries.

This is not surprising, considering that the industry deals with a vast amount of highly sensitive data which needs to remain current and accurate, as life or death decisions may depend on it. In turn, healthcare records are a hot commodity on the Dark Web, often going for a far higher price than credit cards.

A 2018 research letter in JAMA American Medicine revealed that more than half (53 percent) of health data breaches are triggered internally, and that they are on the rise.

This raises the question of what healthcare providers can do to limit their exposure to data exfiltration, while fulfilling their stringent regulatory obligations.

Fighting the Enemy from Within

According to the 2018 Verizon Protected Health Information Data Breach Report, misuse is the common root cause of data breaches in the healthcare market. In 66 percent of incidents, the threat actor is misusing privileged credentials to gain unauthorized access to data.

Verizon’s report also concludes that the healthcare industry is the only industry in which internal actors are the biggest threat to an organization: 58 percent of incidents involve insiders, compared to just 42 percent tied to external actors. Considering the working conditions and low wages in the healthcare industry, these numbers might not be as surprising when put into the context of potential financial gain, which is the primary motive for data breaches in this vertical.

On the Dark Web, complete medical records (e.g., patient’s name, birthdate, social security number, and medical information) can sell for as much as $50 per individual, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. Medical records can be leveraged for a wide variety of nefarious purposes, ranging from healthcare fraud and identity theft (for example, to open a new line of credit) to blackmail and extortion.


Safeguards to Reduce Risk

So what safeguards should be put in place to minimize the risk of exposure to external or internal threat actors? There are four rudimentary measures healthcare providers should apply to strengthen their security posture:

  • Data Encryption - The theft or misplacement of unencrypted devices continues to contribute to data breaches in the healthcare market. In this context, data encryption is both an effective and low-cost method of keeping sensitive data out of the hands of bad actors. Data encryption can also mitigate the consequences of physical theft of assets.
  • Employee Security Awareness Training - Drive cultural change in the organization to incorporate security practices into day-to-day operations and secure the financial resources required to implement them. Frequently train employees and partners’ employees to minimize the risk of phishing attacks and social engineering.
  • Use Multi-Factor Authentication - Supplement passwords with multi-factor authentication (MFA). Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. MFA should be used everywhere, meaning not just for end user access to applications, but across every user (end users, privileged users, contractors, and partners), and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers).
  • Enforce Least Access and Privilege - Considering the high percentage of privileged access misuse in the healthcare industry, it is essential to limit access and privilege by applying a Zero Trust Privilege approach. This entails establishing granular, role-based Privileged Access Management controls to limit lateral movement, as well as just-enough and just-in-time privilege to applications and infrastructure.

By implementing these measures, healthcare organizations can limit their exposure to both internal and external cyber threats, while fulfilling their stringent regulatory obligations. Solving the security challenges healthcare providers face will fuel faster growth, enable further digital transformation, and ultimately result in enhanced patient care and data protection.
