Over 40 million patient records were compromised in 2021 alone, according to the U.S. Department of Health and Human Services Office of Civil Rights, which is responsible for tracking privacy violations in U.S. healthcare. With growing amounts of sensitive patient data being stored electronically, aging infrastructure, and increasingly sophisticated cybercriminals, it has become more difficult for Healthcare organizations to protect their assets.
Many medical organizations seek a magic cybersecurity solution to solve this problem, but the fact is that no silver bullet for security exists. The only effective method of protecting healthcare data is to create a multi-layered approach to security that ensures data is secure throughout its lifecycle.
This article explores the security challenges in Healthcare and presents guidance on how Healthcare organizations can build a robust cybersecurity program.
Healthcare Security Challenges
According to Verizon’s latest Data Breach Investigation Report, healthcare is a significant target for cybercriminals, with over two-thirds of healthcare data breaches resulting in data disclosure. These attackers focus on the heavily regulated industry as it has valuable data to steal and is likely to comply with extortion demands to minimize downtime and avoid regulatory penalties.
Cybercriminals are hoping to capitalize on factors that make healthcare incredibly profitable. The value of the data combined with an expanding attack surface and a need to maintain business operations no matter the cost creates a situation they hope will lead to their profit.
Compliance / HIPAA
One of the first factors that come to mind for securing data in healthcare is meeting regulatory compliance mandates. Healthcare organizations are heavily regulated for securing their data, and failures to comply are met with harsh penalties.
In the U.S., HIPAA (Health Insurance Portability and Accountability Act) is the primary concern for healthcare organizations. It prioritizes ensuring the privacy of patient information and mandates that companies apply a risk-based approach to cybersecurity efforts. Most organizations are left to meet these requirements independently, but deeper investigations occur if a breach occurs. In cases where the organization was not compliant, the penalties are severe, including fines, mandatory corrective action programs, and bad publicity.
Europe has similar privacy measures in the form of GDPR (General Data Protection Regulation), which mandates strict controls on organizations that can store sensitive patient information. These mandates give patients control and visibility into how their data is shared. Failing to protect the security of patient data leads to data disclosures and significant fines that can be up to $22.07 million or 4% of global revenue, whichever value is larger for the most egregious violations.
Expanding Attack Surface
Healthcare organizations also have the challenge of a rapidly expanding attack surface, complicating the data security challenges. The pandemic launched the rapid adoption of telehealth, cloud utilization, and remote work, expanding data beyond the traditional security perimeter. The expanded attack surface created by current business needs makes the environment harder to monitor and protect. Without using targeted solutions to protect this information, it leaves an easy target for cybercriminals.
Valuable Data To Steal
Healthcare records contain a large quantity of information that is valuable on the dark web and in direct sales to criminal organizations. Everything from social security numbers to government identification and supporting information such as date of birth (DOB), address, phone, and email supports identity theft attacks or other fraudulent purposes. In addition to personally identifying information (PII), healthcare organizations also handle payment information. The ease with which this data can be re-purposed for immediate misuse increases its value for sale.
Valuable Target To Extort
Attackers know that healthcare organizations generally have a financial incentive to get data back that was locked by ransomware. They need to rapidly return to operations. This is especially true if the ransomware affects critical systems or data.
In 2022 alone, almost 300 hospitals suffered ransomware attacks. There are some instances where attackers discovered a conscience when it became clear that they attacked a hospital, but system disruption had already occurred. Building a holistic security program can prevent threats from taking hold and avoid the trouble that comes with them.
Finding ways to ensure that healthcare is secure requires more than just a single solution, as the attack surface is so broad. Using a multi-layered holistic approach that interweaves security into every aspect of healthcare delivery, organizations can create a solid defensive posture, making them a hard target for attackers.
Understanding the entire attack surface and where sensitive data resides is crucial for building an efficient security program. This information allows the tailoring of security controls to harden critical areas rather than just building broad-reaching, generic security. Building with this approach allows your organization to defend against attackers more effectively while minimizing implementation and management costs.
Identifying Potential Targets
Discovering the most valuable and vulnerable assets is crucial to securing them. By determining where your high-value data resides and what defenses are in place to defend it, your organization can take a risk-based approach to define your defenses as is required by HIPAA.
Identifying targets does not only happen in the on-premise environment. This needs to include all external assets, including those in the cloud, 3rd parties, and remote workers. Discovering what data lies in these environments and how it is protected ensures that your organization can take steps to protect it rather than creating an easy target for attackers.
Deploying Targeted Defenses
Simply adding security controls to protect your healthcare organization is not enough to ensure they are effective. For healthcare, the data is the prime target of attackers, so defenses should focus on protecting the data first. They should make it harder for attackers to access and challenging to steal.
Using controls such as encryption and strong access control policies makes it harder for cybercriminals to get their hands on the information. The access control policies restrict visibility to sensitive information so that individuals only have access to the information necessary to do their work, minimizing the potential impact if an account is compromised. This is also required by HIPAA and GDPR. Encryption controls take this a step further, ensuring that data remains unreadable, even if attackers find ways around access controls. Encrypted data also gains the benefit of safe harbor protection for HIPAA and GDPR if it is stolen because any sensitive data contained is unusable.
Staging a good defense is only as effective as your organization’s visibility into your assets. Improved visibility lets you not only know when attacks are happening because you can’t stop attacks you don’t know are happening and how your data is being used. With this information, the effectiveness of defenses can be evaluated, and problems can be identified early on before they scale to full-blown breaches.
Creating in-depth visibility starts with collecting information about how systems are accessed and how data is utilized. Using widespread logging to collect this information is crucial to generating the visibility necessary to run active defenses. This collection process can generate massive volumes of data which are impossible to effectively parse for humans, even with large teams. Making the data useful requires additional solutions to parse and analyze the data, possibly even leveraging machine learning to generate actionable insights that teams can use to detect and stop threats.
Implementing Active Threat Detection
Having visibility is necessary to detect threats, but stopping only at visibility still keeps the attacker operating. Solutions that offer dashboarding that translates the visibility into data that teams can action against are a valuable way to utilize the visibility. However, they still rely on human intervention to stop the threats. While this approach does get the job done, there are delays in response which allow the attackers to drive deeper into the organization.
Using advanced machine learning, organizations leverage and consume large volumes of data to determine high-risk actions and automatically cut them off. By assessing this information, baseline behaviors can be created to identify insider threats, ransomware, and external threats. This is especially important for maintaining patient privacy, as it is easy to miss abuse in the noise of regular access necessary to provide treatments. Utilizing automation with machine learning eliminates the threats as soon as they are detected, stopping attackers before they can make any significant impact.
Preparing For the Worst
Healthcare organizations must also be prepared for a worst-case scenario when creating a holistic defense. No security is perfect, and even a layered approach could possibly be circumvented by advanced attackers. A way to rapidly return to operations is crucial for surviving these situations with minimal organizational impact.
Healthcare organizations can rapidly recover from attacks using backups, data redundancy, and buffering. Traditional backups create a recovery point in time but are often slow to restore and don’t usually have full coverage of all critical resources. More modern data redundancy and buffering solutions use the flexibility of cloud resources to build a rapid recovery system that can rebuild on the fly immediately after an incident is resolved. This approach eliminates traditional backups’ lag, focusing on a near real-time restoration.
Building A Complete Solution
Sotero is a single solution that builds a multi-layered defense for your organization against threats to your data. Sotero takes a holistic approach to data security, helping healthcare organizations take control of their data by limiting access, keeping data encrypted at all times, and using advanced threat detection to detect attacks before they can get a foothold. The Sotero platform protects your internal organization and the cloud to ensure that data outside the traditional security parameters remains defended against cyber criminals.
Contact Sotero today for a demo on how the Sotero Data Security Platform can help your healthcare organization get and maintain complete data security coverage.