The Covid-19 pandemic has presented global healthcare providers with never-before-seen challenges: an unprecedented increase in the number of critical patients, a migration to supporting existing patients ‘virtually’ in order to limit the spread of the virus, and temporary requirements to report to various government departments. These changes bring cybersecurity challenges that the healthcare industry has never faced before, at least not at this scale or with this urgency.
Mitigating the scope and impact of data breaches is a major concern for many healthcare institutions. According to a recent report from IBM and the Ponemon Institute, healthcare data breaches are, from a recovery standpoint, the most expensive form of data loss: a breach in the healthcare sector costs US$6.45 million (£5.2 million) on average, almost double the average cost of a data breach across all industries. As if that statistic were not concerning enough, experts warn that the figure is set to rise.
Currently, cyberattacks account for more than half of the data breaches in the healthcare industry. Their motives range from financial gain to economic, corporate or geopolitical espionage, and ransomware in particular is used to shut down operations, often by targeting vulnerable medical devices. The remaining breaches tend to result from insider threats such as employee negligence and lost or stolen devices, or from attacks that come in through third parties. While the motives and methods vary, one thing is certain: the healthcare industry must do more to protect personally identifiable information (PII) and protected health information (PHI).
Improving the cybersecurity posture
Irrespective of the origin of a breach, a major concern is that the tools healthcare organizations have deployed are not effective at detecting breaches in time to prevent losses. Legacy security monitoring tools were not built for the patient-data privacy protection that regulations and certifications such as HIPAA, HITRUST, and GDPR require, which is a serious challenge for enterprises collecting and processing electronic medical records (EMR). These tools rely predominantly on rule-based security event monitoring, which is often only marginally effective even at meeting basic compliance needs and does little to protect patient data from insider threats, advanced persistent threats, or targeted cyberattacks.
Healthcare organizations are bound by stringent regulatory requirements (including HIPAA) to protect patient data privacy. Most mature institutions have strong processes and controls in place to manage and monitor access to patient data. However, with the sudden move to remote visits and changes in reporting requirements, healthcare institutions face a variety of new challenges. Despite this, there are several steps organizations can take to improve their cybersecurity posture, comply with longstanding and temporary regulations alike, and protect patients' health information.
- Remote Access Setup: In order to comply with shelter in place guidelines and slow the spread of the pandemic among their employees and patients, healthcare organizations are suddenly faced with the need to grant remote access to large portions of their workforce. This presents many challenges from logistical (e.g., having enough IT staff to support a massive volume of requests) to security (e.g., having multi-factor authentication in place to comply with existing regulations).
- Training: A workforce that is not accustomed to the unique challenges of working remotely is more likely to use poor security hygiene, such as using insecure internet connections or weak passwords. Therefore, healthcare institutions should look to deliver consistent training services to their staff in order to prioritize the importance of maintaining a security conscious workforce and limit the possibility of a critical data breach despite precarious times.
- Critical App Exposure: Critical applications with EMR data are typically not exposed to the internet without strong security controls. This norm is being challenged by today’s remote work setup at the expense of security. The applications that are most critical are often targeted the most frequently by cybercriminals. This is because they store a treasure trove of personal information that is incredibly valuable on the dark web. Also, these systems may be targeted by ransomware operators, as in many cases, hospitals and healthcare institutions have no choice but to pay the ransom in order to continue offering a service. By limiting the exposure of critical applications, enterprises can mitigate the risk of a serious data breach.
- Use of Personal Devices: Not every employee has a corporate-issued device (laptop or smartphone), especially when working from home. This is forcing organizations to allow employees to use personal devices to access critical systems, which raises additional security concerns: devices that have not been vetted by the security team are dangerous attack vectors. Decision-makers should supply workers with managed, secured devices where possible. Where a VPN is the fallback, remember that it only protects traffic in transit and says nothing about the health of the endpoint, so it should be paired with the multi-factor authentication and monitoring controls described here.
- User Monitoring: Employee activity patterns and prospective attack vectors have changed radically. Monitoring and detection controls need to be able to adapt quickly to new patterns in order to detect attacks. This will allow security teams to monitor for unexpected or unauthorized access to sensitive data, and provide actionable insight, allowing them to shut down access to any device that may be showing malicious tendencies.
Many of these issues can be addressed through the right data privacy monitoring partnership. Enterprises seeking to strengthen their security posture and regulatory compliance should focus on two things: the employee accessing a record and the patient whose record is accessed. Monitoring activity means analyzing and correlating events across the IT infrastructure in order to detect suspicious patterns.
Those patterns expose the main internal threats: unauthorized access to patient data by employees, snooping on the records of family members or co-workers, and anomalies that may precede ransomware. A capable patient data protection system will also isolate unusual record access from unexpected locations, or access by one user from several locations in a short window, that may indicate a compromised account, and it will flag unusual access to VIP records, repeated failed logins by high-ranking employees, and download spikes from unexpected locations. Account hygiene matters just as much: anyone who leaves the organization should have their account terminated and deprovisioned, especially users with privileged access to protected data, and a dormant account should be treated as dangerous as long as it retains access to any form of patient data. Finally, the right controls will be able to restrict access to the records of discharged or deceased patients while complying with a multitude of privacy regulations, both healthcare-specific ones such as HIPAA and HITRUST and general frameworks such as GDPR.
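The detection patterns listed above (the User Monitoring bullet and the two paragraphs following it) are easy to state in prose but only become useful once they run over real audit events. The following is an added example written for this page, not Securonix product code and not an EMR vendor's audit format: it parses a handful of constructed EMR access-log lines and applies five simple rules against hypothetical reference data (an assumed care-team assignment table, patient status, per-user download baselines and last-login dates). A production system would source that reference data from the EMR and identity systems and tune the thresholds; the point here is which signals each rule needs.

```python
"""Added example: rule checks for insider-threat patterns over EMR audit events.
Sample events and reference tables are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp user patient action source_location
RAW_LOG = """\
2020-04-06T09:02:11 dr_ahmed P100 view clinic-lan
2020-04-06T09:05:40 dr_ahmed P101 view clinic-lan
2020-04-06T09:20:03 dr_ahmed P100 view vpn-home
2020-04-06T10:11:52 nurse_lee P103 view clinic-lan
2020-04-06T11:00:00 clerk_ray P102 download vpn-home
2020-04-06T11:00:30 clerk_ray P102 download vpn-home
2020-04-06T11:01:00 clerk_ray P102 download vpn-home
2020-04-06T11:01:30 clerk_ray P102 download vpn-home
2020-04-06T11:02:00 clerk_ray P102 download vpn-home
2020-04-06T11:02:30 clerk_ray P102 download vpn-home
2020-04-06T12:30:00 nurse_lee P100 view clinic-lan
"""

# Hypothetical reference data that a real deployment would pull from the EMR and IdP.
CARE_TEAM = {"dr_ahmed": {"P100", "P101"}, "nurse_lee": {"P100"},
             "clerk_ray": {"P102"}, "dr_old": {"P101"}}
PATIENT_STATUS = {"P100": "admitted", "P101": "admitted",
                  "P102": "admitted", "P103": "deceased"}
LAST_LOGIN = {"dr_ahmed": datetime(2020, 4, 6), "nurse_lee": datetime(2020, 4, 6),
              "clerk_ray": datetime(2020, 4, 6), "dr_old": datetime(2019, 12, 1)}
BASELINE_DOWNLOADS_PER_DAY = {"dr_ahmed": 2, "nurse_lee": 1, "clerk_ray": 1}
NOW = datetime(2020, 4, 6, 13, 0)


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, location = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action, "location": location})
    return events


def detect(events, care_team, patient_status, last_login, baseline, now,
           travel_window=timedelta(minutes=30), dormant_after=timedelta(days=90),
           spike_factor=3):
    """Return (rule, user, detail) findings for the patterns the article lists."""
    findings = []
    # Rule 1 and 2: access without a care relationship; access to inactive records.
    for e in events:
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append(("no_care_relationship", e["user"], e["patient"]))
        if patient_status.get(e["patient"]) in ("discharged", "deceased"):
            findings.append(("inactive_patient_record", e["user"], e["patient"]))
    # Rule 3: one account active from two locations within travel_window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["location"] != cur["location"] and cur["ts"] - prev["ts"] <= travel_window:
                findings.append(("multi_location", user, f'{prev["location"]}->{cur["location"]}'))
                break  # one finding per user is enough for triage
    # Rule 4: download volume well above the user's own baseline.
    downloads = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            downloads[e["user"]] += 1
    for user, n in downloads.items():
        if n > spike_factor * baseline.get(user, 1):
            findings.append(("download_spike", user, str(n)))
    # Rule 5: dormant accounts that still hold patient-data access.
    for user, ts in last_login.items():
        if now - ts > dormant_after and care_team.get(user):
            findings.append(("dormant_account_with_access", user, str(len(care_team[user]))))
    return findings


def run_example():
    """Apply the rules to the constructed log and reference data."""
    return detect(parse_log(RAW_LOG), CARE_TEAM, PATIENT_STATUS, LAST_LOGIN,
                  BASELINE_DOWNLOADS_PER_DAY, NOW)


if __name__ == "__main__":
    for rule, user, detail in run_example():
        print(f"{rule:28} {user:10} {detail}")
```

Against the constructed data this yields five findings: nurse_lee viewing a deceased patient she is not assigned to (two rules fire on the same event, which is exactly the correlation the text describes), dr_ahmed appearing on the clinic LAN and a home VPN within fifteen minutes, clerk_ray downloading six records against a baseline of one per day, and dr_old's dormant account still holding an assignment. Each rule depends on a different data source (EMR assignments, patient status, network location, download history, identity provider last-login), which is why rule-only tools that see just the security event stream miss most of these.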
By leveraging machine learning and artificial intelligence to identify threats to patient data, enterprises can quickly and accurately detect and stop cybercriminals seeking to prey on the current climate of fear and confusion for their own benefit.
Nitin Agale, VP of product and strategy, Securonix