Cybersecurity infrastructure within the nation’s leading healthcare companies has not kept pace with the rapid proliferation of electronic health records.
As the black market price for healthcare-related data steadily rises, healthcare providers and insurance companies face the need to re-imagine their security systems to neutralize the emerging threats at their door.
Over the years, health care companies have grown by acquisition, creating vast overlapping networks that are more complex and, theoretically, less attractive for cybercriminals. But data tells a different story: a SANS Institute report issued in February warned that health care cybercrime was on the rise, citing 375 US-based healthcare organizations that were compromised between September 2012 and October 2013.
Healthcare data’s value comes from its stability: pre-existing conditions, medication logs, procedure codes — this data is evergreen, and names and social security numbers are difficult to change. By contrast, credit card numbers are transient data. As soon as a compromise is discovered, the number is changed and the data is valueless. Stolen healthcare data can be used to file fraudulent claims or obtain prescriptions, and social security numbers can be quickly monetized.
Unfortunately, healthcare companies lag behind other industries in terms of cybersecurity. They are often using security tools that were architected long before the proliferation of mobile and cloud, and do not provide adequate speed in detecting vulnerabilities. Utilizing antiquated systems is considered out of the question in other highly regulated industries handling sensitive information, such as banking, yet the status quo persists in healthcare. As a result, 83% of healthcare industry respondents reported unintentional exposure of private or sensitive information in PricewaterhouseCoopers’ most recent US State of Cybercrime Survey.
The reality for many organizations is that the convenience of data and the right security solutions are mutually exclusive, often forcing them to choose between the two. The most secure way to store data in a traditional system can create inefficiencies for accessing that data. Air gap environments and separate data sets make it difficult to access, aggregate and analyze data — not to mention the impact on customer service, information management and the bottom line: this kind of security is expensive.
In the end, however, investing in security over efficiency will protect customers and your bottom line. Trust is an essential element in an ongoing relationship with customers. As cybercrime increasingly impacts consumers’ lives, we face a near future where the public chooses brands that have clearly demonstrated they can safeguard customer data.
While the hackers will continue, there are things that can be done. Simply put, companies must have access to real-time data showing what is happening, how information is flowing and where vulnerabilities exist. CSOs would be greatly strengthened by leveraging community-based data, especially in machine-readable, actionable, standard formats. An easy first step for all health care organizations would be to subscribe to NH-ISAC, and to create protocols that ingest shared intelligence and make that data actionable in real time. Seeing the entire system in seconds, across hundreds of thousands of endpoints, is essential for security staff to locate, neutralize and eradicate threats.
If customers lose faith that computers can safely store their data, our foundational relationships between customers and institutions will begin to fall apart. And when that customer is a patient, the stakes are even higher. Therefore, the health care security community stands at a critical juncture — move at the speed and scale of the hackers, or watch your businesses be changed forever.