Healthcare industry suffers from significant security breaches
The healthcare industry has had a remarkably tough couple of years when it comes to security. Hacks of hospitals and health plans are now occurring almost daily, according to the U.S. Department of Health and Human Services’ online database. Over 100 million patient records were reportedly breached in 2015 — equivalent to a third of the U.S. population. This year is not any better: nearly 80 percent of providers experienced a “significant security incident,” according to a recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS), a trade group for the health IT industry.
The issue is not going away. Medical records and devices are only going to become more connected — on a massive scale and at a rapid pace. And while this move toward more connected systems is a positive one, it will also make it even easier for health care providers to be hacked if the industry does not prioritize cybersecurity.
The good news is: both providers and the government are starting to recognize there’s a serious problem. That same HIMSS study showed that health care providers are making information security a higher priority — specifically, 87% of acute providers and 81% of non-acute providers. Meanwhile, HHS launched a Cybersecurity Task Force, and, earlier this month, announced they will now investigate breaches of less than 500 records — acknowledging that, when it comes to medical records, no breach is too small to warrant action.
But the healthcare industry still faces some big, persistent problems that have made it an easy target for hackers. Most providers still use legacy systems that weren’t designed with security in mind. They often lack the funding to upgrade to more secure systems, or to hire specialized personnel. And as the struggle to get electronic health records in place demonstrates, health care is an industry that generally lags the rest when it comes to technology.
Health records are also one of the most lucrative types of information that a hacker could steal—fetching significantly more money on black markets than stolen credit cards or lone Social Security numbers. With a health record, you have access to a person’s entire identity—and in many cases, their family’s identities too. All of this gets at why we – healthcare providers, cybersecurity firms, government – need to make healthcare cybersecurity a top priority.
So what’s the solution?
Put simply, get the basics right and make healthcare systems more resilient as upgrades occur. Before joining Tanium, I spent six years investigating cyber breaches. Many of the companies I worked with then — and 61% of the HIMSS study respondents today — were worried about “advanced threats.” But the vast majority of breaches — even those involving advanced threats — could be prevented with basic security hygiene.
Five ways the industry can improve its cyber hygiene
Here are five ways the industry can improve its cyber hygiene:
- Get to know your network. As many incident responders can attest, most organizations can’t tell you how many computers they manage, let alone identify all security vulnerabilities contained on those computers. A complete understanding of a network — including your hardware/software inventory, vulnerabilities and configurations — requires that you have timely access to all devices.
- Ensure real-time visibility. Constant, real-time visibility into your network also provides organizations with the ability to quickly identify and stop attacks within minutes. When I investigated breaches, more often than not, hackers had obtained access months or years before the investigation. The severity and cost of a breach is often directly proportional to the length of time an attacker has remained within your network, undetected.
- Determine a “to be” state — one that balances security with usability. Designs should incorporate industry practices such as multi-factor authentication, network segmentation, application whitelisting and limiting the number of privileged users. Real-time information about your network can also be used to prioritize budgets, as opposed to what many organizations are forced to do — guess.
- Move your employees toward safer behavior. Train people how to properly use systems and spot potentially malicious emails. Teach them about various threats and how to safeguard sensitive data. This won’t stop every attack — make no mistake, neither will any security solution — but it will reduce the number of attacks and allow employees to report those they identify.
- Practice. As an organization matures, it should engage third parties to continually test its systems — something referred to as red teaming. This allows cybersecurity experts to continually test the resiliency of your network, and allows organizations to constantly adjust their defenses and practice their tradecraft.
The health care industry is at a critical point. In the next five years, it will look remarkably different than it does today. Patients will have easier and broader access to care, as providers connect more of their systems to the Internet of Things. As upgrades occur, this is the precise time to implement a more secure, resilient architecture.
About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.