6 ways healthcare providers can lower their risk of a data breach.
Healthcare organizations can take proactive steps that could help prevent a data breach.
Healthcare organizations are trusted by their patients to be custodians of massive amounts of highly confidential data, namely patient health records, payment details and other personally identifiable information (e.g., Social Security numbers). These data fetch high prices on the black market, making healthcare one of the industries most targeted by hackers and other cybercriminals.
According to HIPAA Journal, U.S. healthcare data breaches are reported at the rate of one per day, with hacking emerging as the dominant cause. Since breach reporting began in 2009, more than 176 million health records have been exposed, a figure greater than 50 percent of the U.S. population. Clearly, patient trust in the safety of their healthcare information is misplaced, and keeping private data private is a massive challenge for the U.S. healthcare industry.
But as scary as this sounds, it is probably just the opening round in a story that may have even more far-reaching implications. What happens if or when attacker behavior affects patient outcomes? We have seen a raft of ransomware attacks in healthcare lately: attacks that hold data hostage until a ransom is paid to the bad actor. In this age of healthcare digital transformation, timely access to accurate information directly affects those highly valued patient outcomes. It is not just about reputation and loss of records anymore; it is about life and death. And patient information will inevitably become richer, likely including individual genetic data and treatments customized around it. How much more important will it be to safeguard the patient's information then?
As the shift to cloud computing continues and the healthcare industry keeps adopting new technologies, safeguarding data becomes even more challenging. With digital transformation of this size and scope come new security challenges, introduced, for example, via third-party providers and internet of things (IoT)-connected devices.
Some of the most common security challenges facing healthcare organizations today include:
Any IP-based device can expose an organization to a data breach. Most staff are not IT or security specialists, and they do not understand how IP-based devices can be compromised. In addition, most organizations cannot even count the computer systems, endpoints or medical devices on their network(s), let alone monitor them in real time.
Printers and cameras are two well-known classes of IoT devices that exist on most business networks, including within healthcare. There are well-documented, even sensational, stories about how networked printers were compromised, serving as part of a botnet army to disrupt network traffic. And there have been similar cases of cameras being compromised by a bad actor to eavesdrop on local activity. What about lighting/power control systems, infusion pumps, heart monitors, dialysis equipment, X-ray, MRI and CAT imaging equipment? The only difference is that, if those medical devices are compromised, it might impact a patient outcome.
Current solutions, readily available in the market today or commonly used by many organizations, fall short of providing the full visibility needed to secure healthcare networks effectively. On average, our empirical data from production environments shows that over 40 percent of today's dynamic networks, endpoints and cloud infrastructure are unknown, unmanaged, rogue or part of shadow IT, leaving significant infrastructure blind spots. That is an astounding lack of the real-time awareness needed to keep attackers from compromising systems.
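One concrete way to measure the blind spot described above is to reconcile what the network actually shows (its neighbor/ARP tables) against what the asset inventory says should be there, and to flag known devices that have turned up on the wrong segment. The Python below is an added example written for this article, not Lumeta's or FireMon's code; the `ip neigh`-style snapshot, the subnet-to-segment map, the inventory, the MAC addresses and the hostnames are all constructed for illustration.

```python
import ipaddress
import re

# Constructed snapshot in the style of `ip neigh` output; not captured from any real network.
NEIGHBOR_TABLE = """\
10.10.1.23 dev eth0 lladdr 00:1b:63:84:45:e6 REACHABLE
10.10.1.40 dev eth0 lladdr 3c:52:82:11:aa:01 STALE
10.10.1.77 dev eth0 lladdr d8:9e:f3:90:12:0b REACHABLE
10.20.5.10 dev eth1 lladdr 00:50:56:8a:7c:11 REACHABLE
10.20.5.12 dev eth1 lladdr 00:50:56:8a:7c:12 REACHABLE
10.20.5.60 dev eth1 lladdr 3c:52:82:11:aa:02 REACHABLE
10.30.9.5 dev eth2 lladdr 00:80:77:31:2a:9c REACHABLE
10.30.9.9 dev eth2 FAILED
"""

# Which address range is which segment (constructed, hypothetical addressing plan).
SEGMENTS = {
    "staff-wifi": ipaddress.ip_network("10.10.1.0/24"),
    "pci-billing": ipaddress.ip_network("10.20.5.0/24"),
    "medical-devices": ipaddress.ip_network("10.30.9.0/24"),
}

# Asset inventory keyed by MAC: hostname and the segment the device is supposed to live in (constructed).
INVENTORY = {
    "00:1b:63:84:45:e6": ("nurse-laptop-17", "staff-wifi"),
    "00:50:56:8a:7c:11": ("billing-app-01", "pci-billing"),
    "00:50:56:8a:7c:12": ("billing-db-01", "pci-billing"),
    "00:80:77:31:2a:9c": ("infusion-pump-204", "medical-devices"),
    "00:80:77:31:2a:9d": ("infusion-pump-205", "medical-devices"),
    "d8:9e:f3:90:12:0b": ("infusion-pump-311", "medical-devices"),
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<iface>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neighbors(text):
    """Parse neighbor-table lines. Entries without a MAC (FAILED/INCOMPLETE) are not evidence of a host and are skipped."""
    hosts = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            hosts.append({"ip": m["ip"], "mac": m["mac"].lower(), "state": m["state"]})
    return hosts


def segment_of(ip):
    """Map an observed IP to the segment whose range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unassigned"


def reconcile(hosts, inventory):
    """Classify each observed host against the inventory and list inventory entries nobody saw."""
    findings = {"managed": [], "unknown": [], "misplaced": [], "missing": []}
    seen = set()
    for h in hosts:
        observed_segment = segment_of(h["ip"])
        seen.add(h["mac"])
        record = inventory.get(h["mac"])
        if record is None:
            findings["unknown"].append((h["ip"], h["mac"], observed_segment))
        elif record[1] != observed_segment:
            findings["misplaced"].append((record[0], record[1], observed_segment, h["ip"]))
        else:
            findings["managed"].append((record[0], h["ip"]))
    for mac, (name, segment) in inventory.items():
        if mac not in seen:
            findings["missing"].append((name, segment, mac))
    return findings


def unknown_share(findings):
    """Fraction of observed hosts that the inventory cannot account for."""
    observed = len(findings["managed"]) + len(findings["unknown"]) + len(findings["misplaced"])
    return len(findings["unknown"]) / observed if observed else 0.0


if __name__ == "__main__":
    result = reconcile(parse_neighbors(NEIGHBOR_TABLE), INVENTORY)
    for kind in ("unknown", "misplaced", "missing"):
        for entry in result[kind]:
            print(kind.upper(), *entry)
    print(f"{unknown_share(result):.0%} of observed hosts are not in the inventory")
```

Fed a real neighbor table (the output of `ip neigh` on each segment's gateway, or a switch's MAC address table), the "unknown" list gives the 40 percent figure for your own network, the "missing" list shows inventory that has gone quiet or been replaced, and the "misplaced" list (here, a device the inventory files under medical devices answering on the staff Wi-Fi range) is the one that matters for segmentation. A single snapshot is only a point-in-time view; the real-time awareness the article calls for means running this on a schedule and alerting on the differences between runs.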
Once the right visibility tools are in place, large networks can and should be segmented so that authorized communications traverse only authorized areas of the network and everything else is blocked. Anything touching the network should be segmented by type, purpose, access rights and/or solution type.
In a hospital setting, do you want your patient wireless networks to have paths or connectivity to your billing and financial systems, which are likely covered by Payment Card Industry (PCI) requirements? What about life-saving medical devices sitting on the same network segments as employee wireless connectivity? Probably not, because those placements expose the more sensitive assets (PCI systems and life-saving devices) to bad behavior and compromise.
How do you know this isn't a problem on your own network? Beyond knowing that a device is on the network, IT teams need tight control over where devices are, what they are doing and whom they are communicating with, at all times. Devices should never be trusted unless authorized. Segmentation rules should be implemented, with policies updated frequently and tested or validated to catch erroneous changes, whether from human error or rogue activity.
Medical devices were traditionally "closed" because of proprietary communications protocols, limited connectivity and operating systems incompatible with traditional IT. Now that everything is IP-enabled, those walls have come down, enabling beneficial communications and data sharing but exposing operational technology (medical device) environments to greater security risk. Segmentation and active monitoring of the network infrastructure for vulnerabilities let you take advantage of the benefits of IP-enablement securely.
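The checks the segmentation paragraphs above call for (only authorized paths between segments, and rules validated after every change) can be written down as policy and tested automatically. The Python below is an added example written for this article, not a Lumeta or FireMon tool. It models a first-match, default-deny firewall rule base between named segments, builds the graph of which segments can reach which, and reports every forbidden flow, including transitive ones such as staff Wi-Fi reaching the billing segment by way of the printer segment (the compromised-printer case raised earlier). The segment names, the rule format, the rule set and the forbidden-flow policy are constructed for illustration; the two rules marked hypothetical are the kind of erroneous change the text warns about.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall/ACL rule between two network segments (hypothetical, simplified format)."""
    src: str
    dst: str
    port: str     # TCP/UDP port as a string, or "any"
    action: str   # "allow" or "deny"


# Constructed rule set for a hospital network. First match wins; anything unmatched is denied.
RULES = [
    Rule("patient-wifi", "internet", "any", "allow"),
    Rule("staff-wifi", "internet", "any", "allow"),
    Rule("staff-wifi", "ehr", "443", "allow"),
    Rule("staff-wifi", "printers", "9100", "allow"),
    # Hypothetical: added so a print server can drop scans on a billing file share.
    Rule("printers", "pci-billing", "445", "allow"),
    # Constructed: bedside monitors push HL7 feeds to the EHR.
    Rule("medical-devices", "ehr", "2575", "allow"),
    # Hypothetical change made during a device rollout; it shadows the deny below it.
    Rule("staff-wifi", "medical-devices", "any", "allow"),
    Rule("staff-wifi", "medical-devices", "any", "deny"),
]

# Flows the segmentation policy must never permit, directly or through another segment (constructed).
FORBIDDEN = {
    "patient-wifi": {"ehr", "pci-billing", "medical-devices"},
    "staff-wifi": {"pci-billing", "medical-devices"},
    "printers": {"medical-devices"},
}


def flow_allowed(rules, src, dst, port):
    """Evaluate one flow the way a first-match firewall does, with an implicit default deny."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in ("any", port):
            return r.action == "allow"
    return False


def reachability_graph(rules):
    """Directed graph with an edge src->dst whenever at least one port gets through."""
    graph = {}
    for src, dst in {(r.src, r.dst) for r in rules}:
        # Probe every port named for this pair, plus "*" standing for an arbitrary
        # unnamed port, which only an "any" rule can match.
        probes = {r.port for r in rules if (r.src, r.dst) == (src, dst)} - {"any"} | {"*"}
        if any(flow_allowed(rules, src, dst, p) for p in probes):
            graph.setdefault(src, set()).add(dst)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the segments on the path, or None if goal is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def check_policy(rules, forbidden):
    """Return every forbidden flow the rule set permits, with the path that permits it."""
    graph = reachability_graph(rules)
    violations = []
    for src, targets in sorted(forbidden.items()):
        for dst in sorted(targets):
            path = shortest_path(graph, src, dst)
            if path is not None:
                violations.append({"src": src, "dst": dst, "path": path})
    return violations


if __name__ == "__main__":
    for v in check_policy(RULES, FORBIDDEN):
        print(f"VIOLATION {v['src']} -> {v['dst']} via {' -> '.join(v['path'])}")
```

Run as written, the script reports two violations: staff-wifi reaches medical-devices directly, because a broad allow was inserted ahead of the deny that was supposed to cover that pair, and staff-wifi reaches pci-billing in two hops through printers. Deleting the shadowing allow clears the first; the second is the kind of transitive path a rule-by-rule review never catches, which is why the check should run against the whole rule base on every change, not just the rule being edited. The model is deliberately segment-level: it knows nothing about NAT, routing, host firewalls or application-layer controls, so a clean result here is a necessary condition, not proof of isolation.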
Here is a list of criteria that healthcare providers and related organizations need to consider to lower the risk of a breach:
Reggie has a technology background with BE and MS degrees in EE and more than 25 years of experience in communications, networking and IT security. He’s currently the CEO of Lumeta, a FireMon company focused on delivering cyber situational awareness for complete real-time visibility into the extended network and across all connected endpoints.
Reggie has been involved in the founding of three start-up companies, which successfully progressed to M&A, including Teleos Communications (sold to Madge Networks), AccessWorks (sold to 3Com) and Netilla Networks (sold to AEP Networks). Prior to joining Lumeta, Reggie was president and chief operating officer at ProtonMedia, where he oversaw the operations and product teams. He started his career at Bell Labs, the R&D arm of AT&T.