Struggles continue for healthcare information security. Today UCLA Health announced a breach that may have exposed the personal health information of 4.5 million people. Details are still pending, but the suspicious activity on UCLA’s network dates back to September 2014.
Healthcare providers face security challenges unique to their industry. Medical records are highly coveted by criminals because, unlike a card number, they cannot be cancelled and reissued: a stolen record stays valid for years and can be used to open multiple fraudulent accounts. The going price on the black market for a health record is around $10, 10 to 20 times that of a credit card number.
Operational requirements also stretch healthcare information security thin. Medical records must be available on a multitude of devices, at many locations and to a wide variety of user types, from assistants to nurses to doctors, not all of whom are well versed in security best practices. Spanning four hospitals and 150 offices, UCLA’s requirements illustrate the difficult task facing healthcare IT and security departments. In pursuing the most responsive and effective ways of delivering care, organizations are simultaneously fighting to keep their grip on sensitive data.
A Bane for the Industry
The staggering number of breaches at healthcare organizations led Forbes journalist Dan Munro to call cybersecurity “the top US healthcare story.” The potential breach at UCLA would push the running total past the century mark: roughly 100 million records exposed in four blockbuster incidents, Community Health Systems (4.5 million), Anthem (80 million), Premera (11 million), and now UCLA (4.5 million).
The exact mechanics of these attacks are rarely disclosed, but we have seen similarities in the underlying security weaknesses. Electronic records are most often kept in unencrypted on-premises databases, an architecture that leaves the data readable to any attacker who gains a foothold on the organization’s network. Cloud services pose a significant but largely unaddressed threat to medical organizations: the average healthcare company uses 928 cloud services, 93% of which do not meet security standards. In the case of the Anthem breach, a cloud file-sharing service was used to exfiltrate data.
Responding Under Siege
The UCLA Hospital System’s president, Dr. James Atkinson, declared in a statement that the group is under “near-constant attack” by hackers and blocks “millions of known hacker attempts each year.” How can healthcare organizations protect data in the face of such steep odds?
The first step is to stop treating the network perimeter as the primary line of defense. 14.4% of healthcare employees have a login credential for sale on the Darknet. Furthermore, out of convenience, healthcare employees habitually upload data to cloud services, outside the reach of a traditional network firewall. Preventing initial access to the network is no longer a viable security strategy on its own. Instead, organizations need to layer controls: defense in depth.
This approach calls for several technologies, each of which offers an opportunity to prevent or contain a catastrophic data breach. The first line of defense, multi-factor authentication, is also one of the most powerful: if credentials will inevitably be stolen, a second factor ensures that a leaked password alone is not enough to log in. Treating identity as the perimeter is a key framework for managing the flow of data across a large number of endpoints and user types, as is the case within healthcare organizations. Encryption of both structured data (database fields) and unstructured data (documents and files) should also be considered an essential component of a health organization’s security strategy, so that a compromised server does not hand an attacker readable records.
On top of these preventive measures, organizations need to focus on detecting and mitigating the removal of data. Security intelligence tools can monitor for high-risk, anomalous behavior, such as a user suddenly uploading far more data than usual to an unsanctioned service, and can be instrumental in stopping data exfiltration, especially via the cloud as in Anthem’s case. Compliance enforcement and data loss prevention (DLP) should also be integrated into this stack. HIPAA violations are all too common in the cloud; earlier this week, St. Elizabeth’s Medical Center was assigned a $218,000 HIPAA penalty for an employee’s use of a cloud file-sharing service to store documents containing protected health information “without having analyzed the risks associated with such a practice.” This last phrase underlines the importance of employee education and security awareness, especially with regard to cloud services, which are often available free of cost.
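To make the detection step above concrete, here is an added example of the kind of anomaly rule a security intelligence tool applies to outbound traffic. It is example code written for this page, not a tool from the original post or from any vendor mentioned in it. It assumes a simplified web-proxy log format (timestamp, user, destination host, bytes uploaded), a list of sanctioned hosts, and tuning thresholds; the host names, thresholds and log lines are all constructed for illustration. Each user’s daily upload volume to unsanctioned hosts is compared against that user’s own history: a spike several standard deviations above the user’s baseline is flagged, and a bulk upload by a user with little or no history is flagged by a separate rule because a z-score is meaningless without a baseline.

```python
"""Detect anomalous uploads to unsanctioned cloud services in proxy logs.

Added example, not from the original post. Host names, thresholds and the
sample log below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the organization keeps a list of sanctioned destinations;
# anything else is treated as an unsanctioned cloud service.
SANCTIONED_HOSTS = {"ehr.hospital.example", "mail.hospital.example"}

# Tuning knobs (assumed values; calibrate against your own traffic).
MIN_BASELINE_DAYS = 3               # history needed before a z-score is trusted
Z_THRESHOLD = 3.0                   # standard deviations above the user's own mean
MIN_ALERT_BYTES = 50_000_000        # ignore spikes under 50 MB even if statistically odd
NEW_BEHAVIOUR_BYTES = 100_000_000   # bulk upload by a user with little or no history

# Constructed sample log: "<ISO-8601 timestamp> <user> <destination host> <bytes uploaded>"
SAMPLE_LOG = """\
2015-07-13T08:02:11Z nurse1 ehr.hospital.example 4096
2015-07-13T12:30:05Z nurse1 upload.sharebox.example 210000
2015-07-14T12:41:19Z nurse1 upload.sharebox.example 190000
2015-07-15T13:02:44Z nurse1 upload.sharebox.example 205000
2015-07-16T12:15:00Z nurse1 upload.sharebox.example 200000
2015-07-17T02:13:09Z nurse1 upload.sharebox.example 4500000000
2015-07-13T09:00:00Z admin2 ehr.hospital.example 2048
2015-07-17T09:15:30Z admin2 files.dropcloud.example 850000000
2015-07-17T10:00:00Z doc3 mail.hospital.example 15000
2015-07-17T11:20:00Z doc3 upload.sharebox.example 120000
"""


def parse_log(text):
    """Parse log lines into records; malformed lines are skipped rather than crashing the job."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, nbytes = parts
        try:
            records.append({"date": ts[:10], "hour": int(ts[11:13]),
                            "user": user, "host": host, "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def daily_unsanctioned(records):
    """Per user, per day: bytes sent to unsanctioned hosts and whether any went off-hours.

    A day on which the user was active but sent nothing to unsanctioned hosts is
    recorded as zero, so the baseline reflects normal (quiet) behaviour too.
    """
    totals = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "off_hours": False}))
    for r in records:
        day = totals[r["user"]][r["date"]]      # creates a zero entry for the day
        if r["host"] in SANCTIONED_HOSTS:
            continue
        day["bytes"] += r["bytes"]
        if r["hour"] < 6 or r["hour"] >= 21:    # assumed working hours: 06:00-21:00
            day["off_hours"] = True
    return totals


def detect_exfiltration(records, as_of):
    """Return alerts for users whose uploads on `as_of` (YYYY-MM-DD) deviate from their own history."""
    alerts = []
    for user, days in sorted(daily_unsanctioned(records).items()):
        if as_of not in days:
            continue
        today = days[as_of]["bytes"]
        history = [d["bytes"] for date, d in days.items() if date < as_of]
        if len(history) >= MIN_BASELINE_DAYS:
            mu, sigma = mean(history), pstdev(history)
            # A perfectly flat baseline has sigma 0; any increase is then infinitely unusual.
            z = (today - mu) / sigma if sigma else (float("inf") if today > mu else 0.0)
            if today >= MIN_ALERT_BYTES and z >= Z_THRESHOLD:
                alerts.append({"user": user, "bytes": today, "off_hours": days[as_of]["off_hours"],
                               "reason": f"z-score {z:.1f} against {len(history)}-day baseline"})
        elif today >= NEW_BEHAVIOUR_BYTES:
            alerts.append({"user": user, "bytes": today, "off_hours": days[as_of]["off_hours"],
                           "reason": "bulk upload with little history"})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_log(SAMPLE_LOG), "2015-07-17"):
        print(alert)
```

On the sample data, nurse1 is flagged by the z-score rule (a 4.5 GB upload at 02:13 against a baseline of about 200 KB per day, so the alert also carries the off-hours marker), admin2 is flagged by the little-history rule, and doc3’s 120 KB upload is ignored. Per-user baselines matter here: a radiologist who legitimately moves gigabytes a day would otherwise drown the console in false positives while a clerk’s first 800 MB upload would go unnoticed under a single global threshold.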
Finally, security does not end at the walls of your company. The business partner ecosystem cannot be neglected from a security standpoint, as CVS and Walmart discovered this week when their photo-hosting vendor suffered a breach. The average enterprise connects to 1,555 partners via the cloud, and many of these businesses do not follow strict information security policies. Healthcare organizations need to evaluate every partner that receives medical data, not only to avoid HIPAA violations but as a basic part of security due diligence.