Today, healthcare organizations have been the favored targets of cyber criminals; healthcare records are some of the most valuable data on the cyber black market. Just a few years ago, these attacks were relatively rare in healthcare; financial services companies typically bore the brunt. Does the trajectory of the financial services sector from target to data protector show any signs of being replicated by the healthcare industry?
Doug Copley, Deputy Chief Information Security Officer (CISO), specializing in Healthcare, at Forcepoint, says healthcare organizations face a much harder road to ensure information security than nearly every other industry. “By their very nature, the types of data collected by providers and payers are highly attractive to cyber criminals,” he shared. “There is a complete record of personally identifiable information (PII), including Social Security Numbers, plus sensitive clinical information and it’s a life-long record. It’s also more vulnerable, as healthcare provisions require that the complete record is stored in many different locations and can be accessed by a variety of people – from the admissions desk to the radiographer, for example. Financial information is not as far-reaching, so the financial services security model is not very relevant to healthcare CISOs.”
“Health insurers are used to working with credit card payments and collections and therefore already have stronger security safeguards and likely, data segmentation in place. For them, adhering to the HIPAA security control requirements is less of a challenge. For hospitals and health systems, it requires a much more intentional effort from executives and a grass-roots approach to not just satisfy regulatory control requirements, but to truly manage security risk for the company,” shared Copley.
Without a doubt, the most common vulnerability point for any organization is the point at which humans interact with this critical data. In addition, most providers have blind spots in understanding where data resides and how it flows in and out of systems. “While most people who access data do not have malicious intentions, there are always a few intentional bad actors and many more who inadvertently expose information,” said Copley. “Most breaches come from these accidental behaviors by good employees, with no intention of harming their healthcare organization.”
His advice? CISOs need to change how they educate employees about cybersecurity. Rather than a perfunctory, once-a-year PowerPoint presentation, Copley advises that CISOs make employees partners in information security and deliver training on a regular basis, preferably every month, focusing on an area of risk with tips on how to manage that particular issue.
For example, one of the biggest risks comes from phishing emails, which introduce all manner of threats, including ransomware, into a network. Setting up a training exercise where a phishing email is staged and delivered to employees is an incredibly effective tool. “If the employees click a link on the email, they’re taken to a page where they can learn more about how to identify phishing techniques,” Copley shares. “A people-centric security approach includes practical and meaningful education, rather than just thinking about abstract threats.”
The other major threats to information security are the blind spots in how data is managed, stored, and transported – and this is both easier and harder to solve. The best place to start is for CISOs to develop a risk management plan that leads to an understanding of where data resides, whether it is backed up on a regular basis, who has access and whether that access can be audited, as well as gaining visibility into encrypted traffic on the network. In fact, this last element is the Achilles' heel of most organizations; more than 80 percent of network traffic is now encrypted via HTTPS, but it is rarely inspected. “Effectively,” said Copley, “organizations are operating in the dark without inspecting traffic.”
Despite the myriad threats, Copley is optimistic about the future of information security for healthcare organizations. In his view, not only will they be able to withstand the attacks and remediate, but they will begin to get ahead of the curve through a combination of user education, risk management planning, and next-generation technologies that can observe behavior and help security analysts understand the intent of insiders, whether inadvertent or malicious. “We could wait for regulations to be handed down, or we can work together to ensure that access to best practices and innovative tools is ubiquitous. That’s how I see information security professionals in the healthcare industry working today and succeeding in the future,” he concluded.
Want to know more about the state of information security for healthcare and across industries? Here’s a practical guide to download.