Every organization must manage the human factor in defending and protecting data, but healthcare providers and payers face unique challenges. While many think of technology as the frontline defense against cyber threats, people are in fact the most important factor in information security, from the perspective of both the network defender and the attacker.
You could have the most sophisticated technology in place to protect your networks, but if your employees are not practicing good cyber hygiene, from password best practices to knowing what a phishing email looks like, you have a significant gap in your security posture. Equally, while we talk about malware and other tools attacking our networks, what we are really dealing with is the humans behind those tools. If we understand their motivation, how they are funded and the digital fingerprints (tooling, infrastructure and techniques) they leave behind, we are much better equipped to protect our data and our networks.
There are three types of people CISOs and their teams need to keep in mind when designing cyber defenses. The first is the malicious insider, the employee who feels wronged by the company and sets out to harm it. The second is the external cyber attacker, motivated by financial gain or nation-state objectives, who often operates through a compromised insider: a legitimate user whose credentials or device have been taken over. The third is the accidental threat, the person who means no harm but whose lack of awareness exposes data to risk.
Each of these human threat vectors needs a defense strategy that is part of the overall information security posture, so that what is learned from each incident feeds the broader anomaly detection process. The more you understand about the threats to your network, the more likely you are to prevent intrusions, reduce dwell time and remediate successfully. Healthcare organizations that have invested in user behavior analytics backed by machine learning gain additional insight: by modeling what normal activity looks like for each user, they can identify and remediate anomalous activity far more quickly. The caveat is that such models are only as good as the baseline they learn; a short or noisy history produces both false positives and missed detections.
The convergence of human activity, machine learning and the application of analytics to detect and remediate anomalous behavior is one example of putting all three parts of the information security equation together to great effect, and the next generation of security products focuses on this intersection. Another example is adding a DVR-like agent to an endpoint, such as a desktop or laptop, which starts recording the session when a policy is violated or anomalous behavior is detected. For instance, if someone uses the endpoint outside their normal business hours, that triggers recording and alerts analysts, who can quickly determine which of the three buckets the person using the endpoint falls into. Because such recordings can capture PHI on screen, the captured data itself needs the same access controls and retention rules as the records it is meant to protect. These tools help organizations defend their networks more effectively, contain and remediate an intrusion more efficiently, and protect highly sensitive data in ways that were not previously possible.
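The off-hours trigger described above is simple enough to show end to end. The following is an added example, not code from the original article or from any product it mentions: it learns each user's normal logon window from a short history of authentication events, then flags new logons that fall outside that window (or that come from a user with no history at all). The log format, the user and host names and all the timestamps are constructed for this example; a real deployment would read them from the directory or endpoint agent, and the alert is the point at which the recording agent and the analyst page would be triggered.

```python
"""Off-hours logon detection against per-user baselines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events, not real data. Assumed format:
# "<ISO timestamp> user=<name> host=<name> event=<type>", timestamps in the
# organization's local time.
BASELINE_LOG = """\
2024-03-04T08:05:12 user=jsmith host=WS-114 event=logon
2024-03-04T12:31:40 user=jsmith host=WS-114 event=logon
2024-03-04T17:45:02 user=jsmith host=WS-114 event=logon
2024-03-05T08:12:55 user=jsmith host=WS-114 event=logon
2024-03-05T16:58:20 user=jsmith host=WS-114 event=logoff
2024-03-04T22:10:03 user=nightshift host=WS-201 event=logon
2024-03-05T01:14:19 user=nightshift host=WS-201 event=logon
2024-03-05T05:30:44 user=nightshift host=WS-201 event=logon
"""

NEW_EVENTS = """\
2024-03-11T09:02:10 user=jsmith host=WS-114 event=logon
2024-03-11T23:40:51 user=jsmith host=WS-114 event=logon
2024-03-12T02:15:33 user=nightshift host=WS-201 event=logon
2024-03-12T14:05:00 user=nightshift host=WS-201 event=logon
2024-03-12T10:00:00 user=newhire host=WS-300 event=logon
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) event=(\S+)$")
PAD_HOURS = 1  # tolerance added to each side of the learned window


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2),
            "host": m.group(3), "event": m.group(4)}


def covering_window(hours):
    """Smallest circular hour range (start, end) covering every hour in `hours`.

    The range runs forward from start to end on a 24-hour clock, so a night
    shift seen at 22:00, 01:00 and 05:00 yields (22, 5), not (1, 22).
    """
    hs = sorted(hours)
    widest_gap, idx = -1, 0
    for i, h in enumerate(hs):
        gap = (hs[(i + 1) % len(hs)] - h) % 24
        if gap > widest_gap:
            widest_gap, idx = gap, i
    return hs[(idx + 1) % len(hs)], hs[idx]


def in_window(hour, window, pad=PAD_HOURS):
    """True if `hour` lies inside the circular window widened by `pad` on both sides."""
    start, end = window
    length = (end - start) % 24 + 2 * pad
    return (hour - (start - pad)) % 24 <= length


def build_baseline(log_text, min_events=3):
    """Learn each user's normal logon window from historical logon events.

    Users with fewer than `min_events` logons get no baseline: there is too
    little history to call anything they do anomalous.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["event"] == "logon":
            seen[ev["user"]].append(ev["ts"].hour)
    return {u: covering_window(h) for u, h in seen.items() if len(h) >= min_events}


def detect(baseline, events_text):
    """Flag logons outside the user's window, or by users with no baseline."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["event"] != "logon":
            continue
        window = baseline.get(ev["user"])
        if window is None:
            reason = "no_baseline"  # route to review rather than auto-block
        elif not in_window(ev["ts"].hour, window):
            reason = "off_hours"
        else:
            continue
        # In the setup described in the text, an alert here is what would
        # trigger the endpoint recording agent and page an analyst.
        alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                       "host": ev["host"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_EVENTS):
        print(alert)
```

Two design points matter in practice. The window is computed on a circular clock so that a legitimate night-shift user is not flagged every evening, which is the most common source of false positives in naive hour-of-day rules. And a user with no baseline is surfaced as "no_baseline" rather than silently passed or hard-blocked, because the analyst, not the rule, decides which of the three buckets that person belongs in.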
In the end, there are three key steps to ensuring healthcare data is protected in your organization; each one involves collaboration between people and technology to drive better information security.
First: Educate your employees and end-users on everything from password security to how to recognize a phishing email.
Then: Bring in business unit stakeholders and collaborate to assess and assign risk for each part of the organization based on what data each stakeholder collects, where that data is stored and how they need to access and use information.
Finally: Develop workflows and governance rules to prevent data loss. For example, with Epic introducing cloud-based records systems, information that was once stored on-premises will now be stored in a hosted facility. CISOs need to adjust information access policies to account for the new exposures this change introduces, including the ability to access PHI from mobile devices anywhere. Here it would be wise to introduce tiered access policies based on data sensitivity and two-factor authentication (2FA) as a minimum.