October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In Part 3 of this series, we bring you insight from Kevin Golas, Senior Director, Investigations and Risk Management who brings extensive insight into the complexities of compliance, security architecture design and forensic analysis to enterprises and healthcare organizations. See Part 2 of this series: 5 Ways to Combat the Insider Threat.
The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats to our critical infrastructure – electricity, financial institutions, transportation – are of paramount importance, it’s the increasing threats to healthcare that keep many of us security experts up at night. These threats have been steadily rising for many years, with headline-grabbing breaches from Anthem shaking many to their core… but it’s the repercussions of the loss of ePHI that have me worried.
We talk about the impact of data breaches on organizations, with healthcare data breach costs still 2.5 times the global all industry average at $380 per breached record, a sum which costs the healthcare industry as a whole many billions of dollars each year. But what about the impact to patient? That’s where my concerns lie. What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Healthcare technology has made leaps and bounds in terms of its ability to improve patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve the situation?
- Thoroughly review vendor contracts and partner systems. Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
- Put in place a data breach notification procedure, including detection and response capabilities and consider purchasing special insurance. Under the upcoming GDPR requirements, organizations must report a data breach within 72 hours.
- Rehearse your data breach plans and make sure the organization can report on the consequences of a breach very quickly.
- Ensure visibility to all endpoints to ensure firmware and software can be updated against vulnerabilities and that red flags go up if a device misses an update, goes missing or shows signs of tampering.
- Update or protect legacy technology in healthcare against attack. The reality of limited budgets in healthcare means that many legacy systems remain unsupported, with unmatched vulnerabilities, that could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
- Automate detection and response capabilities – our recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
- Add resiliency to security solutions to ensure that the controls in place cannot be tampered with by malicious or insider activity. This resiliency is only available through Absolute’s persistence technology, embedded in the firmware of over 2 billion devices.
- Make data protection a board level concern by appointing a CISO or Data Protection Officer to be responsible for data security and ensuring data security is a regular topic by the Board, a key differentiator in reducing security gaps.
- Train staff regularly on the importance of data security to mitigate the insider threat. Have a well communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
- Set up and undertake regular compliance reviews in order to identify and rectify issues.
Recognizing the greater potential fallout of healthcare breaches and the impact these breaches have on consumers, the incoming EU General Data Protection Regulation (GDPR) is set to enforce a new and higher set of data protection standards on healthcare organizations. You can read more about these data protection recommendations and more in our whitepaper, GDPR And What Healthcare Organizations Need to Know.