While official numbers for 2018 haven’t yet been released, we know roughly 7 million healthcare records were involved in data breaches this past year. The reasons are tangled and varied, but we can find common themes that can help us learn how to prevent future data breaches.
For starters, the two most common causes for reporting a data breach to the U.S. Health and Human Services Office for Civil Rights (OCR) were: 1) deliberate hacking of IT systems and 2) unauthorized access or disclosure of protected health information (PHI). Though equal in number of incidents, deliberate IT hacking stands alone as the tactic with the greatest success, resulting in over 4 million records swiped.
Attackers didn’t show any deference to the well-resourced UnityPoint Health (1.4 million records stolen) or federal agencies, such as when the Centers for Medicare & Medicaid Services (CMS) reported unauthorized exposure to its own PHI in Healthcare.gov. In addition to these deliberate assaults, the largest single fine of 2018 was a $4.3 million expense levied on MD Anderson Cancer Center when the world-renowned oncology research hospital was unable to prove that a stolen device was secure and encrypted.
Naturally, you may conclude that these kinds of incidents are bound to happen. After all, healthcare organizations are brimming with high-value data that lures the worst cybercriminals armed with impressive tools and tactics. But under a different reckoning, you can see how every one of these breaches could have been halted.
Lesson 1: Visibility Rules
Whether you are monitoring the data flow between cloud clusters or the cyber hygiene of an endpoint population, keeping eyes on glass is the first step to finding your blind spots and seeing where your data resources are exposed. Think about it: how can you secure what you can’t see? Thankfully, IT asset management is stepping up to the plate and transitioning from being a keeper of inventories to a robust intelligence service feeding critical information to other groups and teams, enriching detection and response to uncover vulnerabilities.
Lesson 2: Configurations Count
We can see how an AWS Simple Storage Service (S3) deployment can be configured in exactly the way that lets attackers in the door. We also know that such services come equipped with all the controls necessary to stave off the tragedy. So what’s going wrong?
Not only are newer technologies more complex than ever, but with the rise of DevOps and continuous iterations, the services and resources we use are in constant flux. Keeping tabs on the right configurations for the current build and maintaining your own security intent has never been more complicated. But just as we learned in Lesson 1, having an unobstructed view of the attack surface will help to identify where configurations are risky and what steps you can take to restore order. Never has this been more necessary than with endpoint cyber hygiene.
Devices are teeming with PHI and users need unimpeded access to critical information to save lives. However, the ability to lay hands on health data is also a focal point for attackers. When countless records are on endpoints, why go any further to penetrate a well-fortified data center or cloud storehouse when so much is waiting for you on a device? The trend in distributed data creates an incentive-rich environment that requires control over every device with maniacal precision. Orchestrating all those controls demands universal control across the endpoint population and endpoint data discovery to pinpoint where sensitive data is riskiest.
Lesson 3: Crowd Sourced Learning Reigns
Healthcare, in some ways, is in a privileged position. With so many federal guidelines and regulations for reporting, there is an ocean of incidents to learn from. Now that the entire industry is held to standard practices, when those protections are usurped, everyone gets to hear about it. If we aren’t learning from the failures around us, even among our peers and the industry leaders we respect, we will be flanked by a hazard that would have been preventable had we taken that knowledge and put it into action.
Take note of the breaches inside and outside of healthcare. Look for common patterns and themes. Crawl your own IT environment and see if similar conditions are ripe for exploit. Being smart is learning from your mistakes, but being wise comes when we also incorporate learning from others’ shortfalls.